Category Archives: IoT

CARES Act Delivery Hampered By Old Tech, Bad Data

Image: “FCW”


Aspects of the federal government’s economic response to the coronavirus pandemic were marred by outdated state technology software and a crushing volume of beneficiaries that overwhelmed many systems, according to a new report from the watchdog Government Accountability Office.


“Federal officials said “the ability to easily modify data systems to incorporate new flexibilities varies among state and local agencies,” leading to numerous delays and interoperability challenges across multiple recovery programs related to the Coronavirus Aid, Relief, and Economic Security Act passed in March.

Agencies like Health and Human Services reported that states had to coordinate across different data systems to serve existing beneficiaries as well as a surge of new applicants for programs like Electronic Benefit Transfer and Supplemental Nutrition Assistance Program payments. Meanwhile, uneven technological sophistication across different states made remote collaboration in the wake of the pandemic caused challenges while coordinating payments for the Women, Infants and Children (WIC) program.

According to Department of Labor officials, many states processing unemployment claims were using “information technology systems that date as far back as the 1970s” and crashed under the load of newly laid off workers filing for benefits. The department has provided federal grants, technical assistance and guidance to help modernize those systems, but “relatively few” states conducted adequate load-testing to handle the volume of claims they have received since March.

These systems was already straining, with federal and state governments overseeing more than $2.7 billion in improper unemployment payments in 2019, and overseers worry the numbers will look even worse this year as the government has rushed to respond to the economic fallout of the virus.

“DOL’s experience with temporary UI programs following natural disasters suggests there may be an increased risk of improper payments associated with CARES Act UI programs,” auditors wrote.

A rushed response also led the IRS to send more than a million stimulus checks to citizens who were deceased. As FCW has reported, the agency emphasized speed to get relief dollars into the hands of Americans as soon as possible, leading to processing errors and opening the door to potential fraud. Auditors suggest that implementing 2018 recommendations to align their authentication practices with NIST cybersecurity guidance making better use of death data housed at the Department of Treasury and other agencies could address the problem.

Auditors noted that ” IRS has full access to the death data maintained by the Social Security Administration…but Treasury and its Bureau of the Fiscal Service, which distribute the payments, do not.”

In a response attached to the audit, IRS Chief Risk Officer Tom Brandt said employee worked “around the clock since mid-March to develop new tools and new guidance” to make handle economic impact payments but that “our work is not done yet” and the agency will consider the GAO’s recommendations further.

Information technology challenges and delays also reportedly hampered efforts by the Small Business Administration to process economic injury disaster loans, though details are scarce. The report paints a portrait of disorganized agency that at times unresponsive to oversight. While auditors asked to meet with agency officials on April 13 to get more detailed information on individual loan data and other aspects of the response, SBA didn’t agree to a meeting until June 1 and provided “primarily publicly available information in response to our inquiries” about loan data.

In a statement, House Oversight and Government Reform Chairwoman Rep. Carolyn Maloney (D-N.Y.) said the report “provides a comprehensive and independent look at the Trump administration’s incompetent and dangerous response to the coronavirus pandemic” and pressed for more information on IRS stimulus payments to dead Americans. She also called on SBA to address transparency concerns about its loan program “immediately.”

SBA responded to a draft version of the report disputing GAO’s claims, saying they offered staff for interviews and provided 420 pages, including “information on loan numbers and loan volume, the number and type of lenders participating in [the Paycheck Protection Program], loan numbers and loan volume for each type of lender, loan numbers and volume by industry and state” and other figures.

“To be clear, SBA has never refused to provide data to GAO,” wrote William Manger, Chief of Staff for Administrator Jovita Carranza.

Federal agencies were of course not immune from technological troubles, and the audit suggests modernization efforts at the IRS, the Department of Housing and Urban Development and other agencies can better position them to process funds related to the CARES Act.

The report also posits that agencies could make better use of a number of existing contracting authorities and programs, including contracts that allow work to begin before a final agreement is reached, Other Transaction Authority (OTA) that sidestep certain federal regulations to prototype new technologies and higher spending thresholds for emergency purchases.

GAO is currently working on separate reports examining how agencies planned and managed contracts related to the pandemic, reimbursement policies for contractors who performed emergency work and the use of the Defense Product Act.”

Five Regulatory Changes For Government Contractors to Watch



In recent years, both Congress and the Executive Branch have made it a key priority to mitigate risks across the industrial and innovation supply chains that provide hardware, software, and services to the U.S. government.

Five of these initiatives are likely to result in new regulations in 2020, each of which could have a fundamental impact on companies’ ability to sell Information, Communications, Technology and Services to the USG.


“In recent years, both Congress and the Executive Branch have made it a key priority to mitigate risks across the industrial and innovation supply chains that provide hardware, software, and services to the U.S. government.

Five of these initiatives are likely to result in new regulations in 2020, each of which could have a fundamental impact on companies’ ability to sell Information, Communications, Technology and Services to the USG. As these requirements begin to take hold, federal contractors should be mindful of potential impacts and the actions that can be taken now to prepare for increased USG scrutiny of their supply chain security.

Section 889 of the Fiscal Year 2019 National Defense Authorization Act

As many USG contractors are now painfully aware, Section 889 of the Fiscal Year 2019 National Defense Authorization Act establishes two constraints on telecommunications supply chains. Subsection 889(a)(1)(A), effective as of August 13, 2019, prohibits USG agencies from acquiring certain telecommunications equipment or services from Huawei, ZTE, Hytera Communications Corporation, Hikvision, or Dahua, or any of their subsidiaries or affiliates.

Section 889(a)(1)(B), effective August 13, 2020, prohibits USG agencies from “enter[ing] into a contract (or extend[ing] or renew[ing] a contract) with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.” As drafted, the statute is broad enough to apply in cases where a company uses such equipment or services solely in connection with its commercial sales outside of work the company does for the USG.

The interim rule for Section 889(a)(1)(A) was released last August and opened for comment. The FAR Council has indicated that it will provide feedback to those comments when it issues the proposed regulations for Section 889(a)(1)(B), which have not yet been released. This means that key terms, such as “entity”and “use” remain undefined. Accordingly, contractors, especially those with a mix of commercial and government business, must take educated guesses in preparing compliance programs to begin to address these requirements.

SECURE Technology Act

On December 21, 2018, the President signed into law the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act. The Act establishes the Federal Acquisition Security Council, which is charged with building greater cybersecurity resilience into federal procurement and acquisition rules.

The Act also gives the Secretary of the Department of Homeland Security, the Secretary of Defense, and the Director of National Intelligence the authority to issue exclusion and removal orders for information technology products and/or companies that supply such products if the FASC determines that they represent a risk to the USG’s supply chain. The Act also permits federal agencies to exclude companies or products they deem to pose a supply chain risk from individual procurements.

Recent reports indicate that the FASC is nearing completion of a final interim rule that would specify the exclusion criteria and detail the appeal process from an exclusion order. Although the Department of Defense and the Intelligence Community currently have the authority to exclude products in certain instances, this interim rule would apply government wide. Still to be seen is whether the exclusion determinations will be publicly available.

Cybersecurity Maturity Model Certification

On January 31, 2020, DoD released Version 1.0 (since updated to Version 1.02) of its Cybersecurity Maturity Model Certification. CMMC is DoD’s upcoming framework for managing cybersecurity risks in the Defense supply chain. Under the current paradigm, contractors that handle “Covered Defense Information” must self-attest to providing “adequate security” to protect that information, but are allowed to work toward implementing 110 NIST SP 800-171 security controls over time so long as the plans for doing so are appropriately documented.

Not only does the new CMMC add additional security controls (depending on the level of sensitivity assigned to the procurement), contactors must be in full compliance with each control at the time that contract performance begins. Most importantly, contractors will no longer be able to self-certify compliance. Instead, compliance with a particular CMMC level must be externally validated by trained auditors.

DoD is in the process of promulgating an update to the current Defense Federal Acquisition Regulation Supplement cybersecurity clause to account for the shift to CMMC requirements and is planning on choosing a subset of procurements where CMMC can be applied by the end of this year. DoD’s goal is to fully implement CMMC certification requirements in all DoD awards by Fiscal Year 2026. DoD has indicated, however, that COVID-19 could delay release of the DFARS clause.

Executive Order on Securing the ICTS Supply Chain

On May 15, 2019, the President issued an EO declaring a national emergency with respect to threats against ICTS in the United States. The EO authorizes the Secretary of Commerce to prohibit, block, unwind, or mitigate any transaction involving ICTS that is “designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.” Reviews of transactions will be conducted on a case-by-case basis.

Commerce received comments on a November 2019 proposed rule in January 2020. There has been no known use of the authority during the rulemaking process and an update is expected from Commerce soon.

Sections 1654 and 1655 of the Fiscal Year 2019 National Defense Authorization Act

Sections 1654 and 1655 of the FY19 NDAA generally require contractors to disclose whether they have allowed within the last five years a foreign government that poses a cybersecurity risk to USG defense and national security systems and infrastructure (or for non-commercial items, any foreign government) to review the source code of any product, system, or service that DoD is using or intends to use.

The law also requires contractors to disclose whether they are under an agreement to allow a foreign government or a foreign person to review the source code of a product, system, or service that DoD is using or intends to use. DoD will be able to condition contract awards on contractors’ mitigation of any risks that DoD identifies because of the foreign source code review.

The DFARS regulatory implementation of this requirement is currently on hold “pending resolution of technical issues,” and specific countries of concern have not been publicly identified, but regulations are still expected within the next year.”

DARPA’s First Bug Bounty: Find Vulnerabilities In Hardware-Based Security



DARPA’s first bug bounty program, called the Finding Exploits to Thwart Tampering (FETT) program, will be held in partnership with the Department of Defense’s Defense Digital Service and Synack, a crowdsourcing security company.


“The Defense Advanced Research Projects Agency is inviting security researchers to find vulnerabilities in its System Security Integration Through Hardware and Firmware systems.

Launched in 2017, SSITH aims to secure electronic systems with hardware security architectures and tools that protect against common classes of hardware vulnerabilities regularly exploited through software.

Participants will try to penetrate the SSITH hardware security schemes developed by researchers at SRI International, the University of Cambridge, the Massachusetts Institute of Technology, the University of Michigan and Lockheed Martin. Their approaches generally involve providing the hardware with more information about what the attacking software is trying to do so it can become an active participant in its own defense, DARPA officials said. The SSITH development teams are working with Galois, a computer science research and development company, to move the hardware instances systems to the cloud for the evaluations.

The emulated systems will be running in an Amazon Web Services EC2 F1 cloud. Each emulated system is based on field-programmable gate array semiconductors and includes a RISC-V processor core that has been modified to include the SSITH hardware security.

According to DARPA, each emulated system’s software stack will contain SSITH hardware security protections as well as common vulnerabilities, such as buffer errors, information leakage, resource management and numeric errors. Security researchers will be tasked to devise exploit mechanisms that bypass the hardware security protections.

The FETT challenge is expected to run from July to September 2020.

“There is a lot of complexity associated with hardware architectures, which is why we wanted to provide ample time for interested researchers to understand, explore, and evaluate the SSITH protections,” said Keith Rebello, the DARPA program manager leading SSITH and FETT. 

Before security researchers and ethical hackers can join the FETT program as a Synack red team members, they must first qualify through a capture-the-flag challenge. After they are approved, participants will see a number of applications using SSITH defenses, including a medical records database system, a password authentication system for PCs and a web-based voter registration system that aims to “protect the underlying voter information from manipulation or disclosure, even in the presence of vulnerabilities in the system’s software,” Rebello said.  

More information on FETT can be found here.”

3 Government Contract Marketing Tactics To Employ As The Fiscal Year Ends



Each of these tactics works regardless of the Covid 19 crisis, but they are more important now that we do not currently have the face-to-face option of our normal end-of-fiscal year.


“The Covid 19 crisis has forced Feds and contractors alike to a new level of “digital transformation,” a forced migration to tools we were aware of but not necessarily using often or well: online meetings, telework, and leveraging social networks like LinkedIn, Twitter and Facebook more fully and more frequently.

With the physical re-opening of federal sites still in question, the need to adapt has never been greater. I have heard from different sources that federal offices will not return to any semblance of normal in this fiscal year, and possible not until calendar 2021.

In the meantime, here are a few ideas to win more business at the end of fiscal 2020 on Sept. 30.

First, relevant content, well written or produced, then properly deployed after production. Content can take many forms, from articles and blog posts, to videos and podcasts, from webinars to white papers, and much more. Studies from Market Connections, Inc, Hinge Marketing and others have not only demonstrated the value of content in the procurement process, but have shown it to be a critical factor when you are targeting specific contracts, going after business with a specific agency, or developing and showcasing an area of expertise.

Producing the content is step one, putting it where your target audience will find it is step two.

All content should be resident on your web site under a “Resources” button. After that, share it via social sharing and email. If you post it on LinkedIn, it automatically goes to your 1st degree connections via their “Home” page. If someone else shares it, it goes into their 1st degree network the same way.

Your content should be educational in nature and avoid any overt sales message. Just include contact info at the end and encourage readers and viewers to share.

Second, virtual events. By this time we should all be ZOOM-masters, right? I had been on ZOOM before Covid 19 sequestered us, but now I feel like I cannot live without it. ZOOM is massively more personal than a call.

Many events, even larger ones, have gone virtual with varying degrees of success. For those that didn’t quite make it, the problem may have been the tech backbone or the partner you chose to produce the event.

Vetting your virtual event provider and testing capacity is key, so start by asking your peers who they are using. If you attend an event that works, or that does not work so well, find out which platform was used.

If you are hosting an event for govies, make certain it is on a platform approved by their agency. If it is FedRAMP compliant, you should be OK. If not, rethink your platform.

Virtual events are here to stay.

Third, social selling. Social selling has been growing in importance over the last few years, but has now become critical. LinkedIn is the primary venue for this and the traffic on LinkedIn since the “stay at home” order has risen significantly.

Social selling is not traditional selling. It is the art and science of getting on the radar of a defined audience and staying on the radar in a non-intrusive way by leveraging social networks. It is not designed to replace traditional sales or business development, but to supplement and support them.

Sharing the content you develop is a social selling technique. Finding, liking and commenting on content shared by your prospects, is another technique. “Following” your prospects before reaching out is yet another. There are several easy-to-do social selling tactics.

Reaching out to connect with your prospect audience can be a social selling technique as long as you don’t send the LinkedIn connection “form letter.” Find a way to put the connection request in context of what the prospect does and what you bring to the table, but not a sales context.

Best of fortunes for your federal “busy season”!”


Mark Amtower

Mark Amtower advises government contractors on all facets of business-to-government (B2G) marketing and leveraging LinkedIn. Find Mark on LinkedIn at

Cyber Speed Vs. Cyber Security In The Age Of Pandemic

Image: Shaun Gordon “Future Stack


The need for speed may always conflict with concerns about preventing fraud and bolstering security. But one thing is sure: Future systems must be built for resilience, because the next technology upheaval could be right around the corner.


“The sudden imperative to move state employees to remote work followed by the unprecedented flow of billions into states coffers to pay unemployment benefits has created big headaches for government agencies.

Sophisticated fraudsters have been waiting patiently for just this moment — the convergence of a flood of government funding and new, lax controls to allow money to get to applicants quickly. Armed with personally identifiable information obtained through data breaches and sold on the dark web, these fraudsters have applied for state unemployment compensation under false pretenses, diverting millions of taxpayer dollars and causing havoc for program officials and legitimate applicants. In addition, in states where mobile applications were quickly developed so applicants could apply conveniently via their smart phones, normal controls and processes were not implemented and, in some cases, security was compromised.

“The move to remote work also led to some malicious activity as government agencies were forced to rapidly deploy remote-access solutions that were not designed to accommodate a surge of growth. Again, to get the workforce to be productive quickly, some security processes and controls were relaxed or waived.

Obviously, the pandemic forced government to balance the need for quick action against ensuring that security processes were followed and controls put into place. In the battle between speed and security, however, speed often won.  Fraudsters, always watching for vulnerability and opportunity, pounced. And they are still pouncing.

In retrospect, better cybersecurity controls could have been baked into payment processes from the beginning. This upfront activity could have largely prevented the incident and response efforts that inevitably occur when security becomes an afterthought. However, hindsight is not helpful now, so what can be done going forward to bolster security and prevent fraud?

Government agencies should examine every key decision since work-from-home orders began. They should conduct risk assessments, understand the threats, vulnerabilities and consequences – and reimagine security tools and processes that should have been built in.  Rather than thinking it’s too late and giving up, agencies should re-evaluate remote access and newly implemented collaboration tools, especially those involving third parties. For unemployment claims, agencies should re-examine modified applications and mobile apps to assure security. They must also look into privileged access, which may have changed, and continue to apply risk management concepts.

Above all, agencies must continue to focus on the fundamentals and make them integral to their culture. These include access management (especially for privileged users), training and awareness, consistent software patching, regular antivirus updates and well-tested business continuity and resilience processes.

While these measures can certainly help in the short term, the real solution is longer term.

If the pandemic has taught us anything, it’s the need to be resilient — and that is especially true for government technology systems.

Broadly speaking, what has occurred over the past three months should cause government organizations to think about the next crisis and build systems that can adapt to whatever happens — whether it is a sudden need for remote work solutions, a major program change to respond to an economic collapse or the constant need to stay one step ahead of hackers and fraudsters.  In short, agencies must evolve with the environment.

When agencies anticipate disruption, technology transformation projects can be planned with resilience and adaptability in mind. Cloud-based operations must be considered for critical applications because the cloud can provide the agility, efficiency and the elasticity needed during both normal business operations and unpredictable times.”

New Redesigned Social Security Retirement Benefits Portal

Image: Social Security Administration


The newly redesigned retirement benefits portal, will make it easier for millions to file for retirement benefits, the agency said in a statement.

The new portal also cuts down on pages and dense wording in favor of more concise information.


The agency also optimized the portal for mobile devices, as well as set up subscription lists for retirement information and benefits updates.”


“Social Security is part of the retirement plan for almost every American worker. It provides replacement income for qualified retirees and their families. This section of our website helps you better understand the program, the application process, and the online tools and resources available to you.”

Networked Customer Experience (CX) Is Converging Public And Private Sectors

Image: “WSP


The government’s mobilization in the recent weeks to design a network of citizen-focused programs has been profound to watch—and in many ways represents the future of experience. 

At the end of the day, a networked customer experience is not just the result of a technical solution; rather, it’s a deeper philosophical shift in a move from top-down transactional experiences to more integrated, co-equal relationships between government and citizens.


“In a matter of weeks, and in some cases days or hours, many businesses have pivoted because of the pandemic to meet the needs of their customers and offer a completely different customer experience (CX). Similarly, hospitals and medical practices have started to pivot their business model to focus on telemedicine, and many small businesses that were never in the delivery space have shifted quickly so they can continue to bring goods and services to customers—and remain profitable during a challenging time.

But the private sector is not the only space innovating and taking a customer-centered approach to the public health crisis. Government agencies have also had to shift in significant ways to operate in this unique environment and interact with citizens differently. Here are just a few examples of what federal organizations have done in a very short period of time to continue meeting their mission to serve citizens:

  • On April 15, the IRS launched the Get My Payment web tool so the millions of Americans who will receive stimulus checks can track the status of their payment. Shortly after deploying this tool the IRS began monitoring usage trends and customer feedback to drive the creation of coronavirus stimulus-specific FAQ content and iterative agile application improvements. The IRS has been, and will continue, deploying updates several times each week since launch.
  • In order to stay accountable to the public and report on the nearly $3 trillion stimulus funds, the Treasury Department is updating the Data Act systems to update its tools to account for increased submission requirements by agencies spending CARES Act money. The department is making that information available to the public on and the Data Lab in new visualizations and data downloads.
  • In order to re-open recreation areas safely and in accordance with safe distancing guidelines, federal land management agencies are using as one of their tools to provide advanced reservations, manage visitation volume, distribute information, and offer online payment solutions to visitors.
  • And the General Services Administration’s Technology Transformation Services pivoted up to 20 percent of its talent pool, at times, to fast-paced response efforts—including the development of authentication technology for the Paycheck Protection Program run out of the Small Business Administration and which is keeping so many businesses afloat.

Moving Toward Networked Customer Experiences

In both the private and public sectors, customers are expecting interactions that are seamless, with access to a collection of features simultaneously. We refer to this as a “networked” experience model, where customers create value with multiple providers, and the experience depends on the value those providers deliver collectively. There are still experience challenges that are unique to government given its organizational and mission complexity.

There will be a time soon when those responsible for delivering federal services like social security, veterans’ benefits, and medical programs will be able to rethink the entire customer interaction. At the end of the day, a networked customer experience is not just the result of a technical solution; rather, it’s a deeper philosophical shift in a move from top-down transactional experiences to more integrated, co-equal relationships between government and citizens.

It’s clear that a networked services model has in many ways operationalized during this public health crisis, in which customer experience has taken on heightened significance. Federal organizations can’t afford major missteps, and agency leaders should take advantage of support resources for help navigating this complex new normal. Over the past few years several organizations and programs have been established, including the United States Digital ServiceOPM LabsGSA’s 18F and their IT Modernization Center of Excellence for Customer Experience, to help agencies evolve with a rapidly changing experience landscape. Lighthouse agencies (such as the U.S. Department of Agriculture) and Lead Agency Partners (such as the Department of Veterans Affairs) for customer experience have had fully operational CX practices in place since before the crisis, and their models can serve as a blueprint for others along their experience journeys.”

Pandemic And Diversity Objectives Mean Allies And Partners More Important Than Ever

Image: “Istock


The globalized pandemic reminds Americans of their inextricable ties to the rest of the world. We do not live or operate in isolation. Strength in numbers, based on common values and amplified by shared decision-making and interoperability, ensures effective deterrence, denial and, when required, defeat of those who would oppose our way of life. 


“Now, more than ever, engagement and interoperability help us maintain and extend competitive advantage. As much of the world turns inward to deal with the impact of the current COVID-19 pandemic, U.S. competitors and adversaries seek advantage. National security professionals must continue to look outward, to deter, deny and, when necessary, defeat potential adversaries.

Deterrence, denial and defeat are always made easier with friends. Burden sharing at any level lessens the load the United States might otherwise bear alone. Demonstrating resolve across national boundaries also pays dividends, since potential adversaries may reconsider bad actions if they believe many countries will act together to oppose those actions.

Additionally, cognitive diversity — exploring strategies and courses of action that draw from multiple cultures and experiences — can help us outthink, rather than outfight, potential adversaries.

Finally, interoperability across the spectrum of conflict ensures the combined efforts of the United States and its allies and partners can deter, deny and defeat effectively.

Many U.S. politicians decry what they see as European allies failing to shoulder an equitable resource burden to maintain NATO’s relevance and strength. While there is always room for friends to talk about how best to split the bill, all allied contributions ultimately eliminate some national security burdens that might otherwise fall solely on the United States. Since the nation’s founding, American economic success has in many ways depended on free and open trade with allies and partners across the globe.

When Europe faced ruin from an incredibly destructive world war, U.S. forces helped catalyze an ending. And when a world war came to Europe a second time, America provided equipment and eventually forces to ensure a democratic, free market future for the western world.

The United States also played a lead role in winning the war in the Pacific, establishing the conditions for significant trade and national security relationships that continue to define international engagements.

Since that Second World War, U.S. economic and military strength has been inextricably tied to the maintenance of peace in Europe and the Pacific. These security relationships enabled economic growth with no known historical counterpart. U.S. presence and engagement through military and economic partnerships serve as the best guarantor of future peace and economic prosperity across the world.

American presence and engagement help guarantee peace and prosperity because of the inherent strength in numbers. While the United States may, in good faith, argue and disagree with its allies and partners, ultimately its interests align; we all want free and open societies based on democratic values where everyone has the opportunity to work to make a good life for their families. These shared bedrock ideals buttress alliances and partnerships as we work to deter, deny and defeat state and non-state actors who would attack those ideals. Collective resolve — backed by collective action — forms the foundation of a world order that has benefited nations across the globe with economic growth and prosperity.

But allies and partners bring more than simply burden sharing and numbers; most importantly they bring cognitive diversity to U.S. strategy, operations and tactics. Academic studies, as well as practical experience, clearly demonstrate that diverse, inclusive teams make better decisions. American warriors don’t own a monopoly on insights that can provide advantage across the spectrum of conflict.

Different experiences — cultural, educational and professional — frame approaches to tough challenges. We operate more effectively when we consider a broad array of alternatives, and we benefit from partners’ insights when we include them in all facets of operations, from determining strategy, to planning operations, through execution and finally evaluating effectiveness.

My experiences in my last assignment in Japan confirmed for me that our unique network of allies and partners is a force multiplier to achieve peace, deterrence and interoperable warfighting capability. The Defense Department is reinforcing its commitment to established alliances, while also expanding and deepening relationships with new partners who share our respect for self-determination, fair and reciprocal trade, and the rule of law.

Building partnership capacity in our long-standing security alliances is the bedrock on which U.S. strategy rests. It provides a durable, asymmetric strategic advantage that no competitor or rival can match. Expanding interoperability will ensure respective defense enterprises can work together effectively during day-to-day competition, crisis and conflict.

Through focused security cooperation, information sharing agreements and regular exercises, we connect intent, resources and outcomes and build closer relationships between militaries and economies. Increasing interoperability also involves ensuring military hardware and software can integrate more easily with those of our allies, to include offering financing and sales of cutting edge U.S. defense equipment to security partners.

The National Security Strategy calls on the United States to pursue cooperation and reciprocity with allies, partners and aspiring partners; cooperation means sharing responsibilities and burdens. The United States expects its allies and partners to shoulder a fair share of the burden to protect against common threats. When we pool resources and share responsibility for our common defense, the security burden becomes lighter and more cost-effective.

The globalized pandemic reminds Americans of their inextricable ties to the rest of the world. We do not live or operate in isolation. Strength in numbers, based on common values and amplified by shared decision-making and interoperability, ensures effective deterrence, denial and, when required, defeat of those who would oppose our way of life. “

5G Promise And Perils For Government Agencies

Image: “FCW


Agencies’ existing network and cybersecurity investments will help navigate the 5G future, but discussions about how to adapt these investments, and reorient them where necessary, must happen now.

Knowing what devices are connecting to your networks, what their cyber posture is and how they behave will remain the first and most critical component of effective cyber risk mitigation.


“Fifth generation (5G) wireless technology has the potential to transform how the U.S. government achieves its many critical missions. With superior bandwidth, agencies will be able to connect more mission-supporting devices than ever. 5G also promises to increase functionality of these devices through reduced latency and speeds that are up to 100 times faster than the current fourth generation Long Term Evolution (LTE) technology. This can translate into improved performance, security, safety and efficiency for federal missions.

Congress and the White House both recognize how important it is that the U.S. fully harness the power of 5G in meeting government missions. The need for effective and efficient COVID-19 response and recovery has only highlighted this.

The U.S. military — the most logistically complex organization in the world – is likely to emerge as a leading 5G adopter and innovator. In the fiscal 2020 defense spending bill, Congress prioritized 5G research and development by providing $275 million to the Department of Defense for next generation information communications technology, including 5G. The DOD is currently demonstrating the benefits of 5G in government in a few interesting projects, including at the U.S. Naval Supply Systems Command Fleet Logistics Center San Diego, the concept of a “smart warehouse” is being tested. This project will leverage 5G to manage inventory and process orders with optimal efficiency and accuracy. As the DOD contemplates the wide range of possible use cases for 5G technology, its spending will align to these desired uses.

To allow the DOD and other federal agencies to realize 5G’s full potential, however, the government must address concerns about 5G and cyber risks. One of the widely discussed risks associated with 5G is the problem of potentially compromised hardware being incorporated into our national telecommunications infrastructure. Congress and the White House have both taken steps to address this issue — calling for the incorporation of a microelectronic trusted supply chain and operational security standards into 5G equipment.

The government has also prohibited telecommunications providers that receive federal funding from utilizing Huawei and ZTE equipment, two telecommunications equipment manufacturers the U.S. government believes have ties to the Chinese Communist Party and therefore could potentially be compelled to install unauthorized remote access capabilities (so-called “backdoors”) into their products. The concern that such backdoors could be exploited by the Chinese government for espionage, sabotage or even acts of war is shared by many U.S. policymakers and experts, on a bipartisan basis.

While much of the security discussion surrounding 5G has thus far focused on certain Chinese equipment manufacturers, there is another major security concern that must be addressed: the security risk posed by the addition of millions of additional devices, including Internet of Things (IoT) devices, accessing government network resources.

In the past, such devices have connected to network resources utilizing U.S. government-managed wired or wireless access points on government-controlled campuses. The 5G vision instead entails millions of devices accessing network resources remotely via cellular connections, likely provided through a blend of government and carrier-owned networks. Whose job is it to determine which of these devices are legitimate and do not pose a threat to either the carrier or the agency IT infrastructure they access? Who is responsible for monitoring devices while connected to ensure they don’t change their state – in other words, present themselves as legitimate, secure devices, but once admitted to the network proceed to engage in hacking or espionage activities? And ultimately, how should this diverse landscape of devices and connectivity be prioritized and segmented according to roles and criticality, so that the most sensitive and mission-critical functions are identified and protected? In a 5G future, government network security teams risk losing visibility and control of devices accessing their federal networks through carriers’ 5G towers.

Fortunately, most agencies have laid down an important foundation enabling them to overcome some of the challenges of securing their networks as 5G adoption increases. Two government-wide cybersecurity programs — the civilian agency-focused Continuous Diagnostics and Mitigation (CDM) program and the DOD’s Comply to Connect (C2C) program — are examples of dynamic frameworks and integrated capabilities designed to ensure all devices are detected and classified as they connect to the network, and are inspected continuously for cybersecurity risks, including patch and configuration status, banned hardware and software, behavioral anomalies and a host of other attributes.

Agencies that have mature instantiations of either the CDM or C2C programs will have the same level of insight into devices connecting via carrier-owned 5G networks as they do for those connecting within a campus, cloud or data center network, and will be able to enforce the same security and network access policies. Not insignificantly, the remote working trend that has become necessary during the COVID-19 pandemic has provided federal agencies some lessons in applying their CDM and C2C tools to devices that are connecting through Internet Service Provider networks in employees’ homes – in some rare cases on devices that are not owned or managed by the federal government. While telework architectures are still in need of improvement, a productive outcome of the COVID-19 crisis is that it has afforded federal agencies, in particular the DOD, an opportunity to apply “zero trust” strategies even as the concept of the network “perimeter” has been completely shattered.

We are still in the early days of 5G and the full benefits for federal agencies have yet to be realized. The operationalization of 5G will mean many millions more devices connecting to government systems. These devices support services vastly improving citizens’ security and safety and allowing government services to be delivered more effectively. However, allowing all of these devices to connect to government systems without a robust capability for finding, profiling and monitoring them would jeopardize not only agencies’ existing networks, but the very missions 5G equipment is deployed to support.

The C2C and CDM programs are good examples of how [a]visibility-first approach enables more effective security and ensured agencies’ mission-readiness. Securing 5G-enabled networks through this foundation reduces national security risk and enhances government agencies’ ability to continue serving missions.”

Automation Is Advancing In Federal Acquisition

Image: “FCW


Federal agencies are evolving from leveraging rote robotic processing bots in their acquisition operations toward more complex artificial intelligence processes to inject even more efficiencies into contracting.


“We do have seeds of true AI sprouting” for federal acquisition applications, Omid Ghaffari-Tabrizi, director of the Acquisitions Centers of Excellence in the General Services Administration said during a Defense One June 3 virtual event on automation in acquisition.

While robotic process automation (RPA) bots that handle rote, repetitive chores and free up humans for other work are increasingly common, AI is more complicated, according to Ghaffari-Tabrizi.

GSA uses a bot to track, find and change Section 508 disability clauses in contracts to ensure compliance, and that work is more advanced than just rote processing he said. That review, he said, takes “some degree of intelligence,” but the output is always reviewed by humans to ensure accuracy.

While RPA bots can be implemented relatively quickly based on automating established processes, AI takes more time and expertise because it forges new paths in processes and data, by finding new ways to traverse both, said Michelle McNellis, who is also a director of acquisitions at GSA.

GSA has been at the forefront of implanting bots, with dozens automatically performing repetitive electronic processes, such as automating the work associated with processing offers under the Federal Acquisition Service’s Multiple Award Schedules as well as an invoice notification bot.

It’s also using bots for its FASt Lane, eOffer and eMod processes, said Ghaffari-Tabrizi. FASt Lane is the agency’s program to accelerate how IT contractors get new products onto its buying schedules, while eOffer/eMod allow vendors to submit modifications to their contracts.

Other federal agencies looking to harness similar RPA capabilities, said McNellis, should move deliberately, getting input from all agency operations, including finance, IT, acquisition and management. Legal issues and IT capabilities need to be addressed before moving ahead with either AI or RPA efforts, she said.”