Cybersecurity - Federal News Network (https://federalnewsnetwork.com)

Crowdstrike outage: SSA shutters offices, other agency impacts
https://federalnewsnetwork.com/technology-main/2024/07/ssa-shutters-local-social-security-offices-due-to-global-it-outage/
Fri, 19 Jul 2024 16:13:43 +0000

Here's what we know about how a global IT outage, sparked by a faulty software update from cybersecurity firm CrowdStrike, is impacting federal agencies.

The post Crowdstrike outage: SSA shutters offices, other agency impacts first appeared on Federal News Network.

The Social Security Administration closed its field offices on Friday due to a global IT outage roiling companies and government agencies across the world.

In an alert posted to its website, SSA notified the public about the closures. On late Friday afternoon, an SSA spokeswoman told Federal News Network that the agency plans to re-open its field offices for public service on Monday, July 22.

“Staff impacted by the widespread Microsoft and CrowdStrike issues are being brought back online,” the spokeswoman said. “Our phone lines remain operational and many online services at ssa.gov remain available.”

The IT outage is linked to a flawed software update released by cybersecurity firm CrowdStrike. The defect affects computers running Microsoft Windows, effectively shutting them down with what’s referred to as the “blue screen of death.” CrowdStrike says the incident is “not a security incident or cyberattack.” The company also reports that a fix has been deployed.

U.S. Citizenship and Immigration Services also appears to be affected by the outage. A notice on USCIS’s E-Verify website states that “customers calling E-Verify are experiencing long wait times” because “the worldwide Microsoft outage is impacting phone support.” USCIS did not immediately respond to a request for comment.

A senior Biden administration official told reporters on Friday afternoon that the White House is in “regular contact” with CrowdStrike’s leadership to get updates on the outage and remediation efforts.

“The White House has been convening agencies to assess impacts to the US government’s operations and entities around the country,” the official said. “At this time, our understanding is that flight operations have resumed across the country, although some congestion remains, and 911 centers are able to receive and process calls. We are assessing impact to local hospitals, surface transportation systems, and law enforcement closely and will provide further updates as we learn more. We stand ready to provide assistance as needed.”

The Cybersecurity and Infrastructure Security Agency, which is responsible for overseeing the security of systems across the federal civilian executive branch, said it is working with CrowdStrike, as well as federal, state, local and critical infrastructure partners, “to fully assess and address these issues.”

“Of note, CISA has observed threat actors taking advantage of this incident for phishing and other malicious activity,” the cyber agency wrote in an alert Friday. “CISA urges organizations and individuals to remain vigilant and only follow instructions from legitimate sources. CISA recommends organizations to remind their employees to avoid clicking on phishing emails or suspicious links.”

Rep. Nancy Mace (R-S.C.), chairwoman of the House Oversight and Accountability Committee’s cybersecurity, IT and government innovation subcommittee, said the panel has requested briefings on the outage from CrowdStrike, Microsoft and CISA.

“We’re also trying to determine the breadth of impact, especially across the federal government at this time,” Mace posted to X on Friday afternoon.

While the outage forced airlines to cancel and delay thousands of flights Friday morning, a Transportation Security Administration spokeswoman said TSA has not been directly affected by the IT incident.

“TSA is monitoring the IT system issues throughout the transportation system in partnership with stakeholders and other agencies,” the spokeswoman told FNN. “There has not been any impact to TSA operations.”

In posts on X, the Federal Aviation Administration said it was working with U.S. airlines as they resume operations.

“Currently FAA operations are not impacted by the global IT issue,” the FAA posted. “We continue to monitor the situation closely.”

Meanwhile, a Department of Veterans Affairs spokesman said the VA is “not aware of any impact on health care operations or any adverse impact on veterans who get their care from VA.”

“We will continue to monitor this situation, and we encourage any Veterans who need support – including those who may be impacted by challenges at non-VA health care facilities – to call 1-800-MYVA411 or visit their local VA medical center for assistance,” VA Press Secretary Terrence Hayes said in a statement. “We are standing by and ready to help.”

The U.S. Postal Service on Friday also said it has not experienced any immediate impacts from the IT outage.

“The Postal Service was not directly impacted by the global IT outage,” USPS spokesman David Walton said. “We are aware of impacts to some of our third-party vendors, however, this has not impacted our ability to move mail and packages for the American people.”

Officials highlight IT consolidation risks

Anne Neuberger, deputy national security advisor for cyber and emerging technology, said the CrowdStrike outage showcased the “risks of consolidation.”

“The irony of this morning is that a major international cybersecurity company was impacted,” Neuberger said during an event hosted by the Aspen Institute on Friday. “So, we need to really think about our digital resilience – not just in the systems we run, but in the globally connected security systems, the risks of consolidation, how we deal with that consolidation, and how we ensure that if an incident does occur, it can be contained and we can recover quickly.”

In a letter to acting Defense Department Chief Information Officer Leslie Beavers, Sen. Eric Schmitt (R-Mo.) requested a briefing on any potential impacts to DoD networks by July 26.

“This outage is a warning that consolidation and dependence on one provider can be catastrophic, which is why business and government IT systems should have requisite redundancies in place that promote resiliency, as well as competition and innovation,” Schmitt wrote.

This is an evolving story, and we will continue to update it.

(With additional reporting from Jory Heckman)

OPM to lift pause on FSAFEDS enrollments in August
https://federalnewsnetwork.com/pay-benefits/2024/07/opm-to-lift-pause-on-fsafeds-enrollments-in-august/
Thu, 18 Jul 2024 21:38:01 +0000

FSAFEDS enrollees will also soon have to transition to Login.gov and complete an identity verification to continue accessing their accounts.

The Office of Personnel Management will soon be reopening enrollments into the government’s Flexible Spending Account program, FSAFEDS.

OPM previously suspended all new enrollments in the program after a recent surge in fraudulent activity that impacted hundreds of federal employees with Flexible Spending Accounts. OPM’s inspector general said the suspension came “out of an abundance of caution,” and to try to prevent further fraud in the program.

Enrollments in FSAFEDS, including any enrollments based on Qualifying Life Events (QLEs), will reopen Aug. 1, OPM wrote in an email to agency benefit officers Thursday afternoon, shared with Federal News Network. Also beginning Aug. 1, the program will transition to a “.gov” website domain, FSAFEDS.gov, rather than the current domain, FSAFEDS.com.

Enrollees who missed a QLE deadline due to the pause on enrollments should still be able to make modifications once the enrollment pause is lifted, OPM said. Employees who are in that situation will have to call FSAFEDS at 877-372-3337 to request a change to the effective date for the QLE.

Additionally, federal employees will be able to get reimbursed for any claims that were incurred after the effective date for the QLE, OPM said.

OPM is also taking more long-term steps to address security concerns in FSAFEDS, including transitioning to Login.gov, the government’s platform for accessing government benefits and services online.

Once the enrollment pause is lifted next month, any federal employees who create new FSAFEDS accounts or update their enrollments following a QLE will have to complete identity verification using Login.gov.

Overall, the switch to Login.gov for FSAFEDS users will take place in a phased approach. Beginning this October, FSAFEDS users who created their accounts during or after 2023 will be required to complete identity verification steps through Login.gov to be able to continue accessing their accounts. Feds who created their accounts prior to 2023 will then have to go through the same verification process starting in January 2025.

“Enhanced identity verification is one of several steps we’ve taken to combat fraud in the FSAFEDS program,” OPM wrote in Thursday afternoon’s email.

Along with pausing FSAFEDS enrollments for several weeks, OPM also for a short time suspended claims payments from getting distributed to enrollees. All reimbursement payments were paused on June 16, and subsequently restarted on June 26.

During the 10-day payments pause, several federal employees told Federal News Network they did not receive any advance notice that the reimbursement payments would be paused.

OPM said it has been working with third-party vendor HealthEquity, which manages the Flexible Spending Account program, to strengthen security measures and secure all accounts impacted by the fraud. A HealthEquity spokesperson has referred all questions on the situation to OPM.

OPM said it will continue to communicate with federal employees and agency benefits officers in the coming days and weeks with any new updates on the situation.

FedRAMP’s 2 new efforts target long-time vendor frustrations
https://federalnewsnetwork.com/cybersecurity/2024/07/fedramps-2-new-efforts-target-long-time-vendor-frustrations/
Mon, 15 Jul 2024 22:11:25 +0000

The cloud security program launched two programs, an agile delivery pilot and a new technical documentation hub, to accelerate cloud authorizations.

The final policy guidance for the cloud security program known as FedRAMP is still a few weeks away from coming out, but the General Services Administration continues its aggressive refresh of the 13-year-old effort.

GSA launched two new initiatives to continue to relieve some of the burdens of getting cloud services authorized under the Federal Risk and Authorization Management Program (FedRAMP) that contractors and agencies have long complained about.

Eric Mill, the executive director of cloud strategy at GSA, said the agile delivery pilot will choose about 20 contractors to test out how to use secure software delivery approaches to accelerate the “significant change request” process, which essentially is an approval gate for cloud providers to add new features or capabilities to a FedRAMP authorized service.


“For a lot of cloud providers, this can go on for a long time and really get in the way of what we know to be secure software deployment and delivery practices, which are agile software delivery practices and the federal government absolutely needs to get the benefits of these companies who we are relying on for them to be able to share as many security improvements and updates as possible, new security tools, new patches, and new technology and new capabilities,” Mill said at the GovForward conference sponsored by Carahsoft. “This is an area where we think we can take a look at the way that FedRAMP has operated to date and refactor the process to be one that is based on continuous assessment. I think that’s a phrase you’re going to hear us use a lot because we think we should be getting both more security and more speed at the same time. When we focus our attention on overseeing the process by which changes are made, rather than repeatedly exercising like a stop and go process on every point in time change that a cloud provider makes.”

The PMO says as part of its plan to limit the scope and potential impact of changes to agencies, the new features CSPs launched as part of this pilot must be opt-in.

The PMO says any changes to the fundamental underlying architecture, or new security control implementations that apply to the entire offering, will be excluded from the pilot.

For the purposes of this pilot, the PMO says agencies must choose to use the new feature and the new feature cannot change the:

  • System’s fundamental architecture,
  • Types of components used such as databases, operating systems, or containers,
  • Tooling used to configure, secure, and scan those components, and
  • Customer responsibilities for existing features or services.

The FedRAMP program management office will accept applications from vendors to take part in the pilot through July 26 and then make selections by Aug. 16.

The second new initiative is focused on bringing more automation to the program.

The new technical documentation hub will help CSPs in the development, validation and submission of digital authorization packages, and the developers of governance, risk and compliance (GRC) applications and other tools that produce and consume digital authorization package data.

Mill said one of the goals of FedRAMP more broadly is to reduce the time and costs to industry to get their services authorized.

“We’re still in a universe where we traffic 600-page Word documents and PDFs, which is really not how to run a data oriented organization,” Mill said. “We’ve made, what I think are, very concrete investments in changing that dynamic over time. Some of that is who we have hired and brought on to the program where we have a dedicated Open Security Controls Assessment Language (OSCAL) and data standards lead. We already have more technical expertise and practitioner background in the program now than it has had historically, and we’re going to be increasing that very significantly in the near future. We think that by bolstering our technical capacity, we’re going to be able to move dramatically more effectively, and be a more empathetic and effective partner with the cloud providers and agencies who ultimately have the tools that need to integrate with our program so that we don’t have to have people emailing things around much less emailing things around with passwords and stuff like that.”

The website initially is focused on promoting the use of OSCAL and application programming interfaces (APIs) to share digital authorization packages with the PMO and among agencies.

The PMO says this technical hub site will help make the FedRAMP authorization process more efficient and accessible by:

  • Providing faster and more frequent documentation updates
  • Expanding the breadth and depth of available technical documentation
  • Improving the user experience for stakeholders who are implementing OSCAL-based FedRAMP packages and tools
  • Establishing a collaborative workflow that supports community contributions for improvements to the documentation

Mill added this approach isn’t necessarily new because FedRAMP is doing all of this work out on GitHub and open source development already.

VA proved out automation

FedRAMP has long held out for the promise of OSCAL. In May 2022, it received the first security authorization package using the framework. The National Institute of Standards and Technology released version 1.0 of OSCAL in June 2021 and in August 2021, FedRAMP released the first set of validation rules via GitHub.

But both the program and vendors have been slow to catch on.

Amber Pearson, the deputy chief information officer at the Department of Veterans Affairs, said at the event that VA was the first agency to deploy and submit a system security plan using OSCAL.

“We were able to actually transform our standard 426 page system security plan from a text file to machine readable language. We’re really excited where automation is going to take us to help us speed up how we deploy our authority to operates (ATOs) in our environment,” Pearson said. “OSCAL will be the first step to explore automation during our assessment and authorization process because it allows us to programmatically look at how do we build in key metrics to do automatic control testing. We’re actually exploring that with our partnerships with NIST and others. How do we actually speed up from a 360-day ATO timeline to receive an ATO to maybe an assessment and authorization (A&A) in a day? That’s some of the efforts that we’re looking at and how do we quickly assess the security controls and most importantly, about automation, it comes into play when you think about continuous monitoring and being able to measure your risk in near real time.”

Drew Mykelgard, the federal deputy chief information officer, said he hopes OSCAL becomes commonplace for any organization building or approving software within the next year.

“At every stage, I hope people are like, OSCAL is saving me from Word flat files, PDFs and it is changing the game from one of the biggest points of friction that we feel. We also know that when like the federal government gets behind a standard, we can really push it forward,” he said. “When we have people like Amber and her team pushing this through their governance, risk and compliance (GRC) platforms to intake OSCAL more effectively, running the tests on it and increasing, we can write all the policy we want, but without people like Amber, it doesn’t happen.”

The agile delivery pilot and the automation hub are two of the latest efforts the program management office has released since January.

FedRAMP’s continued modernization march

In June, FedRAMP finalized its emerging technology framework, focusing initially on generative artificial intelligence.

In May, OMB and GSA detailed the new structure of FedRAMP, replacing the joint authorization board with the new FedRAMP Board and creating the technical advisory group.

And two months before that, the FedRAMP PMO outlined 28 near-term initiatives in a new roadmap for the future.

All of this started in October when OMB issued the draft policy update to FedRAMP.

The PMO is still without a permanent director after more than three years.

Mykelgard said GSA is close to hiring a new permanent director of the program management office after receiving more than 400 applications.

GSA’s Mill said these and other upcoming changes are all about making concrete investments to change the dynamic over time. He said speed and security don’t have to be polar opposites.

“If you look at the elements on our roadmap, a very healthy chunk of them are designed to chip away in different ways and different slices of the things that generate that time and cost,” Mill said. “What we really need when commodity services out there exist, which can do core functions by companies and other agencies sometimes, it’s the shared services strategy in another form. We benefit from a security perspective, as federal agencies and the federal government when we’re able to stop doing things ourselves. Now when we’re talking about software, we have different and new and exciting opportunities to start running fewer things that are held together by shoestring apps and use things that are given dedicated maintenance, love and security investment. That, in and of itself, is a huge security boon for the government, which should be able to focus its limited IT and security people on the things that cannot be commoditized, that are just unique and core to their mission. That’s the theory of FedRAMP.”

This company is helping government satellite operators improve awareness of threats in low-earth orbit
https://federalnewsnetwork.com/technology-main/2024/07/this-company-is-helping-government-satellite-operators-improve-awareness-of-threats-in-low-earth-orbit/
Mon, 15 Jul 2024 17:49:29 +0000

An academic course endorsed by the Defense Department and delivered by accelerator company BMNT aims to help science and engineering students develop their idea

An academic course endorsed by the Defense Department and delivered by accelerator company BMNT aims to help science and engineering students develop their ideas into companies. It’s called Hacking for Defense. One resulting startup called Pharos aerospace hopes to help both defense and commercial satellite operators deal with space debris. For more, the Federal Drive with Tom Temin spoke with former University of Chicago students, Victor Tyne and Brian Klein.

Interview transcript:

Victor Tyne
We took the course at the Booth School of Business at the University of Chicago, we were a team of students, a team of five students at the time. And we were interested in learning about what a dual use architecture was, and what it meant to do innovation in the defense space. And we did exactly that, we learned a lot about what that looks like. The correspond to a lot of different problems across a lot of different kinds of problem spaces. And we were actually sponsored by the Missile Defense Agency to tackle challenges to secure communication for missile defense systems. And we started pulling strings and thinking about what specific problem can be addressed, whether the one in the original problem statement or not. And we ended up realizing kind of the importance of satellite to ground communications for these kinds of systems, and thinking about what the threats were to that. We identified debris, specifically lethal non trackable debris in low Earth orbit, and then also just unidentified residence based objects, whether any satellite weapons or otherwise as a real threat to secure communication. So we started thinking about what are the gaps in current technology? And how can we address that.

Tom Temin
Sounds like you’re focused on the physical destruction or capability of debris, as opposed to jamming and signal interference, that type of thing.

Victor Tyne
problems that was more focused on the cybersecurity kind of problem, and we pivoted at some point in the course toward a real physical threat.

Tom Temin
What do you major in? What were you guys studying that you were interested in this particular area, Brian.

Brian Klein
Victor and myself have a physics background. So Victor is studying physics, I was a physics major at the University of Chicago in the past, and then latest degree is business, also have another MBA.

Tom Temin
Unlike I guess, some people of your generation, you have an interest in national defense and warfare and helping the country in that manner.

Victor Tyne
I think that I was one of the main motivations for taking the course. And it’s been really interesting going through this process and getting to talk to stakeholders and find out what the challenges they face are and why they’re interested in this kind of technology. I think it’s largely an interest in national defense. But it’s also an interest in just the common good of our planet, the ability to continue having secure satellite communications to continue providing GPS service, all these things that are threatened by things like small lethal non trackable debris, or any satellite weapons in low Earth orbit. So I think it’s a really important issue for National Security, but also just for the common good of how we do things in the 21st century.

Tom Temin
So that’s the dual architecture idea that it serves both civil and military interests.

Victor Tyne
We’ve also found to a large degree, government agencies like the Space Force already doing a lot out of general public interest. And in addition to their National Security effort, that’s been really interesting to learn about and collaborate with.

Tom Temin
And what happened when you completed the course? You were selected for something. And there’s teams from several universities, what happens next? They liked your ideas, tell us about the process.

Brian Klein
Two things happened when we completed the course. The first was we were selected for the University of Chicago’s New Venture Challenge program. So that’s a major, maybe the biggest university accelerator in the country, if not the world, and that accelerator focuses on consumer applications. So we really got to phone our business and our idea from the lens of providing services to consumer companies, but we’re therapy imaging companies, that sort of thing through that program, which is really good ended up placing six out of over 80 teams in that. They liked us too apparently. The other side was we got into the H Rex program. So H 4x is a direct continuation of hacking for defense. And that program focuses much more strongly on dual use technology, on working with government, on learning how to not just do things the government way, but also making connections in the government. And that been a great compliment to us to the NBC focus on consumer sites. And now we’re getting to really learn about running a business not just focusing on consumer, but also focus on government clients.

Tom Temin
Yeah I guess if you can navigate government contracting, you can certainly solve the problem of space debris. I don’t know which one is more difficult to overcome. But in that regard, you mentioned Victor the idea of lethal non trackable. If it’s non trackable, I guess maybe give us a basic foundation on what some possible solutions to lethal debris might be if you can’t track it.

Victor Tyne
Lethal trackable debris is lethal, but currently non trackable. And there are workarounds and solutions to that. This debris is non trackable from the ground with ground radar, because there are limits on the ability to see things from such a distance. And with atmospheric interference. There’s been a big push toward imaging in space of debris tick track, to try to be able to see what’s historically been lethal and non trackable. And our approach is to do this, but to an unprecedented level in a distributed way. So leveraging technology that’s on a lot of satellites, specifically cameras that a lot of satellites use for other purposes, to track when small pieces of debris enter their field of vision, analyze its position and velocity, get information about where it is and what it is, and record that and keep a database of all this debris. And the reason we’re able to do this on such a large scale is because we’re tapping into cameras that are already on orbit throughout low earth orbit, rather than trying to send up hundreds, if not thousands of new cameras to try to see what we currently can’t.

Tom Temin
Launching clouds of new satellites, just for that purpose, in a sense, increases the risk, because when you let out a cluster of satellites, they don’t all make it. And some of them might turn into the debris that you’re trying to track.

Victor Tyne
And it’s also a huge cost. And it would be extremely costly to launch a large number of satellites, especially with the technology required to do this.

Tom Temin
So it sounds like it’s essentially a software approach, then because the hardware is already in space. And it’s a matter of programming what those cameras are doing to do something else.

Victor Tyne
Exactly. A software problem and a data problem of aggregating data that is either not currently being saved or not currently being collected and making it useful.

Tom Temin
And by the way, is it always imagery within the human visual spectrum, or are there other areas of the spectrum where because these things are small and moving so fast, they can be detected other than visually?

Victor Tyne
That’s a great question. These pieces of debris can be detected with radar and lidar and other things outside of the optical regime. In fact, one of the main ways debris is currently tracked is from the ground with radar. The reason we’re working with optical sensing in space is because those are the cameras that are currently widely used. And they actually do a very good job of seeing what we want to see. And some of these other methods like LiDAR, for example, doesn’t do as well with the distances that we’re working with.

Tom Temin
And getting back to the business side of it, are you a company yet? And do you have a plan to make a company that could actually sell this technology to the Pentagon, as well as to commercial operators in space.

Brian Klein
We are a company, we’re incorporated. And we are working on making those connections to not just the Pentagon and other agencies but also commercial providers to that a lot of discussions with providers on what would make the technology interesting for them what they need to be interested in. And now we’re going to be doing the same with government agencies to the ATREX program.

An academic course endorsed by the Defense Department and delivered by accelerator company, BMNT aims to help science and engineering students develop their ideas in two companies. It’s called Hacking for Defense. One resulting startup called Pharos aerospace hopes to help both defense and commercial satellite operators deal with space debris. For more, the Federal Drive with Tom Temin spoke with former University of Chicago students, Victor Tyne and Brian Klein.

Interview transcript: 

Victor Tyne
We took the course at the Booth School of Business at the University of Chicago. We were a team of students, a team of five students at the time. And we were interested in learning about what a dual-use architecture was, and what it meant to do innovation in the defense space. And we did exactly that; we learned a lot about what that looks like. The course corresponds to a lot of different problems across a lot of different kinds of problem spaces. And we were actually sponsored by the Missile Defense Agency to tackle challenges to secure communication for missile defense systems. And we started pulling strings and thinking about what specific problem could be addressed, whether the one in the original problem statement or not. And we ended up realizing kind of the importance of satellite-to-ground communications for these kinds of systems, and thinking about what the threats were to that. We identified debris, specifically lethal non-trackable debris in low Earth orbit, and then also just unidentified resident space objects, whether anti-satellite weapons or otherwise, as a real threat to secure communication. So we started thinking about what are the gaps in current technology, and how can we address that.

Tom Temin
Sounds like you’re focused on the physical destruction or capability of debris, as opposed to jamming and signal interference, that type of thing.

Victor Tyne
problems that were more focused on the cybersecurity kind of problem, and we pivoted at some point in the course toward a real physical threat.

Tom Temin
What did you major in? What were you guys studying that you were interested in this particular area, Brian?

Brian Klein
Victor and I both have a physics background. So Victor is studying physics; I was a physics major at the University of Chicago in the past, and then my latest degree is in business. I also have an MBA.

Tom Temin
Unlike, I guess, some people of your generation, you have an interest in national defense and warfare and helping the country in that manner.

Victor Tyne
I think that was one of the main motivations for taking the course. And it’s been really interesting going through this process and getting to talk to stakeholders and find out what the challenges they face are and why they’re interested in this kind of technology. I think it’s largely an interest in national defense. But it’s also an interest in just the common good of our planet, the ability to continue having secure satellite communications, to continue providing GPS service, all these things that are threatened by things like small lethal non-trackable debris, or anti-satellite weapons in low Earth orbit. So I think it’s a really important issue for national security, but also just for the common good of how we do things in the 21st century.

Tom Temin
So that’s the dual-use architecture idea, that it serves both civil and military interests.

Victor Tyne
We’ve also found, to a large degree, government agencies like the Space Force already doing a lot out of general public interest, in addition to their national security effort. That’s been really interesting to learn about and collaborate with.

Tom Temin
And what happened when you completed the course? You were selected for something. And there are teams from several universities; what happens next? They liked your ideas. Tell us about the process.

Brian Klein
Two things happened when we completed the course. The first was we were selected for the University of Chicago’s New Venture Challenge program. So that’s a major, maybe the biggest, university accelerator in the country, if not the world, and that accelerator focuses on consumer applications. So we really got to hone our business and our idea from the lens of providing services to consumer companies, whether they be imaging companies, that sort of thing, through that program, which was really good. We ended up placing sixth out of over 80 teams in that. They liked us too, apparently. The other side was we got into the H4X program. So H4X is a direct continuation of Hacking for Defense. And that program focuses much more strongly on dual-use technology, on working with government, on learning how to not just do things the government way, but also making connections in the government. And that has been a great complement to the NVC focus on the consumer side. And now we’re getting to really learn about running a business, not just focusing on consumer, but also focusing on government clients.

Tom Temin
Yeah, I guess if you can navigate government contracting, you can certainly solve the problem of space debris. I don’t know which one is more difficult to overcome. But in that regard, you mentioned, Victor, the idea of lethal non-trackable. If it’s non-trackable, I guess maybe give us a basic foundation on what some possible solutions to lethal debris might be if you can’t track it.

Victor Tyne
Lethal non-trackable debris is lethal, but currently non-trackable. And there are workarounds and solutions to that. This debris is non-trackable from the ground with ground radar, because there are limits on the ability to see things from such a distance and with atmospheric interference. There’s been a big push toward imaging of debris in space to track it, to try to be able to see what’s historically been lethal and non-trackable. And our approach is to do this, but to an unprecedented level, in a distributed way. So leveraging technology that’s on a lot of satellites, specifically cameras that a lot of satellites use for other purposes, to track when small pieces of debris enter their field of vision, analyze their position and velocity, get information about where it is and what it is, and record that and keep a database of all this debris. And the reason we’re able to do this on such a large scale is because we’re tapping into cameras that are already on orbit throughout low Earth orbit, rather than trying to send up hundreds, if not thousands, of new cameras to try to see what we currently can’t.

Tom Temin
Launching clouds of new satellites, just for that purpose, in a sense, increases the risk, because when you let out a cluster of satellites, they don’t all make it. And some of them might turn into the debris that you’re trying to track.

Victor Tyne
And it’s also a huge cost. And it would be extremely costly to launch a large number of satellites, especially with the technology required to do this.

Tom Temin
So it sounds like it’s essentially a software approach, then because the hardware is already in space. And it’s a matter of programming what those cameras are doing to do something else.

Victor Tyne
Exactly. A software problem and a data problem of aggregating data that is either not currently being saved or not currently being collected and making it useful.

Tom Temin
And by the way, is it always imagery within the human visual spectrum, or are there other areas of the spectrum where because these things are small and moving so fast, they can be detected other than visually?

Victor Tyne
That’s a great question. These pieces of debris can be detected with radar and lidar and other things outside of the optical regime. In fact, one of the main ways debris is currently tracked is from the ground with radar. The reason we’re working with optical sensing in space is because those are the cameras that are currently widely used. And they actually do a very good job of seeing what we want to see. And some of these other methods, like lidar, for example, don’t do as well with the distances that we’re working with.

Tom Temin
And getting back to the business side of it, are you a company yet? And do you have a plan to make a company that could actually sell this technology to the Pentagon, as well as to commercial operators in space?

Brian Klein
We are a company; we’re incorporated. And we are working on making those connections, not just to the Pentagon and other agencies but also commercial providers. We’ve had a lot of discussions with providers on what would make the technology interesting for them, what they need to be interested in. And now we’re going to be doing the same with government agencies through the H4X program.

The post This company is helping government satellite operators improve awareness of threats in low-earth orbit first appeared on Federal News Network.

DHS official details efforts to harmonize cyber incident reporting rules
https://federalnewsnetwork.com/cybersecurity/2024/07/dhs-official-details-efforts-to-harmonize-cyber-incident-reporting-rules/
Fri, 12 Jul 2024 18:27:43 +0000
DHS cyber lead Iranga Kahangama also says the proposed cyber incident reporting rule is not "simply a land grab," as some criticize it for being overly broad.

A top Department of Homeland Security official says DHS is working to harmonize new cyber incident reporting rules, as industry and even some lawmakers criticize the draft rule’s scope and potential duplicative requirements.

The comment period for the Cybersecurity and Infrastructure Security Agency’s draft rule closed July 3. The proposal would implement the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022. CISA expects to finalize the rule next spring. The rule would require covered organizations across the 16 critical infrastructure sectors to report covered cyber incidents to CISA within 72 hours of reasonably believing one has occurred, and to report ransom payments within 24 hours of making them.

Iranga Kahangama, DHS assistant secretary for cyber, infrastructure, risk and resilience, said officials are just starting to adjudicate all the feedback they received. But Kahangama acknowledged widespread comments from industry about the “burden” of duplicative cyber incident rules.

“We are going to be viewing and administering CIRCIA with an eye towards harmonization,” Kahangama said during a July 10 event in Washington hosted by the Homeland Security Defense Forum. “We’re also establishing conversations between the department and all the other agencies that have cyber reporting requirements to identify ways that we can harmonize reporting.”

He pointed to interagency agreements that “allow for reciprocal sharing of information such that … a report to one will count as a report to another and vice versa through CISA.”

“We want to make sure we’re maximizing the ability to do that,” Kahangama said. “That’s quite complicated, because each agency has different requirements. And so you need to make sure that they’re substantially similar enough and that those are fleshed out. But those are really wonky but interesting conversations that my office is actively having right now as we develop CIRCIA.”

‘Overly broad’ criticisms

CISA received several hundred public comments on the draft rule ahead of a July 3 deadline. Many commenters called on CISA to boost its harmonization efforts. DHS has previously reported that there are 45 different federal cyber incident reporting requirements in place across 22 federal agencies.

The Information Technology Industry Council, for instance, called on CISA to take a more “assertive role” in bringing together different rules, including those under the Federal Acquisition Regulation.

“It is encouraging that CISA has noted this issue and created the process for CIRCIA agreements,” ITI wrote in its comments. “Nonetheless, we encourage CISA to take a more proactive role in harmonizing incident reporting requirements, particularly through the [Cyber Incident Reporting Council], to converge incident reporting, and explore whether a single, national reporting function is feasible.”

ITI and other commenters have also criticized CISA’s rule for being overly broad. Even some lawmakers have pushed back on CISA’s proposal.

Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.), an architect of the CIRCIA law, is among the critics. Peters said the proposed rule “is overbroad and needs additional clarity in the definitions for covered incident, covered entity, and others used in the proposed rule.”

“CISA has said that it expects to receive 200,000 reports a year, but given the broad definitions, I am concerned that number may be higher than CISA’s estimate,” Peters wrote to CISA. “Under these new requirements, in 2025, thousands of businesses will have to report cyber incidents to the government, and I want to make sure this will not mean that CISA would be able to properly ingest, triage, and analyze the reported information and use the data to improve cybersecurity recommendations and support critical infrastructure.”

House Homeland Security Committee cybersecurity subcommittee Chairman Andrew Garbarino (R-N.Y.) derided the proposed rule for applying to too many entities. “Congress did not intend for CISA to subject so many entities to its reporting requirements,” Garbarino wrote to CISA Director Jen Easterly.

Garbarino also said CISA would be requesting too much data from organizations. He called the amount of information sought “tremendous – and at times, unrealistic.”

Cyber incident data

While Kahangama didn’t respond directly to those comments, he emphasized that DHS’s overarching goal is “not simply just to aggregate data.”

“It’s not simply to do a land grab of getting the most amount of information possible,” he said. “It’s to get the right amount of information in the right format, that can be best utilized to maximize prevention, security and resilience in the space.”

Kahangama said DHS and CISA will make decisions about the incident reporting requirements “through those lenses.”

“I do want to emphasize that a lot of the decisions we will make will obviously be in response to the public comments,” he said. “But it’s not simply about getting data. It’s about getting the right kind of data in the right context. So we look forward to continue to work with folks on that and putting out some more information in due course.”

Data security’s integral role in the digital age
https://federalnewsnetwork.com/commentary/2024/07/data-securitys-integral-role-in-the-digital-age/
Wed, 10 Jul 2024 13:36:53 +0000
Many regulations require that companies working with national security information implement aggressive levels of cybersecurity.

For machine shops, compliance with government standards is an evolving challenge. Defense and aerospace manufacturers must adhere to strict standards and documentation procedures, including the DoD’s Cybersecurity Maturity Model Certification (CMMC). Failure to comply with evolving requirements in a timely manner has severe consequences, chief among them lost revenue and barriers to growth, because DoD prime contractors cannot flow work down to shops that do not comply. Manufacturers in the defense and aerospace industries must meet this challenge head-on and with urgency, anticipating and planning for compliance requirements to position themselves for success now and in the future.

Many regulations require that companies working with national security information implement cybersecurity controls scaled to the type and sensitivity of the information; for controlled unclassified information, that means the 110 security requirements of NIST SP 800-171. In December 2022, President Biden signed the Fiscal Year 2023 National Defense Authorization Act, which authorized roughly $817 billion for the Defense Department. While this represents a lucrative potential future for job shops, it comes with a caveat: They must be able to meet the technological standards that allow them to comply with ever-changing regulations.

For job shops with smaller teams or limited resources, compliance is no small feat. Nevertheless, compliance is not optional. To meet these standards with limited workforce capacity, job shops must look to leverage technology that can automate processes, monitor for and protect against cyberattacks, and update processes in real time. With a pen-and-paper or manual approach, manufacturers commit significant time and resources that ultimately impact the bottom line, at a time when budgets are tight and they are being asked to do increasingly more with less. As certification standards continue to evolve, working with outdated tools will only hinder job shops’ progress.

Evolving landscape requires agile solutions

Meeting new CMMC standards is not a question of ‘if’ but rather of ‘how’ and ‘how quickly.’ The DoD’s proposed CMMC rule, published in December 2023, sets out an assessment system to verify that defense contractors and subcontractors have implemented the required security measures. It extends the existing NIST SP 800-171 requirements across the defense industrial base and adds a subset of NIST SP 800-172 requirements for the highest-priority programs. In order to remain compliant and continue supplying the DoD, job shops must enhance their data security ahead of these rollouts.

Additionally, for maximum efficiency, manufacturers should focus on solutions that integrate with their contractual requirements and CMMC implementation strategy. Cloud-based enterprise resource planning (ERP) solutions can help in a variety of ways, including centralized data management and compliance features, as well as by enabling scalability and the ability to manage risk.

Visibility is essential to any security measure, and a centralized data repository provides crucial clarity. Disparate systems cause confusion and a lack of control. Through an ERP solution, sensitive data can be stored and managed in a single platform where CMMC requirements for data security and access control can be applied consistently. For Midway Swiss Turn, the progression to an ERP came after a PC and QuickBooks, and before that, typewriters. Their lack of data organization called for a solution that would let them collect all the data and organize it effectively. The evolution to automated collection of accounting data, machine availability and material stock helped revenue and employee numbers grow sharply. The ability to spur growth with safe and secure data will be integral as CMMC standards finalize and evolve.

For job shops operating with smaller teams and tighter margins, achieving compliant data management is too significant an individual lift. Manual in-house efforts to create encryption protocols, configure access controls, maintain audit logs and monitor data protection take immense time and resources. In short, that’s a cost that many job shops can’t bear. Cloud-based ERP solutions can instead offer encryption, access controls and audit trails designed with CMMC in mind, reducing that burden while looking out for the bottom line. Two caveats apply. A cloud service that stores or processes controlled unclassified information must itself meet the FedRAMP Moderate baseline or an equivalent under DFARS 252.204-7012, so a vendor’s authorization status should be verified before any CUI is loaded into it. And an ERP’s built-in controls address only a portion of the 110 NIST SP 800-171 practices a CMMC Level 2 assessment examines; the shop remains responsible for its endpoints, identities, network and the people and procedures around the tool.

As job shops look to leverage opportunities in defense and aerospace investment, CMMC readiness also enables growth and scale. Cloud-based ERP systems bring with them the ability to adapt to changing compliance needs and include risk management features to identify and address cybersecurity vulnerabilities, allowing manufacturers to maintain compliance as standards evolve. CMMC-ready ERP solutions provide customers with a framework to meet compliance deadlines, maintain cybersecurity best practices, and build a competitive advantage in the market with the expanded opportunity to work with government contractors. This ultimately saves manufacturers time and money, enabling them to grow their businesses and avoid costly penalties and exclusion from opportunities. This forward-looking perspective is invaluable to data security as the CMMC deadlines approach.

Investing in the present and future

Manufacturers must adopt adaptable, industry-evolving solutions to remain compliant and position themselves for future success, especially as the new CMMC standards are expected to take effect in the first quarter of 2025. Failing to invest in the required technology will ultimately cost more than the technological investment itself. Secure, agile solutions continue to provide the visibility and compliance that the government requires and serve as a strategic step to set manufacturers up for future success.

Matt Heerey, President of Manufacturing, ECI Software Solutions

NDAA amendment to give more authority to DoD components to buy cyber products
https://federalnewsnetwork.com/defense-main/2024/07/ndaa-amendment-to-give-more-authority-to-dod-components-to-buy-cyber-products/
Tue, 09 Jul 2024 20:16:30 +0000
An amendment in the Senate version of the 2025 NDAA would "return decision-making power back to DoD components" to purchase cyber products and services.

The Senate Armed Services Committee has introduced an amendment that would give Defense Department components more authority to purchase alternative cybersecurity products and services.

Senate Armed Services Committee leaders filed their version of the National Defense Authorization Act for fiscal 2025 on Monday; the committee had approved it behind closed doors last month in a 22-3 vote. The bill is now heading to the Senate floor for consideration.

The legislation includes an amendment to Section 1521 of the fiscal 2022 defense bill, which centralizes the procurement of cyber products and services across the Defense Department.

The fiscal 2022 defense bill states that DoD components can’t independently purchase cyber services unless they can buy them at a lower per-unit price than what the DoD chief information officer’s office, which leads department-wide procurement of cyber services, offers. The components can also procure cyber services independently if the DoD CIO’s office approves the purchase.

If passed, the amendment included in the 2025 defense bill would allow DoD components to buy cyber services independently if they can demonstrate the “compelling need that the requirement of the product has due to its urgency, or to ensure product or service competition within the market.”

Sen. Eric Schmitt (R-Mo.), who has long expressed concern about the Defense Department’s increasing reliance on Microsoft for its cyber products, initiated the amendment.

“DoD CIO has used this authority to create a one-size-fits-all approach to all DoD components, causing serious concerns related to a single zero-day flaw being used to create massive disruptions across DoD’s networks. The amendment returns decision-making power back to DoD components, so they can adopt tailored cybersecurity approaches based on the threats they face,” the amendment summary shared with Federal News Network says.

In May, Schmitt, along with Sen. Ron Wyden (D-Ore.), sent a letter to the Pentagon inquiring about the department’s push to implement Microsoft’s most expensive licenses, known as E5, across all components. The Pentagon already widely relies on Microsoft products and services but it has been considering mandating all components to upgrade to Microsoft’s E5 license as part of its effort to achieve the target level of zero trust by 2027.

“Although we welcome the department’s decision to invest in greater cybersecurity, we are deeply concerned that DoD is choosing not to pursue a multi-vendor approach that would result in greater competition, lower long-term costs and better outcomes related to cybersecurity,” Schmitt and Wyden wrote.

Another amendment, also spearheaded by Schmitt, would require companies that conduct software development in China to notify the Pentagon if they are required to disclose any software vulnerability to any Chinese agency, such as the Ministry of Industry and Information Technology.

“PRC security laws mandate that cyber companies with presences in China must report any flaw discovered to their government, potentially giving state-sponsored hackers a treasure trove of zero-day flaws to exploit. This bill would ensure that companies doing business with DoD that have presences in the PRC report the same information to their US-based arm as their PRC arm reports to the CCP government,” the summary of the amendment provided to Federal News Network reads.

The provision amends Section 855 of the fiscal 2022 defense policy bill and is identical to the Defense Technology Reporting Parity Act, which Schmitt filed on the floor prior to the 2025 defense policy bill.

The two amendments signal lawmakers’ growing concern about the Pentagon’s reliance on a single vendor for its cybersecurity products.

The fiscal 2025 defense policy bill authorizes a topline of $911.8 billion, which exceeds spending limits imposed by the Fiscal Responsibility Act passed last year.

Sen. Jack Reed (D-R.I.), chairman of the Armed Services Committee, voted against the legislation due to the funding increase that would break the spending caps.

“I regret that I needed to vote against passage of this bill because it includes a funding increase that cannot be appropriated without breaking lawful spending caps and causing unintended harm to our military. I appreciate the need for greater defense spending to ensure our national security, but I cannot support this approach,” Reed said in a statement.

The House passed its version of the defense bill last month, and the two chambers will have to negotiate to pass the bill before the end of 2024.

When cybersecurity becomes a personal matter
https://federalnewsnetwork.com/cybersecurity/2024/07/when-cybersecurity-becomes-a-personal-matter/
Mon, 08 Jul 2024 17:49:54 +0000
Cybersecurity becomes almost a personal matter when you're working in a war zone and information superiority is a must.

var config_5067037 = {"options":{"theme":"hbidc_default"},"extensions":{"Playlist":[]},"episode":{"media":{"mp3":"https:\/\/www.podtrac.com\/pts\/redirect.mp3\/traffic.megaphone.fm\/HUBB4538020298.mp3?updated=1720438897"},"coverUrl":"https:\/\/federalnewsnetwork.com\/wp-content\/uploads\/2023\/12\/3000x3000_Federal-Drive-GEHA-150x150.jpg","title":"When cybersecurity becomes a personal matter","description":"

Cybersecurity becomes almost a personal matter when you’re working in a war zone and information superiority is a must. My next guest spent 14 months in Afghanistan before the U.S. withdrawal. The retired Navy captain is now CEO of Coalfire, a cybersecurity company. Tom McAndrew joins the Federal Drive with Tom Temin.

Interview transcript:

Tom Temin
And you’ve kind of pivoted back and forth between industry and being a reservist, where the reserve became much less of a potential and more of a reality, it sounds like.

Tom McAndrew
Yeah, it was interesting. I think most people aren’t aware of the way that the world works. But a huge part of our military force is made up of reservists and National Guardsmen that have everyday jobs, and then answer the call to go when our nation asks. And I have the great privilege of being a Navy reservist and being sent back out to the Middle East for right about an over-400-day deployment, which was interesting to say the least. But it was a great, great experience, and I’m happy to share it here.

Tom Temin
Yeah, that’s more than a weekend or a couple of weeks, 400 days. And what did you do over there?

Tom McAndrew
Actually, I was very lucky. I got sent over there. And, you know, when you show up, the way it works is there’s requirements. But then there’s also the needs of what’s going on there. And at the time, when I showed up there, there was a big need on unmanned systems and AI. So, as we worked with a lot of the partner nations that we had out there, they were very interested in unmanned capabilities and getting more information. And so this idea came up of creating what we call, what ended up being, Task Force 59, which is the Navy’s first forward-deployed unmanned task force that focused on unmanned systems and AI integration. And so it was great to be kind of an entrepreneur, and like working with startups, kind of doing a startup within the DoD was both fun but also challenging as well.

Tom Temin
And Task Force 59 was floating or flying?

Tom McAndrew
Yeah, it’s kind of interesting. In the Navy, you’re on the shore, and I spent most of my time in Bahrain out there. But it’s a little bit of both. One of the issues with the military is we tend to have, you know, pilots fly airplanes and ship drivers that drive ships. And we have very different things when it comes to unmanned, kind of an all-domain sort of area. And so, as you see now happening with Ukraine and other areas, that has evolved. So this was kind of a first-of-its-kind task force that we learned a lot of different things in, and it’s still there, it’s still growing, it’s still making a big difference out there. So it was just great to be part of it.

Tom Temin
Now, at the time you departed for the 400 days, were you the CEO of Coalfire at that time?

Tom McAndrew
Yeah, it was interesting. I’m a CEO of a private-equity-backed company. And I remember getting the orders and not knowing what would happen, right. In other words, we have a lot of these rules that protect National Guardsmen and reservists, which require you to, you know, keep their job, make sure they would get promoted. But that doesn’t really work as well when you’re the CEO. You can’t really delegate the strategy of the company for a year; you can’t do those areas. And so I got lucky in one respect, because you get sent to wherever you need to go. And luckily, I was largely part of some shore commands. So I was able to kind of do my day job and then log on at night and do Zoom calls. And, you know, back then we still had COVID going on, from 2021, 2022. So being more remote was less of an issue than maybe it would be today. It certainly had some challenges to it. And there were times, like we had the withdrawal from Afghanistan that we supported, that there were certain periods where I just told the team, hey, I’m out for the foreseeable future, I’ll come back online.

Tom Temin
Interesting. So yeah, I mean, you’re not at the level where you’re going to invoke necessarily detailed employee rights with the investors, because you are the CEO. But I imagine you had to probably put in 18-hour days at the minimum, to at least minimally satisfy the overseers, the back-home duties, while doing full time for the military.

Tom McAndrew
You’re the CEO, and ultimately, I mean, they’re both 24/7, 365. So what’s great is I had great military bosses that understood the unique skill sets that I brought in and provided some flexibility. And then same thing back with my company, right, and how to manage this. So we were doing integrations and, you know, support on that on the back end. And then on the military side, right, there’d be ups and downs and things like that. So yeah, it was definitely a challenge. And I didn’t really know how it would work, but really kind of took it one day at a time. And I just think that’s one thing that maybe a lot of Americans really don’t understand, is just how amazingly supportive and creative I think our military leaders are in taking the best that they can from reservists and National Guardsmen out there. I mean, since 2001, there have been over 800,000 people mobilized to support our needs, and we continue to stand by.

Tom Temin
We’re speaking with Tom McAndrew. He is CEO of Coalfire and a retired Navy captain. Is there a support group for people at the executive level who get called into long deployments, and kind of share best practices for keeping your company alive and led even while you’re away?

Tom McAndrew
I wish there were. Maybe there are; if I did, maybe I’m just by hang out. Now I can do it. I mean, most of all, it doesn’t happen a whole lot, right? I mean, just the burdens of both are difficult. And usually people find other ways to kind of give back. There is what’s called ESGR, which is the Employer Support of the Guard and Reserve. And they’re a great resource that provides support for any reservists or guardsmen as they deal with mobilizations and deployments. And their job is to provide resources, help out, and also help educate employers on what they need to do by law, and also kind of what are some best practices. Like a good best practice that a lot of people have is when reservists or guardsmen do their two or four weeks, they’ll continue to pay them or do their differential pay or cover their health insurance. Because these little nuances become a big deal if you end up shifting your medical; you’ve got families and all those sorts of areas. So the ESGR is one great support that’s really helped out as well. And then on the civilian side, larger organizations tend to have, you know, big veteran support groups, but smaller ones really don’t. And I’m lucky; we have, you know, we have over 100 veterans in our group. But when it comes to kind of reservists and guardsmen, it’s pretty small. And I think most people don’t really realize the dual lives that a lot of people live.

Tom Temin
And working in the area that you mentioned, Task Force 59, unmanned systems, these are all data- and network-driven types of operations. And so you had, I’m guessing, a pretty visceral understanding of the importance of keeping all of that secure. Did the learnings that you had in working with Task Force 59 maybe inform a little bit of the cybersecurity work that you do?

Tom McAndrew
My worlds have all kind of come together. Right, I was active duty in the Navy for five or six years. And then when I got out I actually wanted to kind of completely detach from the DoD, and I, you know, joined a small cybersecurity startup and worked with banks and regulations. And today, the background of, you know, security, cybersecurity business is regular business for organizations. And, you know, cyber warfare used to be something nobody knew about. But now it’s in the news every day. And you know, we leverage our commercial systems, right? We leverage a lot of commercial platforms, what’s out there in the industry. So all that stuff is really kind of coming together.
So, I'm lucky slash unlucky, to kind of have been in both in the civilian world in the military world, and then to see the importance of cybersecurity emerged, has been fantastic.nn<strong>Tom Temin\u00a0\u00a0<\/strong>And after five years in the Navy, you're still pretty young, and you're not a total career, 25, 35, 45 year type of person, do you feel that in going to business and being in leadership positions is maybe easier, having had a short military stint versus some of the many starred individuals that come out after 35 or 40 years, and find that business is a totally different environment with a whole wholly different command and control culture than they might have had for those 35 or 40 years in the military?nn<strong>Tom McAndrew\u00a0\u00a0<\/strong>Yeah, absolutely. I actually just had a conversation yesterday with a retired three-star Admiral. And, you know, when I was talking to him and said, you know, the difference is today, we live off of our iPhones, our emails, right, and we do all the prep, and in a lot of military environments, you can't do that. So, we're still very pen and paper, and we have a lot of kind of communication structure. And I was talking yesterday, it would just it would be so great if military leaders could get real, that commercial experience to see how we deal with risk and use technology and do things at a much faster, efficient pace. And it's also for civilian leaders to get the military understanding of the authorities and the complexities and the real-world implications. So, it's very difficult to do both. And it's not a knock on one or the other. But if you know more than you can take a 30-year civilian and make him an Admiral and make them run something you can't take a 30-year Admiral and drop them into this. So, it has much more to do with the people that I think that the training that they end up doing.nn<strong>Tom Temin\u00a0\u00a0<\/strong>Yeah, more than the technology. 
It's the culture of business where even with subordinates, there's a lot of collaboration, let's say and the need to gain cooperation. Maybe that's more pronounced than it is in the military.nn<strong>Tom McAndrew\u00a0\u00a0<\/strong>Yeah, absolutely. I would say that the leadership part is the one that I'm probably most thankful for the military. I mean, I graduated in 2000, from the Naval Academy and went to my first ship in 2001. And I had I think, 20 or 25 people, 22-year-olds don't get 25 people that they're responsible for many of them older than you, chiefs, and other senior leaders that call you, sir, but know, but you rely on them, and you build their trust onto it. And so, I'm very grateful to have that experience. And then, you know, 911 happened and I'm doing two deployments to the Middle East. And so that, you know, by the time I got out when I was 27, I, I had had a lot more, I think leadership experience than others, which really was helpful in a startup where startups and other cybersecurity in particular, we have a lot of really good techies that know the technology, but it's around managing people and leadership and building strong teams. And we see that as a challenge in a lot of cybersecurity spaces.nn<strong>Tom Temin\u00a0\u00a0<\/strong>And having stepped aboard your first ship in 2001. In many ways, you are truly a child of the 911 generation.nn<strong>Tom McAndrew\u00a0\u00a0<\/strong>Yeah, I think we were the last class that went through. We go what's called Surface Warfare Officer school. So, when we graduate, we're going to Newport Rhode Island and you know, back then it was pre-911. So, we thought we'd joined the Navy see the world and be going floating around and doing all these port visits. And then our first trip was in Australia when I was in Australia when 911 happened. And it totally changed things so that the classes after us knew that when they were training, that they were likely to be using that. 
But we went through it, it was more of this theoretical training. And so that is one of the things I think I'm always amazed of the military is when something does happen. You have all this training; you go through that you may not really realize how you're using it or how its leveraged. But the teams do a fantastic job of getting together supporting the mission.nn<strong>Tom Temin\u00a0\u00a0<\/strong>And just briefly, in your experience, now, your home, you're CEO, you\u2019re running Coalfire. Just what do you think are the top say three challenges you see in the federal government as it tries to get cyber secure with mixed results?nn<strong>Tom McAndrew\u00a0\u00a0<\/strong>Oh, only three times? I don't know. There's, there's, there's quite a bit, maybe I'll kind of put it in a couple different broad groups. So maybe the first one is just cybersecurity policy. Right? There are so many different federal agencies, federal regulations that are happening, and we're sick of it. Right, just when you're the cybersecurity practitioner, a new rule from the SEC, a new rule from DHS a new rule from a state. So, one of our first challenges is we've got to centralize our policies and standards to make things easier for the consumers.nn<strong>Tom Temin\u00a0\u00a0<\/strong>And maybe have fewer of them.nn<strong>Tom McAndrew\u00a0\u00a0<\/strong>Fewer. Yeah, definitely. And then I mean, a good example right now is like SEC has a mandate that you have to disclose breaches within three days, but DHS has a draft rule that would require that in four days. And you know, states have different requirements. If we're going to be some disclosure, if we agree what the right year what the timeframe is, so you're not mapping those. So, policy will be number one, I think the second part is really the reaction to ransomware. 
And if you if, if you look at what's happened within cybercrime, I mean, cybercrime is now going to be the amount of money that's happening, it's something in the realm of like $10 trillion, like it would be like the third or fourth largest country, if cybercrime was a country, so it's huge. Ransomware is a huge part of that, that everybody is struggling with. And we really don't have a good answer. Right now, if you go to the FBI, the FBI will tell you, we don't recommend paying ransomware you don't get the money back. But there's no answer of what helped me solve the problem. It's a commercial problem that you have to solve. So, I think as a nation, we've got to solve ransomware. And then maybe the third area to really talk about is that cybersecurity workforce and just making sure that we're hiring and retaining the best it's very difficult from the federal government side to do job postings to get people and what I find it's not a Pay Issue. Everyone thinks it's paid. And it's government. It's generally I mean, that's a component but it's generally the bureaucracy of hiring, retaining getting those people is really that so if we can streamline the way that we hire and retain the cybersecurity workforce, it would be a huge change.<\/blockquote>"}};

Cybersecurity becomes almost a personal matter when you’re working in a war zone and information superiority is a must. My next guest spent 14 months in Afghanistan before the U.S. withdrawal. The retired Navy captain is now CEO of Coalfire, a cybersecurity company. Tom McAndrew joins the Federal Drive with Tom Temin.

Interview Transcript: 

Tom Temin  And you’ve kind of pivoted back and forth between industry and as a reservist, where the reserve became much less of a potential and more of a reality, it sounds like.

Tom McAndrew  Yeah, it was interesting. I think most people aren’t aware of the way that the world works. But a huge part of our military force is made up of reservists and National Guardsmen that have everyday jobs, and then answer the call when our nation asks. And I have the great privilege of being a Navy reservist and being sent back out to the Middle East for right about a 400-day deployment, which was interesting to say the least. But it was a great, great experience, and I’m happy to share it here.

Tom Temin Yeah, that’s more than a weekend or a couple of weeks, 400 days. And what did you do over there?

Tom McAndrew  Very, actually, I was very lucky. I got sent over there. And, you know, when you show up, the way it works is there are requirements. But then there are also the needs of what’s going on there. And at the time, when I showed up there, there was a big need on unmanned systems and AI. So, as we worked with a lot of the partner nations that we had out there, they were very interested in unmanned capabilities and getting more information. And so, this idea came up of creating what ended up being Task Force 59, which is the Navy’s first forward deployed unmanned task force that focused on unmanned systems and AI integration. And so, it was great to be kind of an entrepreneur, and like working with startups, kind of doing a startup within the DOD was both fun, but also challenging as well.

Tom Temin  And Task Force 59 was floating or flying?

Tom McAndrew  Yeah, it’s kind of interesting that in the Navy you’re on the shore, and I spent most of my time in Bahrain out there. But it’s a little bit of both. One of the issues with the military is we tend to kind of have, you know, pilots fly airplanes and ship drivers that drive ships. And we have very different things when it comes to unmanned, kind of an all-domain sort of area. And so, as you see now happening with Ukraine and other areas, that has evolved, so it was kind of a first-of-its-kind task force that we learned a lot of different things from, and it’s still there, it’s still growing, it’s still making a big difference out there. So, it’s just great to be part of it.

Tom Temin  Now at the time you departed for the 400 days, were you the CEO of Coalfire at that time?

Tom McAndrew  Yeah, it was interesting. I’m a CEO of a private equity backed company. And I remember getting the orders and not knowing what would happen, right? In other words, we have a lot of these rules that protect National Guardsmen, reservists, which require you to, you know, keep their job, make sure they would get promoted. But that doesn’t really work as well when you’re the CEO; you can’t really delegate the strategy of the company for a year, you can’t do those areas. And so, I got lucky in one respect, because you get sent to wherever you need to go. And luckily, I was largely part of some shore commands. So, I was able to kind of do my day job and then log on at night and do Zoom calls. And, you know, back then we still had COVID going on, from 2021, 2022. So being more remote was less of an issue than maybe it would be today. It certainly had some challenges to it. And there’d be times, like we had the withdrawal from Afghanistan that we supported, that there were certain periods where I just told the team, hey, I’m out for the foreseeable future. I’ll come back online.

Tom Temin  Interesting. So yeah, I mean, you’re not at the level where you’re going to invoke necessarily detailed employee rights with the investors, because you are the CEO. But I imagine you had to probably put in 18-hour days at the minimum, to at least minimally oversee the back-home duties while doing full time for the military.

Tom McAndrew  You’re the CEO and ultimately, I mean, they’re both 24/7, 365. So, what’s great is I had great military bosses that understood the unique skill sets that I brought in and provided some flexibility. And then the same thing back with my company, right, and how to manage this. So, what we were doing, integrations and, you know, support on that on the back end. And then on the military side, right, there’ll be ups and downs and things like that. So yeah, it was definitely a challenge. And I didn’t really know how it would work, but really kind of took it one day at a time. And I think that’s one thing that maybe a lot of Americans really don’t understand, is just how amazingly supportive and creative I think our military leaders are in taking the best that they can from reservists and National Guardsmen out there. I mean, since 2001, there have been over 800,000 people mobilized to support our needs, and we continue to stand by.

Tom Temin  We’re speaking with Tom McAndrew, he is CEO of Coalfire and a retired naval captain. Is there a support group for people at the executive level who get called into long deployments, to kind of share best practices for keeping your company alive and led even while you’re away?

Tom McAndrew  I wish there were; maybe there are. If I did, maybe I’m just not hanging out there. I mean, most of all, it doesn’t happen a whole lot, right? I mean, just the burdens of both are difficult. And usually, people find other ways to kind of give back. There is what’s called ESGR, which is the Employer Support of the Guard and Reserve. And they’re a great resource that provides support for any reservists or guardsmen as they deal with mobilization deployments. And their job is to provide resources, help out, and also help educate employers on what they need to do by law, and also kind of what are some best practices. Like a good best practice that a lot of people have is when reservists or guardsmen do their two or four weeks, they’ll continue to pay them or do their differential pay or cover their health insurance. Because these little nuances become a big deal. If you end up shifting your medical, you’ve got families and all those sorts of areas. So, the ESGR is one great support that’s really helped out as well. And then on the civilian side, larger organizations tend to have, you know, big veteran support groups, but smaller ones really don’t. And I’m lucky, we have, you know, over 100 veterans in our group. But when it comes to kind of reservists and guardsmen, it’s pretty small. And I think most people don’t really realize the dual lives that a lot of people live.

Tom Temin  And working in the area that you mentioned, the Task Force 59, unmanned systems, these are all data and network driven types of operations. And so, you had, I’m guessing, a pretty visceral understanding of the importance of keeping all of that secure. Did the learnings that you had in working with Task Force 59 maybe inform a little bit of the cybersecurity work that you do?

Tom McAndrew  My worlds have all kind of come together. Right, I was active duty in the Navy for five or six years. And then when I got out, I actually wanted to kind of completely detach from the DOD and I, you know, joined a small cybersecurity startup and worked with banks and regulations. And today, the background of, you know, security, the cybersecurity business, is regular business for organizations. And, you know, cyber warfare used to be something nobody knew about. But now it’s in the news every day. And you know, we leverage our commercial systems, right? We leverage a lot of commercial platforms, what’s out there in the industry. So, all that stuff is really kind of coming together. So, I’m lucky slash unlucky to kind of have been in both the civilian world and the military world, and then to see the importance of cybersecurity emerge has been fantastic.

Tom Temin  And after five years in the Navy, you’re still pretty young, and you’re not a total career, 25-, 35-, 45-year type of person. Do you feel that going into business and being in leadership positions is maybe easier having had a short military stint, versus some of the many-starred individuals that come out after 35 or 40 years and find that business is a totally different environment, with a wholly different command and control culture than they might have had for those 35 or 40 years in the military?

Tom McAndrew  Yeah, absolutely. I actually just had a conversation yesterday with a retired three-star admiral. And, you know, when I was talking to him, I said, you know, the difference is today we live off of our iPhones, our emails, right, and we do all the prep, and in a lot of military environments you can’t do that. So, we’re still very pen and paper, and we have a lot of kind of communication structure. And I was talking yesterday, it would be so great if military leaders could get real commercial experience to see how we deal with risk and use technology and do things at a much faster, more efficient pace. And it’s also for civilian leaders to get the military understanding of the authorities and the complexities and the real-world implications. So, it’s very difficult to do both. And it’s not a knock on one or the other. But, you know, no more than you can take a 30-year civilian and make him an admiral and make them run something can you take a 30-year admiral and drop them into this. So, it has much more to do with the people, I think, and the training that they end up doing.

Tom Temin  Yeah, more than the technology. It’s the culture of business where even with subordinates, there’s a lot of collaboration, let’s say and the need to gain cooperation. Maybe that’s more pronounced than it is in the military.

Tom McAndrew  Yeah, absolutely. I would say that the leadership part is the one that I’m probably most thankful to the military for. I mean, I graduated in 2000 from the Naval Academy and went to my first ship in 2001. And I had, I think, 20 or 25 people. 22-year-olds don’t get 25 people that they’re responsible for, many of them older than you, chiefs and other senior leaders that call you sir, but you rely on them, and you build their trust. And so, I’m very grateful to have that experience. And then, you know, 9/11 happened and I’m doing two deployments to the Middle East. And so that, you know, by the time I got out when I was 27, I had had a lot more leadership experience, I think, than others, which really was helpful in a startup. In startups, and in cybersecurity in particular, we have a lot of really good techies that know the technology, but it’s around managing people and leadership and building strong teams. And we see that as a challenge in a lot of cybersecurity spaces.

Tom Temin  And having stepped aboard your first ship in 2001, in many ways you are truly a child of the 9/11 generation.

Tom McAndrew  Yeah, I think we were the last class that went through. We go to what’s called Surface Warfare Officer school. So, when we graduate, we go to Newport, Rhode Island, and, you know, back then it was pre-9/11. So, we thought we’d join the Navy, see the world, and be floating around doing all these port visits. And then our first trip was to Australia; I was in Australia when 9/11 happened. And it totally changed things, so that the classes after us knew when they were training that they were likely to be using it. But we went through it, it was more of this theoretical training. And so that is one of the things I’m always amazed by in the military: when something does happen, you have all this training you go through that you may not really realize how you’re using it or how it’s leveraged. But the teams do a fantastic job of getting together and supporting the mission.

Tom Temin  And just briefly, in your experience now you’re home, you’re CEO, you’re running Coalfire. Just what do you think are the top, say, three challenges you see in the federal government as it tries to get cyber secure with mixed results?

Tom McAndrew  Oh, only three? I don’t know. There’s quite a bit; maybe I’ll kind of put it in a couple of different broad groups. So maybe the first one is just cybersecurity policy. Right? There are so many different federal agencies, federal regulations that are happening, and we’re sick of it. Right, just when you’re the cybersecurity practitioner, a new rule from the SEC, a new rule from DHS, a new rule from a state. So, one of our first challenges is we’ve got to centralize our policies and standards to make things easier for the consumers.

Tom Temin  And maybe have fewer of them.

Tom McAndrew  Fewer. Yeah, definitely. And then, I mean, a good example right now is the SEC has a mandate that you have to disclose breaches within three days, but DHS has a draft rule that would require that in four days. And, you know, states have different requirements. If we’re going to have some disclosure, we should agree what the right timeframe is, so you’re not mapping those. So, policy would be number one. I think the second part is really the reaction to ransomware. And if you look at what’s happened within cybercrime, I mean, the amount of money that’s happening in cybercrime now, it’s something in the realm of like $10 trillion; it would be like the third or fourth largest country, if cybercrime was a country, so it’s huge. Ransomware is a huge part of that, that everybody is struggling with. And we really don’t have a good answer. Right now, if you go to the FBI, the FBI will tell you, we don’t recommend paying ransomware, you don’t get the money back. But there’s no answer of what helps me solve the problem. It’s a commercial problem that you have to solve. So, I think as a nation, we’ve got to solve ransomware. And then maybe the third area to really talk about is the cybersecurity workforce and just making sure that we’re hiring and retaining the best. It’s very difficult from the federal government side to do job postings to get people, and what I find is it’s not a pay issue. Everyone thinks it’s pay. And it’s government. I mean, that’s a component, but it’s generally the bureaucracy of hiring, retaining, getting those people that is really it. So if we can streamline the way that we hire and retain the cybersecurity workforce, it would be a huge change.

The post When cybersecurity becomes a personal matter first appeared on Federal News Network.

DISA’s intel director laying the foundation for new J-2 shop
https://federalnewsnetwork.com/defense-main/2024/07/disas-intel-director-laying-the-foundation-for-new-j-2-shop/
Fri, 05 Jul 2024 20:56:34 +0000

“My big thing in the last year has been how do I build the J-2? I need people, I need authorities, I need capability, I need funding,” said Col. Richard Leach.

The post DISA’s intel director laying the foundation for new J-2 shop first appeared on Federal News Network.

The Defense Information Systems Agency’s new intelligence shop, though small in size, will be vital to the agency’s mission to secure and operate the Department of Defense Information Network.

Last year, DISA announced a sweeping reorganization effort to better align its operations with the Joint Staff and combatant commands the agency supports. Using the J-code system, DISA introduced a J-1 focused on manpower, a J-3,5,7 focused on operations and training, a J-8 in charge of requirements and funding, and a J-2, DISA’s first-ever intelligence shop.

Lt. Gen. Robert Skinner, who serves as DISA’s director and the commander of DoDIN, recognized the pressing need for intelligence to better protect the agency’s assets and that the existing DoDIN J2 unit lacked resources and capacity to support DISA’s unique needs.

“When [DISA’s director] puts on his hat as DISA, he needs intelligence to be able to focus on his equities — the physical, the logical, the cognitive equities of what makes up DISA. Where DoDIN J2, they’re looking across 44 other [areas of operation]. They didn’t have the bandwidth, they didn’t have the resources to be able to dive deep into these equities like he believed he needed,” Army Col. Richard Leach, DISA’s intelligence director, told Federal News Network at the AFCEA TechNet Cyber conference in Baltimore last week.

“That’s the focus for me standing up the J-2 shop, is to really focus on those DISA equities, ensure that our requirements for intelligence are integrated into the defense and industrial enterprise, saying, ‘I need more intelligence on what malicious cyber actors are doing, but I need it written and I need the requirements developed from the perspective of what DISA does.’”

Skinner made the decision to create a J-2 unit directly, so the agency has been reallocating resources, including manpower and funding, from within DISA to form the new shop. Now, Leach, as the unit’s director, is focused on laying the foundation for the J-2 office.

“My big thing in the last year has been how do I build the J-2? I need people, I need authorities, I need capability, I need funding. How do I get billets? How do we move unused billets from the other parts of the agency that aren’t using it over to the J-2?” said Leach.

Since DISA has never had a unit dedicated to intel, the existing jobs within the agency, whether it’s civilian or military personnel, are focused on signal operations or IT roles rather than intelligence.

“We’re having to pull those billets from across other parts of DISA, then I’m having to convert them. Now that I’ve converted them, I have to go back out to the services and say, ‘I no longer need a signal officer or signal [non-commissioned officers], communications NCO of this flavor. We’re going to flip it and we’re going to create an intel billet. I now need the services to fill those billets from the military with intel people,’” said Leach.

The intel shop will initially comprise about 30 people, which is relatively small compared to other J-2 units. Leach’s goal, however, is to start with a more agile team and scale it in the future. But onboarding all 30 people and fully operationalizing the J-2 unit will most likely take at least two years, said Leach.

The unit is operating on a “shoestring budget” right now since the agency is reshuffling its resources to fund the new shop. Leach said he will be leveraging the DoD intelligence agencies that are being funded for similar programs to help the unit meet its requirements.

“Is 30 people enough? Based upon my initial analysis, that’s what we’re going to go with. I did not want to immediately walk in there and say, ‘I need the same standard that a combatant command does.’ Because we’re brand new, because we’re being pulled out of hide, so to say, I wanted to start out small. But we’ve got to be able to start that baseline, we’ve got to be able to build the requirements and understand the DISA requirements,” said Leach.

“I don’t have to do it all by myself. There are plenty of other requirements out there across the Defense Intelligence enterprise. We’re talking NSA, the [Defense Intelligence Agency] and the [National Reconnaissance Office]. All of those that make up the DoD intelligence enterprise have capabilities that I can lean on. That comes down to me creating the requirements and putting those requirements out to getting that feedback.”


Intelligence community pushes for ‘AI at scale’ under new IT roadmap
https://federalnewsnetwork.com/inside-ic/2024/07/intelligence-community-pushes-for-ai-at-scale-under-new-it-roadmap/
Tue, 02 Jul 2024 19:27:53 +0000

The intelligence community is also pursuing initiatives in cloud computing, data management, zero trust cybersecurity and quantum-resistant encryption.

The post Intelligence community pushes for ‘AI at scale’ under new IT roadmap first appeared on Federal News Network.

Podcast: “The intelligence community has a big new tech strategy” (Inside the IC), audio at https://www.podtrac.com/pts/redirect.mp3/traffic.megaphone.fm/HUBB5845872464.mp3

The intelligence community’s new IT roadmap lays out a plan to pursue artificial intelligence “at scale,” as IC technology leaders develop guidance for AI standards and services.

The Office of the Director of National Intelligence published the roadmap, “Vision for the IC Information Environment,” late last month. In an exclusive interview, IC Chief Information Officer Adelle Merritt said the roadmap calls for “bold and transformational investments” in technology. She said the roadmap was developed in coordination with all 18 elements of the intelligence community.

“This roadmap really provides a unified vision for where the IC needs to go over the next five years,” Merritt said on Inside the IC.

The strategy makes clear that officials believe AI is poised to “transform the IC’s mission.” It describes several efforts to advance “AI at scale” through 2030.

“Secure, generative, and predictive AI can reduce the time for intelligence insights from days or weeks to mere seconds,” the document states.

By fiscal 2025, intelligence community officials will develop enterprise guidance for AI, including standards, use policies and architectures, to guide how intelligence agencies adopt the technology. The IC’s recently designated chief AI officer is also leading the development of a new IC-wide AI strategy.

The roadmap also shows that between fiscal 2026 and 2029, officials plan to establish “AI enabling services at scale,” including a model repository and training data.

Merritt said ODNI officials need to move quickly with their guidance to keep up with the rapidly evolving state of AI.

“It is critically important that we focus on getting this out and not let it languish, because things are moving on,” she said. “The world has started to adopt this. And it’s a really exciting capability.”

At the same time, Merritt emphasized that the IT roadmap’s five focus areas and 19 initiatives can’t be done in isolation.

“It is a collection of things that all must be done,” she said. “It’s not something that’s à la carte, that you can pick and choose what you decide you want to work on.”

‘Optimizing’ the IC’s cloud

The intelligence community’s successful use of AI will in large part depend on other elements of the roadmap, including cloud computing, data management and cybersecurity.

“As a CIO, when I hear about AI, I quickly think, you’re going to need a lot of data in order to do AI,” Merritt said. “And to have all that data, I’m going to need to store it. I’m also going to need to process it. And I’m going to need to move it around from where I get it to where the users are. So when I hear AI as a CIO, I’m thinking, storage, compute and transport.”

The roadmap lays out a key initiative to “optimize” the intelligence community’s use of the cloud. Intelligence agencies had initially adopted cloud infrastructure using Amazon Web Services under the CIA’s “C2S” contract. But agencies are now moving to the CIA’s “C2E” contract, which includes five major cloud vendors.

Merritt says four of the major cloud providers have now received an authority-to-operate on the IC’s classified networks.

“So we now have some of the best cloud capability on the planet available to us, and so making sure that we continue to nurture that infrastructure underneath upon which all the amazing capabilities will be added,” Merritt said.

In fiscal 2025, the roadmap describes how the intelligence community will develop “a tool, methodology, or process to help IC elements determine which approach and service provider would be most appropriate to meet their individual requirements.”

Merritt said a multi-vendor cloud environment is “critical” for the IC.

“It is critically important that we turn the different capabilities that each of these unique cloud service providers have and turn them into mission advantage, and not just resort to the lowest common denominator,” she said. “And so much as we learned how to operate in a single cloud environment, we are now turning our attention to learn how to operate and thrive in a multiple cloud environment.”

Zero trust steering committee

The roadmap also homes in on “robust cybersecurity” as a key focus area. And the IC’s strategy for zero trust largely lines up with the Defense Department’s timelines for adopting the security architecture.

The strategy states the intelligence community will achieve a “basic” level of zero trust maturity by Sept. 30, 2025, and an “intermediate” state by Sept. 30, 2027.

Merritt said the IC has also established a “zero trust steering committee” to guide those efforts. The committee includes officials from all 18 elements of the intelligence community.

“Some of our elements have done some amazing things on their zero trust journey, and they have been very willing to share,” she said. “So we’ve had some technical exchanges where we brought in subject matter experts in a specific area and invited technical experts from across the elements to learn and to ask questions, so we can accelerate our journey by sharing our knowledge.”

Meanwhile, the roadmap also highlights the move to post-quantum cryptography. “Cryptographic security in a post-quantum world will be pivotal for safeguarding data and digital communications,” the document states. “This includes the development and deployment of advanced cryptographic algorithms designed to be secure against threats from quantum computers, both in commercially available and government devices.”

By fiscal 2027, the intelligence community plans to deploy quantum-resistant cryptography solutions “to bolster the confidentiality of IC networks and transport services,” the plan shows.

Merritt said the IC is working on the plan for deploying quantum-resistant algorithms in the coming years.

“It is important that we do this in a deliberative, thoughtful way, because whenever you start to change technology, you do open up some risk,” she said. “And so when we talk about this as being a race, we can’t be moving so fast that we get sloppy on this.”

A big Defense cybersecurity requirement for contractors moves closer to reality
https://federalnewsnetwork.com/cybersecurity/2024/07/a-big-defense-cybersecurity-requirement-for-contractors-moves-closer-to-reality/
Tue, 02 Jul 2024 17:25:41 +0000

Not yet in effect, the Cybersecurity Maturity Model Certification program rule is now at the White House for review.

Podcast: “A big Defense cybersecurity requirement for contractors moves closer to reality” (Federal Drive), audio at https://www.podtrac.com/pts/redirect.mp3/traffic.megaphone.fm/HUBB5256375431.mp3

The long-awaited final rule on a Defense Department cybersecurity program is almost out. Not yet in effect, the Cybersecurity Maturity Model Certification (CMMC) program rule is now at the White House for review. So you might as well get used to the idea. Joining the Federal Drive with an update, attorney Eric Crusius of Holland and Knight.

Interview Transcript:

Tom Temin  Eric, I guess the accurate thing to say is this rule is sent over per rulemaking protocol to the Office of Information and Regulatory Affairs.

Eric Crusius  That’s right, it’s there. We’re just waiting for them to review it and release it. And then we’ll, we’ll see all the joys of CMMC come to fruition.

Tom Temin  And what do we know about the final rule based on what we saw of the last version of the proposal and comments?

Eric Crusius  So, the programmatic rule came out in December, the day after Christmas, a nice Christmas gift for the entire defense industrial base. And it was a big one, too. It was quite lengthy. I confess, I did steal some time away from my family while I was traveling to print it out and read it. But there are a lot of things that were made clear in the proposal. But there are some things that were left open, I think, that we’ll see the final rule kind of address.

Tom Temin  What are the key takeaways then that people need to know, especially small businesses or large businesses that are going to be subjected to this? I mean, it applies across the board.

Eric Crusius  Right. I do think that this demonstrates the Department of Defense’s dedication to this rule. They pushed this through very quickly. They got a lot of comments on it, hundreds of comments. And they adjudicated those comments really quickly, when you think about it, because the comment period only closed earlier this year, just a few months ago. And they’ve already gone through all those comments and have now addressed those comments, edited the rule, and sent the final rule over to OIRA for review.

Tom Temin  Right. And just by way of our own review, CMMC is a way of ensuring that contractors have in place basic cybersecurity hygiene programs of their own, and that they can prove that they have them to the government.

Eric Crusius  That’s right. And depending on the kind of information you hold for the government, it’s either a self-certification, or a third-party certification, or possibly a DoD certification on top of a third-party certification. So, it’s a kind of a step-up process through three levels.

Tom Temin  Right, and the rules apply, or there’s different versions of the rule, whether you’re a large company, small company or a subcontractor, and it goes down to the subs of the subs.

Eric Crusius  It goes all the way down until you get to a commercial off-the-shelf provider, a COTS provider, but it has a broad-based applicability throughout the supply chain. Small businesses will be subject to it, and of course, DoD has come under some criticism about the cost of the rule for small businesses. And they’ve tried to address it by having something like Project Spectrum, which is … online, you could look at it, that has a lot of information for contractors, and also some techniques that contractors use, small businesses in particular, like using a managed service provider or managed security provider, kind of managing the system. There’s no need for most small and medium-sized businesses to set up their own bespoke system to be compliant; they could plug into a system that’s already been built and just customized for them. And it’s not cheap, but it’s far less expensive than the alternative.

Tom Temin  Well, you would want to have some cybersecurity system in place anyway, if you’re an operating company with clients, and you could have the potential to be in possession of federal information on your systems.

Eric Crusius  Exactly. For most companies, it’s not just a matter of regulatory compliance. It’s also a matter of what’s good business practice. And it’s hard because these business practices are not cheap. But on the other hand, responding to a cybersecurity incident is very expensive. And the potential lawsuits that can follow contract cancellations that can follow are far more expensive than kind of paying up front for good cybersecurity hygiene.

Tom Temin  And just what can we expect of the timeline here, as the rule has been at OIRA for just a few days? What is the protocol for OIRA to review it and release it back to the agency for finalization?

Eric Crusius  They have 90 days usually to review the rules. So, they’ll probably take a lot of that 90 days to review it, then they’ll send it back to the Department of Defense. The Department of Defense will then edit it and publish it on the Federal Register, or have it published on the Federal Register. And of course, we’re still waiting for the proposed DFARS rule, which is the rule that would actually go into the contracts. That’s also at OIRA. And I expect that we’ll see that sometime this summer. And that rule was behind the programmatic rule. But I imagine the turnaround for that rule will be quicker. So, they might probably catch up to the programmatic rule eventually. Right. Because without the DFARS rule, then there’s no teeth in the CMMC rule. Right? It’s just this programmatic rule that lives in DFARS somewhere, but it’s never in a contract. So, they eventually need to get it into contracts.

Tom Temin  We’re speaking with attorney Eric Crusius. He’s a partner at Holland and Knight. And with respect to the costs of CMMC, is there any rule of thumb such as a percentage of your revenues or a ratio to sales to the government type of thing that you can as a company have some idea what it will cost you?

Eric Crusius  Unfortunately, not. It’s going to be highly dependent on where a contractor is right now. If they’ve been compliant with NIST 800-171 and they have controlled unclassified information, the step up to get a CMMC certification is not that great; it’s just a matter of paying an assessor to come in and assess. It’s not quite that simple, but that’s the major cost there. If a company has really been ignoring these obligations, even though they’ve been in contracts for a while now as a self-certification, then the cost is going to be much greater, because they have to pay that tech debt, essentially, get up to speed and then get assessed. So for each company it’s going to be quite different. Obviously, the small businesses are going to bear the brunt of this. They’re an important part of the defense industrial base. I’d also add that there are a lot of international companies that do a lot of business with the Department of Defense that are also going to have a high cost and not really a path forward, or an understanding of where they’ll come out, because there aren’t necessarily assessors overseas yet. So fairly large contractors that live overseas are going to have to navigate those waters as well.

Tom Temin  Right? The DIB extends to places like Finland and Israel and a lot of other northern European countries, all you have to do is walk through the aisles at the army show, for example, in Washington every year, and wow, I didn’t know they made that stuff in Norway, right? Like it’s all over the place.

Eric Crusius  It’s very true. It’s very true. So, DoD will hopefully have a way to address that moving forward, it sounds like they’re going to, they’re going to work to kind of shore up the international shortfalls that we’ve seen so far. Because they recognize obviously that that’s a very important part of the DIB.

Tom Temin  Yeah, so preparation for this has been a long time coming. I mean, the first CMMC program was envisioned and constituted to some degree during the Trump administration, so it goes back six, seven years or so now. The assessor base, the people that are going to be in demand to assess companies, is that in place, as far as we know?

Eric Crusius  It’s getting there. There are assessors that are ready to go. There are C3PAOs, as they call them, the companies that are able to hire and maintain those assessors, assessment teams. Depending on when you look, the last time I checked there were, I think, over 53 C3PAOs, and most of them will have multiple assessment teams. That’s still not a lot for the number of companies in the DIB that will need a third-party assessment; DoD estimates more than 76,000 will need an assessment. So obviously it’s going to require a slower rollout of the program to enable companies in the supply chain to be able to get assessed. There is a voluntary program now, the joint surveillance program, where you get assessed now and your assessment converts to a CMMC Level 2 assessment. That’s what a lot of companies are choosing to do, so they don’t get caught up in the crush that can happen when the rule comes out. The downside of that is that if the rule never comes out, you’ve wasted your money getting an assessment, or the time starts right now. An assessment is good for three years. If you get a joint surveillance, say, September 1, that clock starts running on September 1, not when the rule is in effect. To most companies, that’s a small price to pay. So there are a lot of folks out there inquiring about getting joint surveillance, and they’ve done dozens of them now. It’s a fairly successful program.

Tom Temin  Right, so every third year means you’re not unduly burdened by an assessment process year after year after year. But it also runs the risk that you might forget, you know, if staff turns over: what’s this thing we did three years ago?

Eric Crusius  Right? Yeah, and you certainly don’t want to forget, because it is a go/no-go. If you don’t have that assessment and the clause in your contract requires it, you can’t perform the work. So that’s a great point; it’s really great to have policies and procedures in place that will be there no matter who’s in that chair responsible for that assessment.

Tom Temin  Which means there is some burden incumbent on the government, because once the DFARS rule is in place, and if it’s for a certain number of contracts, it’s going to have to get into the contract writing systems.

Eric Crusius  That’s right. Yeah, the government, the Department of Defense specifically, is going to really have to ramp up and understand when this goes into contracts, when it does, and what level contractors are going to be required to have to perform the work. That’s going to be dependent on the kind of information they have. So there’ll be, on a contract-by-contract basis, some kind of determination as far as: is this applicable? What level is going to be required? I imagine that will be the subject of some protests as well, pre-award protests where contractors are going to say, no, there’s no CUI in here, it’s only Level 1 required. Maybe that contractor is arguing that because they don’t have a Level 2 assessment just yet.

Tom Temin  And does this apply ultimately to every vendor or just certain ones? That is to say, does CMMC certification apply to Sam delivering 10,000 eggs from the free-range farms to an aircraft carrier, or only to people making ordnance, command and control systems, electronics, that kind of thing?

Eric Crusius  It’s going to apply to everyone if you’re selling, like, if the eggs aren’t bespoke eggs for DoD, maybe they have some special eggs for the aircraft carriers, then it’s probably not going to [apply]. Keeping? That’s right, six months at sea. Yes. So those folks who are just providing things that you could go in the store and buy, they won’t be subject to CMMC. But if you’re providing something that’s commercial in nature, or providing something that you’re making for DoD specifically, then it’ll be applicable to you. And I’d be interested to see if other agencies pick this up as well. I imagine there are other civilian agencies kind of waiting around seeing how this goes. And if CMMC too.

Tom Temin  Sure, and maybe it won’t take 90 days for OIRA to come out with this. I mean, if they knew back at Christmas that it was coming, right? Maybe they’ve done a little pre-reading. We can’t tell for sure, but let’s hope.

Eric Crusius  Right and I suspect that there won’t be a lot of changes to the final rule versus the proposed rule, maybe just cleaning up a few things. And if that’s really the case, then I don’t, I could see OIRA going quicker with the rule.

The post A big Defense cybersecurity requirement for contractors moves closer to reality first appeared on Federal News Network.

Paying down the cyber skills debt (https://federalnewsnetwork.com/cme-event/federal-insights/paying-down-the-cyber-skills-debt/, Tue, 02 Jul 2024 16:10:46 +0000)
How is the State Department strengthening the cybersecurity workforce?

The post Paying down the cyber skills debt first appeared on Federal News Network.

Are you keeping up with the needs of the cybersecurity workforce?

Join host Tom Temin and his guest, Ray Romano, deputy assistant director for Cyber Threat and Investigations at the State Department as they discuss innovative strategies for expanding and improving the cyber workforce. In addition, Sarah Cleveland, senior strategic advisor at ExtraHop will provide an industry perspective.

Learning Objectives:

  • The cyber workforce at the State Department
  • The State Department AI strategy in cyber operations
  • Industry analysis

Federal Executive Forum Zero Trust Strategies in Government Progress and Best Practices 2024 (https://federalnewsnetwork.com/cme-event/federal-executive-forum/federal-executive-forum-zero-trust-strategies-in-government-progress-and-best-practices-july-2024/, Tue, 02 Jul 2024 14:13:14 +0000)
Where are agencies in their zero trust journey?

The post Federal Executive Forum Zero Trust Strategies in Government Progress and Best Practices 2024 first appeared on Federal News Network.

Where are agencies in their zero trust journey and how has strategy evolved to meet new security demands?

During this webinar, you will gain the unique perspective of top federal and industry cybersecurity experts:

  • La Monte Yarborough, Chief Information Security Officer, Department of Health and Human Services
  • Rob Thorne, Chief Information Security Officer, U.S. Immigration and Customs Enforcement
  • Chris Wallace, Chief of Cybersecurity and Chief Technology Officer, Program Executive Office, Defense Healthcare Management Systems
  • Michael Epley, Chief Architect & Security Strategist, Public Sector, Red Hat
  • Greg Carl, Principal Technologist, Pure Storage
  • Paul Kurtz, Chief Cybersecurity Officer & Field Chief Technology Officer, Splunk
  • Moderator: Luke McCormack, Host of the Federal Executive Forum

Panelists also will share lessons learned, challenges and solutions, and a vision for the future.

Evolving hybrid cloud strategies in modern agencies (https://federalnewsnetwork.com/cme-event/federal-insights/evolving-hybrid-cloud-strategies-in-modern-agencies/, Mon, 01 Jul 2024 18:34:20 +0000)
How are the CDC and TSA managing cloud adoption to meet their missions?

The post Evolving hybrid cloud strategies in modern agencies first appeared on Federal News Network.

May was the three-year anniversary of President Joe Biden’s cybersecurity executive order.

At the same time, June was the five-year anniversary of the Office of Management and Budget’s cloud smart policy.

These two anniversaries mark important mileposts in agency digital transformation journeys.

The latest data from Deltek, a market research firm, found agencies could spend more than $8 billion on cloud services in fiscal 2025. That is up from over $5 billion in 2020.

As agencies spend more on cloud services and continue to keep some applications and data on-premise, security in this hybrid cloud setup becomes even more important.

Agencies need tools and capabilities to monitor applications and data on-premise and in the cloud. They also need to understand the data to make faster and more accurate decisions.

At the same time as agencies are moving applications and data to the cloud and ensuring its security, they have to balance those efforts with improving the employee and customer experience.

Joe Lewis, the chief information security officer for the Centers for Disease Control and Prevention in the Department of Health and Human Services, said his agency is prioritizing the modernization of systems and workloads that serve emergency response and public health crises.

“CDC is full steam ahead on cloud migration and modernization. I think we have embraced the notion that we are going to have legacy workflows that have to reside on-premise, which means that we will perpetually live to some degree in some level of hybrid cloud,” Lewis said on the discussion Evolving Hybrid Cloud Strategies in Modern Agencies. “In that space, I feel like we are working to solve long-standing legacy technical debt problems as we modernize workloads and applications and things that historically were built in stovepipes into more enterprise level platforms that enable data sharing and visualization, and more importantly, the ability to make faster decisions around public health. It’s an exciting time. It’s probably some of the most agile work I’ve seen in my nearly 20 years in the federal space.”

At the same time the CDC is trying to modernize legacy technology, Lewis said changing organization culture is an equally important goal.

Moving to a hybrid cloud culture

He said getting employees to embrace new ways of doing business, specifically how technology can help solve more complex problems, is a key piece to the entire modernization effort.

CDC is not alone in facing this challenge. At the Transportation Security Administration, the pace of change isn’t always comfortable.

“At TSA, a real struggle of bringing people up to a certain level of saying, ‘here’s the next thing, here’s the next change,’ and that constant effort of continuous improvement has really been a real struggle of keeping everybody up to date,” said Dan Bane, the branch manager for secure infrastructure and vulnerability management in the Information Assurance and Cybersecurity Division for Information Technology at TSA in the Department of Homeland Security. “When you have large organizations bringing those people along with the IT changes that are happening so rapidly, it’s a real challenge for the organization.”

TSA has been on a modernization journey for several years, initially starting with infrastructure-as-a-service (IaaS) and transitioning to software-as-a-service (SaaS) most recently for business and mission critical functions.

“We’ve found that some of the expenses that we ran into with some of the SaaS and then also some of the complexities of the technical debt, we didn’t really have people that were really capable at deploying some of those technologies on a quick scale. Frequently the development teams were getting ahead of our security teams,” Bane said. “Our CIO Yemi Oshinnaiye has really helped us integrate a development secure operations DevSecOps approach. It’s not perfect, but we’re a lot better than we were.”

Bane’s team is working more closely now with the development teams, integrating security tools to help automate checks of code to ensure there is speed to production.

“It’s really an area where we are sitting down with an engineer and going through every setting and every activity, and then getting the monitoring capabilities for those different applications running back into our security operations center. It is a huge lift,” he said. “It really becomes an area where we are trying to standardize on a couple of different infrastructure and platforms that we try to build on top of those, instead of this service, that service, this service. Those things have taken a great deal of time, and have really impacted the IT operations’ ability to really deliver the mission capabilities of what we’re trying to do for the organization.”

Reducing tools, complexity

The need to address the culture change as part of the overall modernization journey is common among public and private sector organizations.

One way to ease that change is by reducing the number of tools an organization relies on, and then bringing them all together through a single pane of glass, said Brian Mikkelsen, the vice president and general manager for U.S. public sector at Datadog.

“Historically, you’ll have a network group, a [security operations center] group, an operations team, a development team and, then probably, all kinds of different interactions between those teams. But each of those teams have historically had their own tools. They’ll use one tool for the network; one tool for infrastructure observability; another for application performance monitoring (APM); and then something that connects perhaps legacy on-premise security and maybe another tool for cloud security,” Mikkelsen said. “A new way of thinking is built from having an end-to-end observability and security platform. One of the primary things we help customers with is tool reduction and bringing teams into a very common understanding of the health and security posture of their infrastructure and cloud architecture.”

He added that by breaking down silos across disparate teams and creating a single source of truth, each team has the same data and can address challenges as they arise.

Having the single source of truth also makes it easier for agencies to decide which applications can go to the cloud today, which ones will need some work, and which ones need to stay on-premise for the foreseeable future.

“What we’re doing is we’re helping federal agencies visualize and instrument their existing legacy platforms, which inherently allows them to baseline and create a roadmap for what they want to prioritize,” Mikkelsen said. “The first question I would ask is just simply, ‘whatever solutions we’re bringing to market, does this connect the dots?’ What I really mean by that is does it provide for tagging, for correlation and for automation? Or am I creating yet another silo? Or am I breaking down silos and bringing teams together? All of this connects to what we’re really trying to do, is these systems are capabilities that deliver experiences to our citizens, our employees, and so all this revolves around also citizen experience initiatives.”

Learning objectives:

  • Overarching cloud strategies and where agencies stand today
  • Approaching security and compliance to PREM
  • What are the meaningful priorities in the next 12-18 months

False Claims Act allegations leave two contractors with millions of dollars in fines (https://federalnewsnetwork.com/federal-newscast/2024/06/false-claims-act-allegations-leave-two-contractors-with-millions-of-dollars-in-fines/, Fri, 28 Jun 2024 13:56:20 +0000)
Guidehouse paid $7.6 million and Nan McKay & Associates paid $3.7 million to resolve claims that they violated the False Claims Act.

The post False Claims Act allegations leave two contractors with millions of dollars in fines first appeared on Federal News Network.

  • The Justice Department's Civil Cyber-Fraud Initiative chalked up another successful case by winning more than $11 million from two contractors to resolve False Claims Act allegations. Guidehouse paid $7.6 million and Nan McKay and Associates paid $3.7 million to put to rest claims they violated the False Claims Act. The companies failed to meet cybersecurity requirements in contracts intended to ensure a secure environment for low-income New Yorkers to apply online for federal rental assistance during the COVID-19 pandemic. Guidehouse and Nan McKay admitted that they failed to satisfy their obligation to complete the required pre-production cybersecurity testing of the system.
  • House appropriators are digging in even further into federal telework and agencies’ return-to-office policies. One fiscal 2025 spending bill that the GOP-led committee advanced this week includes language targeting teleworking feds. Language accompanying the bill would set new requirements for agencies to publicly report their policies on telework and office space. It would also require agencies to publicly share their office space utilization rates in the D.C. area. Unions are pushing back against the language, saying that telework policies should be tailored to the nature of employees’ work, rather than having a one-size-fits-all approach.
  • Two Defense Department projects made the cut for the Presidential Federal Sustainability Awards the White House announced this week. One is a project the Air Force has been working on since 2019 at Florida’s Tyndall Air Force Base, about half of which was destroyed by Hurricane Michael the previous fall. The White House credited Air Force officials with rebuilding with a “base of the future” in mind, and using construction techniques that should make the installation more resilient against severe weather. The second is the huge Edwards Air Force Base solar project, which became one of the world’s biggest solar and battery storage facilities when officials cut the ribbon last year. The 4,000-acre project is also DoD’s biggest public-private partnership to date.
  • The Federal Risk and Authorization Management Program (FedRAMP) finalizes the "fast pass" approval process for AI tools. The FedRAMP cloud security program is opening up its doors to specific types of generative artificial intelligence capabilities for priority approvals starting August 31. Under the new emerging technology prioritization framework, FedRAMP is telling vendors to submit three types of GenAI tools for expedited reviews. The FedRAMP management office said it will start with GenAI tools used for chat interfaces and code generation, and debugging tools that use large language models and prompt-based image generation. It also will review associated application programming interfaces (APIs) that provide these functions. It will release the first list of prioritized AI tools by September 30.
  • The Defense Counterintelligence and Security Agency is managing a surge in security clearance applications. DCSA Director David Cattler said his agency is receiving up to 11,000 new applications for investigations every week. The surge has led to longer security clearance processing timelines. Cattler told the House Oversight Committee this week that secret-level cases are taking an average of 92 days to process and a top-secret case about 188 days.
    (An examination of DOD’s struggling background check system - House Oversight and Accountability Committee )
  • For the first time in a decade, the Government Accountability Office is out with a proposed revision of federal internal controls. Called the "Green Book," GAO said its changes emphasize preventive control activities and highlights management's responsibility for internal control at all levels and within all functions of an agency's structure, such as program and financial managers. The proposed revisions provide additional requirements, guidance and resources for addressing risk areas such as fraud, improper payments and information security when designing, implementing and operating an internal control system. GAO has not updated the Standards for Internal Control in the Federal Government since 2014. Comments on the proposed revisions are due by August 26.
  • The Department of Homeland Security is expanding a new cyber personnel system. DHS established the Cyber Talent Management System (CTMS) in 2021. It got off to a slow start, but DHS has now hired nearly 200 people using CTMS. DHS Chief Information Officer Eric Hysen said the department has made hundreds of offers using the system. Hysen told the House Homeland Security Committee that in the coming years, DHS will expand use of CTMS across the department.
  • The Partnership for Public Service is down to just six finalists for the 2024 Sammies People’s Choice Award. The finalists are part of the larger awards program, which recognizes the work of career civil servants. The People’s Choice finalists include one team that made it possible for non-tax forms to be electronically submitted to the IRS. Another finalist developed an app that lets veterans use their phones to make health care appointments and manage insurance claims. Voting on all six finalists is open to the public until July 12. The winner will be recognized later this year during a Sammies ceremony at the Kennedy Center in Washington, D.C.
    (2024 Sammies People’s Choice Award finalists - Partnership for Public Service)
