Category Archives: Environment and World Security

CARES Act Delivery Hampered By Old Tech, Bad Data

FCW

Aspects of the federal government’s economic response to the coronavirus pandemic were marred by outdated state technology software and a crushing volume of beneficiaries that overwhelmed many systems, according to a new report from the watchdog Government Accountability Office.

_____________________________________________________________________________

“Federal officials said “the ability to easily modify data systems to incorporate new flexibilities varies among state and local agencies,” leading to numerous delays and interoperability challenges across multiple recovery programs related to the Coronavirus Aid, Relief, and Economic Security Act passed in March.

Agencies like Health and Human Services reported that states had to coordinate across different data systems to serve existing beneficiaries as well as a surge of new applicants for programs like Electronic Benefit Transfer and Supplemental Nutrition Assistance Program payments. Meanwhile, uneven technological sophistication across different states made remote collaboration in the wake of the pandemic a challenge while coordinating payments for the Women, Infants and Children (WIC) program.

According to Department of Labor officials, many states processing unemployment claims were using “information technology systems that date as far back as the 1970s” and crashed under the load of newly laid off workers filing for benefits. The department has provided federal grants, technical assistance and guidance to help modernize those systems, but “relatively few” states conducted adequate load-testing to handle the volume of claims they have received since March.

These systems were already straining, with federal and state governments overseeing more than $2.7 billion in improper unemployment payments in 2019, and overseers worry the numbers will look even worse this year as the government has rushed to respond to the economic fallout of the virus.

“DOL’s experience with temporary UI programs following natural disasters suggests there may be an increased risk of improper payments associated with CARES Act UI programs,” auditors wrote.

A rushed response also led the IRS to send more than a million stimulus checks to citizens who were deceased. As FCW has reported, the agency emphasized speed to get relief dollars into the hands of Americans as soon as possible, leading to processing errors and opening the door to potential fraud. Auditors suggest that implementing 2018 recommendations to align their authentication practices with NIST cybersecurity guidance and making better use of death data housed at the Department of Treasury and other agencies could address the problem.

Auditors noted that “IRS has full access to the death data maintained by the Social Security Administration…but Treasury and its Bureau of the Fiscal Service, which distribute the payments, do not.”

In a response attached to the audit, IRS Chief Risk Officer Tom Brandt said employees worked “around the clock since mid-March to develop new tools and new guidance” to handle economic impact payments but that “our work is not done yet” and the agency will consider the GAO’s recommendations further.

Information technology challenges and delays also reportedly hampered efforts by the Small Business Administration to process economic injury disaster loans, though details are scarce. The report paints a portrait of a disorganized agency that was at times unresponsive to oversight. While auditors asked to meet with agency officials on April 13 to get more detailed information on individual loan data and other aspects of the response, SBA didn’t agree to a meeting until June 1 and provided “primarily publicly available information in response to our inquiries” about loan data.

In a statement, House Oversight and Government Reform Chairwoman Rep. Carolyn Maloney (D-N.Y.) said the report “provides a comprehensive and independent look at the Trump administration’s incompetent and dangerous response to the coronavirus pandemic” and pressed for more information on IRS stimulus payments to dead Americans. She also called on SBA to address transparency concerns about its loan program “immediately.”

SBA responded to a draft version of the report disputing GAO’s claims, saying they offered staff for interviews and provided 420 pages, including “information on loan numbers and loan volume, the number and type of lenders participating in [the Paycheck Protection Program], loan numbers and loan volume for each type of lender, loan numbers and volume by industry and state” and other figures.

“To be clear, SBA has never refused to provide data to GAO,” wrote William Manger, Chief of Staff for Administrator Jovita Carranza.

Federal agencies were of course not immune from technological troubles, and the audit suggests modernization efforts at the IRS, the Department of Housing and Urban Development and other agencies can better position them to process funds related to the CARES Act.

The report also posits that agencies could make better use of a number of existing contracting authorities and programs, including contracts that allow work to begin before a final agreement is reached, Other Transaction Authority (OTA) that sidesteps certain federal regulations to prototype new technologies and higher spending thresholds for emergency purchases.

GAO is currently working on separate reports examining how agencies planned and managed contracts related to the pandemic, reimbursement policies for contractors who performed emergency work and the use of the Defense Production Act.”

Adaptive Acquisition Framework — Ready, Set, Contract?

NATIONAL DEFENSE MAGAZINE - By Dr. William A. Schleckser

This new Adaptive Acquisition Framework displays a patent willingness to put substantial trust in program managers by moving decision-making authority as close to the program manager as possible.

For this new framework to prevail, there must be trust in contracting officers by moving authority for actions as close to the decision-maker — the contracting officer — as possible.

_____________________________________________________________________________

“Undersecretary of Defense for Acquisition and Sustainment Ellen Lord has called the Adaptive Acquisition Framework “the most transformational change to acquisition policy in decades.” Her statement is difficult to argue given the revolutionary nature of the framework’s alterations to acquisition policy and the lack of truly transformational changes seen in acquisition policy and statute over the past 25 years. 

For decades, Defense Department leaders have lamented the laborious, bureaucratic acquisition process and its hindrance to innovative breakthroughs within weapon systems programs.

Many defense technologies, once fielded, lose a non-trivial portion of their relevance due to acquisition delays, a concept identified by former Defense Secretary James Mattis in the 2018 National Defense Strategy. The document pointed to processes’ non-responsiveness and a department over-optimized for exceptional performance, both of which come at the expense of providing timely capability delivery to the warfighter.

In response, Lord rapidly pushed out sweeping new guidance in the form of a six-pathway framework — the Adaptive Acquisition Framework — which is designed to put authority and agility back in the hands of program managers. With this newfound ability, executives will transition between pathways in order to speed delivery of capabilities to the warfighter.

Still, acquisition is not a solo sport. Program managers must rely on their team of acquisition professionals to embrace this new paradigm of speed, agility and risk management for this “transformation” to result in real change in capability delivery. But increasing speed, agility and risk sends a measure of anxiety through the vertebrae of the many contracting professionals who have focused on delivering contracts that are protest-proof and rigidly built to withstand the assaults of indistinct scope and performance.

Nonetheless, for the framework to deliver capabilities at the speed of relevance, contracting professionals at all levels must be willing to embrace this revolutionary change.

This change comes with a prerequisite to develop not only new and inventive processes, but an expanded tool box of soft skills necessary to bring about innovation, active management of risk, and corporate synergy to the contracting community that will result in high-speed, low-drag contracting.

The “Contracting Professional’s Career Roadmap” is a nine-step list published by the Federal Acquisition Institute. It provides contracting professionals a succinct overview of gates through which a contracting professional must successfully pass in order to be effective. Curiously, the first stop on this path, “become familiar with the federal acquisition process,” is not a contract-centric element. The federal acquisition process is not contracting, but contracting is a major subset. The process is the overarching method encompassing all relevant skills and functions by which the federal government acquires products and services.

Ironically, the second stop on the roadmap is “understand your role as a contracting professional” within this process. It was not by chance these items are numbers one and two on the path. That is because federal acquisition is a team sport, of which contracting is one player among many. As with any team sport, each player must understand his or her place and responsibilities within the team framework, otherwise the team will fail. The first thing a youth football coach should do is line up new players in formation — both offense and defense — so they can gain an understanding of where their position is in relation to all the other players. A single player lining up incorrectly could result in a penalty or failure for the team to properly execute the play.

Understanding where a manager fits in the overall formation is just as important in the acquisition team. Taking it to another level, each player also needs to understand how his play impacts his teammates. Commentators often praise a great player for their “knowledge of the game.” It isn’t just their knowledge of their specific responsibilities as a player, but the interrelation of how their play improves the play of those around them.

In federal acquisition, each team member must perform with that level of understanding in order for this new transformation to be successful. This may be even more imperative for contracting team members as the contracting processes tend to consume a significant portion of time while they deliberate source selection and performance risk.

Assistant Secretary of Defense for Acquisition Kevin Fahey identified a need to develop a culture of innovation and creative compliance, and enable critical thinking. In order to be innovative, creatively compliant and critical thinkers, department leadership wants acquisition teams to take calculated risks. As Gen. George S. Patton said, taking risks “is quite different from being rash.”

One tool that transforms rash behavior to measured performance is risk management. To take calculated risks, contracting professionals will need to learn how to actively manage risks. Program managers routinely manage risks and, as a programmatic community, have become comfortable mitigating, accepting, transferring or avoiding risks within their programs.

Contracting professionals must learn and implement these skills as they execute contractual actions. No longer will the acquisition community idly await the perfect contract. Perfection late is perfection lost. Too often contract award timeliness was sacrificed in an effort to gain contractual perfection through overly cumbersome approval chains and non-value-added reviews.

Timeliness has also been assaulted by excessive “documentation,” which has been a watchword for the contracting community and for good reason. However, as with any good thing, it tends to be overdone. In some ways the acquisition community may have become overly obsessive and unreasonably compulsive with its documentation, and some streamlining may be in order.

Procedural changes to contracting are only a first step. The real gains may be seen in a closer coupling of the acquisition team functional communities. In today’s continuously changing environment, requirements can no longer be developed in a vacuum only to be thrown over the fence to the next team. Requirement generators, program managers and contracting officers must integrate early and intimately in the requirements process to develop requirements, discuss possible options, perform market research, consider acquisition plans and jointly produce acquisition timelines. Contracting professionals often enter or are invited late into the acquisition process. Contracting organizations do it to themselves when they demand customers only turn over a requirement once it has been fully detailed with the finalized work statement, funding documents and cost estimates.

In today’s rapidly changing environment, contracting professionals better serve customers by entering as early in the requirements generation process as possible. The team must come together so closely and early that it would be difficult for an outsider to identify where program management stops and contracting starts.

If the first time a contracting professional sees a requirement is when it has been fully documented in a formal work statement, an opportunity to bring value to the process has been lost. Additionally, synergies that come from synchronized market research and critical thinking amid the program manager, contracting officer and other acquisition team members are missed; and with it early considerations for competition, innovative contracting and/or small business participation because the requirement has been fixed making change too difficult or time consuming.

Failing to capture the synergistic effects of close coordination, contracting will struggle to regain any status as an innovation enabler, and may continue to be relegated to chasing acquisition timelines and contract perfection.

The Adaptive Acquisition Framework is an opportunity to inject innovation, creativity and critical thinking into the federal acquisition process by placing authority and agility into the hands of program managers. However, this transformational change to acquisitions will not create true transformation unless the players are willing to embrace the change. Program and product managers can only deliver capability as fast as their team supports.

Although the framework is program management focused, it also presents a challenge to — and opportunity for — the contracting community. As a critical component to the delivery of products and services, the contracting community must get on board with the new vision being promoted by leadership. It is a vision overdue given the speed at which technological capabilities are progressing.

More specifically, contracting professionals must understand that timeliness can no longer be held hostage by contractual perfection, overly cumbersome approval chains and non-value-added reviews. Perfection late is perfection lost. As a result, contracting professionals must become intimately integrated early into the acquisition process starting at the notion of the requirement. Otherwise, they risk being a deterrent to the innovation and creativity crucial in today’s fast-moving environment.”

https://www.nationaldefensemagazine.org/articles/2020/5/29/adaptive-acquisition-framework-ready-set-contract

Dr. William A. Schleckser is a professor of contract management at the Defense Acquisition University. He is Defense Department Level III certified in contracting and program management.

US-Mexico-Canada Agreement Enters into Force, Officially Replacing NAFTA

U.S. SMALL BUSINESS ADMINISTRATION - By Loretta Greene, Associate Administrator

“On July 1, 2020, the U.S.-Mexico-Canada Agreement (USMCA) enters into force, officially replacing the North American Free Trade Agreement (NAFTA).

USMCA is a ground-breaking achievement for U.S. small businesses and is the first trade agreement ever to include a full chapter dedicated to small business interests.”

____________________________________________________________________________

“Supporting and expanding U.S. small business trade with Mexico and Canada is a top priority for me as the new Associate Administrator for SBA’s Office of International Trade (OIT).  SBA OIT has a team of talented trade finance specialists and finance products to help small businesses involved in international trade to access capital, purchase inventory as a manufacturer or supplier, and expand through trade.  OIT helps ensure small businesses are adequately represented in trade negotiations led by the Office of the U.S. Trade Representative and educates U.S. small businesses on the wide range of federal and state resources that can increase their ability to compete in international trade. 

The modernization of trade with Mexico and Canada under USMCA is designed to benefit U.S. small businesses and to ensure more balanced trade. U.S. companies with fewer than 500 employees comprise 65 to 70 percent of all identified U.S. companies trading goods with our closest neighbors, according to the most recent statistics. 

Companies selling goods to Mexico and Canada can now achieve expanded export opportunities under the USMCA.   In 2019, U.S. companies sold $292.6 billion in U.S. goods to Canada and $256.5 billion in U.S. goods to Mexico. 

As part of USMCA, SBA OIT launched a new international sales information resource site, www.sba.gov/tradetools, which is part of http://www.trade.gov/usmca, to assist small businesses to use USMCA. Both links also connect to pages created by Mexico and Canada. Small businesses can explore the agreement, learn about the rules, and identify where to direct questions and find resources through these information sharing platforms. Resources include a new Customs and Border Protection USMCA Center staffed with experts.

As small businesses use the USMCA, they will find important commitments across the agreement including:

  • The Small and Medium-Sized Enterprise Chapter creates a SME Dialogue to consider small business trade opportunities and challenges across the three countries.  This is an important innovation to ensure U.S. small businesses will continue to be heard and considered.
  • The USMCA Cross-Border Trade in Services Chapter enhances market access.  U.S. small business services can now be provided market access across North America without requirements for a foreign office or foreign representative.
  • The Customs and Trade Facilitation Chapter increases certainty by providing for advance rulings commitments with expanded scope and a free, publicly accessible website for advance rulings.
  • Furthermore, to decrease unintended trade costs, this Chapter also provides procedures to correct errors.
  • To support small e-commerce sellers shipping with express services, Canada has raised its de minimis level for North American express shipments for the first time in decades, doubling it from $C20 to $C40 for taxes.
  • Canada will also provide for duty free shipments up to $C150.
  • Mexico will continue to provide tax free treatment for shipments up to $US50 and will provide duty free treatment for shipments up to US$117.
  • The Good Regulatory Practices Chapter, a first in a U.S. trade agreement, specifically includes provisions encouraging the Parties to take into consideration the effects on small businesses in the development and implementation of regulations.  The USMCA’s prioritization of small business traders is exciting as it will increase small business friendly ecosystems in North America and facilitate more trade.

SBA is proud to be part of this achievement. We look forward to helping more U.S. small businesses trade with Mexico and Canada, while supporting those already exporting to further expand their sales. To learn more, visit www.sba.gov/tradetools or contact the SBA International Trade Ombudsman Hotline at (855) 722-4877 or international@sba.gov with questions.”

ABOUT THE AUTHOR:

Loretta Greene

Loretta Greene is the Associate Administrator for SBA’s Office of International Trade https://www.sba.gov/person/loretta-greene/

Five Regulatory Changes For Government Contractors to Watch

“WASHINGTON TECHNOLOGY”

______________________________________________________________________________

“In recent years, both Congress and the Executive Branch have made it a key priority to mitigate risks across the industrial and innovation supply chains that provide hardware, software, and services to the U.S. government.

Five of these initiatives are likely to result in new regulations in 2020, each of which could have a fundamental impact on companies’ ability to sell Information, Communications, Technology and Services to the USG. As these requirements begin to take hold, federal contractors should be mindful of potential impacts and the actions that can be taken now to prepare for increased USG scrutiny of their supply chain security.

Section 889 of the Fiscal Year 2019 National Defense Authorization Act

As many USG contractors are now painfully aware, Section 889 of the Fiscal Year 2019 National Defense Authorization Act establishes two constraints on telecommunications supply chains. Subsection 889(a)(1)(A), effective as of August 13, 2019, prohibits USG agencies from acquiring certain telecommunications equipment or services from Huawei, ZTE, Hytera Communications Corporation, Hikvision, or Dahua, or any of their subsidiaries or affiliates.

Section 889(a)(1)(B), effective August 13, 2020, prohibits USG agencies from “enter[ing] into a contract (or extend[ing] or renew[ing] a contract) with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.” As drafted, the statute is broad enough to apply in cases where a company uses such equipment or services solely in connection with its commercial sales outside of work the company does for the USG.

The interim rule for Section 889(a)(1)(A) was released last August and opened for comment. The FAR Council has indicated that it will provide feedback to those comments when it issues the proposed regulations for Section 889(a)(1)(B), which have not yet been released. This means that key terms, such as “entity” and “use” remain undefined. Accordingly, contractors, especially those with a mix of commercial and government business, must take educated guesses in preparing compliance programs to begin to address these requirements.

SECURE Technology Act

On December 21, 2018, the President signed into law the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act. The Act establishes the Federal Acquisition Security Council, which is charged with building greater cybersecurity resilience into federal procurement and acquisition rules.

The Act also gives the Secretary of the Department of Homeland Security, the Secretary of Defense, and the Director of National Intelligence the authority to issue exclusion and removal orders for information technology products and/or companies that supply such products if the FASC determines that they represent a risk to the USG’s supply chain. The Act also permits federal agencies to exclude companies or products they deem to pose a supply chain risk from individual procurements.

Recent reports indicate that the FASC is nearing completion of a final interim rule that would specify the exclusion criteria and detail the appeal process from an exclusion order. Although the Department of Defense and the Intelligence Community currently have the authority to exclude products in certain instances, this interim rule would apply government wide. Still to be seen is whether the exclusion determinations will be publicly available.

Cybersecurity Maturity Model Certification

On January 31, 2020, DoD released Version 1.0 (since updated to Version 1.02) of its Cybersecurity Maturity Model Certification. CMMC is DoD’s upcoming framework for managing cybersecurity risks in the Defense supply chain. Under the current paradigm, contractors that handle “Covered Defense Information” must self-attest to providing “adequate security” to protect that information, but are allowed to work toward implementing 110 NIST SP 800-171 security controls over time so long as the plans for doing so are appropriately documented.

Not only does the new CMMC add additional security controls (depending on the level of sensitivity assigned to the procurement), contractors must be in full compliance with each control at the time that contract performance begins. Most importantly, contractors will no longer be able to self-certify compliance. Instead, compliance with a particular CMMC level must be externally validated by trained auditors.

DoD is in the process of promulgating an update to the current Defense Federal Acquisition Regulation Supplement cybersecurity clause to account for the shift to CMMC requirements and is planning on choosing a subset of procurements where CMMC can be applied by the end of this year. DoD’s goal is to fully implement CMMC certification requirements in all DoD awards by Fiscal Year 2026. DoD has indicated, however, that COVID-19 could delay release of the DFARS clause.

Executive Order on Securing the ICTS Supply Chain

On May 15, 2019, the President issued an EO declaring a national emergency with respect to threats against ICTS in the United States. The EO authorizes the Secretary of Commerce to prohibit, block, unwind, or mitigate any transaction involving ICTS that is “designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.” Reviews of transactions will be conducted on a case-by-case basis.

Commerce received comments on a November 2019 proposed rule in January 2020. There has been no known use of the authority during the rulemaking process and an update is expected from Commerce soon.

Sections 1654 and 1655 of the Fiscal Year 2019 National Defense Authorization Act

Sections 1654 and 1655 of the FY19 NDAA generally require contractors to disclose whether they have allowed within the last five years a foreign government that poses a cybersecurity risk to USG defense and national security systems and infrastructure (or for non-commercial items, any foreign government) to review the source code of any product, system, or service that DoD is using or intends to use.

The law also requires contractors to disclose whether they are under an agreement to allow a foreign government or a foreign person to review the source code of a product, system, or service that DoD is using or intends to use. DoD will be able to condition contract awards on contractors’ mitigation of any risks that DoD identifies because of the foreign source code review.

The DFARS regulatory implementation of this requirement is currently on hold “pending resolution of technical issues,” and specific countries of concern have not been publicly identified, but regulations are still expected within the next year.”

https://washingtontechnology.com/articles/2020/06/26/insights-covington-regulatory-changes.aspx

GSA Bumps STARS II Ceiling By $7 Billion

FCW

The General Services Administration raised the ceiling of its 8(a) Streamlined Technology Application Resource for Services (STARS) II contract by $7 billion, to $22 billion.

STARS II is a small business set-aside for customized IT services and IT-services-based solutions from 787 small business contractors that qualify under Small Business Administration standards. GSA said the contract is used by 50 federal agencies to plan and supply long-term IT projects.

_____________________________________________________________________________

“In early April, the GSA’s 8(a) STARS II governmentwide contract hit its $15 billion ordering obligation limit.

“By raising the 8(a) STARS II ceiling, GSA continues to ensure that we meet the needs of our federal agency customers,” said GSA Administrator Emily Murphy in a June 23 statement on the increase. “As agency demand for IT products and services has increased during the COVID-19 pandemic, GSA is proud that STARS II will remain available to help agencies deliver world class IT services.”

GSA started limiting task orders on the GWAC to agencies whose contracting officers had obtained a “control number” to use the contract vehicle, but it stopped issuing new control numbers.

All 787 contractors remain on the vehicle, GSA said in its announcement. Agencies can place new task orders through Aug. 30, 2021, and work can continue on those new orders through June 30, 2022.

GSA is working on a new iteration of the contract, 8(a) STARS III.

In a June 10 blog post, Laura Stanton, acting assistant commissioner of GSA’s Federal Acquisition Services’ Office of Information Technology Category, said the agency plans to issue the final solicitation for the STARS III contract by the end of the federal government’s fiscal year on Sept. 30.

The initial STARS III request for information went out last August.

Stanton said the increase to STARS II wasn’t the first for the popular contract to accommodate agency demand.

“As we move into this contract’s fourth generation we can say for certain that this program is a huge success. A significant number of prior 8(a) STARS program participants have grown their businesses so much that we now see them thriving with the big companies on GSA’s Alliant 2 GWAC,” she said.”

https://fcw.com/articles/2020/06/24/rockwell-stars-ii-ceiling-bump.aspx?oly_enc_id=

Ways To Solve The Cyber Talent Gap

FCW

The two biggest impediments hindering the federal government’s cyber recruiting efforts are money and the lengthy hiring process that consumes most federal agencies.

Declining budgets and a lack of career development programs are contributing factors for rising turnover rates among federal IT contractors.

______________________________________________________________________________

“Federal agencies and Congress have increasingly looked to bug bounty programs to find and stamp out cybersecurity vulnerabilities in their software. A new survey of nearly 3,500 security researchers who use Bugcrowd’s platform offers a glimpse into the backgrounds and motivations of a highly coveted pool of emerging cyber talent that both government and industry are desperate to recruit.

More than half of those surveyed live in urban environments, and three out of four speak multiple languages. Despite efforts within the information security community in recent years to improve diversity, the average age of those who participated in the survey skewed overwhelmingly young and male.

According to the survey, higher education is an important feature for many security researchers and their families. They’re most likely to have obtained a college degree (49%), have parents who have done the same (36%) and are three times less likely to drop out than their parents. The survey data “suggests most security researchers are degree-qualified because they come from educated families that value the acquisition of worldly knowledge, skills, values, beliefs and habits.”

While the size of the average American household has been in decline for decades, nearly half (48%) of respondents come from large families with between 4-12 members. Even with more mouths to feed, 64% reported pulling down a median annual income of just $25,000 or less, though many also say they only chase bug bounties on a part-time basis. Perhaps not surprisingly, making money was cited as the most important issue, followed by flexible hours and improved skills.

The report predicts that over the next six months, cybercriminals will exploit the widespread shift to remote telework in the wake of the COVID-19 pandemic, increasingly targeting vulnerable infrastructure through expanded reconnaissance activities and asset discovery. That in turn will lead to organizations boosting their reliance on white hat hackers over the next year as they race to identify and fix hidden software vulnerabilities.

The pandemic “has demystified many of the perceived differences between employees working remotely and security researchers” and emerging technologies such as machine learning are not yet mature enough to meet the increased demand.

“This gap between automation and human adversarial creativity suggests organizations will increasingly seek to augment their human expertise in securing their assets via crowdsourcing, the most efficient and practical approach to finding available talent,” the company forecasts.

John Zangardi, former CIO at the Departments of Defense and Homeland Security, told FCW in an interview that in his experience, the two biggest impediments hindering the federal government’s cyber recruiting efforts are money and the lengthy hiring process that consumes most federal agencies.

While they often cannot compete on pay, one potential advantage for federal agencies could be through supporting the continuing education goals of its IT and cyber employees. A recent study by government contracting intelligence firm Deltek cited declining budgets and a lack of career development programs as a contributing factor for rising turnover rates among federal IT contractors, while a majority of respondents to the Bugcrowd survey say they use the platform for personal development and improving their skills.

Last year the Trump administration issued an executive order creating a new rotational program for federal employees to detail at the Cybersecurity and Infrastructure Security Agency and other agencies to improve their technical skills. CISA has also sought ways to sidestep normal federal hiring procedures to more easily hire information security specialists and pay them more.

Zangardi said during his tenure, cyber retention incentive bonus programs at DHS that provided extra compensation to employees who complete new certifications acted as a partial salve to some of the government’s inherent recruiting challenges. However, he acknowledged that for many positions — particularly highly-skilled ones — individuals can still earn tens of thousands of dollars more per year by doing similar work in the private sector.

“I can’t change the GS federal pay scale, but we can take steps to ensure that we’re giving them what we can,” said Zangardi.”

https://fcw.com/articles/2020/06/23/johnson-cyber-workforce-survey.aspx?oly_enc_id=

DARPA’s First Bug Bounty: Find Vulnerabilities In Hardware-Based Security

“GCN”

DARPA’s first bug bounty program, called the Finding Exploits to Thwart Tampering (FETT) program, will be held in partnership with the Department of Defense’s Defense Digital Service and Synack, a crowdsourcing security company.

__________________________________________________________________________

“The Defense Advanced Research Projects Agency is inviting security researchers to find vulnerabilities in its System Security Integration Through Hardware and Firmware systems.

Launched in 2017, SSITH aims to secure electronic systems with hardware security architectures and tools that protect against common classes of hardware vulnerabilities regularly exploited through software.

Participants will try to penetrate the SSITH hardware security schemes developed by researchers at SRI International, the University of Cambridge, the Massachusetts Institute of Technology, the University of Michigan and Lockheed Martin. Their approaches generally involve providing the hardware with more information about what the attacking software is trying to do so it can become an active participant in its own defense, DARPA officials said. The SSITH development teams are working with Galois, a computer science research and development company, to move the hardware instances to the cloud for the evaluations.

The emulated systems will be running in an Amazon Web Services EC2 F1 cloud. Each emulated system is based on field-programmable gate array semiconductors and includes a RISC-V processor core that has been modified to include the SSITH hardware security.

According to DARPA, each emulated system’s software stack will contain SSITH hardware security protections as well as common vulnerabilities, such as buffer errors, information leakage, resource management and numeric errors. Security researchers will be tasked to devise exploit mechanisms that bypass the hardware security protections.

The FETT challenge is expected to run from July to September 2020.

“There is a lot of complexity associated with hardware architectures, which is why we wanted to provide ample time for interested researchers to understand, explore, and evaluate the SSITH protections,” said Keith Rebello, the DARPA program manager leading SSITH and FETT. 

Before security researchers and ethical hackers can join the FETT program as Synack red team members, they must first qualify through a capture-the-flag challenge. After they are approved, participants will see a number of applications using SSITH defenses, including a medical records database system, a password authentication system for PCs and a web-based voter registration system that aims to “protect the underlying voter information from manipulation or disclosure, even in the presence of vulnerabilities in the system’s software,” Rebello said.

More information on FETT can be found here.”

https://gcn.com/articles/2020/06/15/darpa-ssith-bug-bounty.aspx?oly_enc_id=

Cyber Speed Vs. Cyber Security In The Age Of Pandemic

Image: Shaun Gordon “Future Stack”

“GCN” BY TONY HUBBARD, DAVE BUCKLEY, KATHY CRUZ

The need for speed may always conflict with concerns about preventing fraud and bolstering security. But one thing is sure: Future systems must be built for resilience, because the next technology upheaval could be right around the corner.

____________________________________________________________________________

“The sudden imperative to move state employees to remote work followed by the unprecedented flow of billions into state coffers to pay unemployment benefits has created big headaches for government agencies.

Sophisticated fraudsters have been waiting patiently for just this moment — the convergence of a flood of government funding and new, lax controls to allow money to get to applicants quickly. Armed with personally identifiable information obtained through data breaches and sold on the dark web, these fraudsters have applied for state unemployment compensation under false pretenses, diverting millions of taxpayer dollars and causing havoc for program officials and legitimate applicants. In addition, in states where mobile applications were quickly developed so applicants could apply conveniently via their smart phones, normal controls and processes were not implemented and, in some cases, security was compromised.

The move to remote work also led to some malicious activity as government agencies were forced to rapidly deploy remote-access solutions that were not designed to accommodate a surge of growth. Again, to get the workforce to be productive quickly, some security processes and controls were relaxed or waived.

Obviously, the pandemic forced government to balance the need for quick action against ensuring that security processes were followed and controls put into place. In the battle between speed and security, however, speed often won.  Fraudsters, always watching for vulnerability and opportunity, pounced. And they are still pouncing.

In retrospect, better cybersecurity controls could have been baked into payment processes from the beginning. This upfront activity could have largely prevented the incident and response efforts that inevitably occur when security becomes an afterthought. However, hindsight is not helpful now, so what can be done going forward to bolster security and prevent fraud?

Government agencies should examine every key decision since work-from-home orders began. They should conduct risk assessments, understand the threats, vulnerabilities and consequences – and reimagine security tools and processes that should have been built in.  Rather than thinking it’s too late and giving up, agencies should re-evaluate remote access and newly implemented collaboration tools, especially those involving third parties. For unemployment claims, agencies should re-examine modified applications and mobile apps to assure security. They must also look into privileged access, which may have changed, and continue to apply risk management concepts.

Above all, agencies must continue to focus on the fundamentals and make them integral to their culture. These include access management (especially for privileged users), training and awareness, consistent software patching, regular antivirus updates and well-tested business continuity and resilience processes.

While these measures can certainly help in the short term, the real solution is longer term.

If the pandemic has taught us anything, it’s the need to be resilient — and that is especially true for government technology systems.

Broadly speaking, what has occurred over the past three months should cause government organizations to think about the next crisis and build systems that can adapt to whatever happens — whether it is a sudden need for remote work solutions, a major program change to respond to an economic collapse or the constant need to stay one step ahead of hackers and fraudsters.  In short, agencies must evolve with the environment.

When agencies anticipate disruption, technology transformation projects can be planned with resilience and adaptability in mind. Cloud-based operations must be considered for critical applications because the cloud can provide the agility, efficiency and the elasticity needed during both normal business operations and unpredictable times.”

https://gcn.com/articles/2020/06/18/speed-vs-security.aspx

World Trouble Spots - An Objective View of the Gap Between Those Who Have Made It and Those Left Behind

Editor’s Note: Although published 5 years ago, this topic seems ever more pertinent today with pandemic and social unrest issues at the fore. It is republished here for your renewed consideration.

Ken Larson 

“STRATFOR – GLOBAL AFFAIRS”

“MIND THE GAP” by Professor Jay Ogilvy

“The growing divide between those who have made it and those who are being left behind is happening globally, in each of the great civilizations, not just Islam.

The issue of the comparative advantages or disadvantages of different cultures is complicated and getting more so because with modernity and globalization, our lives are getting more complicated. We are all in each other’s faces today in a way that was simply not the case in earlier centuries.

Whether through travel or telecommunications or increasingly ubiquitous and inexpensive media, each and every one of us is more aware of the cultural other than in times past.”

__________________________________________________________________________

“The Charlie Hebdo attack and its aftermath in the streets and in the press tempt one to dust off Samuel Huntington’s 1996 book, The Clash of Civilizations and the Remaking of World Order. Despite the criticisms he provoked with that book and his earlier 1993 article in Foreign Affairs, recent events would seem to be proving him prescient.

Or was he?

While I am not about to deny the importance of religion and culture as drivers of geopolitical dynamics, I will argue that, more important than the clashes among the great civilizations, there is a clash within each of the great civilizations. This is the clash between those who have “made it” (in a sense yet to be defined) and those who have been “left behind” — a phrase that is rich with ironic resonance.

Before I make my argument, I warn that the point I’m trying to make is fairly subtle. So, in the interest of clarity, let me lay out what I’m not saying before I make that point. I am not saying that Islam as a whole is somehow retrograde. I am not agreeing with author Sam Harris’ October 2014 remark on “Real Time with Bill Maher” that “Islam is the mother lode of bad ideas.”

Nor am I saying that all religions are somehow equal, or that culture is unimportant. The essays in the book Culture Matters, which Huntington helped edit, argue that different cultures have different comparative advantages when it comes to economic competitiveness.

These essays build on the foundation laid down by Max Weber’s 1905 work, The Protestant Ethic and the Spirit of Capitalism. It is only the “sulfuric odor of race,” as Harvard historian David Landes writes on the first page of the first essay in Culture Matters, that has kept scholars from exploring the under-researched linkages between culture and economic performance.

Making It in the Modern World

In the modern world, the development of the individual human, which is tied in part to culture, has become more and more important. If you think of a single human life as a kind of footrace — as if the developmental path from infancy to maturity were spanning a certain distance — then progress over the last several millennia has moved out the goal posts of maturity. It simply takes longer to learn the skills it takes to “make it” as an adult.

Surely there were skills our Stone Age ancestors had to acquire that we moderns lack, but they did not have to file income taxes or shop for insurance. Postmodern thinkers have critiqued the idea of progress and perhaps we do need a concept that is forgivingly pluralistic. Still, there have been indisputable improvements in many basic measures of human progress. This is borne out by improved demographic statistics such as birth weight, height and longevity, as well as declining poverty and illiteracy. To put it very simply, we humans have come a long way.

But these historic achievements have come at a price. It is not simple for individuals to master this elaborate structure we call modern civilization with its buildings and institutions and culture and history and science and law.

A child can’t do it. Babies born into this world are biologically very similar to babies born 10,000 years ago; biological evolution is simply too slow and cannot equip us to manage this structure. And childhood has gotten ever longer. “Neoteny” is the technical term for the prolongation of the period during which an offspring remains dependent on its parent.

In some species, such as fish or spiders, newborns can fend for themselves immediately. In other species — ducks, deer, dogs and cats — the young remain dependent on their mothers for a period of weeks. In humans, the period of dependency extends for years. And as the generations and centuries pass, especially recently, that period of dependency keeps getting longer.

As French historian Philippe Aries informed us in Centuries of Childhood, “in medieval society, the idea of childhood did not exist.” Prior to modernity, young people were adults in miniature, trying to fit in wherever they could. But then childhood got invented. Child labor laws kept children out of the factories and truancy laws kept them in public schools.

For a recent example of the statutory extension of childhood known as neoteny, consider U.S. President Barack Obama’s announcement that he intends to make community college available for free to any high school graduate, thus extending studenthood by two years.

The care and feeding and training of your average human cub have become far greater than the single season that bear cubs require. And it seems to be getting ever longer as more 20-somethings and even 30-somethings find it cheaper to live with mom and dad, whether or not they are enrolled in school or college.

The curriculum required to flourish as an adult seems to be getting ever longer, the goal posts of meaningful maturity ever further away from the “starting line,” which has not moved. Our biology has not changed at anywhere near the rate of our history. And this growing gap between infancy and modern maturity is true for every civilization, not just Islamic civilization.

The picture gets complicated, though, because the vexed history of the relationships among the world’s great civilizations leaves little doubt about different levels of development along any number of different scales of achievement. Christian democracies have outperformed the economies and cultures of the rest of the world. Is this an accident? Or is there something in the cultural software of the West that renders it better able to serve the needs of its people than does the cultural software called Islam?

Those Left Behind

Clearly there is a feeling among many in the Islamic world that they, as a civilization, have been “left behind” by history. Consider this passage from Snow, the novel by Nobel Prize-winning Turkish author Orhan Pamuk:

“We’re poor and insignificant,” said Fazul, with a strange fury in his voice. “Our wretched lives have no place in human history. One day all of us living now in Kars will be dead and gone. No one will remember us; no one will care what happened to us. We’ll spend the rest of our days arguing about what sort of scarf women should wrap around their heads, and no one will care in the slightest because we’re eaten up by our own petty, idiotic quarrels. When I see so many people around me leading such stupid lives and then vanishing without a trace, an anger runs through me…”

Earlier I mentioned the ironic resonance of this phrase, “left behind.” I think of two other recent uses: first, the education reform legislation in the United States known as the No Child Left Behind Act; the second, the best-selling series of 13 novels by Tim LaHaye and Jerry Jenkins in which true believers are taken up by the Rapture while the sinners are “left behind.” In both of these uses, it is clearly a bad thing to be left behind.

Culture is something we can change in response to circumstances rather than waiting, as other animals must, for our genes to evolve under the pressures of natural selection. As a result, though we are still basically the same animals that we were when we invented agriculture at the end of the ice age, our societies have evolved faster and faster and will continue to do so at an ever-increasing rate in the 21st century.

And because the fundamental dynamics of this divide are rooted in the mismatch between the pace of change of biological evolution on the one hand (very slow) and historical or technological change on the other (ever faster), it is hard to see how this gap can be closed. We don’t want to stop progress, and yet the more progress we make, the further out the goal posts of modern maturity recede and the more significant culture becomes.

There is a link between the “left behind” phenomenon and the rise of the ultra-right in Europe. As the number of unemployed, disaffected, hopeless youth grows, so also does the appeal of extremist rhetoric — to both sides. On the Muslim side, more talk from the Islamic State about slaying the infidels. On the ultra-right, more talk about Islamic extremists. Like a crowded restaurant, the louder the voices get, the louder the voices get.

I use this expression, those who have “made it,” because the gap in question is not simply between the rich and the poor. Accomplished intellectuals such as Pamuk feel it as well. The writer Pankaj Mishra, born in Uttar Pradesh, India, in 1969, is another rising star from the East who writes about the dilemma of Asian intellectuals, the Hobson’s choice they face between recoiling into the embrace of their ancient cultures or adopting Western ways precisely to gain the strength to resist the West.

This is their paradox: Either accept the Trojan horse of Western culture to master its “secrets” — technology, organization, bureaucracy and the power that accrues to a nation-state — or accept the role of underpaid extras in a movie, a very partial “universal” history, that stars the West.”

About the Author:

“Jay Ogilvy joined Stratfor’s editorial board in January 2015. In 1979, he left a post as a professor of philosophy at Yale to join SRI, the former Stanford Research Institute, as director of research. Dr. Ogilvy co-founded the Global Business Network of scenario planners in 1987. He is the former dean and chief academic officer of San Francisco’s Presidio Graduate School. Dr. Ogilvy has published nine books, including Many Dimensional Man, Creating Better Futures and Living Without a Goal.”

Air Force Executes Program To Reshape Defense Industrial Base

FCW

Goal is to pivot away from the defense prime model (while still working with those companies) and create a new industrial base that more easily allows tech companies to simultaneously work with the Defense Department and the commercial sector.

The Air Force’s Ventures team, launched earlier this year with a tentative $1 billion in contract awards for 550 small businesses, oversees all of the branch’s small business initiatives and hopes to codify the process this year.

______________________________________________________________________________


“The Air Force’s increasing interest in startups isn’t just to get a taste of innovation but completely change the defense industrial base.

“We’re not going to win against China long term if they’ve got a nationalized industrial base. They have access to that entire talent pool, they’ve got access to every company within their borders. And we are only working with a small subset,” Will Roper, the Air Force’s acquisition chief, said of defense prime companies during a virtual Air Force Association Mitchell Institute event June 9.

“That subset continues to collapse every year under the pressure of programs that are too few and far between to sustain diversity and continual competition. So we have to have a new model that encourages companies to come in and work with [the] military but not necessarily put them on a path to become a defense prime.”

The Air Force began hosting pitch events in 2019, to stimulate its work with small businesses and speed contract awards for capabilities that could readily transition to the warfighter, and attract venture capital investment. Roper announced the creation of the AFVentures team in March as a joint effort with the service’s acquisition team, AFWERX, and the small business innovation research and small business technology transfer program.

In the last year, Roper said the Air and Space Force has added 1,000 new companies to its industrial base over the past 18 months. Those companies are still focused on research and development but the acquisition chief wants to make working with the Air Force simple and keep up that pace, adding another 1,000 companies each year with smaller investments in the tens of thousands of dollars.

Roper also said he hopes to fund “medium bets” of about $1.5 million in contract awards for about 350 startups each year.”