Category Archives: IoT

The Next $10 Billion Chapter In The Veterans Administration Health Care Systems Development Saga


Editors’ Note: The story herein on “FEDSCOOP” announces the latest trip on a decades-long road of efforts by the Veterans Administration to connect the health care systems of the military with those of the VA and establish state-of-the-art record keeping for veterans.

This sole-source, non-competitive contract award to Cerner, a commercial firm, in lieu of in-house systems development, is a major change in approach from past efforts that have cost billions and led to shutdowns and start-overs.

Having seen these types of government systems management challenges from the inside for over four decades, I find myself sincerely doubting that both the scope and the price tag are final. For historical perspective, please see:

A VETERAN CONNECTS THE DOTS IN THE MILITARY AND VETERANS HEALTH CARE SYSTEMS MAZE   

Ken Larson

_______________________________________________________________________________________

“FEDSCOOP”

“The Department of Veterans Affairs announced Thursday that it has officially signed a contract with Cerner for a new electronic health record (EHR) system.

The inked contract is worth up to $10 billion over 10 years.

“With a contract of that size, you can understand why former Secretary [David] Shulkin and I took some extra time to do our due diligence and make sure the contract does what the President wanted,” acting Secretary Robert Wilkie said in a statement. “President Trump has made very clear to me that he wants this contract to do right by both Veterans and taxpayers, and I can say now without a doubt that it does.”

The new EHR will be “similar” to that used by the Department of Defense, which will allow patient data to be “seamlessly” shared between the two. This has been a major pain point with the Department’s current EHR, the Veterans Information Systems and Technology Architecture, or VistA.

Wilkie reiterated Shulkin’s comments, from March, that the VA will learn from some of the DOD’s challenges in deploying its new EHR, known as MHS Genesis, and will not fall prey to the same pitfalls, which have plagued early pilots of the system and led to a report calling it “neither operationally effective nor operationally suitable.”

“VA and DoD are collaborating closely to ensure lessons learned at DoD sites will be implemented in future deployments at DoD as well as VA,” Wilkie said. “We appreciate the DoD’s willingness to share its experiences implementing its electronic health record.”

“Signing this contract today is an enormous win for our nation’s Veterans,” Wilkie said. “It puts in place a modern IT system that will support the best possible health care for decades to come. That’s exactly what our nation’s heroes deserve.”

However big an announcement this may be, actual rollout of the new EHR will take time. At an event in January, former VA CIO Scott Blackburn told the crowd to expect another 10 years of VistA.”

https://www.fedscoop.com/va-ehr-cerner-10-billion-robert-wilkie/


Silicon Valley Will Never Love The Pentagon


“C4ISRNET.COM”

“In early April the New York Times reported 3,100 Google employees signed a letter asking the company to pull out of a DoD program called Project Maven.

In short, that program would use Google’s artificial intelligence to help identify objects in drone video. Eventually, those objects could become targets. Google employees objected to this collaboration and to their talents being used as a weapon of war.”


___________________________________________________________________________________________

“C4ISRNET”

“For years, senior Department of Defense leaders have preached a message of speed. Buy faster. Test faster. Fail faster. Succeed faster. Get new capabilities out to the troops faster.

Faster, faster, faster.

Representatives from industry nod and say yes, faster is a start but, honestly, even faster would be better.

And so, the question naturally becomes, if everyone wants to go faster — the leaders want to go faster, and the folks on the front line want to go faster and the defense industry wants to go faster — what’s the holdup?

Inevitably, the answer is middle management. DoD bureaucracy is mired in the habit of moving slow. How it was is how it will forever be.

The problem, almost everyone says, is culture.

For several years now, the Pentagon has been reaching out to Silicon Valley as a way to, you guessed it, move faster. It has opened offices and assembled boards and advisors with Silicon Valley luminaries serving as liaisons to the Pentagon. Senior leaders have made approximately a billion jokes about having to wear a hoodie to work. The head of Google’s parent company, Alphabet Inc., is on the board of the Pentagon’s advisory committee.

Pentagon leaders have not made a convincing case as to why their dollars and their vision to change the world are any more altruistic than the next guy with billion-dollar pockets. Again, but this time with a West Coast flavor, the problem is DoD’s culture.

Disruption does not come clean or easy. It requires making people in long-held institutions unhappy.

If DoD wants to move faster, it has a choice: It can disrupt institutions in Washington or disrupt institutions on the West Coast. But if it wants wholesale change, as leaders often claim, it will have to choose workers on one coast to make unhappy.”

https://www.c4isrnet.com/opinion/2018/05/15/silicon-valley-will-never-love-dod/


GSA Weighing ‘Multiple Initiatives’ For Government 2019 Centers of Excellence (COE) Projects


“FEDSCOOP”

“The USDA was selected to be the “lighthouse” agency for the rollout of all five CoE teams, but future projects could focus on agencies using individual teams.

Those teams are paired with contractors, as well as personnel at target agencies, to carry out IT modernization projects based on their skill sets.”

___________________________________________________________________________________________

“As the General Services Administration moves forward leading the White House’s Centers of Excellence program to modernize IT operations at the Department of Agriculture, agency officials at the agency’s Technology Transformation Service are already looking toward the next round of projects.

Joanne Collins-Smee, deputy commissioner of the Federal Acquisition Service and TTS director, said Friday that the agency was already looking for what projects it could deploy the CoE teams to in fiscal 2019.

“That’s the vision, that we would have several agencies that the CoEs are in at one time,” she said at ACT-IAC’s Igniting Innovation event. “So, for the first substantiation, we all agreed it’s USDA and USDA alone. But as we look into 2019, we are looking at are there other agencies that we would bring on?”

The CoE program, announced in December, is built on five teams of IT talent specializing in cloud adoption, IT infrastructure optimization, customer experience, contact center services and service delivery analytics.

“So as we are evolving this model, the view is that it doesn’t have to be all five. We are going to be building up the teams also,” she said. “So our vision is that we are going to have similar tiger teams. Obviously, they have a very specific skill, but they would go into the next agency. So it’s not like the same team would do USDA and [another] agency.”

The ongoing USDA modernization project is currently in its assessment phase of what is projected to be a three-year overall project, with each team on a separate timeline.

USDA CIO Gary Washington said he expects the implementation phase to begin this fall after the agency assessment and game-planning by the CoE teams are complete.

“We have set ambitious, but realistic timeframes to accomplish this,” he said.

Collins-Smee added that GSA and USDA would be revealing some of that assessment information, as well as the timeline for the implementation phase, in an industry day next month.”

https://www.fedscoop.com/gsa-weighing-multiple-initiatives-next-coe-projects-2019/


6 Predictions On How A New Strategy Could Change What The Pentagon Buys


“C4ISRNET”

“During a speech at Johns Hopkins University in January 2018, Jim Mattis, the secretary of defense, unveiled an updated version of a Pentagon document called the National Defense Strategy.

C4ISRNET asked industry leaders to explain how this shift could play out. Individually, their answers are compelling, but together they create a rich portrait of modern warfare.”

___________________________________________________________________________________________

“After nearly 17 years of war in Iraq and Afghanistan, the new document fundamentally changed the direction of the Department of Defense. Now, the Pentagon is turning its attention to what it describes as a near-peer competition — in other words: China and Russia — and away from the counterterrorism mission.

But with the new focus comes a shift in battlefield technology. The strategy calls for updated nuclear command and control, investments in space, and greater integration of cyber.

CYBER

WHAT WILL CHANGE: More sophisticated cyberattacks

WHAT THE PENTAGON WILL WANT: More automation with cyber and more visibility of who’s on the network

NAME: David Mihelcic, federal chief technology and strategy officer, Juniper Networks

Near-peer adversaries are willing to expend significant resources — both in terms of people and money — to penetrate or disrupt federal networks critical to the security and economic health of the United States. Likewise, near-peer adversaries’ tools and techniques are far superior to those used by more typical criminal hackers. As such, we’re going to see threats against federal networks increase exponentially. In response, federal agencies must defend all their network assets and those of the nation, whether they exist in legacy or cloud environments.

Agencies must proactively hunt near-peer adversaries that are attempting to or have already established a foothold within federal networks. These same techniques must also be adopted by operators of enterprise and service provider networks. U.S. Cyber Command and the Department of Homeland Security will need to be prepared to respond in kind if adversaries act against our defense and civilian networks, as well as our national critical infrastructure. Remember that DHS is tasked with protecting the entire country, not just the federal government. To do that, the department must be prepared to respond to cyberthreats to commercial networks.

Security automation will be critical. Automation can also greatly reduce the risk of human error, such as the accidental exposure of highly sensitive data to potential bad actors.

Agencies will also need increased visibility into all aspects of their network environments. Near-peer adversaries’ attack methods are growing increasingly sophisticated. They may target applications, devices or other means, and are motivated to find vulnerabilities that CIOs may not even realize exist. Federal IT professionals must have tools in place that allow them to identify and remediate those vulnerabilities and quickly react to potential threats.

UNMANNED

WHAT WILL CHANGE: More resilient multidomain weapons systems

WHAT THE PENTAGON WILL WANT: More underwater drones to provide intelligence, surveillance and reconnaissance

NAME: Bill Toti, president, L3 Maritime Sensor Systems

Imagine the USS TEXAS approaches the coast of a foreign harbor. The ship slows to near-hover, and from one of its torpedo tubes emerges a swarm of 30 Iver-PW unmanned underwater vehicles. They swim out, then spread into a pattern equidistant in lateral distance and depth, autonomously station-keeping. They scan the ocean volume for bottom, moored and floating sea mines, reporting mine detection in real-time. After completing the deep survey, they continue on to perform hydrographic survey of the beach to prepare for an upcoming Marine amphibious landing. The entire operation is done within six short hours. Before this technology was available, the process would have taken 100 divers over three weeks to perform comparable surveys.

Not far away, an extra-large underwater drone plants an active sonar projector on the sea floor, which immediately goes active. A series of six medium-diameter Iver-5 unmanned underwater vehicles orbit up to 30 miles away carrying passive receivers, bi-statically tracking four adversary submarines in the area.

Further out to sea, one of 50 deployed Bloodhound unmanned surface vehicles is guided to a target datum by shore-based antisubmarine warfare command-and-control forces. A HELRAS dipping sonar is automatically lowered through a moon bay on the Bloodhound, immediately detecting the target, a cruise-missile firing submarine. The USV then reels in the dipping sonar, autonomously repositioning, then dips its sonar again and starts pinging, regaining track. This Bloodhound USV is able to track the submarine for weeks, until hostilities begin and a P-8 Poseidon aircraft outfitted with an MX-20HD electro-optical sensor system is dispatched to launch a torpedo and destroy the submarine from standoff range.

More resilient multidomain drone systems could benefit ISR needs.

SPACE

WHAT WILL CHANGE: Adversaries may have counterspace technologies

WHAT THE PENTAGON WILL WANT: Greater space capabilities and resilient satellite communications

NAME: Rebecca Cowen-Hirsch, senior vice president of government strategy and policy, Inmarsat Government

The DoD’s new national defense strategy places even greater emphasis on the urgency for enhanced threat awareness in space, along with the protection of critical assets, both military and commercial on orbit. In contrast to insurgents in the Middle East, a near-peer adversary is more organized, strategic and state funded, and thus positioned to engage aggressively across multiple domains.

Indeed, a future conflict of this nature would likely involve troops and unmanned assets on the ground, in the air and at sea; satellite jamming incidents; on-orbit threats; and state-sponsored cyber intrusions targeting electric power grids, nuclear plants and other critical infrastructure across the globe.

The National Defense Strategy asserts that an attack on critical components of the U.S. space architecture “will be met with a deliberate response at a time, place, manner and domain of our choosing.” In support, the space industry’s focus must be on the broadest areas of support for C4ISR, for both military and commercially supplied satellite communications platforms. This means continued investment into wideband and additional, protected communications, network diversification, backhaul performance, Overhead Persistent Infrared technologies and enhanced augmentation for GPS. This new strategy shifts focus of some mission sets to support advancements in maritime and aeronautical ISR and other highly mobile tech demanding of resilient SATCOM.

The adversaries here are not “new,” but their tactics and capabilities have and will continue to evolve and expand. To respond, commercial, defense and intelligence assets must prepare to deter, detect and defend against these threats — whether on land, in the air, at sea, space and cyberspace.

ELECTRONIC WARFARE

WHAT WILL CHANGE: Near-peers will have significant jamming capabilities

WHAT THE PENTAGON WILL WANT: More software-defined hardware

NAME: Christopher Rappa, product line director for RF, electronic warfare and advanced electronics, BAE Systems FAST Labs

Past counterterrorism operations revealed the difficulties of fighting an asymmetric battle with a determined, cunning and agile adversary. Insurgents leveraged commercial technology, including cellphones and social media, for battlefield coordination and off-the-shelf components in improvised explosive devices. This use of easily accessible technology stressed the defense acquisition pipeline. Solutions required disproportionate investment and continued to be countered at great cost.

In concert with explosive demand in consumer products, radio frequency microelectronics and processing components are continuing to evolve and grow with no sign of slowing down. Additionally, the hardware is becoming more and more defined by software, enabling flexibility with minimal cost impact. The defense technology acquisition pipeline wasn’t designed to keep up and that is not necessarily the case for near-peer competitors. The DoD and industry needs to and can move faster.

Due to long acquisition cycles and a lower historical priority, the technology disparity is extremely evident in electronic warfare. Advancements in off-the-shelf software-defined systems enable waveform flexibility and agility where parameters can be changed between transmissions. Agility means uncertainty, driving us toward the development of cognitive, adaptive and coordinated EW systems that can adjust to counter new and emerging threats. Key innovations in those systems are required to not just keep pace with the commercial capabilities, but also to provide an edge over the near-peers who will be leveraging that technology and have been investing heavily to disrupt our command of the electromagnetic spectrum while the U.S. focused on the counterterrorism mission.

With a renewed focus on near-peer adversaries, the Department of Defense has reprioritized EW technology development. The next generation of electronic warfare technology will not be dulled by a peer’s ability to leverage commercial technology, a lesson learned from IEDs many years ago.

Satellite imagery could play a critical role in understanding China and Russia.

GEOINT

WHAT WILL CHANGE: The U.S. will have interest in an enormous geographic area

WHAT THE PENTAGON WILL WANT: Machine learning to process giant imagery libraries.

NAME: Walter Scott, executive vice president & chief technology officer, Maxar Technologies

One area that’s become increasingly important is the ability to derive intelligence and insight from volumes of data that are far larger than what human analysts can process naturally. Machine learning in the last few years has reached the point where it’s become an effective massive force multiplier, allowing talented and highly trained analysts to focus their efforts on the places and things that are most likely to have mission significance.

This is important because the relevant geographies are now larger than ever, and the adversaries are more capable. In the 1990s, you had to know where to look. In today’s world, it’s not the stuff you know about that’s going to hurt you — it’s the stuff you don’t know. So, you basically must look everywhere. We’ve greatly expanded our ability to collect imagery to the point where DigitalGlobe is now producing on the order of 80 terabytes of imagery product every day. It would take a single human analyst 85 years to extract just one single feature from that volume of imagery.

Fortunately, the tools to exploit this deluge of data have also been advancing very rapidly, enabling analytic results that might otherwise have gone undiscovered because there just aren’t enough eyeballs in the world to look at every pixel that’s being collected.

IT & Networks

WHAT WILL CHANGE: DoD will rely more heavily on the cloud

WHAT THE PENTAGON WILL WANT: More cloud services

NAME: Lawrence Hollister, executive director, Cubic Mission Solutions

Unconventional warfare is becoming the new normal. As technology evolves and data-to-decision speeds are increased, the need for a distributed edge cloud architecture or tactical cloud is a must. The tactical cloud is an operating environment where information, data management, connectivity and command and control are core mission priorities.

To best meet the challenges of future peer and near-peer actors, we must exploit all aspects of fused ISR from multiple assets and leverage technology in secure communications.

Quickly capitalizing on the capabilities of the ever-changing information age will allow our forces to seamlessly share situational understanding across C4ISR systems in every domain.

Near-peer actors have highly effective communication denying capabilities, putting our reach back at risk, thus dislocating the edge teams. This is why a hybrid cloud concept with local tactical cloud applications that can run disconnected from reach back cloud infrastructures is so vital. Even though the multidomain tactical/edge cloud has external connections, the cyber threat is reduced or mitigated through the connections to the edge and theater-level secure gateways.

The tactical/edge cloud model is where every platform is leveraged as a sensor. This vision will enable more rapid, effective decisions and will provide a significant operating advantage. A distributed, self-healing, multidomain tactical/edge cloud that is difficult to penetrate significantly complicates an enemy’s pursuits and will force the enemy to focus more resources toward its own defense and offense. In its desired deployment, the tactical/edge cloud will strategically sever the enemy and will lead to and enable multidomain superiority.”

https://www.c4isrnet.com/industry/2018/05/09/6-predictions-on-how-a-new-strategy-could-change-what-the-pentagon-buys/


$2 Billion VA Technology Transfer Process Requires Clarification Says GAO


“FEDSCOOP.COM”

“The agency operates a $1.9 billion research program, which has been behind inventions like the pacemaker, early prototypes for the CAT scan and more.

However, this process doesn’t always run as smoothly as it could — GAO found that while the VA’s 3,000 researchers are technically required to disclose their inventions to the agency, they may fail to “consistently” do so.”

_________________________________________________________________________________________


“The Department of Veterans Affairs needs to clear some things up in order to improve its technology transfer pipeline, a new Government Accountability Office report found.

The agency also has a tech transfer office, created in 2000, which works to shift internal health care innovations to the private sector for eventual commercialization, from which the VA can then collect royalties.

Some researchers are unaware of their responsibility to report. First-time inventors, for example, may not know what protocol is.

“VA established an online training program in 2017 covering the invention disclosure process, but the training is not mandatory,” the GAO report reads. “VA provided us with a report from October 2017 indicating that out of over 3,000 eligible researchers, 130 had taken the training.” That’s just four percent.

Second, many of the VA’s researchers also hold positions at universities, and this muddies the reporting process. These researchers may disclose their invention to the university assuming that the university will, in turn, disclose to the VA. But this doesn’t always happen.

Collectively, these two issues contribute to “lost technology transfer opportunities and royalties for VA,” the GAO report states. The watchdog recommends that VA implement a couple of fixes to make sure it is getting the full return on its research investment.

First, the report advises, “make training about invention disclosure mandatory.” And as to the university partnerships, GAO suggests that the VA create a standard method of reporting for all. The VA concurred with both of these recommendations.

The Trump administration recently identified tech transfer as one of its cross agency priority goals (referred to as CAP goals) — benchmarks instituted as a way to operationalize the President’s Management Agenda. CAP goal number 14 seeks to “improve the transfer of technology from federally funded research and development to the private sector to promote U.S. economic growth and national security.”

The administration is keenly interested in maximizing the federal return on research investment.

“Future promises are not enough,” Michael Kratsios, deputy CTO at the Office of Science and Technology Policy, said of federal R&D spending at a recent National Institute of Standards and Technology event. “The taxpayer correctly demands that we justify why our spending is important and why it’s important today. We must focus on maximizing our return on federal investment.”

https://www.fedscoop.com/va-tech-transfer-gao-report/

Understanding The Government Contracting Customer and Fueling Innovation


“WASHINGTON TECHNOLOGY” By John Marinaro

“The federal government reached its small business federal contracting goal for the fourth consecutive year, awarding 24 percent in federal contract dollars to small businesses totaling $99.96 billion, an increase of over $9 billion from the previous year.

Small and medium sized businesses should feel empowered by this trend and work to understand what the government needs.”

________________________________________________________________________________________

“How do we truly begin the process of innovating the government? It’s an age-old question that seems to have no definitive answer.

For a small to mid-size government contractor, when you’re dealing with an entity as large as the federal government that’s been doing what they do for decades on end, it can feel almost impossible that you could effectively break through with innovation.

With an agency’s inability to sit down with each individual contract team to hold a tailored discussion around their specific challenges or pressures, it becomes exponentially more important for any contractor to independently take the steps necessary to become a better partner to the government.

After my time at NASA and now having transitioned to private industry, I’ve figured out a couple of focuses that can help with easing the government-contractor relationship.

EMPHASIZE INNOVATION

Government agencies are often torn by the fact that they want to modernize, but the logistics of doing so often prove difficult.

Contractors need to understand that the government is constantly torn between the evil they know (older contracting partners they’ve worked with for years) and the evil they don’t know (new and innovative solutions that would be procured through a brand new contract).

What can a contractor take away from this fact? An emphasis on innovation.

Whether it’s during a discussion in a quarterly meeting or inside RFP development, the government needs to come away understanding why a company’s solution and body of work is truly new and different. It can’t just marginally move the needle, it needs to generate massive returns that will make an agency feel like the results will be worth the cost of time and finances it will take to transition to something brand new.

It’s easier for the government to take the path of least resistance if the alternative doesn’t make more than a small splash.

PROVE YOUR AGILITY AND FLEXIBILITY

Another dilemma that the government faces in their pursuit of innovation is the fact that once they’ve made the decision to incorporate a new team, there’s a delay or stoppage in short term progress.

With a flattened budget, a contract team doesn’t have the time or financial allowance to do research as part of the contract, as this will often draw resources away from other work.

Contractors need to ensure that they can get up to speed quickly without hindering their agency partner. A partner that’s self-motivated to do external reading, research, or learning about a particular challenge provides much more value to a government-contractor relationship than simply waiting for someone to hopefully provide you with that information.

ALIGN YOUR MISSIONS

According to a recent Government Business Council survey, many agencies lack a mission-focused strategy. The survey shares that 1 in 3 respondents feel that their agency’s IT contractors lack an understanding of organization mission objectives. This also likely results in the government’s difficulties in identifying new solutions to mission challenges.

As a contractor, it is your job to make sure that missions are aligned so that you and your government partner are working towards a long-term goal that positively affects both parties. Without a shared mission, it’s highly possible that miscommunication will occur and innovation will be prevented.

As a small business contractor, working with the government can seem daunting. However, following these suggestions will increase your chances for success.”

https://washingtontechnology.com/articles/2018/04/19/insights-marinaro-flexibility-innovation.aspx

About the Author


John Marinaro is the vice president of the federal civilian division of KeyLogic Systems.


Defending Hospitals Against Life-Threatening Cyber Attacks


Image:  phys.org

“FIFTH DOMAIN”

“Hospitals are unlike other companies in two important ways. They keep medical records, which are among the most sensitive data about people.

And many hospital electronics help keep patients alive, monitoring vital signs, administering medications, and even breathing and pumping blood for those in the most dire conditions.”

__________________________________________________________________________________________

“A 2013 data breach at the University of Washington Medicine medical group compromised about 90,000 patients’ records and resulted in a US$750,000 fine from federal regulators. In 2015, the UCLA Health system, which includes a number of hospitals, revealed that attackers accessed a part of its network that handled information for 4.5 million patients. Cyberattacks can interrupt medical devices, close emergency rooms and cancel surgeries. The WannaCry attack, for instance, disrupted a third of the UK’s National Health Service organizations, resulting in canceled appointments and operations. These sorts of problems are a growing threat in the health care industry.

Protecting hospitals’ computer networks is crucial to preserving patient privacy – and even life itself. Yet recent research shows that the health care industry lags behind other industries in securing its data.

I’m a systems scientist at MIT Sloan School of Management, interested in understanding complex socio-technical systems such as cybersecurity in health care. A former student, Jessica Kaiser, and I interviewed hospital officials in charge of cybersecurity and industry experts, to identify how hospitals manage cybersecurity issues. We found that despite widespread concern about lack of funding for cybersecurity, two surprising factors more directly determine whether a hospital is well protected against a cyberattack: the number and varied range of electronic devices in use and how employees’ roles line up with cybersecurity efforts.

A wide range of devices

A major challenge in hospitals’ cybersecurity is the enormous number of devices with access to a facility’s network. As with many businesses, these include mobile phones, tablets, desktop computers and servers. But they also have large numbers of patients and visitors who come with their own devices, too – including networked medical devices to monitor their health and communicate with medical staff. Each of these items is a potential on-ramp for injecting malware into the hospital network.

Hospital officials could use software to ensure only authorized devices can connect. But even then, their systems would remain vulnerable to software updates and new devices. Another key weakness comes from medical equipment offered as free samples by device manufacturers who operate in a competitive market. They’re often not tested for proper security before being connected to the hospital network. One of our interviewees mentioned:

“In hospitals … there’s a whole underground procurement process whereby medical device vendors approach clinicians and give them lots of stuff for free that eventually makes its way on to our floors, and then a year later we get a bill for it.”

When new technologies bypass regular processes for purchase and risk assessment, they aren’t checked for vulnerabilities, so they introduce even more opportunities for attack. Of course, hospital administrators should balance these concerns against the improvements in patient care that new systems can bring. Our research suggests that hospitals need stronger processes and procedures for managing all these devices.
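The recommendation above, stronger processes for knowing which devices are actually on the network, can be turned into a routine check. The following is an added example, not code from the article or from the authors’ study: it reconciles what the DHCP server has handed leases to against the hospital’s asset register, so that equipment that arrived through the “underground procurement process” shows up as an unregistered device on a clinical network segment. The lease lines, the asset register, the vendor prefix table and the VLAN names are all constructed sample data.

```python
"""Reconcile devices seen on the network against the asset register.

Added example (not from the original article). The DHCP lease lines,
the asset register and the vendor prefix table are constructed sample
data; the prefix table is a tiny hypothetical lookup, not an OUI database.
"""
import re
from dataclasses import dataclass

# Constructed DHCP lease export: "<ip> <mac> <hostname> <vlan>"
SAMPLE_LEASES = """\
10.20.1.15 00:1a:2b:3c:4d:01 ward3-ultrasound clinical
10.20.1.16 00:1a:2b:3c:4d:02 ward3-monitor clinical
10.20.1.40 a4:5e:60:11:22:33 iphone-visitor guest
10.20.1.41 00:1a:2b:3c:4d:09 infusion-pump-demo clinical
10.20.1.42 0c:fe:ed:aa:bb:cc sbc-board clinical
"""

# Constructed asset register: MAC -> (owning department, last security review or None)
ASSET_REGISTER = {
    "00:1a:2b:3c:4d:01": ("Radiology", "2018-01-10"),
    "00:1a:2b:3c:4d:02": ("Cardiology", None),   # registered, never reviewed
}

# Hypothetical vendor prefixes, used only to label findings
VENDOR_PREFIXES = {
    "00:1a:2b": "ExampleMed Devices",
    "0c:fe:ed": "Generic single-board computer",
}

LEASE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<host>\S+)\s+(?P<vlan>\S+)$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    mac: str
    host: str
    vlan: str
    reason: str


def parse_leases(text):
    """Parse the lease export; a malformed line is an error, not silently skipped."""
    leases = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LEASE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable lease line: {line!r}")
        rec = m.groupdict()
        rec["mac"] = rec["mac"].lower()
        leases.append(rec)
    return leases


def vendor_of(mac, prefixes):
    return prefixes.get(mac[:8], "unknown vendor")


def reconcile(leases_text, register, prefixes, clinical_vlans=("clinical",)):
    """Compare leased devices with the register and return a list of findings."""
    findings = []
    for lease in parse_leases(leases_text):
        mac, host, vlan = lease["mac"], lease["host"], lease["vlan"]
        on_clinical = vlan in clinical_vlans
        if mac not in register:
            if on_clinical:
                findings.append(Finding("high", mac, host, vlan,
                    f"unregistered {vendor_of(mac, prefixes)} device on a clinical VLAN"))
            else:
                findings.append(Finding("info", mac, host, vlan,
                    "unregistered device on the guest VLAN"))
            continue
        owner, reviewed = register[mac]
        if reviewed is None and on_clinical:
            findings.append(Finding("medium", mac, host, vlan,
                f"registered to {owner} but never security reviewed"))
    return findings


def summarize(findings):
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = reconcile(SAMPLE_LEASES, ASSET_REGISTER, VENDOR_PREFIXES)
    for f in results:
        print(f"[{f.severity:6}] {f.host:<20} {f.mac}  {f.reason}")
    print(summarize(results))
```

Run against a real lease export, the high findings are the devices to chase with the purchasing and biomedical engineering teams before they are accepted; the medium findings are the registered devices that still need the security review the article describes as routinely skipped.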

Staff buy-in

Getting hospital administrators to understand the importance of cybersecurity is fairly straightforward: They told us they’re worried about costs, institutional reputation and regulatory penalties. Getting medical staff on board can be much more difficult: They said they’re focused on patient care and don’t have time to worry about cybersecurity.

People typically treat cybersecurity protections as secondary to what they’re trying to get done. One person we interviewed described why some staff committed the cardinal cybersecurity sin of sharing a password:

“To use an ultrasound machine [you need a password, which] has to change every 90 days. [Staff] just want to use the ultrasound machine. It’s not holding a lot of patient data … so they create a shared login so that they can provide patient care.”

The needs can vary widely across a hospital, in ways that can be surprising – such as access to sites likely to carry malicious software. A chief information officer at a research hospital told us,

“I personally believe that hardcore pornography has no purpose on hospital supported devices. What did I do five years ago? I put up internet content filters that prevented people from navigating to pornography. Within five minutes, the director of psychiatry calls to tell me that we have a grant to study pornography in a medical context [so we had to modify our filters].”

These experiences are why we concluded that budget limitations are not as crucial to hospital cybersecurity as employee involvement. A hospital can buy as many pieces of hardware and software as it wants. If workers aren’t following organizational procedures, the technology won’t keep hospitals safe. Our research suggests that cybersecurity is as much about managing people as it is about technology.

Compliance is not security

The threat is nationwide, and keeps getting harder to defend against, as one chief information security officer told us:

“The nature of attacks is increasingly sophisticated. It used to be my biggest threat was … students. Today, it’s state-sponsored attacks, terrorism and organized crime. It’s more threats than ever before of a more serious nature.”

Unfortunately, many hospital administrators seem to believe that protecting data is as simple as meeting state and federal regulations. But those are minimum standards that don’t adequately address the threat. As one of our interviewees said,

“Compliance is a low bar. I guarantee that little health care organizations and hospitals would do nothing (without regulation). They would have a piece of paper on a shelf called their security policy. It’s needed as a backstop to get companies at least thinking about it. But being compliant does not solve the greater risk management problem.”

Our research shows that hospitals need to think beyond compliance. Also, with so few hospitals well defended against cyberattacks, all hospitals appear more attractive as potential targets. In our view, it’s not enough for hospitals to improve their own defenses – nor for regulators to raise standards. They should manage, and evaluate the security of, the devices on their networks and ensure medical staff understand how good cyber-hygiene can support good patient care. Further, policymakers, health care leaders and hospitals themselves should work together to make the industry as a whole less susceptible to attacks that threaten people’s privacy and their very lives.”

https://www.fifthdomain.com/opinion/2018/04/25/defending-hospitals-against-life-threatening-cyberattacks/

Is Federal Government System Engineering and Technical Assistance (SETA) Contracting for You?


“SMALL TO FEDS” By Ken Larson

System Engineering and Technical Assistance (SETA) contracting may provide an avenue for the small business in gaining the momentum necessary for building a government contracting past performance record.   It does not require an off-the-shelf product or capital intensive facilities.”
____________________________________________________________________________________
“The commercial, start up or growing entrepreneur may have specialized skills, products and services that could be marketable to the government but a window of opportunity or an entrance niche is sometimes difficult to locate in the very large and competitive federal contracting venue.

SETA contracting is often used by the government to improve its small business utilization statistics; it therefore favors firms that hold small business designations and can offer quality services in support of internal agency facilities or operations.

Set Aside Designations

DEFINITIONS

FAR Sub-part 37.2 defines advisory and assistance services and provides that the use of such services is a legitimate way to improve the prospects for program or systems success:

Advisory and Assistance Services

FAR 16.505(c) provides that the ordering period of an advisory and assistance services task order contract, including all options or modifications, may not exceed five years unless a longer period is specifically authorized in a law that is applicable to such a contract:

DFARS Part 237.2 provides very important information applicable to advisory and assistance contracts:

The contracting officer and requiring activity must also be aware of FAR Subpart 9.5 when considering the potential for organizational and consultant conflicts of interest:

THE NATURE OF THE WORK 
 
Typical SETA efforts may involve long term contracts to perform acquisition assistance, project management, price or program analysis, independent estimates, administrative support, computer and data base operations, technical and security services, facilities maintenance functions or similar tasks. The typical SETA contractor rarely interacts with other government contractors and if interaction occurs it is only with other SETA contractors and subcontractors performing in similar roles at the same agency or in the presence of a government contracting officer/authorized representative. They are generally behind the scenes and cannot directly represent the US Government.
SETA contracting requires skilled management and labor resources capable of performing a scope of work for which the government has identified a need and for which outsourcing to an industry contractor has been selected as the means to fulfill that need. The venue demands strong human resources management and an enhanced business system to price, account and bill on a job cost basis under government service contracts.
  

INCUMBENT WORK FORCES

SETA contractors often target incumbent work forces where an agency plans to offer a small business the opportunity to assume an existing services program formerly run by a larger firm or a small business that has grown beyond the size limit designated for the procurement.

In these instances the winner will have solid plans for recruiting and retaining the existing work force, executing a transition plan and ensuring that the government does not encounter an interruption in services. Contingent hire agreements and sophisticated human resources processes are necessary to position the company during the proposal effort and as the contract proceeds. Contingent personnel are well aware of their market value among the SETA contractors competing for the work.

MARKETING APPROACH

As budgets become tighter, the government agencies will be looking for solid performance at the lowest possible price, stability in performance and contractors adept at learning government processes and systems as well as working with the agency to improve them.
Find opportunities well in advance of their being formally solicited on FEDBIZOPPS. Look for existing services and support contracts in their last year or self-market a services contract to an agency whose mission requires your expertise. 
 
Propose and price to win using the following guidance:

Proposal Preparation
UNDERSTAND ORGANIZATION CONFLICT OF INTEREST (OCI) RESTRICTION
If you are considering becoming a SETA contractor, determine what portion of the market in your industry will be unavailable to you in that role with the agency to whom you contract. As a SETA contractor you will not be allowed to compete for the programs being procured by the agency other than the SETA support contracts. Your knowledge of the inside workings of the government agency would be a conflict of interest in bidding other projects.
You should target for SETA exploration only those agencies to which you do not intend to market other services.
  
SUMMARY

 
Consider SETA contracting if your marketing plan contains elements of support and assistance that an agency may be willing to outsource. If you hold small business designations, seek marketing opportunities to foster government set aside procurements for the designations you hold, and understand that SETA contracts will be the only programs you will hold with that agency due to OCI restrictions.”

Atlanta Was Not Prepared To Respond To A Ransomware Attack


Image: Dan X. O’Neil

“STATESCOOP”

“A month after the SamSam ransomware virus infected its computer systems, Atlanta’s city government still struggles to provide several services to its residents.

The city is scrambling to dig out from arguably the highest-profile ransomware incident on U.S. soil yet, shelling out nearly $2.7 million in emergency contracts to IT consultants and crisis managers.”

________________________________________________________________________________________

“Water and sewer bills can’t be paid online or over the phone, and business licenses can only be obtained in person. Public Wi-Fi at Hartsfield-Jackson International Airport, the country’s busiest airport, was down for two weeks. City council members reported losing decades’ worth of correspondence. The municipal courthouse only regained the ability to schedule traffic-ticket hearings on April 16.

Atlanta officials may eventually give a full accounting of how the March 22 ransomware attack was allowed to happen, and why the recovery process has been so slow and out of the public view. (The city last issued an official update on March 30.) But the hack hit just the right conditions to sow mayhem: In the weeks since officials were locked out of their systems for a $51,000 ransom demand, it’s been revealed that Atlanta’s municipal IT was woefully disorganized and outdated. Couple that with the recent swearing-in of Mayor Keisha Lance Bottoms, who by her own admission had not devoted much attention toward cybersecurity, and Atlanta became a ripe target for digital bedlam.

As recently as January, the city auditor was excoriating officials for a lax approach toward cybersecurity that left the government with obvious vulnerabilities, obsolete software and an IT culture driven by “ad hoc or undocumented” processes, according to a report published that month by the auditor’s office.

Not everyone is looking for someone to blame, though. Amid all the frustration that the cyberattack has caused, there’s one push for Atlanta to conduct a “blameless” review of the episode. But that seems like something that’s still a long way off from happening. Whatever the case, the attack was not surprising to cybersecurity experts.

“Atlanta is a fairly typical path,” said Max Kilger, a business professor who specializes in cybersecurity at the University of Texas at San Antonio. “These guys seem to be targeting organizations that work for the public good. There’s an urgency when a city gets taken down. The ransomware people are basically counting on that to leverage a payment out of these targets.”

Better to spend now than pay later

By all known accounts, Atlanta hasn’t paid up, though the mayor’s public remarks about it have been inconclusive. “Everything is up for discussion,” Bottoms said six days into the hack. The involvement of the FBI, which recommends ransomware victims refuse their attackers’ demands, suggests Atlanta hasn’t given in.

Kilger said a city as large as Atlanta, with a $2.1 billion budget, is a tempting target for ransomware operators because the ransom demand is so paltry compared to the city’s pocketbook. Even if Atlanta won’t pay, the hackers behind the SamSam ransomware are still running a tidy operation — collecting nearly $850,000 since their first attack in late 2015, according to analyses of the SamSam group’s bitcoin wallet. That includes payments from ransomware victims that did pay the bounties to recover their data, including Hancock Regional Hospital in Indiana and Yarrow Point, Washington, an affluent town of 1,000 residents just east of Seattle.

But in those cases, the targets went against the FBI’s advice. The bureau recommends against acceding to ransom demands for the simple reason that a ransomware victim has no guarantee that its attacker won’t “shoot the hostage” anyway. “Paying a ransom doesn’t guarantee an organization that it will get its data back — we’ve seen cases where organizations never got a decryption key after having paid the ransom,” the FBI advises.

If there’s money going anywhere, it’s to consultants. In the month since the hack, Atlanta has doled out more than half a dozen emergency contracts to cybersecurity firms like Secureworks, Fyrsoft, and CDW, and consulting services from Ernst & Young and Edelman to manage the public response. In Colorado, where a SamSam attack in February took out internal systems at the state’s transportation department, officials have spent between $1 million and $1.5 million on recovery so far.

Government IT officials might find it’s better to spend more money up front hardening their cybersecurity, rather than shelling out after a hack.

“If I were an executive, I would look at the risk equation,” said Walter Tong, a security architect at the Georgia Technology Authority, which manages the state’s IT infrastructure. “Is it worth spending the money or paying the ransom? I would not like to be in that kind of position.”

IT complacency

Tong’s office is not working on Atlanta’s recovery; he said it doesn’t offer the kinds of recovery services the city needs right now. But he said he knows the job of rebuilding the city’s computer systems will be a long one.

“It takes a while to rebuild and reconstruct applications and network devices,” Tong said. “Hackers choose targets and they find ways of getting there, whether it’s to cause a disruption of service or destruction of data, or both.”

Unlike other ransomware programs that take over networks when a user opens a phishing email or inadvertently runs a malignant program, SamSam infiltrates systems with brute-force attacks like guessing weak or default passwords until one breaks through. SamSam often targets Java-based application servers or Microsoft’s Remote Desktop Protocol.

Tong said his office often looks for those kinds of vulnerabilities in network settings and older devices. Had Tong’s team examined Atlanta’s systems, they would’ve found those conditions in abundance. The city auditor’s January report found nearly 100 government servers running on Windows Server 2003, which Microsoft stopped supporting in 2015.

“You can spend a lot of time on educating, making sure your network devices are patched and secure,” Tong said. “But once it happens, you have to have an instant response plan.”

The January audit report suggests Atlanta was nowhere near ready to deal with a cyberattack. Monthly scans conducted over the course of the audit found between 1,500 and 2,000 security vulnerabilities in Atlanta’s systems. In fact, the number of IT security flaws grew so large that city agencies slid into a habit of inaction, the audit stated.

“The large number of severe and critical vulnerabilities identified by the monthly vulnerability scan results metric has existed for so long the organizations responsible for this area have essentially become complacent and no longer take action other than to update the monthly report,” the document reads. “The significance of such a backlog of severe and critical vulnerabilities without corrective actions is evidence of procedural, technical or administrative failures in the risk management and security management processes.”
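The article describes SamSam’s entry technique as password guessing against exposed services such as Remote Desktop, which is something a defender can see in the authentication log long before any encryption starts. The following is an added example, not code from the article or from any of the organizations it quotes: a small detection rule that reads Windows logon events, keeps only remote-interactive (RDP) sessions, and raises an alert when one source address produces a burst of failed logons, flagging separately whether a successful logon from that same source followed the burst. Event ID 4625 (failed logon), 4624 (successful logon) and logon type 10 (RemoteInteractive) are the standard Windows values; the simplified one-line event format, the addresses and the account names are constructed sample data.

```python
"""Detect RDP password-guessing bursts in Windows logon events.

Added example (not from the original article). Events are constructed and
flattened to "<iso-timestamp> <event-id> <logon-type> <source-ip> <user>";
a real deployment would read the Security event log or a SIEM export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625        # Windows Security event: an account failed to log on
SUCCESS_LOGON = 4624       # Windows Security event: an account was successfully logged on
REMOTE_INTERACTIVE = 10    # logon type used by RDP sessions


def _constructed_sample():
    """Constructed events: one guessing burst, one benign typo, one console failure."""
    base = datetime(2018, 3, 20, 2, 14, 0)
    names = ["administrator", "admin", "backup"]
    lines = []
    # 12 failed RDP logons in 55 seconds from one source, cycling account names
    for i in range(12):
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()} {FAILED_LOGON} 10 198.51.100.7 {names[i % 3]}")
    # ... followed by a successful RDP logon from the same source
    lines.append(f"{(base + timedelta(seconds=70)).isoformat()} {SUCCESS_LOGON} 10 198.51.100.7 backup")
    # a single mistyped password by a staff member, then success: not an alert
    lines.append("2018-03-20T09:00:01 4625 10 203.0.113.9 jsmith")
    lines.append("2018-03-20T09:00:20 4624 10 203.0.113.9 jsmith")
    # a console (logon type 2) failure is outside this rule's scope
    lines.append("2018-03-20T09:05:00 4625 2 127.0.0.1 svc_backup")
    return lines


SAMPLE_EVENTS = _constructed_sample()


def parse_events(lines):
    """Parse the flattened event lines into dicts sorted by time."""
    events = []
    for line in lines:
        ts, event_id, logon_type, src_ip, user = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "id": int(event_id),
            "type": int(logon_type),
            "ip": src_ip,
            "user": user,
        })
    return sorted(events, key=lambda e: e["time"])


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: alert} for sources with >= threshold RDP failures in `window`."""
    events = [e for e in parse_events(lines) if e["type"] == REMOTE_INTERACTIVE]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["id"] == FAILED_LOGON]
        # sliding window over the (already sorted) failure times
        start, best, best_end = 0, 0, None
        for end in range(len(failures)):
            while failures[end]["time"] - failures[start]["time"] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best, best_end = count, failures[end]["time"]
        if best >= threshold:
            # a success from the same source after the burst suggests a guessed credential
            success_after = any(
                e["id"] == SUCCESS_LOGON and e["time"] >= best_end for e in evs
            )
            alerts[ip] = {
                "failed_logons": best,
                "usernames_tried": sorted({e["user"] for e in failures}),
                "success_after_burst": success_after,
            }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, alert)
```

The threshold and window are deliberately parameters: a help desk that resets many accounts at once can produce legitimate failure bursts, so tune them against your own baseline, and treat `success_after_burst` as the signal that turns a noisy alert into an incident.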

Don’t play the blame game

Whether the hackers who hit Atlanta knew it at the time, the ransomware arrived less than three months into the term of a new mayor who admitted after the hack that cybersecurity had not been one of her administration’s priorities. That was a shift from her predecessor, Kasim Reed, who often played up Atlanta’s emergence as a hub for the cybersecurity industry: The city is home to companies like SecureWorks and Bastille, and Reed went on trade missions to Israel to get that country’s cybersecurity firms to invest in Atlanta. Internally, Reed’s chief information officer, Samir Saini, oversaw some IT upgrades, like moving city employees from Microsoft Exchange servers to Microsoft’s cloud services.

Saini was snatched away by New York Mayor Bill de Blasio in January, leaving Saini’s former deputy, Daphne Rackley, as the interim CIO. Then on April 9, Bottoms shook up the city’s leadership by asking everyone in her 35-member cabinet, which is still comprised mostly of holdovers from Reed’s administration, to submit letters of resignation. Bottoms hasn’t announced who she’ll be keeping and who she’ll be replacing, but the ransomware attack has made the CIO job a crucial one to watch.

“Just as much as we focus on our physical infrastructure, we need to focus on the security of our digital infrastructure,” Bottoms said a few days after the hack.

But blame for the ransomware attack and responsibility for making sure it doesn’t happen again aren’t necessarily synonymous. Code for Atlanta, a Code for America brigade that advocates for better technology in municipal government, wants Bottoms to eventually order a report that avoids assigning blame.

The idea of a “blameless post-mortem” is widely attributed to developers at the craft site Etsy. In a 2012 post on Etsy’s developer blog, John Allspaw, then a senior vice president at the company, wrote that software engineers respond better to errors and accidents when they know there’s not an overt threat of punishment.

“[A]n engineer who thinks they’re going to be reprimanded are disincentivized to give the details necessary to get an understanding of the mechanism, pathology, and operation of the failure,” Allspaw wrote. “This lack of understanding of how the accident occurred all but guarantees that it will repeat. If not with the original engineer, another one in the future.”

Other companies, including Google, have since adopted that model of review after things go wrong. Code for Atlanta believes that model could work in the public sector, too.

“We want folks in city government to be accountable, but for us it’s more about a culture change,” the group’s leader, Luigi Ray-Montanez, told StateScoop. “When I was at city hall I saw this poster warning people to be wary of cyberattacks. It seems like they were aware of internet culture, but obviously mistakes were made.”

Atlanta City Auditor Amanda Noble told reporters when the audit was first publicized that city officials had started to upgrade their IT security when the ransomware attack hit. But the majority of recommendations the audit made are unlikely to be completed until the third and fourth quarters of 2018.

Despite a recent push to make her government more transparent — including plans to create websites on which the public can track city contracts and municipal data — Bottoms hasn’t given an official statement on the ransomware recovery in weeks. Her office has not responded to requests for an update. Rackley, the acting CIO, has not responded to requests for an interview.

Tong, the security architect for the Georgia Technology Authority, said the city’s current silence might be at the behest of the investigators.

“It’s an active investigation and they likely can’t disclose what’s going on,” he said.

The recovery time for a ransomware victim that doesn’t pay off its attacker can be long. The Colorado Department of Transportation was only 80 percent back online six weeks after it was hit by the SamSam virus. Atlanta’s systems have been flickering back on in spurts, with many public services still rolled back to the pen-and-paper era.

Atlanta’s IT professionals and the contractors it’s hired in the wake of attack are scrambling to patch the holes and upgrade to more secure systems. But lingering out there now, for Atlanta and everywhere else, is the threat of more ransomware attempts to come.

“This is one of many ransomware attacks, and there will be many more,” Kilger, the Texas professor, said. “It’s going to get worse.”

https://statescoop.com/atlanta-was-not-prepared-to-respond-to-a-ransomware-attack

For Defense Contractors New Qualification Cyber Rule Requires Auditable Plan Documents


“NATIONAL DEFENSE MAGAZINE”

“Making a system security plan and plan of actions and mitigations is crucial to winning new business and keeping existing contracts this year and moving forward.

Here are some tips on how to approach creating and utilizing these complex compliance documents.”

_______________________________________________________________________________________

“Contractors and their supply chain with active Defense Department contracts, or those that plan on doing business with it, must assure that any of their data systems that transmit, process or store controlled unclassified information are compliant with National Institute of Standards and Technology Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations.”

It’s clear that meeting the Defense Federal Acquisition Regulation Supplement 252.204-7012 mandate to comply with the special publication is a required priority for defense contractors, subcontractors and suppliers.

First of all, DFARS compliance includes safeguarding all controlled unclassified information and “covered defense information.” Contractors must report cyber-related incidents to the Defense Department and any deviations or gaps from NIST SP 800-171. They must show progress on a “plan of action with mitigations” and report and maintain a “system security plan.”

The plan of action with mitigations and system security plan are important artifacts to use to demonstrate your adherence to the NIST 800-171 guidance. Defense contractors or suppliers will need to submit these compliance documents to the department or a prime contractor, preferably sooner rather than later. Defense Department documentation calls these types of artifacts “critical inputs to an overall risk management decision to process, store or transmit” controlled unclassified information.

Contractors processing, storing or transmitting controlled unclassified information must meet, at a minimum, the security standards laid out in the Defense Federal Acquisition Regulation Supplement. Those who decide to avoid it unfortunately risk losing contracts this year and in years moving forward, and even risk falling under the False Claims Act. Especially if a company has already received a questionnaire, it’s important that it submit its compliance status truthfully, and prepare compliance documents now if it wants to keep its customers.

Identifying the scope and target of evaluation is important here. There are approximately 120 controls included in NIST SP 800-171, and assessing each of these controls for documents, for every component of a system, can be a massive undertaking for an organization. By identifying only those components that are either directly or indirectly in scope, a contractor can reduce the list of areas that need to be assessed.

Having these two documents proving each control status and plan for remediation allows an organization to address the DFARS 252.204-7012 requirement for 2018. The key is showing where the gaps are, a plan for remediation and progress according to that plan.

Here is the direct guidance from the Office of the Under Secretary of Defense: “NIST SP 800-171 was revised (Revision 1) in December 2016 to enable non-federal organizations to demonstrate implementation or planned implementation of the security requirements with a “system security plan” and associated “plans of action.”

The security requirement 3.12.4 — system security plan, added by NIST SP 800-171, Revision 1 — requires the contractor to develop, document and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
Security Requirement 3.12.2 — plans of action — requires the contractor to develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems.

The goal is to assess the target of evaluation defined in step one and the components identified in step two of the process against the controls. Both current and target scores should be recorded to enable a gap analysis that will feed the two documents.

A system security plan can be critical to fully documenting compliance. Revision 1 to NIST SP 800-171 added another control to the set that requires the creation of a plan to “describe[s] the boundary of [a contractor’s] information system; the operational environment for the system; how the security requirements are implemented; and the relationships with or connections to other systems.”

In addition to the plan of actions and mitigations, the system security plan “describes how and when any unimplemented security requirements will be met, how any planned mitigations will be implemented, and how and when they will correct deficiencies and reduce or eliminate vulnerabilities in the systems.”

That means that the documents must describe the requirements, how a contractor plans to remediate for each of the controls, and a timeline for remediation in the organization.

That is just the bare bones, as there is much more information that can be included for compliance such as team members in charge of controls, deadlines and technology that will be adopted in remediation steps.
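The workflow the article lays out, scope the components, record a current and a target score per control, and let the gap analysis feed both the system security plan and the plan of action, is straightforward to keep in a structured form rather than a spreadsheet. The following is an added example, not code from the article, from NIST or from any contractor: it scores each in-scope control, emits an SSP entry (status plus the implementation narrative) for every in-scope control, emits a POA&M entry only for controls with an open gap, refuses a gap that has no owner, due date or mitigation, and reports overall progress and overdue items. Requirements 3.12.2 and 3.12.4 are the two quoted in the article; 3.1.1 and 3.5.7 are taken from the published NIST SP 800-171 catalog; the scores, narratives, owners and dates are constructed sample data.

```python
"""Gap analysis feeding an SSP and a POA&M for NIST SP 800-171.

Added example (not from the article or from NIST). Scores, narratives,
owners and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple, Dict

# Scoring used for both the current and the target state of a control
NOT_IMPLEMENTED, PARTIAL, IMPLEMENTED = 0, 1, 2
STATUS_LABEL = {
    NOT_IMPLEMENTED: "Not implemented",
    PARTIAL: "Partially implemented",
    IMPLEMENTED: "Implemented",
}


@dataclass
class ControlAssessment:
    control_id: str
    title: str
    in_scope: bool              # only components that handle CUI are assessed
    current: int                # score today
    target: int = IMPLEMENTED   # score the plan commits to
    implementation: str = ""    # SSP narrative: how the requirement is met now
    owner: str = ""             # POA&M: who closes the gap
    due: Optional[date] = None  # POA&M: committed milestone date
    mitigation: str = ""        # POA&M: planned remediation

    def gap(self) -> int:
        return max(self.target - self.current, 0)


def build_documents(assessments: List[ControlAssessment]) -> Tuple[List[Dict], List[Dict]]:
    """Return (ssp_entries, poam_entries) derived from the scored controls."""
    ssp, poam = [], []
    for a in assessments:
        if not a.in_scope:
            continue
        ssp.append({
            "control": a.control_id,
            "title": a.title,
            "status": STATUS_LABEL[a.current],
            "implementation": a.implementation,
        })
        if a.gap() == 0:
            continue
        # An open gap without an owner, a date and a plan is not a plan of action
        if not (a.owner and a.due and a.mitigation):
            raise ValueError(f"{a.control_id}: open gap needs an owner, a due date and a mitigation")
        poam.append({
            "control": a.control_id,
            "weakness": f"{STATUS_LABEL[a.current]}; target {STATUS_LABEL[a.target]}",
            "mitigation": a.mitigation,
            "owner": a.owner,
            "due": a.due,
        })
    return ssp, poam


def compliance_score(assessments: List[ControlAssessment]) -> float:
    """Fraction of the target score achieved across in-scope controls."""
    scoped = [a for a in assessments if a.in_scope]
    possible = sum(a.target for a in scoped)
    return sum(a.current for a in scoped) / possible if possible else 1.0


def overdue_controls(poam: List[Dict], as_of_iso: str) -> List[str]:
    """Control ids whose POA&M milestone date has passed as of the given ISO date."""
    as_of = date.fromisoformat(as_of_iso)
    return [e["control"] for e in poam if e["due"] < as_of]


# Constructed sample assessment of four controls
SAMPLE_ASSESSMENTS = [
    ControlAssessment("3.12.4", "System security plan", True, IMPLEMENTED,
                      implementation="SSP approved 2018-02-01, reviewed annually (constructed)"),
    ControlAssessment("3.12.2", "Plans of action", True, PARTIAL,
                      implementation="POA&M exists but milestones are not tracked (constructed)",
                      owner="ISSO (constructed)", due=date(2018, 6, 30),
                      mitigation="Track milestones and review them monthly"),
    ControlAssessment("3.1.1", "Limit system access to authorized users", True, NOT_IMPLEMENTED,
                      owner="IT lead (constructed)", due=date(2018, 4, 15),
                      mitigation="Deploy central account management on the CUI file server"),
    ControlAssessment("3.5.7", "Enforce minimum password complexity", False, NOT_IMPLEMENTED,
                      implementation="Component sits outside the CUI boundary (constructed)"),
]

if __name__ == "__main__":
    ssp, poam = build_documents(SAMPLE_ASSESSMENTS)
    print(f"score: {compliance_score(SAMPLE_ASSESSMENTS):.0%}")
    print("SSP:", [e["control"] for e in ssp])
    print("POA&M:", [e["control"] for e in poam])
    print("overdue as of 2018-05-01:", overdue_controls(poam, "2018-05-01"))
```

The out-of-scope control still exists in the assessment record, so the scoping decision itself is documented; only its absence from the SSP and POA&M output reflects the boundary. Re-running the report on each review date gives the “progress according to that plan” the article says an assessor will look for.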

A great deal of company resources will have to be allotted to getting these documents ready if requested. Regardless of the method, these documents are key for saving contracts if not yet fully compliant, and will put a company in good standing for primes or contracts against the competition.

In 2018, contractors need to ensure they are working on becoming compliant using these documents, and that they can demonstrate competitiveness and adherence to the regulations if the business relies on defense-related revenue.”

http://www.nationaldefensemagazine.org/articles/2018/3/30/new-cyber-rule-requires-critical-documents