Cybersecurity – Federal News Network
https://federalnewsnetwork.com

Key cyber agency set to get procurement authority, contracting officers
https://federalnewsnetwork.com/acquisition-policy/2022/07/key-cyber-agency-set-to-get-procurement-authority-contracting-officers/
Mon, 04 Jul 2022

The Cybersecurity and Infrastructure Security Agency is continuing its fast evolution as a standalone agency, with CISA set to get its own procurement authority this month.

“We have some exciting news — our component acquisition executive gets initial procurement authority early July,” CISA Chief Information Officer Robert Costello said during an event hosted by the Homeland Security Defense Forum last week. “That’s a huge, huge deal.”

CISA will have its own contract specialists, Costello said. Currently, CISA relies on outside entities, including the Office of Procurement Operations at Department of Homeland Security headquarters, to carry out its procurement needs.

David Patrick is currently CISA’s chief acquisition executive, according to the agency’s website. Prior to CISA, Patrick served in various leadership roles in acquisition offices at Immigration and Customs Enforcement, DHS headquarters, and U.S. Customs and Border Protection.

Patrick is “leading the realignment of CISA acquisition and procurement activities and the transformation of the Office of the Chief Acquisition Executive,” CISA’s website states.

As one of the newest federal standalone agencies, CISA is still building out management and support operations that other agencies may take for granted. CISA was established as a standalone operational component of DHS in 2018, having previously been the National Protection and Programs Directorate at DHS headquarters.

“There’s a lot of work to do internally just on our own identity and culture,” Costello said. “Now we’re a component of equal rank to [the Transportation Security Administration] or CBP, so we’re developing our own culture here as well.”

CISA procurement plans

CISA is requesting $6.2 million in fiscal 2023 for 50 positions, including 25 full-time equivalents, to establish and build out a procurement team within the Office of the Chief Acquisition Executive, budget documents show.

“As a new agency, CISA does not currently have the internal procurement operations and support functions to effectively and efficiently support CISA’s growing and rapidly changing cybersecurity, infrastructure, emergency communications, risk management, stakeholder engagement, and other missions,” the documents state.

The new team will help CISA streamline and improve its procurement planning and execution by working more closely with other CISA divisions and programs, the justification documents continue.

Other goals include “identifying and utilizing existing contractual flexibilities and methodologies to best meet end-user needs in a rapidly changing environment,” as well as partnering more closely with industry through outreach events.

“A CISA procurement activity will operate as a full business partner and serve as a strategic asset dedicated to improving the agency’s overall business performance,” the documents state.

‘Handing out laptops’

Costello joined CISA last year. He has experience at much larger IT divisions in other DHS components, though, including ICE and CBP.

At the cyber agency, Costello said he gets to be more “hands on” as CIO of a relatively new standalone component.

“There have been days where I’m handing out laptops or configuring stuff,” he said during last week’s event.

The CIO’s office has a staff of about 90 people, Costello said. A priority for the coming year, he said, is expanding support to CISA’s growing field operations, including statewide cybersecurity directors, chemical security advisors, and regional directors.

“I’m starting to embed my folks out in the field and provide improved services out there so that they have the same level of technology as we do here at headquarters,” Costello said.

CISA has seen rapid growth in recent years as both the Biden administration and Congress have looked to the agency to respond to cybersecurity threats in particular. The agency has taken on a lead role in the cybersecurity of the federal civilian executive branch. It’s also working more closely with private industry to combat cyber threats to critical infrastructure.

Costello said his role as CIO is to support those growing functions with up-to-date technology. Still, he said the CIO organization at CISA is a work in progress.

“We’re definitely maturing a lot of our processes, building a component CIO office,” he said. “I really do think it’s going to take a few years to kind of get to the same level of say, an ICE or CBP, where we’re doing all those functions ourselves. And so in some areas, maybe I’ve slowed down some work because we’re not quite there at that maturity level as we stabilize other areas.”

With CISA looking to attract top cybersecurity talent, Costello said the agency needs to use the most up-to-date technology. A big focus for him has been supporting different devices, including Macs and Androids, he said. In December, for example, CISA began using Slack for internal collaboration.

“We really need to be a place where people want to come to work for the tech,” Costello said.

Costello is also aiming to set the bar high when it comes to federal cybersecurity by ensuring CISA’s internal security complies with the agency’s mandates and guidance in areas like zero trust architectures.

A big focus for CISA’s internal security developments is identity, credential and access management (ICAM), an area in which Costello said the agency is currently “lacking.” But at the same time, the CIO said he has the advantage of being able to build new, “green field” solutions rather than needing to update an extensive legacy IT environment.

“I had some goals in mind this year,” Costello said. “We met a lot of them. Some of them are going to slip, and that’s okay, because I want to build a really strong foundation that CISA can build on for a decade. And so I’d rather take a six month slip on a project than build a really poor foundation. So that’s what we’re concentrating on: identity, monitoring systems, and building our people and teams up, deciding what the federal-to-contractor makeup is going to look like, and what skill sets that we need.”

How the public sector can overcome training and skills gaps to combat rising cyber threats
https://federalnewsnetwork.com/commentary/2022/07/how-the-public-sector-can-overcome-training-and-skills-gaps-to-combat-rising-cyber-threats/
Mon, 04 Jul 2022

For those with careers in the public sector, the growth in remote work has raised new concerns regarding an organization’s ability to maintain ongoing and effective cyber defense. For example, working from home often requires employees to use unsecured wireless networks, leaving devices susceptible to data breaches and ransomware attacks.

Vulnerable systems are increasingly becoming a target for bad actors who have recently elevated their infiltration capabilities through sophisticated AI and automation tools. Now, attackers can access a system, disrupt it, retrieve data and leave without ever being detected. And in light of current geopolitical events, it’s clear that adversaries will continue to relentlessly attack U.S. cyber infrastructure, underscoring the growing need for proactive measures.

With more threats and vulnerabilities than ever before, IT departments must be trained for today’s challenges and understand the value of outsourcing additional help from trusted managed service providers (MSPs) to improve their overall cybersecurity posture.

Training a new generation of IT experts

Reinforcing an organization’s cyber defenses is no easy feat, especially when most IT departments are understaffed. The demand for knowledgeable cybersecurity experts was already mounting before the pandemic, but in the last year, job openings within the industry have increased by nearly a third, with over 600,000 cybersecurity positions remaining unfilled.

Short-staffed IT departments are more susceptible to data breaches and ransomware attacks due to fewer eyes monitoring an organization’s system and less technical expertise. Filling these positions will take time, so organizations struggling to maintain adequate cyber protection should look to partner with an accredited MSP in the interim.

Quality MSPs can provide advanced services while backed by the latest certifications that demonstrate their expertise and trustworthiness. When searching for an MSP, agencies should confirm the provider meets these criteria to ensure data protection and high-quality cybersecurity assistance.

Working with an MSP is extremely beneficial, but internal labor and skill gaps still need to be addressed. Educating the next generation of IT professionals is key, and many are looking to future undergraduate students to fill the cybersecurity skills gap. Tech giants like Microsoft are even working with community colleges across the globe to train prospective IT practitioners. While these efforts are admirable, educational institutions simply cannot produce enough college graduates to accommodate this increasing demand. American veterans, however, are eager to join the cyber workforce.

Reskilling veterans for success in cybersecurity

The U.S. is the proud home to more than 18 million veterans, with roughly 200,000 service members retiring their uniforms every year. Unfortunately, many returning veterans often have difficulty readjusting to civilian life. Finding a job is a critical part of this transition, but many veterans lack the experience needed to fairly compete in the labor market, especially in the cyber/IT sector.

Fortunately, nonprofits now offer cybersecurity training programs catered to former service members and their spouses. These programs provide proper training and arm their participants with the internationally recognized credentials, skills and resources they need to pursue self-sustaining cyber careers. Moreover, these lessons are updated regularly by cyber industry experts to ensure participants pursue the most relevant and in-demand certifications possible. Providing courses that reskill veterans will prevent unemployment for these citizens and help eliminate America’s cyber workforce shortage.

Out with the old, in with the new

Another hurdle is outdated technology. Many organizations are tethered to legacy systems and applications that are slow, prone to bugs and therefore exposed to cyberattacks. When organizations continue using outdated computing software and/or hardware, it exposes them to new risks.

While seemingly counterintuitive, organizations continue to use these obsolete systems because they don’t want to endanger the stability of their current applications by switching to a new program. Shifting to modern technologies can be costly and often messy. Many IT professionals have expressed their concerns about tampering with a program that already accomplishes its intended purpose.

Moreover, upgrading an IT infrastructure is tedious, time-consuming, and cannot be accomplished overnight. Thankfully, there are new cloud-based solutions that can easily be integrated alongside legacy systems. As a result, IT professionals should confidently be able to store, manage and process information remotely, all while knowing they are backed by the latest certifications and have access to critical features such as backup, recovery and data protection. Housing these capabilities on a unified cloud platform can make IT management easier and more accessible for everyone.

Looking to the future

Today, the threat of cyber warfare is more present than ever. Therefore, strengthening the current cybersecurity workforce with knowledgeable employees and implementing new cloud-based programs alongside legacy systems would significantly protect the U.S. public sector from looming threats.

Thankfully, the federal government continues to enact new legislation to help facilitate some of these needed changes. Last November, an infrastructure bill was passed, designating billions of dollars in new cyber spending over the next few years. Public agencies rejoiced, as this is the biggest government investment in state and local cybersecurity to date. Defining how public organizations can apply for these grants, raising awareness of eligibility, and subsequently addressing these obstacles will go a long way towards safeguarding the U.S. from future cyberattacks.

John Zanni is CEO of Acronis SCS.

Regulators enforcing sanctions against Russia face an uphill battle. AI is their ally
https://federalnewsnetwork.com/commentary/2022/06/regulators-enforcing-sanctions-against-russia-face-an-uphill-battle-ai-is-their-ally/
Thu, 30 Jun 2022

In the wake of Russia’s invasion of Ukraine, the U.S. and other Western democracies united to levy the harshest package of sanctions ever imposed on a single nation. Yet, despite the strategic resolve driving their efforts, these governments may lack sufficient resources to fully enforce the sanctions.

At the heart of the problem lies a critical shortage of skilled personnel within the agencies tasked to enforce the sanctions. Faced with the most comprehensive sanctions in a generation and a thinning workforce to implement them, government officials are left with very few options but to take a page from the private sector and integrate AI technology into their investigation operations.

AI’s speed, scope, accuracy and efficiency would optimize sanction enforcement efforts. The technology’s capacity to analyze vast amounts of data and rapidly identify criminal activity and potential risks makes it a formidable tool in the enforcement of financial regulations, including international sanctions.

Challenges of scaling Russian sanctions

President Joe Biden recently announced a major scaling-up of Russian sanctions, targeting two of Russia’s largest financial institutions — Sberbank and Alfa-Bank — along with an expanded list of individuals tied to the Kremlin. These joined the already voluminous list of sanctioned entities that were targeted directly or severely limited through exclusion from SWIFT, the global payment system for cross-border trade.

But the West’s capacity to maintain, let alone expand, its current sanctions program is already experiencing significant gaps and limitations. In early 2020 — at the onset of the Coronavirus pandemic — the U.S. Government Accountability Office released a report describing how several U.S. agencies responsible for enforcing sanctions were short-staffed and have been unable to fill enough full-time positions to operate effectively for years.

Without adequate human or technological support, regulators may be compromised in their efforts to counter the bad actors working to circumvent the sanctions. Many of them may be counting on the possibility that overwhelming mountains of data in the global financial system could slow down or block regulators’ actions. If enforcement teams adopt advanced AI technologies to boost sanctioning efforts, however, the same violators would soon realize the unfavorable odds in making such a wager.

Risk discovery, detection speed and accuracy

Risk detection lays the groundwork for all sanction enforcement actions. Moreover, detection speed and detection accuracy, via the elimination of “false positives,” play a critical role in determining the probability of success.

Here’s where the case for AI is most compelling. AI can help private financial institutions more than double the number of risks detected, reduce false positives by 60%, and increase the pace of risk detection by 40%. Through advanced machine learning technologies, AI systems are capable of analyzing large, complex, noisy and incomplete datasets (a.k.a., topological data analysis) to identify the latest and riskiest criminal behaviors. AI detects anomalies in payments and transaction patterns in a discreet manner that doesn’t depend on interrogations and won’t tip off the institutions, companies, or individuals seeking to sidestep sanctions.

AI can also help analysts develop behavioral models based on past sanction violations or similar financial crimes. Based on those models, it can analyze large volumes of data from a variety of sources to automatically pinpoint current violators. It can even identify emerging threats, to uncover the “DNA” of complex crime behaviors on its own.

Equally important is the capacity of an AI application to present its findings in an easy-to-understand format suitable for end users that are not data scientists or IT specialists. And all of this analysis can be executed in just a fraction of the time it would take most trained investigators — a crucial advantage in an endeavor in which time is of the essence, and there’s already an enormous drain on resources, time and capital.

AI could be a game-changing ally for regulatory and law enforcement agencies in their efforts to thwart sanctions violators. And, with political relations with Russia evolving by the day, if not the hour, the sooner support is brought in to help track new and existing sanctions against the country, the better.

Raj Srivatsan is Vice President, Civilian at SymphonyAI.

USPTO putting foundational piece of zero trust architecture in place
https://federalnewsnetwork.com/cybersecurity/2022/06/uspto-putting-foundational-piece-of-zero-trust-architecture-in-place/
Wed, 29 Jun 2022


The U.S. Patent and Trademark Office is taking a huge step to reduce the cyber risks from its employees.

Time and again, cybersecurity research finds the employee is the weakest cyber link. The fiscal 2020 Federal Information Security Management Act (FISMA) report to Congress said two of the top three risk and vulnerability assessment findings were directly related to employees: spear phishing weaknesses and easily cracked passwords. The Office of Management and Budget hasn’t released the 2021 FISMA report to Congress, which typically comes out at the end of May.

To that end, USPTO will be among the first agencies to implement a Secure Access Service Edge (SASE) architecture.

Jamie Holcombe is the chief information officer (CIO) at the United States Patent and Trademark Office (USPTO). (Photo by Jay Premack/USPTO)

Jamie Holcombe, the chief information officer for USPTO, said SASE will accelerate USPTO’s journey to zero trust.

“I think it’s the first foundational piece of the zero trust architecture that we get to actually act upon. So with the executive order, and zero trust architecture, the fact is that it’s not one product, it’s more of a philosophy. I like SASE as that architectural philosophy to ensure that we can identify users and devices, and apply the policy-based security controls, delivering that secure access to the applications and ensuring that our data is secure,” Holcombe said in an interview with Federal News Network. “The fact that SASE addresses the architecture and that philosophy around that scope is providing us the first time that we can really concentrate on that architecture and the ability to actually go into it and use products, not just one product, but products in that philosophy for ensuring SASE and zero trust.”

SASE, which is one of the latest cyber buzzwords, attempts to converge multiple security technologies for web, cloud, data and threat protection into a single platform that protects users, data and applications both in the cloud and on-premises.

The move toward a SASE model will help eliminate perimeter-based tools and give security operators a “single pane of glass” from which to ensure the safety of users, data and devices and apply a consistent security policy.

USPTO awarded Netskope a contract that could be worth $4 million and last as long as 19 months to implement the SASE architecture.

Holcombe said by implementing the SASE architecture, USPTO will drive security to the edge instead of just the network.

“What we’re talking about is the identification of users, the identification of devices and all the things in between the OSI layers [where computers communicate with each other] to put them all together in a secure way,” he said. “Netskope’s product actually provides the ability for that architecture. But there’s a lot of other things that you need to plug and play in order to be that secure. So that’s what the edge means to me going out and securing not just one part but all the parts in an architecture.”

Risk scores driving decisions

Beau Hutto, the vice president of federal at Netskope, said this approach lets agencies apply what they know about users, devices and other factors like location to create a risk profile and then apply it in a “least privileged” way.

“The user should have a risk score. The actual device should have a risk score. The data has a sensitivity score. So being able to bring a very basic layer all of that together and what access you give to that data because really the crown jewels is the data, it’s no longer the network,” Hutto said. “When you go to protect that data, you have to understand the context in which everything’s being accessed. That is truly where least privilege zero trust architectures come into play in a significant way.”

Through SASE, USPTO is putting the employee and the data at the center of the security effort. Holcombe said if the agency can reduce the chance that a user clicks a malicious link or gives up their network credentials, its cyber posture will greatly improve.

“What I like about SASE is the fact that the machine-device control plane is in the realm of the user. I’m just doing a service and I don’t care what server it sits on. But when I create that cyber secure session, what I can do that is ensure that machine-device control plane actually has the right risk profile and it’s a two-way scoring. It’s just as important for the user to be secure as the device is to be secure, and everything in between the application, the data and the network,” he said. “What I’m really trying to do is pull that scope that surface area of the user and bring it down into the technical, such that the user doesn’t have to care and that it’s more of a machine-device control plane. That’s the way we get our security done.”

Hutto added that creating that platform, or single pane of glass, breaks down the silos that have built up around security over the last few decades.

Accelerating the move to the cloud

Through SASE, USPTO, or any agency for that matter, will capture and analyze cyber information in a more standardized, scalable and agile way.

“We’ve had the opportunity to re-imagine how our security stack can look, should it be a security stack in the cloud or as-a-service? Where the first hit that your user makes is to the service and whether they go on-premise or back out to the cloud, it’s just in a very elegant, easy, very performant solution,” Hutto said.

Holcombe said it will take some time before USPTO fully implements a SASE architecture. He said he will start with the applications already in the cloud, about 17% of all applications the agency runs.

“We are staging for about the next 17% to 20%. So we’ll have around 35% to 40% of our applications in the cloud before the end of the year. That’s from almost 3% to 4% two years ago,” he said. “Some of the applications are not there. The ones that are going to be there are in the next 20% to 30%, we’re actually refactoring them with our product design teams. We’re actually including cybersecurity and testing, and doing the continuous integration and continuous deployment in these new applications. But there’s about 30% of our applications that will never go out in the cloud. They are just too old.”

Holcombe said the more USPTO puts applications and workloads in the cloud and uses DevSecOps to continually modernize them, the more it can take advantage of SASE.

“One of my design philosophies besides pushing security to the edge is also the fact that I will not deploy something until I know I can rip it out in three years. I want to replace any tool that I put in, because that is the speed in which these tools are being rejuvenated, and there’s better tools in three years,” he said. “If you design something that lasts anywhere from 5 to 10 years, you’re wrong. Design it to do what you needed to do in three years, and then look to other things to replace it. The return on investment needs to be within three years or don’t do it.”

GSA considers how to interconnect systems for new buildings https://federalnewsnetwork.com/technology-main/2022/06/gsa-considers-how-to-interconnect-systems-for-new-buildings/ https://federalnewsnetwork.com/technology-main/2022/06/gsa-considers-how-to-interconnect-systems-for-new-buildings/#respond Tue, 28 Jun 2022 19:28:46 +0000 https://federalnewsnetwork.com/?p=4126408 IoT Security Month - June 28, 2022

As the director of the Buildings Technology Services Division at the General Services Administration’s Office of IT, Sandy Shadchehr said there has been a surge in demand for interconnected building systems over the past decade. In her office’s case, presidential mandates to integrate buildings for more, and more efficient, data collection are reinforcing the trend of migrating those systems onto the network.

“There’s a lot of IP-enabled devices. And with that, obviously, with the connectivity, with all those benefits that you get from connectivity, there comes the risk. And what is happening these days, back to your question is cyber, cyber, cyber,” she said on Federal Monthly Insights — IoT Security.

In the days of “standalone mode,” building systems were meant to last 20 or so years, and the risk was comparatively low because those systems were not connected. Today, when system components are IT components, the risk is greater, she said. But interconnectivity also enables preventative measures that bring cost benefits.

“Once you have the systems interconnected and they communicate with each other, then you can actually have a dashboard that you can have in an entire building in a nice console that you’re looking at and you can start doing predictive analysis so that you’re not just waiting until the system breaks down,” she said on the Federal Drive with Tom Temin. “You can actually have a way of systems sending you notification: This thing doesn’t sound like this, this piece of equipment is not working quite right.”

That can mean fewer people needed in the building at all times, as well as greater energy efficiency, she said. But it also raises questions about ownership of the data on those systems. If something is hacked, Shadchehr said, traditionally that was a problem for IT or the lone security person. She said GSA changed its stance and determined that everyone has a role in solving cybersecurity weaknesses, from the Public Buildings Service to the chief information officer, to the building manager, the operational management maintenance person, and the service center director.

Examples of cyber dangers to building systems include adversaries collecting operational data to predict when personnel are working, or disrupting operations by hacking into a building. GSA’s portfolio of critical buildings for the federal government’s more sensitive agencies is top of mind, and is why constant vigilance is required, she said.

“Another one is that there can be a disruption of operations. There could be a very sensitive court proceeding going on and somebody can turn the lights on and off, and that can disrupt, or it can make a building very hot in the middle of July in Arizona, or in Texas,” she said. “They can make it unbearable to be in the building or incredibly cold, and the pipes get burst … so many things, so many scenarios that can happen, absolutely.”

Part of the predictive analytics of building systems Shadchehr described comes from occupancy and environmental sensors. These can be things like thermostats and motion-activated room lights. COVID-19 was a game changer for these, as agencies needed to spread out their building occupancy for social distancing. At GSA headquarters in Washington, D.C., they used sensors to determine where to place people throughout the building. It is not just cameras: devices using Wi-Fi or Bluetooth can also alert a sensor when someone enters the building. The Office of IT is tapping into the Internet of Things to see what works and what does not compromise security or privacy.

“We’ve done a few different pilots to see what works better for us. And we have buildings in all shapes and sizes and colors, so we have to probably try different types of things for different types of buildings that we have,” Shadchehr said.

Sensors and networks produce data, and the “mad rush” of IoT inspired a similar dash to collect that data. But just because GSA is collecting that data does not mean it will “just talk with each other,” she said. The Office of IT wants to work closely with the Office of Design and Construction to ensure the IT backbone is built into new construction rather than being an afterthought.

“It’s a lot easier to put it in place or to build it correctly, as you’re building the building, instead of going back and retroactively try to fit that. We’ve been in that scenario many times, and it’s a lot more costly, a lot more time consuming to basically fit a square peg in a round hole,” she said.

CMMC early adopter program to further spur vendor cyber actions https://federalnewsnetwork.com/ask-the-cio/2022/06/cmmc-early-adopter-program-to-further-spur-vendor-cyber-actions/ https://federalnewsnetwork.com/ask-the-cio/2022/06/cmmc-early-adopter-program-to-further-spur-vendor-cyber-actions/#respond Mon, 27 Jun 2022 20:45:07 +0000 https://federalnewsnetwork.com/?p=4124265

The Defense Department has been talking about the Cybersecurity Maturity Model Certification (CMMC) standards for more than three years.

And while the final version 2.0 standards aren’t going to be ready until next summer, the impact of just talking about improving cybersecurity among contractors is real.

Stacy Bostjanick, the chief of implementation and policy and deputy CIO for cybersecurity for the Defense Department, said contractors are definitely more accepting of the need to protect their data. But, she quickly admitted, they may not have fully embraced CMMC.

“The 7012 [Defense acquisition regulations] clause started that in earnest in 2013. We got a ton of pushback and finally got it into a rule in 2017. And then after that, we had a few incidents like SolarWinds, the Colonial pipeline, and now people are like, ‘Oh, yeah, maybe people are coming after me. Oh, maybe it is an issue,’” Bostjanick said at the recent AFCEA NOVA Small Business IT Day.

Dr. Kelly Fletcher, the principal deputy chief information officer for the Defense Department, said the current approach, based on self-attestation, creates a potentially uneven playing field between contractors who take the right steps to secure their data and those that just say they do.

“We know we have totally divergent compliance. If you’re complying now with what is in your contract, you’re competing against folks that aren’t, and I think CMMC is trying to get after that,” Fletcher said. “I don’t think CMMC is perfect. I think any solution we come up with isn’t going to be perfect. But it is our first attempt to get after that.”

25% of DIB met cyber requirements

While the problem may not be new, the data collected by the Defense Contract Management Agency (DCMA) shows just how troubling it is.

John Ellis, the technical directorate’s software division director at DCMA, said out of 300 assessments the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) did over the last few years, only 25% of the companies were compliant with the 110 requirements in the National Institute of Standards and Technology’s Special Publication 800-171.

“If roughly 25% of companies were fully compliant when we assess them, now, if you extrapolate that across the DIB, that’s why we’re informing some of the decisions. So if what CMMC is going to do for us in the future that we can’t do today is what we do today is largely a post-assessment activity. There are holes in those mechanisms, things are not fully implemented,” Ellis said at the Coalition for Government Procurement spring conference in Falls Church, Virginia. “CMMC is going to let us address some of that stuff that does lead to stronger prevention of ransomware attacks because it’s going to require companies to become far more fully compliant. If 75% of your companies can’t meet the requirements and they’re required to meet all of those before they can be awarded a contract, what does that mean, in terms of who can compete for contracts? It doesn’t bode well.”

Ellis said the DIB’s shortcomings, based on these assessments, and the need to bring more companies up to par faster are why DCMA is launching the early adopter program for CMMC. The program lets defense companies work with certified third-party assessment organizations (C3PAOs) before CMMC 2.0 is finalized. Ellis said DCMA auditors would look over the C3PAO’s shoulder and offer feedback and insights, but it would not be an official DIBCAC review.

“We started the planning for the early adopter program a couple of months ago, but we haven’t started the assessments yet. I expect us to start them later this summer,” Ellis said. “The assessments are on site, but also include a lot of coordination ahead of time with the company, the C3PAO and our folks. It’s a 45-60 day process that happens at the company’s site.”

Ellis said the C3PAO and the DCMA auditors will conduct a medium- or high-confidence assessment, which is more like a document review, in which they go through the system security plan with the company to ensure it has documented its requirements in a way that articulates that it understands them.

Benefits for DoD, vendors alike

The early adopter program is part of several ongoing initiatives DoD is pursuing to get a head start on CMMC. Bostjanick said earlier this year that DoD will do a series of tabletop exercises to test out the cyber standards.

Bostjanick said the early adopter program benefits the C3PAOs, DCMA and the DIB because all will get experience with CMMC standards.

“You will be given a DIBCAC high assessment in supplier performance risk system (SPRS), and our intent, which means our hope because lawyers told me we can’t promise anything because rulemaking is that, when CMMC becomes a thing, either as an interim thing next May or a final thing the following May, that companies certifications will still be good for an additional three years,” she said. “One of the things that you’re going to see in CMMC 2.0 is each company has a requirement to do an annual affirmation. Which states ‘Yep, I’m still good. I’m still in compliance. Nothing has changed. Nothing has caused me to go out of compliance. I affirm I still meet the requirements.’”

Ellis said there are about 20,000 companies in SPRS today, and if, based on the DCMA review of about 300 companies, approximately 75% are not in compliance with the 110 controls detailed in NIST SP 800-171, there is a lot of work that still needs to be done.

“The data in SPRS says the opposite. We see an awful lot of scores that are very, very, very high, and we’re a little concerned about that for a couple of reasons,” Ellis said. “One, we’re concerned about companies not really doing the things that they said they were going to do. And two, it gives a false sense of security both to the companies and to the government in the procuring activities that are relying upon that information.”

DoD is facing similar questions about its own systems’ compliance. A Government Accountability Office report in late May highlighted the Pentagon’s struggles in meeting the same NIST 800-171 standards for its internal systems.

Ellis said DCMA started reviewing about 300 contractors’ compliance with the NIST standards in 2019, and the hope is that those companies that were among the first would be part of the early adopter program.

He said the NIST reviews alone have improved vendor cybersecurity.

“We had one company that was in the negative 200 range and now they are in the mid-two digit range, meaning they have improved remarkably over the last few years,” he said. “It’s really important that folks understand, this is not meant as a threat. We’re looking at it to derive knowledge and insight. We’re going to anonymize the results, unless we were to stumble into something that’s fraudulent and then that’s a whole other can of worms, by the way. But what we will do is share that information of what we learned with the companies that we’ve assessed so that people can see the goodness of the information that’s actually in the system. It should inform both government folks and quite honestly, it should inform the DIB. You don’t ever want to be in a position where you think you’re much better than you are, and then either the DIBCAC shows up or a C3PAO assessment is conducted, and you find that you’ve missed the mark, significantly. That’s not good for you as a company. And it’s certainly not good for us to rely upon somebody that doesn’t have that understanding.”

To prepare for the influx of work coming from CMMC, the DIBCAC is staffing up. DCMA plans to grow its staff in the DIBCAC to about 150 employees from 50 a few years ago.

Current, former Hill staffers say centralized authority needed to modernize Congress https://federalnewsnetwork.com/congress/2022/06/current-former-hill-staffers-say-centralized-authority-needed-to-modernize-congress/ https://federalnewsnetwork.com/congress/2022/06/current-former-hill-staffers-say-centralized-authority-needed-to-modernize-congress/#respond Mon, 27 Jun 2022 17:18:09 +0000 https://federalnewsnetwork.com/?p=4123922 The upside to Congress’ decentralized nature is that innovation can come from anywhere. The downside is that coordinating those innovations is hard.

Current and former Hill staffers say technology can and has solved many common problems for members of Congress, but they want to see members tap into more commercial-friendly platforms and give centralized authority to bodies like the Bulk Data Task Force, or the House Digital Service.

Stephen Dwyer, senior adviser to House Majority Leader Steny Hoyer (D-Md.), pointed to solutions such as the Dome Watch and Dome Directory mobile apps, created by the office to help members of Congress, their staff and the public better track movements on the House floor. The 13-year-old private intranet DemCom for House Democratic staff was also redesigned last year with expanded access for Senate staff, mobile functionality and a bigger database of information.

But custom-built systems for “uniquely Congressional purposes,” as Dwyer said, are not all that’s recommended. He told the House Select Committee on Modernization last week that the programs are representative of what is possible when the legislative body coordinates its technology efforts, but that this requires in-house digital staff for each office. He recommended hiring digital aides with programming and development skills for every member, in addition to more traditional political science and communications staffers.

“There’s just so much more that they need to do, even versus five, 10 years ago when I was in a congressional office,” Dwyer said. “A lot of that is in digital communications. Every office needs to not just take a bunch of pictures and post them on Twitter and Facebook but they have to do more technical Facebook Lives, they’ve got to take their boss live, there’s a lot of technical tasks that didn’t exist many years ago.”

But Dwyer said Congress needs to recognize the demand for these workers and compensate them appropriately. The House is raising its staff salary floor to $45,000, after essentially a decade-long pay freeze and record inflation made it difficult to attract and retain employees.

One of the Modernization committee’s recommendations last Congress was to create a common committee calendar portal to reduce scheduling conflicts. Vice Chairman William Timmons (R-S.C.) asked witnesses for suggestions to get the ball rolling on what he said could have a big impact on members and staff. Reynold Schweickhardt, Lincoln Network senior adviser, said one issue is that between the House clerk, the chief information officer and the committees themselves, there is no clear button to push for technology needs. As such, another recommendation was to clearly assign responsibility for the legislative product.

“I think the other challenge that I alluded to is there’s no gatekeeper for scheduling projects. The CIO, they may be working on five to 10 projects, so they tell you they’re working on your project and they are, but they’re sort of shuffling things back and forth,” said Schweickhardt, who served at the Committee on House Administration for 13 years and the Government Publishing Office for eight years. “Versus a program-management kind of functionality that says, ‘What are the three things we want to accomplish in the next couple of months? Let’s knock ‘em out. Let’s figure out what the next set of important things are.’”

Dwyer said the foundation is laid. For several years, House rules have required all committees to post hearings and testimony in a central place, putting the body ahead of the Senate, but amplifying that with a more consumer-friendly version would help, he said.

Melissa Dargan, co-founder of AppMy LLC and a former Hill staffer, seconded the use of funds for a centralized scheduling platform. It’s a problem she tried to tackle when she launched the TourTrackr app to better manage constituent tour requests.

“From constituent tour requests to flown flag purchases, these important responsibilities were tracked using printouts, binders and Excel spreadsheets. It was a fragmented, inefficient process. At the time, there were no digital alternatives that House offices were approved to use. So while these tasks seemed easy, they were tedious, repetitive and time consuming,” she said, adding that technological innovation does not need to come at the expense of security.

“I respect and understand that the House has high standards for new tech approval. Protecting security and personal identifiable information are critical to ensure the integrity of the institution. That said, upholding those priorities and creating a welcoming environment for new tech products can be done simultaneously,” Dargan said.

Agencies are on the clock for zero trust; a tailored SSE strategy can help https://federalnewsnetwork.com/commentary/2022/06/agencies-are-on-the-clock-for-zero-trust-a-tailored-sse-strategy-can-help/ https://federalnewsnetwork.com/commentary/2022/06/agencies-are-on-the-clock-for-zero-trust-a-tailored-sse-strategy-can-help/#respond Fri, 24 Jun 2022 18:40:35 +0000 https://federalnewsnetwork.com/?p=4119532  

Ever since the Biden administration’s 2021 cybersecurity executive order, federal agencies have been on the clock to onboard zero trust architectures (ZTA) into their information technology environments.

The most recent deadline is two years away. Office of Management and Budget guidance from January 2022 asks agencies to meet the five pillars of the Cybersecurity and Infrastructure Security Agency’s zero trust model by September 2024.

While this request may seem daunting, ZTA deployment does not have to be an arduous migration of talent, technology and resources. Federal leaders can start with targeted approaches that tackle one aspect of zero trust at a time, such as endpoint risk posture or internet access, to better mitigate evolving cyber threats and gain visibility into, and control over, their networks.

There are several small steps agencies can take to lay the foundation for zero trust, most notably deploying solutions that monitor users and endpoints.

Security Service Edge (SSE), a framework that converges critical security capabilities, provides a blueprint of the types of cloud-delivered solutions required for zero trust. Each product addresses a piece of the puzzle to ensure sensitive data is protected while enabling productivity.

Securing endpoints and web usage

One component of SSE is mobile endpoint security. Agencies already maintain government-issued device inventories with management tools, but those tools only push updates; they do not assess risk. To grant access without adding risk, and to detect and respond to modern threats, agencies need to continuously monitor the risk level of those endpoints, whether that comes from the device’s operating system, the apps installed or the network it is connected to.

The adjacent capability an organization needs for zero trust is to protect against web-based threats. This is where secure web gateway (SWG) comes in, monitoring internet traffic to ensure malicious content doesn’t enter your networks. Many of these attacks are now targeting mobile endpoints as users increasingly rely on these devices for both work and life.

Establishing micro-segmentation

While low-risk endpoints should be given access too, that connection does not need to be network-wide. Their risk levels fluctuate constantly, which means access needs to be dynamic. By establishing controls that limit availability by user identity and device, enterprises can subdivide their network with a process called micro-segmentation.

Micro-segmenting means that, even when a device and user are cleared for access, their connection to apps and data is restricted. So in the event of an insider threat, a compromised account or an accidental risky action, the damage is limited.

SSE technologies leverage context-based telemetry such as user authentication, device, location, time of day and the requesting device’s risk posture. With this visibility, agencies can build policies that are enforced dynamically based on those factors.
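The two sections above describe a per-request access decision that weighs user authentication, device risk posture, location and time of day, and then narrows the session to a micro-segment rather than the whole network. The following Python is an added illustration of that decision logic, not code from the author, from Lookout or from any SSE product; the risk thresholds, the app sensitivity table, the allowed-country set and the business-hours window are constructed assumptions chosen to show how the same device can be granted a broad scope at one moment and a narrower one later as its posture changes.

```python
"""Context-based access decision with micro-segmented scope (illustrative).

All thresholds and the application inventory below are constructed for the
example; a real SSE policy engine would source them from agency policy and
live endpoint telemetry.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet


@dataclass(frozen=True)
class AccessRequest:
    """Telemetry gathered at request time (constructed field set)."""
    user: str
    mfa_verified: bool          # user authentication signal
    device_id: str
    os_patched: bool            # device posture: OS up to date
    untrusted_apps: int         # device posture: sideloaded/unknown apps
    on_trusted_network: bool    # network the device is connected to
    country: str                # location signal
    requested_at: datetime      # time-of-day signal
    app: str                    # resource the user is trying to reach


@dataclass(frozen=True)
class Decision:
    allow: bool
    scope: FrozenSet[str]       # apps this session may reach (the micro-segment)
    reason: str
    device_risk: str


# Constructed application inventory with a sensitivity tier per app.
APP_SENSITIVITY = {
    "wiki": "low",
    "email": "medium",
    "hr-portal": "high",
    "finance": "high",
}
ALLOWED_COUNTRIES = {"US"}          # assumption: agency only serves domestic users
BUSINESS_HOURS = range(7, 19)       # assumption: 07:00-18:59 local time


def device_risk(req: AccessRequest) -> str:
    """Collapse device posture signals into low / medium / high (constructed scoring)."""
    score = 0
    if not req.os_patched:
        score += 2
    score += min(req.untrusted_apps, 3)
    if not req.on_trusted_network:
        score += 1
    if score == 0:
        return "low"
    if score <= 2:
        return "medium"
    return "high"


def session_scope(risk: str, when: datetime) -> FrozenSet[str]:
    """Micro-segment: the set of apps reachable given current risk and time of day.

    Lower posture or off-hours access shrinks the segment instead of
    denying everything, which is the 'dynamic access' the text describes.
    """
    in_hours = when.hour in BUSINESS_HOURS
    permitted = set()
    for app, tier in APP_SENSITIVITY.items():
        if tier == "low":
            permitted.add(app)
        elif tier == "medium" and risk in ("low", "medium"):
            permitted.add(app)
        elif tier == "high" and risk == "low" and in_hours:
            permitted.add(app)
    return frozenset(permitted)


def evaluate(req: AccessRequest) -> Decision:
    """Hard gates first (MFA, location, high-risk device), then scope the session."""
    risk = device_risk(req)
    if not req.mfa_verified:
        return Decision(False, frozenset(), "MFA required", risk)
    if req.country not in ALLOWED_COUNTRIES:
        return Decision(False, frozenset(), "location not permitted", risk)
    if risk == "high":
        return Decision(False, frozenset(), "device risk too high", risk)
    scope = session_scope(risk, req.requested_at)
    if req.app not in scope:
        return Decision(False, scope, f"{req.app} outside session scope", risk)
    return Decision(True, scope, "granted", risk)


if __name__ == "__main__":
    # Same user and device, evaluated twice as posture and time change.
    healthy = AccessRequest("alice", True, "dev-1", True, 0, True, "US",
                            datetime(2022, 6, 24, 10, 0), "finance")
    degraded = AccessRequest("alice", True, "dev-1", True, 1, False, "US",
                             datetime(2022, 6, 24, 22, 0), "finance")
    for r in (healthy, degraded):
        d = evaluate(r)
        print(f"{r.app}: allow={d.allow} risk={d.device_risk} scope={sorted(d.scope)} ({d.reason})")
```

Running the block shows the point of the section: the first request to `finance` is granted with the full segment, while the same device on an untrusted network, off hours and with one unknown app is rated medium risk and its session shrinks to `wiki` and `email`, so the `finance` request is refused without cutting the user off entirely.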

Protecting data no matter where it resides

To keep data secure while enabling telework, agencies need the ability to secure activity across all apps, whether they are in the cloud or on premises. SSE technologies like SWG, cloud access security broker (CASB) and zero trust network access (ZTNA) serve as a security guard between the user and what they need to access, by monitoring for malware, evaluating user and endpoint risk postures, logging user actions, enforcing security controls and more.

SSE becomes especially relevant as more agencies pursue multi-cloud environments. With IT environments varying based on technology and resources, agency leaders will have to assess their systems to determine which zero trust tools best fit their operations. Regardless, leaders need to ensure that the security platform they use considers the risk levels of users and their endpoints, and what types of data they need access to.

In addition to visibility and control, cybersecurity has been challenged by complexity as cloud apps and telework became the norm. To ensure your data is secure without adding extra operational burden, it’s critical that agencies look for SSE solutions that have a single policy engine.

Not only does a unified platform streamline operations for your security administrators, it makes secure access more efficient, so that workers can seamlessly connect to what they need, whether it’s in the cloud, inside data centers or on the internet.

By converging security capabilities, SSE protects data without hindering productivity — exactly what ZTA sets out to do. 2024 is closer than it seems. I recommend agencies explore the different components of SSE and find a platform that can protect data no matter where their users reside.

Tony D’Angelo is vice president for the public sector at Lookout.

CISA advisors recommend agency cut onboarding time to 90 days (https://federalnewsnetwork.com/hiring-retention/2022/06/cisa-advisors-recommend-agency-cut-onboarding-time-to-90-days/), Wed, 22 Jun 2022

The Cybersecurity and Infrastructure Security Agency is looking to streamline and speed up its hiring process based upon a suite of recommendations from agency advisors who found CISA is not moving quickly enough to address a critical dearth of cyber talent.

CISA’s Cybersecurity Advisory Committee approved its first tranche of recommendations during a meeting Wednesday. The federal advisory committee met for the first time late last year. The personnel recommendations approved during the latest meeting were issued by the “Transforming the Cyber Workforce” subcommittee, led by Mastercard Chief Security Officer Ron Green.

The subcommittee is recommending CISA conduct “a comprehensive review of its current workforce and talent needs to ensure that it is properly aligned with the agency’s strategic goals and future growth.” It is also urging CISA to cut in half the amount of time it takes to onboard job applicants and expand the agency’s recruiting efforts to a wider swath of potential candidates.

CISA Director Jen Easterly praised the subcommittee’s work and said she would consider the recommendations over the next 90 days. The agency will then produce an action plan that sketches out a path forward for the recommendations it adopts.

“I like the ambition,” Easterly said during Wednesday’s meeting. “I like the audacious nature of some of them.”

The committee acknowledges recent strides CISA has made in its hiring process, including the agency’s use of the new Cyber Talent Management System (CTMS). But it is urging CISA to “move with far greater speed and urgency” in improving its talent acquisition processes.

“The process is lengthy and difficult to navigate both internally and externally, and therefore places CISA at a tremendous disadvantage relative to private sector employers for this critical and highly sought-after talent pool,” the report states.

The committee is recommending CISA set a goal of 90 days for a cybersecurity candidate to go from offer to onboarding. The process currently takes an average of 198 days at CISA, according to the report.

Additionally, the committee is urging CISA to “move away from a rigid, inflexible job classification system to a flexible, adaptable, pool-based talent management approach better aligned with organizational needs and career paths for experienced professionals.”

CISA is already in the process of hiring a “chief people officer,” Easterly confirmed. The new position will work with agency leadership “to advance a unified approach to talent acquisition, establish workforce development priorities, and ensure alignment with professional career paths,” according to the advisory committee’s report.

“The CSAC strongly supports CISA’s current plans to do this,” it adds.

The panel is also recommending CISA develop “a systemic approach to collecting and analyzing data on candidate pools and hiring processes to benchmark, monitor and improve hiring cycles, using an organizational chart to monitor time to fill, time to hire, source of hire, recruitment funnel effectiveness and diversity of candidate slate metrics.”

Other reports have highlighted the lack of good data as a barrier to the government’s cyber and IT personnel management.

During the meeting, Easterly said CISA needs more innovative hiring ideas. She also acknowledged the slow start of the CTMS. The talent system was launched in November following years of development. Last month, FCW reported that just one employee had started working under CTMS.

“It has had a slow start because it’s a brand new way of managing people. It’s an entire entirely different system,” Easterly said. “But we’re now starting to get our bearings and are starting to up the number of people we’re giving offers to.”

Remote and telework positions at CISA

One of CISA’s greatest strengths with hiring is its flexibility on location, according to Easterly. She said nearly 2,000 CISA positions are either remote or telework-eligible. CISA’s total workforce is approximately 2,500 employees, according to budget documents.

Easterly asked the workforce subcommittee to also take a closer look at recommendations around remote work and telework.

“I think it’s terrific, it really helps with recruiting,” Easterly said. “But as we allow for this important flexibility in our workforce, I want to make sure that we are in fact instilling the culture that we need to be successful, and that we are all embracing the values and the principles that define the culture that we’re at CISA.”

Security clearance hurdles

The panel also identified the security clearance process as a major sticking point in speeding up hiring for CISA. “The subcommittee heard consistently that the current, unpredictable suitability process is unnecessarily cumbersome and time-consuming, which is a significant obstacle to hiring,” the report states.

The panel is recommending CISA conduct a “thorough review of the interagency security clearing process to identify paths to streamline and speed up this critical path for CISA candidates.”

Easterly asked the committee to dive further into the security clearance issue as well. She says CISA is taking a look at all of its open job positions to make sure clearance requirements aren’t an unnecessarily high bar.

“We’re very much scrutinizing all of our open jobs to make sure if they really do need a level of clearance,” she said. “Not all need a [Top Secret] clearance.”

National cyber workforce plans

In addition to addressing its internal workforce challenges, the panel also says CISA must play a “key role” in building the national cyber workforce. “The agency’s future depends on it,” the report states. “There is a significant gap in availability of skilled cybersecurity professionals compared to the rapidly growing need.”

Cyberseek, a public-private partnership, estimates there are some 700,000 unfilled cybersecurity positions nationwide. That includes nearly 40,000 unfilled positions in the public sector.

The committee is recommending CISA focus on education, including by supporting a virtual National Cyber Academy, akin to a digital West Point, where attendees could participate in a “CISA Cadet Track” leading to a traditional degree along with a commitment to work at the agency.

The panel is also recommending CISA work with members in the Joint Cyber Defense Collaborative to establish a “Cyber Force” pilot program involving “tours of duty” at the agency. The JCDC was established last year. Its members include several major technology and cybersecurity firms.

“JCDC members should loan out top security practitioners/volunteers for a one-to-two-year tour of duty before returning to the private sector as designated CISA Liaisons to facilitate ongoing public-private collaboration such as threat sharing, especially during ‘Shields Up’ initiatives and cybersecurity crises,” the committee’s report states. “To further incentivize broad participation in this program, the CSAC recommends that CISA support legislation to offer tax credits and other similar benefits to participating organizations.”

The Office of the National Cyber Director at the White House is developing a national cyber workforce strategy, which will include CISA. The advisory committee says its ideas “align with their initial thinking.”

USDA has been trying to consolidate 17 networks for a decade, now it has the money to do it (https://federalnewsnetwork.com/it-modernization/2022/06/usda-has-been-trying-to-consolidate-17-networks-for-a-decade-now-it-has-the-money-to-do-it/), Wed, 22 Jun 2022

Gary Washington is trying to do something at least four other Agriculture Department chief information officers have promised to do, but came up well short.

The difference this time as USDA tries, once again, to consolidate 17 disparate networks into one is Washington has real funding.

USDA will receive $64 million from the Technology Modernization Fund Board for this project. This was USDA’s fifth award under TMF.

The TMF Board made two other awards on June 21 as well, giving the Homeland Security Department $26.9 million to modernize its Homeland Security Information Network (HSIN) and $3.9 million to the Federal Trade Commission to procure a security operations center-as-a-service (SOCaaS) in order to implement a zero trust architecture.

The board has made 14 awards since receiving $1 billion from the American Rescue Plan Act in 2021. It still has more than $650 million left in the account. The Office of Management and Budget and the General Services Administration on June 16 committed to spending $100 million on customer experience projects that cut wait times for public-facing federal services, as well as excessive paperwork and other barriers.

While DHS signaled its desire to update HSIN in an April request for information and the FTC’s move to zero trust is part of the Biden administration’s overall push to improve cybersecurity, the USDA award is what Congress created the TMF for in the first place — to give agencies a boost to get over the modernization hump.

“This investment will be used for the USDANet startup costs that reduces the number of USDA-owned and operated networks from 17 to 1 and will result in $734 million in estimated costs savings/avoidance,” the TMF website states. “The lowered total cost of ownership by the USDA means Mission Areas can allocate greater portions of their IT spending from basic infrastructure to public-facing applications that promote conservation, goodwill, and optimization of resources.”

Washington said at an ACT-IAC event on June 14 that this effort will be done through the Enterprise Infrastructure Solutions (EIS) vehicle run by GSA.

Gary Washington is the USDA chief information officer.

“We have submitted our project plan. We’ve been working with our contractor, and we’re aggressively working toward meeting the milestones that we have to set,” Washington said during the panel discussion on EIS. “We had approximately 54% disconnect rate, currently, so we’re going try to aggressively get that up. But the primary thing is we’re going to transition to a managed service model, where we can, like modernize the network periodically like we’re supposed to. It provides better service because we’re all over the country, and we have a national presence as well.”

USDA awarded Lumen a task order under EIS in January that could be for as much as 11 years and could be worth $1.2 billion.

One of the key factors for the TMF Board to make an award is whether the agency has an existing project and contract in place.

Long-running challenge at USDA

Previous attempts to consolidate and modernize USDA’s networks have struggled, but not for lack of trying or will. For example, in 2011, then-Secretary Tom Vilsack — who is back as secretary today — approved a report detailing 379 recommendations for improving agency operations and saving administrative money to reinvest into citizen services.

Washington even called in the IT Centers of Excellence in 2018 to help wrangle these networks and move applications to the cloud. While the IT CoEs helped the agency move more applications and systems to the cloud, Washington said EIS gives them an opportunity to rethink how their supporting infrastructure supports their cloud environment and cloud strategy.

“It’s going to really happen, and I’m going make sure I will be here to make sure it does happen,” Washington said about the network consolidation. “We were very excited about that. Our leadership is excited about it. Actually, I briefed the secretary on this last week. So it’s just really a matter of getting our equipment and making sure that we would pick up the pace in terms of actually implementing this solution. We’ve got a lot riding on this.”

As for the investments at DHS and FTC, the board continues to signal its desire to choose projects that could have broad impacts on users or on demonstrating how something could work.

DHS released an RFI to modernize HSIN in April, seeking industry feedback on how to take the current platform from complex, costly and not optimized for cloud-based and mobile features to one that better supports end-users and rapidly addresses threats to homeland security.

“DHS looks to redefine information accessibility and build a modern, comprehensive information sharing platform using cloud-based technologies to increase speed, mobility, and access to unclassified information,” the RFI stated.

Cloud native, modern tools

With the TMF money, DHS says it will “rebuild its information sharing system as a cloud native platform with modern tools and technologies. The new platform will be capable of scaling up to meet peaks in demand during times of emergency while also offering significant new features including improved access and security; better content sharing and discoverability; and greater emphasis on connecting HSIN’s partners to each other for closer collaboration. DHS will also use the TMF investment to build a platform that is more responsive to a post pandemic work environment for users with easy and secure access on mobile platforms and other devices.”

DHS expects the extra money to accelerate its modernization effort to create a system that is more flexible, offers a better user experience and costs less.

The board’s award to the FTC — its fourth specifically around zero trust — is almost a proof-of-concept that other small agencies could take advantage of.

The FTC will use the extra funding to replace its existing security operations center that is built for government-operated data centers and has trouble scaling to address growing cyber threats.

“[T]he FTC will expedite its SOCaaS implementation using security services and trusted cloud service providers to host sensitive FTC data. This comprehensive approach will greatly reduce the risk of bad actors executing a ransomware or other cyber attack,” the TMF website stated. “It will also reduce the number of man hours currently expended to respond to indicators of cyber incidents. These hours could then be repurposed to continue improvements to the agency’s many operational systems for merger filing review and reporting of fraud. The agency is collaborating on this effort with other federal cyber security leaders, including the Department of Homeland Security, to share best practices.”

Raghav Vajjhala, the FTC CIO, said in July 2021 that half of all of its systems and applications are in the cloud and that the agency is upgrading its network to be software-defined. These modernization efforts need a modern security architecture, he said.

Creating a safe space for IoT (https://federalnewsnetwork.com/technology-main/2022/06/creating-a-safe-space-for-iot/), Tue, 21 Jun 2022

IoT Security Month — June 21, 2022

The innovative world of the Internet of Things means industry and government can build things better, stronger and faster. They can gather more information and quickly integrate it. However, there is a price to moving that much data around at that speed: it also means keeping pace with security concerns in a sophisticated, quickly evolving environment. The environment of cloud storage and remote sensors is under constant cybersecurity threat.

“It’s definitely a balancing act between using the latest technologies, but also making sure they’re secure at the same time,” Tim Mierzwa, enterprise strategy lead for the information technology resources branch at the National Center for Advancing Translational Sciences (NCATS), said on Federal Monthly Insights — IoT Security. NCATS uses IoT to create biological and chemical profiling that aids in the development of drugs and treatments in the medical field.

“From a clinical perspective, you can gather all sorts of health metrics from heart rates, or insulin levels, things like that. And, you do need to sort of minimize or anonymize that data as well. Because that data in the wrong hands can definitely be very dangerous,” Mierzwa said on Federal Drive with Tom Temin.

NCATS has seen steady growth since its inception in 2012, according to Mierzwa. Starting small and growing meant it only got big enough to form its own cybersecurity division in 2019. As the center moved forward with developing new technologies, the security team had to move fast to keep up and keep data secure. That meant developing protocols and governance plans to safeguard large amounts of data containing personal information.

At FEMA, IoT sensors send information that allows the agency to move with greater speed and accuracy in emergencies. For example, AT&T provides a service called FirstNet for first responders.

“I get signal on FirstNet in garages where my T-Mobile personal phone has no hope of working. So, you know, the utilization of being able to have a robust network like that, that can handle communications for all these devices is critical to what we do,” said James Rodd, cloud portfolio manager at FEMA.

“Security is a massive concern for us. Obviously, responding to emergencies, the last thing we want to happen is some kind of security attack that would prevent us from doing that,” Rodd said. While keeping up with protocols is a constantly evolving process, he said sometimes nothing is more important than remembering the basics.

“One of the most critical things that we tend to not pay enough attention to is your baseline updates and stuff like that, like just making sure that your mobile devices are updated to the latest firmware, that you’re aware of any security,” he said.

Part of the network that FEMA relies on involves sensors in remote areas. Those sensors can detect floods and wildfires, sometimes before anyone on the ground has noticed a problem. As those networks grow, their security also has to improve and keep evolving.

“Unfortunately, in FEMA, sometimes we kind of silo ourselves because we’re responding to an incident. And we put procedure and policy and effect and then find out that it doesn’t meet the requirements of our executive order or whatever, zero tolerance. And then we have to go and kind of backwards engineer our solution, which we’ve already been utilizing. I hate to say it, but when do we find out that it’s not good, usually during an audit, you know, and that’s not a good time to be finding out. So I would definitely say, networking is a huge factor and making sure you go to the sources,” Rodd said.

CISA provides agencies with long-awaited cloud security guidance
https://federalnewsnetwork.com/cybersecurity/2022/06/cisa-provides-agencies-with-long-awaited-cloud-security-guidance/ Fri, 17 Jun 2022 11:28:28 +0000

The Cybersecurity and Infrastructure Security Agency has released new guidance for applying modern network security practices across multiple cloud computing scenarios. It’s another evolution in a years-long effort to make it easier for agencies to securely adopt cloud services.

CISA published the draft Trusted Internet Connections (TIC) 3.0 Cloud Use Case on Thursday. CISA is accepting comments on the draft document through July 22 before it works toward publishing a final version.

In a blog post, CISA Executive Assistant Director for Cybersecurity Eric Goldstein wrote that the use case builds upon last May’s cybersecurity executive order and CISA’s Cloud Security Technical Reference Architecture. An initial version of the “TRA” was published last fall.

“With the appetite for cloud guidance growing, this new CISA resource will help federal agencies effectively leverage applicable aspects of the Cloud Security TRA and work to achieve a mandate in the EO for secure cloud services,” Goldstein wrote.

The cloud use case has been highly anticipated since the White House Office of Management and Budget rescinded previous TIC policy and directed CISA to update the TIC initiative nearly three years ago.

The September 2019 memorandum from then-Deputy Director for Management Margaret Weichert identified previous requirements for agencies to flow traffic through a physical TIC access point as “an obstacle to the adoption of cloud-based infrastructure.”

Her memo directed CISA to publish TIC use cases to identify alternative security controls for scenarios when traffic is not required to flow through a TIC access point. The cloud use case is the final product to drop in the TIC 3.0 series. CISA has already published the Traditional TIC Use Case, Branch Office Use Case, and Remote User Use Case.

Ross Nodurft, former head of OMB’s cyber team and executive director of tech industry group Alliance for Digital Innovation, welcomed the new CISA guidance, calling it a “policy release valve” for agencies looking at cloud security architectures beyond the old TIC access points.

“It’s been a very long time coming,” Nodurft said. “And I’m frankly, I know a lot of the agencies have been asking for it, because it provides a bunch of different iterations of what architectures could and should look like.”

The document covers security considerations across Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), Software-as-a-Service (SaaS), and Email-as-a-Service (EaaS) deployments.

“This guidance also incorporates cloud-specific considerations, such as the shared services model and cloud security posture management principles outlined in the Cloud Security TRA,” Goldstein wrote in his blog. “Another unique aspect of this use case is that it was written from the vantage point of cloud-hosted services, as opposed to from the vantage point of the client accessing these services.”

It further breaks the guidance down into different “security patterns,” such as when an agency campus network connects with a cloud service provider versus when a remote user connects to cloud resources.

The idea is to give agencies more clarity on how they can securely adopt cloud services, especially after last May’s executive order directed agencies to “accelerate the move to secure cloud services.” OMB has also directed agencies to start adopting zero trust architectures by, in part, leveraging the security features in cloud services.

“While this use case can be leveraged as agencies move towards Zero Trust Architectures, implementation of zero trust requires additional controls, additional rigor of applying security capabilities, and measures beyond those detailed in this use case,” the use case document states.

Nodurft said another important advancement in the cloud use case is the discussion around telemetry, or network data collected to detect cyber threats. TIC access points have traditionally collected telemetry data.

The guidance states that agencies should track access to “all agency data and applications in the cloud and analyze all access events for suspicious behaviors,” while noting that many cloud service providers have capabilities in place for logging, monitoring and analysis of telemetry data.

“We want to start talking to the agencies about what type of telemetry data we can capture, given the security tools and security capabilities you guys are employing in your security architectures,” Nodurft said. “And then what does that look like from a centralized log aggregation repository? Are we are we going to really finally be able to have a centralized view from CISA and are agencies going to be able to then use that same telemetry information to look at their own security networks in a new way?”

After a long-term study, evidence-based decisions need trustworthy data
https://federalnewsnetwork.com/open-datatransparency/2022/06/after-a-long-term-study-evidence-based-decisions-need-trustworthy-data/ Thu, 16 Jun 2022 16:54:10 +0000

In the push for evidence-based decision making, data-driven studies are scrutinized more and more at federal agencies. Long-term studies that rely on multiple stakeholders are vulnerable to environmental changes, technological barriers and personnel cooperation — all of which affect the data.

Trust underpins evidence-based innovation, but for Teri Caswell, a broadband program specialist at the National Telecommunication & Information Administration, all parties still need to agree on their definition of trustworthiness.

“Is the evidence that’s been provided or sought after trusted because it’s been tried and true? Is it trusted because of the community and the audiences of the people who are touching it or defining it, or presenting it?” she said as part of the Performance Institute’s 2022 Government Performance Summit on Wednesday. “I personally believe that if I am part of a compilation of evidence or artifact that has been and there’s a delineation there as well, but if I can present it once and then, when asked, present it again in a different labeling, packaging, compilation — however you want to phrase it — it still has to be trusted.”

In other words, context matters.

Trust is also important to Shonda Mace, a project manager in the Texas General Land Office’s Community Development and Revitalization program who has experience working with FEMA and the federal Department of Housing and Urban Development on long-term disaster recovery. Since Hurricane Harvey in 2017, her office has been conducting regionalized flood studies, which she said were deliberately regionalized because local communities often do not communicate with each other, sometimes because of a lack of trust. Her team has to be the reliable go-between.

“So one big thing we’re doing is we’re working with not just the communities, but also other state agencies, and federal agencies to break down silos and work together,” Mace said. “If you don’t have the trust amongst the other agencies and your partners, if you don’t have the trust in most communities, you’re not going to get the information you need to move this project forward.”

With long-term studies, it can be difficult to keep all stakeholders engaged over time. Mace said communities want fast answers and, after a natural disaster has passed, the energy for impact studies can fade. She said it takes a balance of not exhausting stakeholders with outreach but also not waiting so long between outreach that they forget about the study altogether. While multiple agencies in Texas are conducting studies similar to those of her team, they must be careful not to duplicate efforts funded by federal dollars or else relinquish that money.

Caswell added that there should be client knowledge management in the background of long-term studies. Worldly and environmental considerations can change over the course of the study, such as budget cuts, political shifts or another entity assuming responsibility for the program area.

“The positive side of that is, the more willing we are to look at evidence-based criteria to drive innovation, we should be seeking more than one or even 100 inputs to that innovation design, lest we become, a reputation of doing things in a vacuum and we didn’t consider 80% of our benefactors,” she said.

Her recommendation was to track the key words and phrases that change over the course of multi-year studies, a vocabulary list or checklist of sorts, to maintain some level of consistency in the data so that questions are adequately answered by the end.

She also spoke to the question of whether or not to share information as you go, as opposed to waiting until the end of a study to show stakeholders the data. The anecdotal knowledge of subject-matter experts or senior advisors can potentially add value to a report headed to an elected official, but it may be hard to digitize. In this case, Caswell said, it helps to take an iterative approach to informing stakeholders and reviewing the study with them before completion.

“I am done with the days of writing a summary report before we’ve even looked at the data. Let’s get it on a paper, let’s get it on report, get people around our camera or table, whatever it takes, and start recognizing what it does look like and are we on the correct path? And if we’re not, there’s your first [knowledge management] piece, right?” she said. “We went this way to prove or disprove the hypothesis, we’ve got a course correction we need to affect, we’re notifying all parties, we’re having a conversation, and we’re building the trust in the process, not just the report.”

However, she said, a major consideration that complicates data collection from stakeholders is the technological requirements involved when partnering with federal agencies. Normalizing technology at the federal level takes a long time, and as cybersecurity requirements increase, so do the potential obstacles for stakeholders submitting data for studies. Mace’s office encountered this on its contract with the Army Corps of Engineers to review modeling. Sharing large files via Box or SharePoint was no longer an option because USACE’s file-sharing system could not handle files of that size.

Yet, the Texas General Land Office saw this as an opportunity to innovate. Mace said the GLO is working on a new Texas Disaster Information System with the University of Texas and Texas A&M University, “where our vendors can put models into there and USACE can go in and access them and get and get those models.”

Coast Guard cyber expert says ransomware attack on federal agency is more than likely
https://federalnewsnetwork.com/federal-newscast/2022/06/coast-guard-cyber-expert-says-ransomware-attack-on-federal-agency-is-more-than-likely/ Thu, 16 Jun 2022 16:29:50 +0000

To listen to the Federal Newscast on your phone or mobile device, subscribe in PodcastOne or Apple Podcasts. The best listening experience on desktop can be found using Chrome, Firefox or Safari.

  • The House Appropriations Committee released its draft Homeland Security funding bill. It would provide $615.8 million to support the Transportation Security Administration’s pay equivalence initiative. The Cybersecurity and Infrastructure Security Agency may be in line for another big budget increase. The spending bill includes $2.9 billion for CISA. That’s $334 million above CISA’s 2022 budget and $417 million more than the Biden administration’s request for the agency. CISA has seen a steady increase in funding over the last several years as lawmakers respond to cyber threats to both government and the private sector. The bill will be considered in subcommittee today.
  • The Federal Emergency Management Agency is taking a hard look at its workforce requirements. FEMA is doing a deep dive analysis of its staffing needs so it can start to plan for what has become a nonstop operational tempo for the agency. FEMA administrator Deanne Criswell told the House Homeland Security Committee that the increase in the rate of natural disasters has put a strain on the agency’s workforce. “We are taking a look right now at taking a step back at now that we have more of this year-long operational tempo instead of the peak that we have traditionally seen during hurricane season, of what does the future staffing model need to look like,” Criswell said.
  • Funding for two agency headquarters projects is coming into focus. The House Appropriations Committee, in its proposed financial services and general government spending bill, would give the General Services Administration another $200 million to continue work on a consolidated Department of Homeland Security campus at St. Elizabeth’s in Southeast D.C. The draft bill also gives GSA $500 million to build a new FBI headquarters in suburban Maryland or Virginia.
  • The Department of Veterans Affairs is looking to overhaul pay and hiring as part of a bill expanding veterans’ access to care. The Honoring Our PACT Act would give the VA up to $40 million a year to buy out the contracts of certain private-sector health care professionals in exchange for employment at rural VA facilities. The bill also expands merit awards and pay incentives for employees that have high-demand skills. The PACT Act also gives the VA 180 days to work with the Office of Personnel Management to establish standardized performance metrics for its human resources positions. The Senate expects a final vote on the bill later this week. (Federal News Network)
  • The IRS gets a $1 billion increase in a draft spending bill for fiscal 2023. The House Appropriations Committee, in its proposed financial services and general government spending bill, is calling for this money to largely go toward IRS enforcement and taxpayer services. This comes after Congress passed a fiscal 2022 omnibus spending deal that gave the IRS its largest spending increase in decades. The draft bill directs the IRS to maintain an employee training program focused on taxpayers’ rights, dealing courteously with taxpayers, ethics and other topics.
  • The House makes its first proposal to fund technology modernization efforts. Even with all the letters and interest from industry associations, the House Appropriations Subcommittee on Financial Services and General Government isn’t convinced that it needs to fund the Technology Modernization Fund at the president’s request. The subcommittee allocated $100 million for the TMF in the draft version of its 2023 spending bill. The Biden administration requested $300 million for next year. The House and Senate zeroed out the TMF in 2022 after giving it $1 billion in the American Rescue Plan Act. The subcommittee is marking up the spending bill today.
  • House Democrats want to expand what telework means for federal employees. The Oversight and Reform Committee passed a bill, along party lines, that would include remote work under the larger umbrella of telework. Currently, remote work falls under a separate category for feds. The bill would include remote workers in its goal to improve training and management of federal telework programs. The committee also passed legislation to improve optional survey questions collecting data on LGBTQ+ individuals. And another bill looking to combat Census disinformation also passed the committee favorably.
  • Bipartisan House lawmakers want agency leaders to be more transparent in their actions. Reps. Don Beyer (D-Va.) and Chip Roy (R-Texas) introduced new bipartisan legislation. The bill would require agency heads to publicly share copies of their schedules and speeches. The Transparent Leadership Act gives agencies 30 days to publish information about meetings and events that they lead. Beyer says agency heads should be held accountable for being transparent on their actions, as they’re in a position to serve the interests of the public.
  • Nine House Republicans sent a second batch of letters to 12 agencies on Wednesday over concerns about President Joe Biden’s March 7 executive order. The Congressmen raised alarm bells about Biden’s lack of constitutional and statutory authority to enact the executive order promoting access to voting. The letter asks six questions from each agency about how they plan to implement the executive order, under what authorities and how they plan to protect employees from Hatch Act violations. The lawmakers want a response by June 29. The representatives received no response from agencies after sending the first letter on March 29 expressing similar concerns.
  • House appropriators are sticking with President Biden’s 2023 defense budget. The House Appropriations Defense Subcommittee is budgeting $761 billion for the Defense Department in 2023. That number is in line with what the Biden administration requested earlier this year. The appropriations are $32 billion more than what the subcommittee budgeted for 2022. The funds support a $15 minimum wage for contractors, $2.5 billion for investments in clean energy and additional assistance to Ukraine. Some critics are concerned that the budget is not big enough to take recent inflation rates into account and may hinder the Pentagon’s buying power.
  • The Navy has relieved five high-level officers over the past week. On Tuesday, the service took the commanding officer of the USS Preble off duty. The Navy also relieved the chief of Recruiting Training Command, the top officer and enlisted sailor of the USS Bulkeley and the commanding officer of Electronic Attack Squadron 137. The Navy has not given any further details into the staff changes except that the men were relieved due to a lack of confidence.
  • The Air Force is leading the Department of Defense in expanding its uses for artificial intelligence by training the workforce to become citizen developers with a broad understanding of AI. The citizen developers brainstorm potential ways to adapt AI to automate manually intensive processes, making them faster and more efficient. Winston Beauchamp, the deputy chief information officer at the Air Force, says citizen coders have developed 12 solutions and implemented five of them, including using AI for weather prediction in areas lacking weather radars.
  • The Hosting and Compute Center, or HaCC, at the Defense Information Systems Agency wants to be the “provider of choice” for Defense Department organizations. Director Sharon Woods said to do that, HaCC is prioritizing the customers over the technology itself. HaCC’s customer service experience focuses on agile customer relationships, self-service support, and resiliency. Woods said that philosophy is helping HaCC keep pace with changing technology to provide solutions for warfighters. (Federal News Network)
  • The Coast Guard’s Cyber Red and Blue Team Branch chief, Kenneth Miltenberger, says that a ransomware attack on a federal agency is probably coming soon. He says it is important to be prepared for such an outcome following recent attacks on Costa Rica by a Russian-tied group called Conti. Those attacks disrupted many of the Costa Rican government’s essential services. Miltenberger also says that, while programs like FedRAMP are good at protecting agencies from malicious actors, they do not protect against internal risks such as human error in setting up automation.
  • Federal risk management remains a growing skillset in the government but just how much does it need to grow? That is the question the Association of Federal Enterprise Risk Management is asking federal employees. AFERM released its annual survey seeking agency leaders to answer questions about the current state of enterprise risk management and any emerging trends. The deadline to take the survey is July 15. AFERM will release the results from this 8th annual survey at its ERM Summit in October.
DISA’s HaCC prioritizing customers over technology
https://federalnewsnetwork.com/defense-main/2022/06/disas-hacc-prioritizing-customers-over-technology/
Thu, 16 Jun 2022 11:58:58 +0000

The Hosting and Compute Center (HaCC) at the Defense Information Systems Agency wants to be the “provider of choice” for Defense Department organizations, according to Director Sharon Woods. To do that, HaCC is prioritizing the customers over the technology itself.

“So as HaCC started rolling out new products, it really became clear that it’s more than the products. It’s about great service to achieve that velocity of action,” Woods said during FCW’s June 15 DoD Cloud workshop. “And so to answer that call, not just for velocity of action, but dynamic change … we have to move quicker, we have to do more. And so the HaCC is designing a dynamic customer service experience for our cloud customers, the warfighter.”

HaCC is focused on getting the best possible value to the warfighter, as quickly as possible. Toward that end, its customer service experience consists of three components:

  • agile customer relationship management.
  • self-service support.
  • resiliency for the warfighter.

Agile customer relationship management is all about speed to capability. With the shift to focusing on near-peer adversaries, and with a constantly changing cyber threat environment, the requirements of warfighters are changing as well. It’s not enough to spend a year developing a solution and hope it works. DoD’s mission is too diverse and variable for that.

“We don’t start a project anymore, unless we can deliver some kind of minimal viable product within six months,” Woods said. “We’re very much focused on iterative micro-successes, not just so that we’re making progress, but that we’re making this incremental progress in a way that lets us pivot to user demand to respond to that continuous user feedback.”

One way HaCC is doing that is by using Salesforce to gather feedback and experience from its customers. It also reveals strategic alignments. Often the customer is not the only one having that same problem, but due to silos, no one else is aware of the others’ difficulties. So HaCC is using that experience data not only to inform its own processes and priorities, but also to build partnerships and coalitions.

For example, Woods said DoD’s infrastructure-as-code baselines were originally automated and pre-configured so that a cloud environment could be stood up quickly. The intention was to develop those baselines in the unclassified environments of AWS and Azure. But the feedback HaCC gathered showed that would not be enough, so it has added Google and Oracle to the baselines to meet customers’ demand for more vendors. It has also just pushed its first baselines into the classified environment, Woods said, something else customers said they needed.

“Had we not been focused on agile customer relationship management, I think we would have missed the boat on what the customer really needs and allowing the customer to drive where we’re going, and not guess,” Woods said. “And I think that’s something historically that the department can be better about. And we’re looking to continually partner with industry so that we can get your perspective on what you’re seeing in your engagement so that we can understand that collectively.”

In another example, Woods said HaCC just developed a new product: containers as a service. HaCC was looking for a simple, common problem to solve, and it settled on web servers. They have to be set up individually every single time, unless automation is involved. Often, that means manual processes on more than 1,000 different web sites, each one carrying the potential for human error.

So HaCC built a single hardened, containerized web server that is propagated automatically to all the others, so the security hardening is applied once and lands everywhere at the same time rather than being re-done by hand per site. HaCC was able to turn that around in less than six months. In fact, Woods said, it has already been piloted, and HaCC is already receiving and incorporating feedback.
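The security value of the approach above is that the hardened settings live in one template and every site is rendered from it, and that drift from the template can be detected mechanically instead of by eye. The following is an added example, not HaCC or DISA code; the nginx-style directives, the baseline settings, the hostname rule and the constructed sample configs are assumptions made for illustration.

```python
"""Render one hardened web-server baseline per site and check existing
configs for drift from it.

Added example, not HaCC/DISA code. The nginx-style directives, the baseline
settings and the sample configs below are assumptions/constructed.
"""
import re

# The hardened baseline. Every site gets exactly this with only the hostname
# substituted, so no per-site hand edits (and no per-site mistakes) are needed.
BASELINE_TEMPLATE = """\
server {{
    listen 443 ssl;
    server_name {hostname};
    server_tokens off;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;
    add_header Content-Security-Policy "default-src 'self'" always;
    root /srv/www/{hostname};
}}
"""

# Plain DNS hostname only: the single variable input must not be able to
# smuggle extra directives into the rendered config.
_HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$"
)


def render_site(hostname: str) -> str:
    """Produce the config for one site from the baseline template."""
    if not _HOSTNAME_RE.match(hostname):
        raise ValueError(f"refusing to render non-hostname value: {hostname!r}")
    return BASELINE_TEMPLATE.format(hostname=hostname)


# Each check: (finding label, predicate that is True when the config complies).
REQUIRED = [
    ("server_tokens must be off",
     lambda c: re.search(r"^\s*server_tokens\s+off;", c, re.M) is not None),
    ("only TLS 1.2/1.3 allowed",
     lambda c: re.search(r"^\s*ssl_protocols\s+TLSv1\.2\s+TLSv1\.3;", c, re.M) is not None),
    ("HSTS header missing", lambda c: "Strict-Transport-Security" in c),
    ("X-Content-Type-Options missing", lambda c: "X-Content-Type-Options nosniff" in c),
    ("X-Frame-Options missing",
     lambda c: re.search(r"X-Frame-Options\s+(DENY|SAMEORIGIN)", c) is not None),
    ("Content-Security-Policy missing", lambda c: "Content-Security-Policy" in c),
    ("plaintext listener present", lambda c: re.search(r"^\s*listen\s+80\b", c, re.M) is None),
    ("autoindex enabled", lambda c: re.search(r"^\s*autoindex\s+on;", c, re.M) is None),
]


def check_hardening(config: str) -> list:
    """Return the baseline violations found in one config (empty = compliant)."""
    return [label for label, ok in REQUIRED if not ok(config)]


def audit(configs: dict) -> dict:
    """Audit many site configs at once; only non-compliant sites are reported."""
    report = {}
    for name, text in configs.items():
        findings = check_hardening(text)
        if findings:
            report[name] = findings
    return report


# Constructed sample: a site that was set up by hand and drifted from the baseline.
DRIFTED_CONFIG = """\
server {
    listen 80;
    listen 443 ssl;
    server_name legacy.example.mil;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    autoindex on;
    add_header X-Frame-Options SAMEORIGIN;
    root /srv/www/legacy;
}
"""

if __name__ == "__main__":
    fleet = {"a.example.mil": render_site("a.example.mil"), "legacy": DRIFTED_CONFIG}
    for site, findings in audit(fleet).items():
        print(site)
        for finding in findings:
            print("  -", finding)
```

The rendered site passes every check; the hand-edited one is flagged on seven of the eight. Running the audit against the live configs on a schedule turns "someone forgot a header on one of a thousand sites" from an invisible risk into a ticket.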

That’s why Woods said HaCC devotes an entire team to understanding customer needs and feedback.

“It is time consuming to reach out to customers and really try and understand what’s going on. But what’s the point, unless you’re taking the time to really understand if what we’re doing is responsive to their needs?” Woods asked.

Meanwhile, HaCC turns to self-service support to enable and empower customers to solve their own problems. Automated password resets are one example now being adopted across DoD and industry. Woods said HaCC’s predecessor organization was doing manual password resets across a Microsoft 365 environment with more than three million users. She called it “horrifying.”

That’s why HaCC is making automation a major component of Stratus, DISA’s private cloud replacement for milCloud.
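Automating password resets removes the help-desk bottleneck, but a self-service reset endpoint exposed to three million users is also an account-takeover surface, so the token flow has to be right before it ships. The following is an added example, not HaCC, DISA or Microsoft 365 code and not a description of any DoD system; the in-memory store, the time limits, the throttle values and the sample accounts are assumptions.

```python
"""Self-service password reset done safely: the token flow that an automated
reset has to get right before it is exposed to millions of users.

Added example, not HaCC/DISA code and not a description of any DoD system.
The in-memory store, the time limits and the sample accounts are assumptions.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60        # reset links expire quickly
MAX_REQUESTS_PER_WINDOW = 3        # per-account throttle on reset mail
WINDOW_SECONDS = 3600
PBKDF2_ROUNDS = 100_000


class ResetService:
    def __init__(self, accounts, now=time.time):
        self._accounts = set(accounts)
        self._now = now                    # injectable clock for testing
        self._passwords = {}               # user -> (salt, pbkdf2 hash)
        self._pending = {}                 # sha256(token) -> (user, expires_at)
        self._requests = {}                # user -> recent request timestamps
        self.outbox = []                   # (user, token) handed to the mailer

    def _rate_limited(self, user):
        cutoff = self._now() - WINDOW_SECONDS
        recent = [t for t in self._requests.get(user, []) if t > cutoff]
        self._requests[user] = recent
        if len(recent) >= MAX_REQUESTS_PER_WINDOW:
            return True
        recent.append(self._now())
        return False

    def request_reset(self, user):
        """Same response whether or not the account exists, so the endpoint
        cannot be used to enumerate users. A token is minted only for a real,
        non-throttled account and delivered out of band (here: the outbox)."""
        if user in self._accounts and not self._rate_limited(user):
            token = secrets.token_urlsafe(32)            # 256 bits of entropy
            digest = hashlib.sha256(token.encode()).hexdigest()
            self._pending[digest] = (user, self._now() + TOKEN_TTL_SECONDS)
            self.outbox.append((user, token))
        return "If that account exists, reset instructions have been sent."

    def redeem(self, user, token, new_password):
        """Token must be unexpired, unused and bound to the account that asked."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.get(digest)    # only digests are stored server-side
        if entry is None:
            return False
        owner, expires_at = entry
        if self._now() > expires_at:
            self._pending.pop(digest, None)  # expired: discard it
            return False
        if not hmac.compare_digest(owner.encode(), user.encode()):
            return False                     # token was issued to someone else
        self._pending.pop(digest, None)      # single use: burn it before changing anything
        self._set_password(user, new_password)
        return True

    def _set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self._passwords[user] = (salt, self._kdf(password, salt))

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def verify_password(self, user, password):
        stored = self._passwords.get(user)
        if stored is None:
            return False
        salt, digest = stored
        return hmac.compare_digest(self._kdf(password, salt), digest)


if __name__ == "__main__":
    svc = ResetService(["alice"])
    print(svc.request_reset("alice"))
    user, token = svc.outbox[-1]            # would arrive by mail in practice
    print("reset accepted:", svc.redeem(user, token, "Correct-Horse-9"))
    print("replay accepted:", svc.redeem(user, token, "again"))
```

Four properties carry the security of the flow: the response never reveals whether an account exists, the server stores only a hash of the token so a leaked table is useless, the token is single-use and short-lived, and reset mail for one account is throttled so the endpoint cannot be used to flood a user. Any real deployment adds a second factor or identity proofing before the token is honored; the skeleton above is the minimum that automation must not skip.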

Finally, resiliency for the warfighter is an acknowledgement of two fundamental inevitabilities:

  1. Issues, especially catastrophic ones, will happen in any environment.
  2. DoD, because of its unique mission, is necessarily more prone to catastrophic issues.

That’s why everything has to be engineered with resiliency in mind. Woods compared it to Netflix’s Chaos Monkey, a tool Netflix deliberately ran in production to terminate instances at random and see whether its environment could withstand such failures. Because DoD’s mission makes catastrophic issues more likely, Woods said, it also demands resiliency: warfighters need to know that their cloud environment can withstand pressures.
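What a Chaos Monkey-style experiment actually checks is a stated steady-state hypothesis before and after a controlled failure injection. The following is an added example, not HaCC, DISA or Netflix code; the in-process service model, the success-rate threshold and the replica counts are assumptions chosen to make the experiment runnable offline.

```python
"""A minimal chaos experiment in the Chaos Monkey style: state the steady-state
hypothesis, kill random replicas, and check whether the hypothesis still holds.

Added example, not HaCC/DISA or Netflix code. The in-process service model,
the success-rate threshold and the replica counts are assumptions.
"""
import random


class Replica:
    def __init__(self, name):
        self.name = name
        self.alive = True

    def handle(self, request_id):
        if not self.alive:
            raise ConnectionError(f"{self.name} is down")
        return f"{self.name}:ok:{request_id}"


class Service:
    """Round-robin front end. With retry=True it moves on to the next replica
    when one fails, as a health-aware load balancer would; with retry=False a
    request that lands on a dead replica simply fails."""

    def __init__(self, replica_count, retry=True):
        self.replicas = [Replica(f"web-{i}") for i in range(replica_count)]
        self.retry = retry
        self._next = 0

    def serve(self, request_id):
        n = len(self.replicas)
        attempts = n if self.retry else 1
        for _ in range(attempts):
            replica = self.replicas[self._next % n]
            self._next += 1
            try:
                return replica.handle(request_id)
            except ConnectionError:
                continue
        raise RuntimeError("no healthy replica")


def success_rate(service, requests=200):
    """Steady-state measurement: fraction of requests that get a response."""
    ok = 0
    for i in range(requests):
        try:
            service.serve(i)
            ok += 1
        except RuntimeError:
            pass
    return ok / requests


def chaos_experiment(replica_count, kill, retry=True, threshold=0.99, seed=0):
    """Return (hypothesis_held, observed_rate).

    Hypothesis: success rate stays >= threshold while `kill` replicas are down.
    The experiment aborts instead of injecting if the system is already
    outside its steady state, so a failure is attributable to the injection."""
    rng = random.Random(seed)                 # reproducible choice of victims
    service = Service(replica_count, retry=retry)
    if success_rate(service) < threshold:
        raise RuntimeError("steady state not met before injection; aborting")
    for victim in rng.sample(service.replicas, kill):
        victim.alive = False                  # the "monkey" terminates instances
    observed = success_rate(service)
    return observed >= threshold, observed


if __name__ == "__main__":
    for replicas, kill, retry in [(3, 1, True), (3, 1, False), (3, 3, True)]:
        held, rate = chaos_experiment(replicas, kill, retry=retry)
        print(f"{replicas} replicas, {kill} killed, retry={retry}: "
              f"{'survived' if held else 'FAILED'} at {rate:.1%}")
```

Three replicas with retry survive the loss of one or two; the same three replicas without retry drop to roughly two-thirds success after losing one, and losing all three fails regardless. The experiment's value is exactly that last kind of finding: redundancy that is assumed but never exercised, discovered before an adversary or an outage exercises it.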

“We can’t just deliver good IT, that’s not good enough,” Woods said. “We have to deliver a dynamic customer service experience so that we’re not just delivering best value IT, but we’re doing it in a way that really matters for the customer, that’s solving their problems.”
