
COVID-19 Spawns Government Web Site Phishing Impersonations


“FCW”

The campaigns targeted both Americans and international users, with some websites impersonating the World Health Organization, Her Majesty’s Revenue and Customs (the tax collection agency in the U.K.) and the French government.

[Example] A website template for coronavirus financial help that promises to sign users up for their stimulus checks “with 1 click” and contains a drop-down menu to enter credentials for their chosen bank.

____________________________________________________________________________

“Many of the emails used the COVID-19 outbreak to entice users to hand over their banking credentials in order to receive their stimulus checks. 

One email sent to FCW by researchers and not included in their published blog purports to be from the Federal Reserve, touting that its “Protection Program” was fully operational and available to provide payments to economically distressed Americans. It lists a phone number with a Washington D.C. area code for media inquiries and specifies that requests for payments “must be received no later than 45 DAYS AFTER DATE OF PUBLICATION IN THE FEDERAL REGISTER.” In reality the email, sent to approximately 100,000 people, provides users with a link to a spoofed site where they can enter their banking information.

Bizarrely, the [drop down menu] site contains mimicked logos for the White House, the Centers for Disease Control and Prevention and the Federal Emergency Management Agency (though not the IRS, the agency charged with dispersing the checks) all on the same page.

A common theme for almost all the campaigns was an effort to leverage interest in the COVID-19 pandemic, but DeGrippo said the actors otherwise adopted a general “spray and pray” strategy for victims, with little apparent focus on specific individuals or industries.

“They loaded up the spam cannons, shot them out there and hoped for the best,” said DeGrippo. “It’s a tactic that also works. I don’t think not being super targeted is any indication that it’s not effective or that the threat actor is not equipped. Getting 100,000 messages out [over four days] is not an easy feat.”

Even as threat intelligence companies and federal agencies have tracked an explosion of coronavirus-themed scams online in recent months, DeGrippo said that observed credential phish activity has not increased significantly during the pandemic, indicating that it is existing actors shifting their tactics rather than an increase in the overall threat ecosystem.

“Comparatively over the past several years, volumes of credential phish specifically haven’t moved [over the past few months] in ways where we thought ‘Oh my gosh there’s this huge volume increase,’” she said. “What we are seeing is that a threat actor might normally send a credential phish for banking details [and] the shift now is they’re going to wrap that attempt…in a premise around COVID-19.”

Federal agencies like the IRS, the Cybersecurity and Infrastructure Security Agency and the FBI have all warned of a shift in recent months by cyber criminals to profit off increased attention surrounding the pandemic. In particular, experts have worried that the rush by the IRS to process and disperse hundreds of billions of dollars in stimulus relief to Americans has left the program vulnerable to fraud.

Adding to the confusion, the IRS website where Americans can check on the status of their stimulus payments received criticism for its functionality during the initial weeks after passage of the CARES Act, with some users reporting online and on social media that the site did not recognize their taxpayer information and that small differences — like not writing their full name in all capital letters — can trip up the system and return an error message.

The IRS updated its “Get My Payment” tool in late April to fix the error, but the inability to access their information on the official IRS website could have left users more susceptible to exploring quicker solutions offered by scammers. The agency “Frequently Asked Questions” page warns users to be on the lookout for emails and links asking for banking information related to their checks and on May 18 announced it had added another 3,500 phone operators to field questions from taxpayers about their stimulus payments.”

A Pentagon Procurement Program That Seems Doomed to Fail


REAL CLEAR DEFENSE

The Pentagon spends more money on federal contracts and relies more on private contractors to provide necessary support than all other U.S. government agencies combined.

With a potential ceiling of almost $8 billion dollars, the NGEN-R is one of the largest non-hardware contracts ever awarded. The problem with massive, long-duration IT contracts is that the pace of technological change often makes them out-of-date almost from the start.

______________________________________________________________________________

“The primary objective of the contract is to manage, modernize and eventually merge several massive Navy and Marine Corps networks that collectively encompass some 400,000 computers and 800,000 users at 2,500 locations. NGEN-R will provide secure data and information technology services such as data storage, email, cloud services, and video teleconferencing for Navy and Marine Corps ships and locations around the world.

As if this were not in itself a major undertaking, the Navy acquisition bureaucracy decided to make the effort even more challenging. First, it decided to split what had been for twenty years a single contract into two: a smaller hardware-centric section, and a larger one focused on services and support. Second, the Navy chose to assume the responsibility for overall management of the two contracts. Third, it awarded the services contract to Leidos, a company with no prior experience in providing support to major Navy/Marine Corps networks. Fourth, the new contract sets an extremely aggressive schedule for transferring responsibility for multiple networks from the existing contractors, who have some 30 years of experience in this field.

The NGEN-R award repeats an often-seen pattern in defense acquisitions, particularly those involving IT services and support contracts. The acquisition bureaucracy isn’t satisfied with incremental advancements; it wants to preside over “transformational change.” As a consequence, it dispenses with experienced contractors and tried-and-true approaches in favor of modernizing complex networks. This same bureaucracy buys into the new contractor’s promises that it can effortlessly take over for its predecessors, and then simultaneously integrate and modernize the Navy’s networks—all while lowering costs. We’ve seen this movie many times before and it never ends well.

When an IT network procurement goes wrong, a lot of bad things can happen. The most immediate impacts will be slow responses to individual needs and major events alike. In the former case, this results in increased dissatisfaction and frustration; in the latter case, missions are endangered when Sailors and Marines can’t get data or effectively communicate. Furthermore, it’s less than helpful when the “green” service desk team—the place where one goes for IT support—is struggling to understand how things work. Compounding this demand for IT help is the age of the technology, as refresh cycles for replacement laptops and PCs were likely put on hold until the new team was firmly in place. In the longer term, the Navy risks backsliding on everything it has accomplished over the last 20 years to consolidate its networks, standardize its technology and rein in IT spending. 

Were these normal times, the Navy and its new contractor might have the time and resources to weather the inevitable delays, service interruptions, and cost increases that will result from the acquisition bureaucracy’s desire to have the new contractors do it faster, better and cheaper. However, these are extraordinary times. We are in a crisis in which clear communications and a reliable network are much more important than they were when the contract was awarded. Like everyone else in the world, the Department of the Navy faced a massive challenge in getting several hundred thousand Sailors, Marines and civilians set up to telework and unlike a business, the important mission—protecting the United States—did not stop to wait for the IT to catch up with this radical change. The Navy’s networks have had to be reconfigured in real time while adding new nodes (such as two hospital ships deployed to support New York and Los Angeles’ health systems) and ensuring that both the Navy’s networks and connections to medical networks across the country are viable and secure.

There are already signs that the NGEN-R contract is heading for difficult times. The most notable was the early talk by the winning bidder about changing the solution that they proposed. In a recent interview, Gerry Fasano, head of Leidos’s Defense Group, acknowledged that the network “has continued to evolve, and so we’ll update ourselves from what we proposed and then worked through our transition plans.” Read this to mean: get ready for lots of change orders as the company attempts to make good on all its commitments.

In late April, the Department of the Navy’s Chief Information Officer, Aaron Weis, said in an interview that the Navy has been looking to “jumpstart” modernization—which is the right thinking—but expressed concern that the recently-awarded NGEN contract was the best path forward: “One of the first things we really talked about was do we stop NGEN-R and reset it given what we thought we needed to do. The reality is, given the acquisition timeframes, it probably would’ve set us back another year.” In hindsight, that would not have been a high price to pay.

The Navy’s plan to modernize its IT networks is likely to be dead in the water for an extended period while the NGEN contract transitions and networks struggle to deal with the new reality of communications in the era of COVID-19. While the acquisitions folks won’t feel a bit of pain, the Sailors and Marines and the state and local communities they are trying to help certainly will.

The NGEN-R award is currently in protest. But whatever the outcome, the Navy should take the opportunity to reconsider its rush towards an unpredictable future. The Navy needs a different approach, one that doesn’t put its networks and thus its pandemic response at risk, much less the security of the Nation and tens of thousands of Sailors and Marines. It would be wise for the Navy to suspend the NGEN-R contract and pursue a new competition.”

https://www.realcleardefense.com/articles/2020/05/16/a_pentagon_procurement_program_that_seems_doomed_to_fail_115296.html

Need For Security Clearances May Drop As Teleworking Expands


FCW

Having a top-secret clearance may no longer be the insignia of an intel worker, according to the intelligence community’s national counterintelligence chief.

The IC’s [Intelligence Community] culture used to look at having a top-secret clearance as a “pass-fail” test to get in, [William] Evanina said, but that doesn’t mean employees can’t do their jobs from home — as long as it’s done securely.

______________________________________________________________________________

“We are just as successful, with some exceptions, with people working at home than we were before. And I think we have to be flexible and look at our private-sector model and maybe extrapolate that into our intelligence community,” National Counterintelligence and Security Center Director William Evanina said during a May 13 INSA virtual event.

Evanina said he could see not requiring clearances for some positions in the next few years due to teleworking abilities. “Just because you work in the IC, and just because you have a top-secret clearance, does that mean that everything you do is classified?”

“Right now, our communications from home to work is not safe, whether it’s in the private sector, especially not in the government,” he said. “We have to find effective security solutions to get to where we want to be.”

The federal government has been working to improve the security clearance process and reduce its backlog, which once reached more than 700,000 active investigations on agency personnel and contractors that handle sensitive materials.

The government rolled out its much-criticized Trusted Workforce 2.0 framework in 2019, aiming to reduce the amount of time needed to clear new employees and re-investigate those moving across agencies.

The IC merged two hiring processes, for security clearances and employee suitability, into one earlier this year. The move was meant to clarify the role of human resource officers in ensuring candidates were right for job demands.

Evanina said the security clearance backlog has dropped to 180,000, with upwards of 50% more new applications coming in compared to 2019. That target beats the one set by the President’s Management Agenda at a 200,000 caseload of active investigations, and it is a significant dip from the reported 231,000 cases in January.”

New Frontier In “Challenge Procurement” At Veterans Administration


FCW By Steve Kelman

The basic idea behind a procurement challenge is that the government announces a problem it seeks to have solved. Anyone may then submit their solution, and the government chooses a winner or winners. 

You don’t need to be an expert on government procurement to submit an entry. There is no proposal — it is a great example of the idea of “show, don’t tell” that should be more important in government procurement in general.

_____________________________________________________________________________

“Many blog readers will be aware that I have over the years been a big fan of challenges (also known as prizes) as a procurement technique. 

When it announces a challenge, the government also specifies a monetary prize (hence the moniker “contest”) and further steps the government might take to support the winner or winners.

I first wrote enthusiastically about these way back in 2009, based on a DARPA contest for developing an all-terrain vehicle. Most recently I wrote about the Army using a challenge to develop a better and cheaper ventilator in the context of COVID-19. I have written, and continue to believe, that the use of challenges in procurement is the most significant procurement innovation of the last decade.

Challenges have varied from very elementary and not very consequential (e.g. a contest to develop an agency logo) to much more mission-critical. For example, a few years ago the IRS conducted a challenge to design an online experience that more clearly and easily organizes and presents a person’s tax information, including ways to more easily use tax data to help people with other financial decisions, such as applying for a loan.

However, even more difficult and complex challenges have up to now been one-off efforts: the government publishes the challenge, bidders respond, and the government chooses winners. Now, though, the Department of Veterans Affairs has published an RFI for a challenge that will take this procurement tool where it has never been before. VA officials are seeking to develop approaches to reduce suicide among veterans.

The agency is envisioning creation of a user-friendly platform where veterans (and possibly others in at-risk groups) can gain enhanced access to a range of suicide-prevention services, such as scheduling, assessments and mental health resources, while preserving their identities and privacy. The VA also hopes to personalize and customize services to directly meet veterans’ needs and recognize certain risks in users’ personal lives, information about care paths and more.

The VA’s vision is that the platform would involve automated learning to update information provided the user. Data analytics and AI would learn from the “user journey” through the VA ecosystem, adapting and responding to the individual user’s needs, fears and concerns. Over time, the information presented to that user would be increasingly curated for their specific needs. 

Not only is the topic of the challenge difficult and high-visibility — about as far from designing an agency logo as you can get — but the way the challenge will be organized will be far more ambitious than any the government has attempted in the past. The VA will be doing a procurement not for the challenge itself but to manage challenges that then would be put out for submissions.

As the VA puts it in their RFI, “the chosen partner would need to provide management support services necessary to help build the program from the ground up—and seamlessly execute the competition from beginning to end. The dedicated collaborator would support the delivery of everything from the timeline, scope and design of the complex challenge, to technical support, Though VA would provide some of those funds, said. in raising money for the prizes winners will receive. “the hope is the vendor would be able to facilitate outreach and increase fundraising for the prize purse, so that it’s not just taxpayer-funded money that goes to support this effort, but actually potentially private funds from companies and others who are interested in solving this problem,” the VA states.

This will be a complex and large enough activity that the VA doesn’t have the bandwidth to do it with in-house resources. So, to allow development of challenges at scale, it is actually seeking to let a contractor organize that effort.

This is a first, and an amazing innovation by the VA. The idea has been shepherded by the VA’s Chief Innovation Officer Michael Akinyele. It was in the works before COVID-19, but the explosion of unemployment will make the suicide problem worse and hence has prompted the VA to move the effort faster.

If this works, it will add an important new tool to the government’s contracting toolkit, available to others across government. VA, congratulations on a great idea, and good luck making it work.”

https://fcw.com/blogs/lectern/2020/05/kelman-va-challenge-at-scale.aspx

Is Short Term Economic Focus On Earnings Killing U.S. Innovation?


DEFENSE SYSTEMS

The U.S. risks losing its competitive edge over China in terms of technology because companies care more about quarterly earnings than research and development.

Solutions involve incentivizing U.S. companies to focus on long-term investments and research.

______________________________________________________________________________

“That’s the message Michael Brown, director of the Defense Innovation Unit, the Defense Department’s innovation arm, shared at a Brookings Institution virtual event May 8 on China’s technological impact worldwide.

“You’re never going to win in a technology race with defense,” Brown said. Instead, the U.S. needs to focus on being more productive and “invest in itself” with more basic research.

“What do we do to reform our business thinking and our capital markets to move away from short-term thinking to be more long-term oriented,” Brown said. Ways to focus U.S. companies on building and maintaining a competitive edge include stricter export controls and more scrutiny of foreign investments in U.S. companies, particularly technology startups.

Brown, formerly CEO of Symantec, said the corporate focus on quarterly earnings and stock prices is counterproductive to competing with China.

“They all feed into this short-term thinking in our business community,” said Brown, “we have to reform this or we’re not going to be successful in competing with China.”

Incentives could include tax advantages for focusing on long-term growth and research and development, Brown said. And on the punitive side, there is the possibility of establishing penalties for U.S. companies that off-shore manufacturing or spinning off hardware businesses whose domestic presence can support U.S. jobs and military production.

“The irony is that U.S. companies’ focus on profits often driven by market dominance ends up aiding China’s cause,” Tom Wheeler, former Federal Communications Commission chairman, said during the event. “The market control, market dominance that we’ve seen from the principal big tech companies thwarts competition driven innovation.”

“It is doubtful that we will be able to out implement China,” said Wheeler, referencing that country’s tightly controlled, one-party system of government. “But we can out-innovate China if we have policies that will encourage this competition driven innovation.”

The big question for DIU is whether it can take advantage of U.S. tech talent, startups and research dollars to maintain a long term advantage over China, which is able to dictate its priorities to industry.

“The Defense Innovation Unit spends all day every day trying to encourage innovative companies to work with the Defense Department,” Brown said. “And General Secretary Xi [Jinping] accomplishes this by fiat. So we have to recognize that there are some advantages to their system.”

Brown said he maintained some doubts about the ultimate success of the “civil-military fusion” practiced in China.

“I don’t know how well that’s going to work for them, but that certainly keeps me up at night,” he said.”

Other Transaction Agreements (OTA) Best Practices For Success


NATIONAL DEFENSE MAGAZINE

The intent of OTAs is to leverage commercial technologies for military purposes, improve the nation’s industrial base and allow for more cost effective and affordable solutions without extreme bureaucracy.

Opportunities are available to traditional defense industry partners and nontraditional defense contractors, such as academia, non-profits and other small businesses.

_________________________________________________________________________

“Imagine this. The Defense Department had an urgent need for armored vehicles to protect warfighters from new threats during a time of war. By applying a unique and tailored acquisition approach with specific attention to time and similar solutions already available in the commercial marketplace, it successfully started fielding new vehicles only 18 months after identifying the warfighter need.

The program referenced here was the mine-resistant ambush protected vehicle program, which began in 2006. Was the program a success? Absolutely. Was it a risk-free or perfect solution? No. Although the MRAP program was timely in helping mitigate the threat and associated warfighter casualties, there were challenges related to operating field conditions, training, sustainment, transportation and costs. The program, however, ultimately enabled the creation of other military vehicles that are still widely used today and supports how tailored acquisition approaches can produce successful outcomes.

A popular and continuously growing phenomenon within the department is the other transaction authority, or OTA. It permits Defense Department entities to award OTA agreements for research, prototyping and production efforts critical to national security. They are not an acquisition approach or strategy; however, they are flexible options that can support an acquisition approach or strategy.

Given leadership’s priorities for the increased application of adaptive acquisition methods, it is highly likely OTAs will be a key ingredient for success.

OTAs are binding agreements between Defense Department organizations and industry partners that are different than Federal Acquisition Regulation contracts, grants and cooperative agreements. While they are an innovative and flexible option that are not subject to all acquisition laws and regulations, they require vigorous program management.

Here are some points to remember:

OTAs are not new to the department. Although it received limited authority in 1989, the authority has significantly expanded since 2015. As a result, more agencies and industry partners are working together on the agreements. OTAs vastly differ from contracts because negotiations are not limited by FAR-based restrictions and allow for more robust terms between parties. This includes, but is not limited to, intellectual property rights, title to property, payment terms, project schedule or duration, cost or price analysis, financial and project status reporting, disputes, remedies and termination.

Congress specifically provided the authority to foster business flexibility for certain circumstances. Unfortunately, there is not a universal process or checklist for all parties to follow when planning or executing the agreements. This is intentional because universal processes across the department could hinder innovation and expanded industry participation.

Since OTAs will differ between agencies, these entities should individually create and maintain some form of standard business processes to support how to execute them from initial planning through completion. Examples of standard business processes include organizational policies, instructions, directives, guidebooks and standard operating procedures. These resources are foundational for success as they can provide tremendous assistance and value to not only the parties seeking to do business with the defense organization, but also the personnel leading or supporting the process.

There can also be immense benefits for industry partners who have not previously done business with the department. It currently has an “OT Guide” published in November 2018 available to the public; however, it is very broad and not unique to individual DoD organizations. Creating and maintaining standard processes can enable consistent and efficient operations, prevent miscommunication, minimize noncompliance with laws and assist organizations during evaluations or audits.

Since there is not a one-size-fits-all option to execute OTAs, defense authorities and industry partners should be aware of the various options available. Specific to prototype OTs, the most widely used type of OT, there are primarily four options for execution. Figure 1 provides helpful information associated with each option.

Agencies should carefully evaluate all options prior to option selection, depending on the specific need or the entity’s experience with OTAs. Evaluation can be done by market research and other means to effectively support the strategy and objectives. For example, if an organization is seeking a prototype that could be created by start-up companies or existing commercial firms, it may be in the best interest to award an OTA on its own, through the Defense Innovation Unit, or to a consortium.

Alternatively, if an agency is seeking a prototype similar to one another government agency is concurrently seeking through its own prototype OTA, it may be in the best interest — and the most economical option — for it to leverage the other government agency’s agreement. The Government Accountability Office reported in 2019 that the majority of funding for prototype OTAs between fiscal year 2016 and fiscal year 2018 was awarded to consortiums.

Further, the GAO reported that the department — in response to congressional direction — is improving its reports on OTA usage to provide more data and transparency. Given the options available for executing OTAs, it is critical that both defense organizations and interested industry partners are cognizant of the options and their individual characteristics.

Another factor for success is sound planning and identification of technical performance parameters.

Failing to plan is planning to fail. Since parties can negotiate and tailor many OTA elements, it is critical for all parties involved to complete sound planning efforts prior to execution. Also, because they promote “outside the box” business practices, risk management is not a choice, but the backbone of the effort from cradle to grave. Agencies should start planning with a clear needs statement or defined problem supporting a capability gap.

Next, the entity must perform adequate market research and requirements analysis to determine if solutions already exist or whether the capability is possible among industry partners. Adequate market research efforts must consider existing commercial products and practices, technological stability and current similar Defense Department or federal government efforts.

Entities must ensure OTAs will comply with codes, depending on the effort’s characteristics. The agency must collectively and clearly articulate what success looks like and how success or performance will be measured. Is the end game a report as a result of extensive research? Or is the end game follow-on production if the prototype OTA successfully meets the capability gap?

The government shall give full consideration to key areas related to cost, schedule and performance throughout the project’s life since OTAs do not eliminate the need for effective program management. Thus, consideration shall be given to vital technical characteristics or performance parameters, such as cybersecurity, intellectual property, technology transfer, testing, integration, interoperability and life cycle sustainment/supportability. Parties involved should continually ascertain when to continue or terminate the effort based on cost-benefit analysis.

Planning efforts should also encompass the means by which the government will publicize and solicit OTAs. Publicizing activities should target relevant and capable industry partners identified from market research. Solicitation activities must be creative, through fair and reasonable methods, to foster maximum competition. Methods include white papers, commercial solutions openings, requests for proposals, panel pitches, industry days, LinkedIn and Twitter.

OTAs require critical thinking and can be incredibly complex. Besides the many aspects of cost, schedule and performance to be considered and evaluated, they have minimum predefined requirements and are accompanied with unique negotiations requiring advanced levels of business acumen from various perspectives. OTAs are a team sport and should have diverse participation by technical and non-technical personnel.

Standardized OTA training or credential programs are not widely available to Defense Department or industry personnel. Personnel should seek to complete some form of OTA training. Nontraditional contractors should also complete training on the electronic invoicing system that will be used to submit invoices for work performed on OTAs. Invoicing the department can be cumbersome, especially for smaller firms with operations largely dependent on timely cash flows.

OTAs also require sufficient documentation since they have more flexibility and fewer internal controls when compared to other business options. Documentation is also vital to support that OTA-related actions were fair, reasonable, transparent and legal. The need for sufficient documentation applies to both government and industry partners.

Appropriate documentation assists organizations in establishing beneficial continuous feedback loop mechanisms to replicate best practices and learn from shortcomings. Documentation also allows independent or unbiased individuals to follow OTA-related business decisions and funding. Documentation is even more meaningful as defense organizations spend greater amounts of taxpayer funds on OTAs and Congress seeks additional details on their usage.

Also, the law requires that all prototype OTs above $5 million include a clause that provides the GAO full access to records. As a result, all parties involved need to make documentation efforts a priority throughout the life of every OTA. Lack of existent or appropriate documentation could cause all the parties to receive undesired scrutiny from Congress and defense leadership. Congress could also reduce or eliminate the authority if parties do not create or maintain sufficient OTA documentation.

The ability for the nation to maintain a sustainable competitive advantage and efficiently leverage adaptive acquisition methods depends on OTAs. It is all but certain they will continue to grow in popularity.

Although they are a bright and shiny object drawing significant attention from expanded usage, the department, its agencies and industry partners must carefully plan and execute OTAs from cradle to grave.

While they are flexible alternatives, they are accompanied by risks, not appropriate for every situation, and do not have a universal pathway for guaranteed success. OTAs must be treated as a privilege rather than an authority that will remain indefinitely.

Appropriate use in accordance with Congress’ intent could produce tremendous value for the Defense Department and industry partners. Alternatively, inappropriate use could result in inefficient use of taxpayer resources and Congress limiting or eliminating the modernized authority.”

https://www.nationaldefensemagazine.org/articles/2020/4/15/other-transactions-best-practices-to-enable-success

F-35 Full Rate Production Challenges Include Failing Engine Tests And Replacing 1,005 Turkish Parts

 Image: Senior Airman Quay Drawdy/U.S. Air Force

DEFENSE NEWS

According to the GAO, the number of F-35 parts delivered late skyrocketed from less than 2,000 in August 2017 to upward of 10,000 in July 2019. At one point in 2019, Pratt & Whitney stopped deliveries of the F135 for an unspecified period due to test failures, which also contributed to the reduction of on-time deliveries.

And those supply chain problems could get even worse as Turkish defense manufacturers are pushed out of the program, the Government Accountability Office said in a May 12 report.

__________________________________________________________________________

 “Lockheed Martin’s F-35 Joint Strike Fighter is on the verge of full-rate production, with a decision slated for early 2021. But a congressional watchdog group is concerned that as the company ramps up F-35 production, its suppliers are falling behind.

The number of parts shortages per month also climbed from 875 in July 2018 to more than 8,000 in July 2019. More than 60 percent of that sum was concentrated among 20 suppliers, it said.

“To mitigate late deliveries and parts shortages — and deliver more aircraft on time — the airframe contractor has utilized methods such as reconfiguring the assembly line and moving planned work between different stations along the assembly line,” the GAO said.

“According to the program office, such steps can cause production to be less efficient, which, in turn, can increase the number of labor hours necessary to build each aircraft,” which then drives up cost, the GAO added.

Those problems could be compounded by Turkey’s expulsion from the F-35 program, which was announced last year after the country moved forward with buying the Russian S-400 air defense system. Although Turkey financially contributed to the development of the F-35 as a partner in the program, the U.S. Defense Department has maintained that Turkey cannot buy or operate the F-35 until it gives up the S-400.

The Pentagon has also taken action to begin stripping Turkish industry from the aircraft’s supply chain, a process that involves finding new companies to make 1,005 parts, some of which are sole-sourced by Turkish companies.

Ellen Lord, the Pentagon’s undersecretary for acquisition and sustainment, had hoped to stop contracting with Turkish suppliers by March 2020, but in January she said that some contracts would extend through the year, according to Defense One.

While the Defense Department has found new suppliers to manufacture the parts currently made in Turkey, it is uncertain whether the price of those components will be more expensive. Furthermore, as of December 2019, the new production rates for 15 components were lagging behind that of the legacy Turkish producers.

“According to program officials, some of these new parts suppliers will not be producing at the rate required until next year, as roughly 10 percent are new to the F-35 program,” the GAO said.

“Airframe contractor representatives stated it would take over a year to stand up these new suppliers, with lead times dependent on several factors, such as part complexity, quantity, and the supplier’s production maturity. In addition, these new suppliers are required to go through qualification and testing to ensure the design integrity for their parts.”

The F-35 Joint Program Office disagreed with the GAO’s recommendation to provide certain information to Congress ahead of the full-rate production decision, including an evaluation of production risks and a readiness assessment of the suppliers that are replacing Turkish companies.

In its statement, the JPO said it is already providing an acceptable number of updates on the program’s readiness for full-rate production.

Hard times for the F-35’s engine supplier

Not all F-35 production trends reported by the GAO were bad for the aircraft. Since 2016, Lockheed has made progress in delivering a greater proportion of F-35s on schedule, with 117 of 134 F-35s delivered on time in 2019.

However, one of the biggest subsystems of the F-35 — the F135 engine produced by Pratt & Whitney — drifted in the opposite direction, with a whopping 91 percent of engines delivered behind schedule.

At one point in 2019, Pratt & Whitney stopped deliveries of the F135 for an unspecified period due to test failures, which also contributed to the reduction of on-time deliveries.

According to the Defense Contract Management Agency, “there have been 18 engine test failures in 2019, which is eight more than in 2018, each requiring disassembly and rework,” the GAO wrote. “To address this issue, the engine contractor has developed new tooling for the assembly line and has established a team to identify characteristics leading to the test failures. Plans are also in place for additional training for employees.”

https://www.defensenews.com/air/2020/05/12/some-f-35-suppliers-are-having-trouble-delivering-parts-on-schedule-and-turkeys-departure-could-make-that-worse/

The Heavy Cost of Ignoring Biosurveillance

https://dod.defense.gov/News/Special-Reports/1012_biosurveillance/

“NATIONAL DEFENSE MAGAZINE”

It’s crucial that any such network be independent of governments and left in the hands of public health officials. The data it gathers should not be filtered through bad actors such as the Chinese Communist Party, or elected officials who may have a political agenda.

One day — hopefully soon — big international meetings will return and the next Biosurveillance Conference will be held in a bigger venue with a lot more participants.”

__________________________________________________________________________

“It was Aug. 28, 2012 in a Washington, D.C., hotel near Union Station where the National Defense Industrial Association held its first and only Biosurveillance Conference.

It was lightly attended — if memory serves. I’ll be charitable and say there were 75 attendees in the smallish room.

At least one of them — myself — was in the wrong place. Biosurveillance? I thought it would be about sensors. I was expecting to hear about typical defense and homeland security technologies designed to detect bioweapons — something akin to the Department of Homeland Security’s BioWatch program, or what the Joint Program Executive Office for Chemical and Biological Defense wanted. The agenda included Defense Threat Reduction Agency personnel.

No, actually, the attendees were mostly in the public health field, and they were talking about a worldwide database where doctors, public health officials, veterinarians and the like could report what they were seeing as far as new infectious diseases.

They likened the concept to weather reports. The world has a network of sensors that tells meteorologists what’s happening in the atmosphere. With the data, they can warn people if a storm is coming and citizens can prepare. The public health officials wanted to do the same for infectious diseases: manmade or natural. And the far-term goal would be to do predictive analysis — just like weather forecasts.

Here is an example: let’s say a doctor in China — let’s just say Wuhan, China — noticed an unusual number of cases of patients with a new respiratory disease marked by an unusually high fatality rate. He would then input that information into a database accessible to public health officials throughout the world. Then, let’s just say, doctors in South Korea or Italy, noticed the same thing. Analysts could connect the dots and sound the alarm. Hospitals could stock up on items such as, let’s say, face masks and respirators.

What I learned at that one-day conference ended up being part of a story that ran in the November 2012 issue. NDIA members with their expertise in information technology could have a lot to offer building such a network, I reasoned, so it was worth reporting.

Let’s pull some quotes out of that 2012 story.

Harshini Mukundan, a scientist at Los Alamos National Laboratory, said diseases emerge from people, plants and animals.

“They are all interconnected, and having separate agencies monitoring each one defeats the cause.”

Laurie Garrett, an analyst at the Council on Foreign Relations, said the technical part of setting up a biosurveillance network could be completed in five to 10 years. Policies and procedures were the roadblocks. “I don’t believe we have the capacity or the will to implement” it, she said. U.S. political gridlock would prevent the idea from moving forward, she predicted.

Jason Pargas, special assistant to the DTRA director, sounded an optimistic tone. It could all come to fruition in five to 10 years. Prediction models, applied math and advanced computing would make it so.

The reporting that emerged from this conference ended up in the article, “Top Five Threats to National Security in the Coming Decade.” We ranked “Bio-Threats” as No. 1. Yikes. I don’t even want to mention what the other four were for fear of a jinx.

I would like to say that National Defense consistently reported on this issue and that we kept up a constant drumbeat for the need of a worldwide biosurveillance network, but that is not the case. Public health really isn’t in our wheelhouse.

However, two years later in 2015, we did an update online, which was reported from an Armed Forces Communications and Electronics Association homeland security conference.

No progress had been made on a biosurveillance network, Jeff Runge, former chief medical officer at DHS, said at the conference. That year saw a deadly strain of the flu that killed many children and an Ebola outbreak.

“The rate and scope and spread of the illnesses were not detected before severe consequences occurred,” he said. “These are cautionary tales underscoring the need for better biological intelligence.”

Navy Cmdr. Janka Jones, then the director of medical programs in the office of the assistant secretary of defense for nuclear, chemical and biological defense, said, “We’ve got a lot of capability. We don’t have a lot of money to build new capability.”

Transparency, openness and data sharing would be key, she said. Jones helped the Obama administration in 2012 put together the first-ever national strategy on biosurveillance. It was released in July, shortly before the NDIA Biosurveillance Conference. It included a technology roadmap on how to build the information-sharing network.

“Biosurveillance — including early detection — is one of our first lines of defense against these threats,” President Barack Obama wrote in the introduction to the strategy.

National Defense took its eye off the ball when it comes to biosurveillance — but so did a lot of people, apparently. That won’t be the case in the future.

Granted, there are policy, procedure and diplomatic hurdles to overcome, but how much funding would it have cost to set up an initial biosurveillance network — $100 million, $200 million? Seems like a paltry investment when more than $1 trillion is being spent on an economic bailout, lives have been lost and entire industries brought to their knees.”

https://www.nationaldefensemagazine.org/articles/2020/4/21/the-heavy-cost-of-ignoring-biosurveillance

How The Private Sector Including IBM Is Pivoting To “Distance Work”

Image: “Digday.com”

WASHINGTON TECHNOLOGY By John M. Kamensky

As coronavirus has disrupted society over the last few weeks, some of the distancing measures that once seemed drastic have become acceptable — in a few cases even preferable to the way things worked before.

Nowhere has this been truer than the workplace, where companies and employees have found remote operations far more feasible than expected.”

____________________________________________________________________________

“University of Chicago researchers recently analyzed government employment and income data by industry and concluded that 34 percent of U.S. jobs can “plausibly be performed at home.” Journalist Liz Farmer predicts that “the long-expressed resistance of companies and individual bosses to WFH arrangements will decline markedly after they see how well the arrangement has worked.”

But COVID has also taught us that leading an entire organization through the transition to distance work in a matter of days or weeks can be wrenching, akin to passing through the five stages of grief. In an article about how corporations are adjusting to COVID-mandated remote working arrangements, Australian start-up accelerator Steve Glaveski sees a broad spectrum of adaptation beyond pre-COVID practices:

  • No deliberate action. This is where most companies were at the beginning of the COVID-19 outbreak, with little to no capacity for widespread remote work.
  • Recreating the office online. This is where most traditional organizations have landed. More effective companies offer access to e-tools, but without any redesign of how work gets done.
  • Adapting to the medium. These companies are investing in better equipment (for example, they may provide employees a cash grant to improve their lighting for video calls). Their work favors text-based communication, with fewer meetings that have clear agendas and include only ‘must have’ participants.
  • Asynchronous communication. These companies are structured more in line with how work gets done than where or when. They are typically global and recognize that presence does not equate to productivity.
  • These companies field purely distributed teams that work better than in-person teams. There are a handful of companies like this, and most are in the tech industry.

Glaveski acknowledges that moving across this spectrum won’t work for all industries, and he notes three common challenges to effective distance work that need to be addressed: team building and bonding, the value of informal office communication, and endpoint security.

How IBM Made the Transition

Fletcher Previn — IBM’s chief information officer — recently offered a candid description of how he and his colleagues grappled with these challenges and others as they pivoted the organization’s global workforce of 350,000 people to working from home over a four-week period this spring. Pre-COVID, Previn said, about 30 percent of IBM’s global workforce predominantly worked from “other than a traditional office” (i.e., from a client site or home). This figure shifted to about 95 percent within a matter of days.

He explained that there were two key components to this transition – technological and cultural.

Previn says that the company benefited from having a longer-term internal IT strategy to enable workers to self-service. This began with mailing employees their mobile devices instead of delivering them in person, and creating an internal app store to distribute software. Those measures meant that all employee hardware and software could be delivered outside the office, making it easier to transition quickly to remote work.

IBM had also adopted a standardized set of tech tools to enable collaborative work across the globe through remote meetings, file sharing, remote access and cybersecurity (the company is shifting from a VPN-based to a zero-trust model). Over the past year, Previn created a common “tool box” that employees can access based on their job function (e.g., consultant, scientist, analyst):

  • Slack for collaboration
  • Box for document repository
  • Trello for project management
  • WebEx for meetings
  • Mural for design thinking and whiteboarding

In terms of security, Previn says that his team detects a lot more cyberattacks and fraud attempts on home-based workers. In response, they’ve increased training to identify phishing and tightened endpoint controls on inbound emails and other traffic. In addition, they are using AI to look for unusual behavior based on a user identity, location and the device being used.

While the tech tools are a necessary prerequisite for working from home, Previn noted that there are also cultural issues. For example, traditional ways of balancing work and personal life need to be redefined as employees work in new settings with new routines. He advocated a model of small three-person teams interacting with each other and with other teams not only through scheduled meetings but spontaneous communications that help maintain human bonds and trust. Previn said he schedules virtual happy hours with his team to bring people together informally rather than just for agenda-driven meetings.

To help ease the cultural transition to distributed teams, IBM HR developed a series of training guides and online modules on how to lead remotely, and tips for remote workers and their managers.

Long-Term Benefits of the Transition

One factor that enabled IBM and many other companies to respond quickly to COVID was the longtime use of distance work tools to improve cross-organizational collaboration, even when the parties at both ends of the line sat in offices. A 2013 survey by McKinsey Consulting found multiple expected benefits to these measures, such as reduced travel costs and increased employee satisfaction.

But the survey also discovered that there was faster access to internal experts and corporate knowledge when using collaborative tools. This implies that in both the private sector and government contexts, it’s less important where you do knowledge-based work than it is how you do it – using collaborative tools in a team-based work environment.

In the last two months, the corporate world has gradually come to realize that it cannot wait to adapt these tools fully to an at-home workforce. Companies have shifted from a strategy of “do what is most urgent and feasible now and postpone everything else until we return to the office” to “we have to make everything work remotely because who knows how long this will last and we can’t push things off any longer.”

For most companies, that means mastering levels three and four of Glaveski’s remote work hierarchy by embracing text-based communication, fewer meetings and asynchronous schedules.

And a few small tech companies have even reached the “nirvana” state that Glaveski describes. For example, Pipedrive, a new software company with staff in both the United States and Europe, responded to COVID by becoming a completely virtual company inside of 24 hours, according to futurist Heather McGowan. And one tech company, Automattic (the company behind WordPress, which powers 35 percent of all websites on the internet), beat COVID to the punch. It is 15 years old and has nearly 1,200 staff scattered across 75 countries – and no offices!

It is easy to think of the current disruption in workplace operations as a temporary shift that will reverse itself after the COVID threat recedes. But as McGowan suggests in Forbes, this pandemic “might be the great catalyst for business transformation,” producing changes in months that might have otherwise taken years to transpire.

“We’re seeing changes that affect work, learning, and daily life,” she writes, “changes that will become a new normal and that take place against a backdrop of several fundamental shifts.”

For example, a slow evolution in corporate culture even before COVID was giving employees greater autonomy and an increased role in meeting business goals. Companies are beginning to recognize culture, creativity and innovation as ingredients of success, and managers increasingly trust their people to “do the right thing.” Corporations have started to consider employee welfare as a central goal in addition to profit. These trends too are bound to accelerate as social distancing continues, and will persist long after it ends.

Future columns will explore these distance work approaches further and how they can be adapted to a government context.”

https://washingtontechnology.com/articles/2020/05/08/insights-kamensky-adapting-to-home-work.aspx

* * * * * *

Note: This post is the second in a series on distance work.

ABOUT THE AUTHOR:


John M. Kamensky is a senior fellow at the IBM Center for the Business of Government and a fellow at the National Academy of Public Administration. He can be reached at john.kamensky@us.ibm.com.

New Cybersecurity Regulations ‘On Track’ Despite Virus


“NATIONAL DEFENSE MAGAZINE”

Katie Arrington, chief information security officer at the office of the undersecretary of defense acquisition, said CMMC is still on track despite hurdles created by the ongoing COVID-19 pandemic that has roiled the world.

“We are on track, but we’re having to retool some of the training because the actual inspections … [do] have to happen,” she said. “The actual audit has to be done on site.”

_________________________________________________________________________

“Work on the Defense Department’s highly anticipated set of new cybersecurity standards — known as the Cybersecurity Maturity Model Certification version 1.0 — is still on track despite the ongoing COVID-19 pandemic, said an official in charge of the effort April 22.

The new rules, which the Defense Department rolled out earlier this year, are meant to force the defense industrial base to better protect its networks and controlled unclassified information against cyberattacks and theft by competitors such as China. The rules will eventually be baked into contracts, and the Pentagon had targeted including them in requests for information as early as this summer on pathfinder programs.

Under the plan, CMMC third-party assessment organizations, known as C3PAOs, will be trained and approved by a new accreditation body. They will have to certify that a company has met the CMMC standards before it can win contracts. CMMC features different levels, with the level 1 standards being the least demanding and level 5 the most burdensome.

“We are on track, but we’re having to retool some of the training because the actual inspections … [do] have to happen,” she said. “The actual audit has to be done on site.”

The Pentagon is working on ways around that, she said during a webinar called “Protecting Small Business in a COVID-19 Environment” hosted by Project Spectrum, which is part of the Cyber Integrity Initiative and is supported by the Pentagon’s Office of Small Business Programs.

“We’re still on track,” she said. “We’re still doing the pathfinders. We’re working through those. We’re still on target to release some initial RFIs in June with the CMMC in it so we can all kind of get a feel for it.”

Additionally, the Pentagon still plans to get the first class of C3PAOs rolling out in late May or early June, she said.

The biggest sticking point will be conducting in-person audits, as is required, Arrington said.

“Until we get the directive from the president and from Secretary [of Defense Mark] Esper with the DoD we have our stay-at-home orders,” she said. However, “the work hasn’t stopped and we’re still doing our absolute best to stay on track.”


Last week, speaking during a Bloomberg Government webinar, Arrington said potential delays of a couple of weeks would be insignificant to the overall program.

“A two-week push on something is not going to … have a massive impact to our rollout of this,” she said. “I don’t think it’s going to be impactful to the schedule. I think maybe we’ll have a two, three week slip on actually doing the first audits, the pathfinders, but nothing of significance.” Auditors may have to wear masks or social distance while conducting their work, she said.

Meanwhile, Arrington noted that businesses should consider implementing the first level of the CMMC requirements now to protect themselves as more employees in the defense industrial base work from home.

“CMMC level one are 17 controls, no cost, that you can implement today that can help you be secure,” she said. “Waiting isn’t an option for any of us right now.”

She also stressed the importance of good cyber hygiene, and recommended that employees frequently change their passwords and be mindful of spearphishing attempts.

“Do your best to be diligent and remember that … the weakest link is where the adversary will come in,” she said. “Don’t be the weakest link.”

Nathan Magniex, a senior cybersecurity expert at Project Spectrum, also noted during the webinar that contractors should be wary of conducting meetings on the popular video platform Zoom.

“I would not use it as a business owner,” Magniex said. “There are certain red flags. There are connections with China that are concerning especially for the defense industrial base.”

Project Spectrum recently released a white paper on potential security risks with Zoom which said, “Zoom’s numerous vulnerabilities are not unique to them because every software company and application has them. Zoom’s links to China, however, are particularly concerning because those links expose the DIB and its supply chain, thus jeopardizing American innovation, IP and proprietary information.”

Project Spectrum recommended Cisco Webex, Facebook Workplace, Google Hangouts, GoToMeeting and Microsoft Teams as potential alternatives.”

https://www.nationaldefensemagazine.org/articles/2020/4/22/new-cybersecurity-regulations-on-track-despite-virus