Tag Archives: government policy

How Pandemic Response Is Shifting Federal IT

Image: London School of Economics and Political Science

FCW

“The pandemic response has shown the traditional 12 to 36 month acquisition planning cycle is not how we need to do things,” says Harrison Smith, Deputy Chief Procurement Officer at the IRS.

“COVID-19 has underscored the need for us to move ahead in a more agile manner but also balance that quicker capability with responsible spending.”

______________________________________________________________________________

“From supply chain, to acquisition, to automation, the federal response to COVID-19 is changing what IT means to agencies, according to several top federal IT managers.

As the pandemic grew and the Small Business Administration ramped up its telework efforts and surged its personnel and IT to support disaster and small business loan portals, the agency was told there were potential shortages of desktop and laptop computers and lagging supplies of peripheral devices such as mice and monitors, according to agency CIO Maria Roat. That shortage, however, didn’t slow the efforts down, as the General Services Administration and NASA’s SEWP contract had enough to support SBA’s efforts, she said, but it showed a potential problem.

With other agencies, including Health and Human Services and the Veterans Administration looking for similar IT gear, “the supply chain on the hardware side was stressed,” said Roat during an April 30 ACT IAC teleconference.

Cross-agency teamwork, she said, is a critical piece of such a huge response. SBA’s dozens of field offices, for instance, can now rely on IT support from GSA and Agriculture Department IT field personnel because of collaboration through the Federal CIO Council, according to Roat. “I haven’t used that yet,” she said, but it’s helpful to know the help is there.

In setting up its telework and loan platform efforts, Roat said SBA has leveraged software-defined networking and collaborative technologies such as Skype and Microsoft Teams.

In support of the loan platforms, said Roat, SBA has turned up its Gigabit bandwidth on Ethernet backbone circuits to handle the traffic on the portals. The agency, she said, plans to add more capabilities, as well as hone existing capabilities in the coming weeks.

“We’re now getting ready for release five” of those portal efforts, she said. The agency will add additional features, such as chat boxes, a way to view active cases and additional workflow refinements, as well as additional personnel, she said.

The COVID-19 response, said Harrison Smith, deputy chief procurement officer at the IRS, has shown the federal government needs faster, more responsive methods to get what it needs in times of crisis. The pandemic response has shown the traditional 12- to 36-month acquisition planning cycle “is not how we need to do things,” he said.

COVID-19 “has underscored the need for us to move ahead in a more agile manner” but also balance that quicker capability with responsible spending, he said.

That could mean making a way for agencies to shift to more creative ways of getting things on the fly, possibly forgoing interagency agreements for, say, shared services, according to Smith.

GSA, said Beth Killoran, the agency’s deputy CIO, is learning to leverage drones, data analytics and virtual capabilities to handle more of its federal building management duties. The agency is using geotagged images to track contractors’ construction or repair work on its buildings, to save local and federal building inspectors from having to make a trip to sites, she said. The agency is tasking drone aircraft to do exterior building inspections, as well. GSA has also tapped public data of COVID-19 hotspots at federally owned medical facilities, to inform where its cleaning crews can safely do their work.

Modernized IT, said Roat, Killoran and Smith, is key to responding to such a huge crisis. The workforces at GSA, SBA and IRS, they said, have adapted quickly to telework because they had begun to move toward telework before the crisis.

House lawmakers previously proposed a $3 billion bump for the Technology Modernization Fund in a COVID-19 bill that ultimately went nowhere, but future additions are possible. Roat, who is on the TMF board that approves projects for funding, said it’s unclear if any new funding will be approved.

SBA, she said, spent 50 intense days planning and executing a plan to implement IT to support public-facing portals and services for COVID-19 response.

“From where I sit, I’d bet other agencies are doing the same” reflection on how to move ahead from here, she said. “How would we use that $3 billion to look at the bigger picture?” Should it concentrate on shared services, she wondered. “Everyone is at home right now. Everyone is digital. We need to ramp up our digital citizen interaction.”

https://fcw.com/articles/2020/04/30/covid-changing-federal-tech-rockwell.aspx

COVID-19 Enhances Pentagon Cyber Policy Commission Report Recommendations


FIFTH DOMAIN

“The importance of having that one person, that singular belly button in the executive branch who’s coordinating efforts across government, so that you don’t have to create an ad hoc task force, [so] you’re not scrambling to find who are the right people we need in the room after the crisis has already occurred,” said Co-Chairman Rep. Mike Gallagher, R-Wis.

______________________________________________________________________________

“A co-chairman of the Cyberspace Solarium Commission said April 22 that the fiscal 2021 defense policy bill could include about 30 percent of the group’s cyber policy recommendations.

Rep. Mike Gallagher, R-Wis., who co-chairs the Cyberspace Solarium Commission, which released a report with more than 75 cyber policy recommendations March 11, said on a webinar hosted by Palo Alto Networks that commission staff is working with the appropriate congressional committees and subcommittees to put about 30 percent of its recommendations into this year’s National Defense Authorization Act.

The report proposed a three-pronged strategy for securing cyberspace, called layered deterrence: shape behavior, deny benefit and impose cost.

The report also takes U.S. Cyber Command’s “defend forward” policy, which allows the military to take a more aggressive approach in cyberspace. It also suggests broadening the policy to encompass the entire federal government.

Gallagher didn’t specifically identify recommendations he thinks will be included in the NDAA, but given that the bill focuses on authorizing Defense Department programs, Pentagon-specific recommendations are the likeliest to be in the legislative text.

The recommendations for the department focus on ensuring that the Cyber Mission Force is adequately equipped; establishing vulnerability assessments for weapons and nuclear control systems; sharing threat intelligence; and threat hunting of the networks of the defense-industrial base.

The spread of the new coronavirus, COVID-19, disrupted the commission report’s rollout, which included congressional hearings on the commission’s recommendation. Those hearings have been canceled. But the pandemic also highlights the need to implement recommendations made in the report, Gallagher said, specifically the establishment of a national cyber director in the White House.

“The importance of having that one person, that singular belly button in the executive branch who’s coordinating efforts across government so that you don’t have to create an ad hoc task force, [so] you’re not scrambling to find who are the right people we need in the room after the crisis has already occurred,” Gallagher said.

Before the spread of the coronavirus, congressional committees had planned to host hearings on the commission report, but those were canceled after the coronavirus spread throughout the United States. Congress is currently wrestling with how to remotely conduct voting and committee business, as the pandemic is restricting gatherings of large groups of people.

“Even though coronavirus has complicated some of … our commission rollout, we’re continuing the legislative process right now, and I’m pretty optimistic about our ability to shape this year’s NDAA,” Gallagher said.

As for the other recommendations, Gallagher said they aren’t germane to the NDAA and will take “some time.”

https://www.fifthdomain.com/congress/capitol-hill/2020/04/22/cyber-policy-suggestions-for-pentagon-could-be-implemented-this-year/

Amazon’s “Ring” On The Congressional Privacy Hot Seat


FCW:

“The House Oversight and Reform Subcommittee on Economic and Consumer Policy asked for a range of information, including copies of all agreements the company has reached with local governments going back to 2013, details on integration of any facial recognition tools and instances where law enforcement has requested video footage from Ring.

Letter (PDF): 2020-02-19 RK to Huseman-Amazon re Ring

COMMITTEE ON OVERSIGHT AND REFORM


“The Subcommittee on Economic and Consumer Policy is writing to request documents and information about Ring’s partnerships with city governments and local police departments, along with the company’s policies governing the data it collects,” Krishnamoorthi wrote. “The Subcommittee is examining traditional constitutional protections against surveilling Americans and the balancing of civil liberties and security interests.”

Ring reportedly works closely with local governments and police departments to promote its surveillance tools and has entered into agreements with cities to provide discounts on Ring products to their residents in exchange for city subsidies. Reports also indicate that Ring has entered into agreements with police departments to provide free Ring products for giveaways to the public.

Ring reportedly tightly controls what cities and law enforcement agencies can say about Ring, requiring any public statement to be approved in advance. In one instance, Ring is reported to have edited a police department’s press release to remove the word “surveillance.”

“The Subcommittee is seeking more information regarding why cities and law enforcement agencies enter into these agreements,” wrote Krishnamoorthi. “The answer appears to be that Ring gives them access to a much wider system of surveillance than they could build themselves, and Ring allows law enforcement access to a network of surveillance cameras on private property without the expense to taxpayers of having to purchase, install, and monitor those cameras.”

The Subcommittee demands Amazon provide information about these partnerships dating back to January 1, 2013.”

https://oversight.house.gov/news/press-releases/oversight-subcommittee-seeks-information-about-ring-s-agreements-with-police-and

Future-Proofing Government By Fostering Connections


FCW

More interagency collaboration, greater engagement with stakeholders and seamless interactions between agencies and the public are some of what’s needed for the federal government to excel in the years ahead.

__________________________________________________________________________

“That’s according to the Partnership for Public Service, which published a report on the future of IT, the federal workforce and data modernization efforts.

The report, written in collaboration with EY and published Feb. 5, is the product of months of interviews and workshopping with policy makers, industry experts and agency leaders. Some of the solutions addressed common complaints like siloed IT systems, inefficient competition between agencies and unsatisfactory customer experiences. It encouraged agencies to collaborate internally and with other agencies and to increase engagement with private-sector partners and the general public.

“When IT modernization first took place and we started with the Centers of Excellence, it was really about one agency taking a particular problem, solving that problem, and then sharing it,” Department of Agriculture Chief Information Security Officer Venice Goodwine said in a panel discussion on the report. “There’s no need to spend the money building something that’s already been built. To [build an interconnected government], we need to leverage investments that other agencies have already made.”

Goodwine said the ideal model would be having one Center of Excellence for each shared service that could act as the point of contact across the federal government.

Department of Veterans Affairs’ Deputy Chief Veterans Experience Officer Barbara Morton said that as customers have become accustomed to quick, frictionless service from private companies such as Amazon, federal agencies look slow and inefficient in comparison, leading to frustration. Reorienting services to address customers’ needs would be a key first step to changing the government’s reputation as unreliable and inert.

“In the next five or 10 years, the way we meet demand will be by listening and orienting around customers’ needs, rather than putting the bureaucracy first,” Morton said at the panel. “The expectations for us are being set outside of government. … It is our obligation to be able to catch up and meet those new needs.”

Nancy Potok, the former chief statistician for the Office of Management and Budget, concurred, adding that increasing engagement with external organizations would be one solution.

“Agencies should be encouraged to partner with outside companies and entities that are really good at this,” she said. “It’s true that the public has been now very well trained to expect instant service.”

Focusing on customer experience skills during hiring and in employees’ daily work would also help foster accountability and a service-oriented culture so workers can better meet the new demands being made of their agencies. 

“When people get supervisor training, they learn the rules. They learn compliance and how to fill out a performance evaluation. That’s not the skill set we need in today’s world,” Potok said. “We shouldn’t let anyone into a supervisory position until we’re sure that they have collaboration skills, that we’ve worked on their emotional intelligence, that they’re problem solvers, that they’re willing to take some risks.”

Agencies like the VA have taken the extra step of not only encouraging those skills in their workers, but actually writing them into official policy.

“In the department, we have core values and characteristics codified into our regulations such as integrity, commitment, advocacy, respect and excellence,” Morton explained. “We amended the regulations to include customer service principles as part of our core values. We updated our [Senior Executive Service] performance metrics as well, to include customer experience. To drive this culture change, to reorient, we need to consider customer service to also be part of our regulations and our core values.”

https://fcw.com/articles/2020/02/07/future-of-government-russell.aspx

DOD’s CMMC Standards for Contractors Coming This Week

Image: cmmcaudit.org

FEDSCOOP

The Department of Defense’s new cybersecurity certification standards for contractors are officially arriving later this week, and the plan is to have about 1,500 companies certified by next year as the requirements start to pop up in contracts, officials said Tuesday.

_____________________________________________________________________________

“For now, the program’s newly formed certification board is preparing to train and certify assessors, but it does not have a projection as to how many of the cybersecurity specialists will initially be available and when, board member Mark Berman said. The board, a nonprofit, is housed outside of DOD.

The Cybersecurity Maturity Model Certification process will subject all DOD contractors to third-party cybersecurity assessments, with the goal of protecting the military’s entire supply chain. The program is replacing the DOD’s current reference document — the National Institute of Science and Technology’s standards for cybersecurity — with a five-level rating system.

The vast majority of contractors will need only to meet the first level, but even that level of accreditation will still require an in-person assessment by a certifier, officials said.

Industry must move away from self-assured “checklist” security and have continuous security principles baked into its work, said Katie Arrington, special cyber assistant to the assistant secretary of defense for acquisition, who has led the creation of CMMC.

“CMMC is meant to create critical thinking around cybersecurity,” Arrington said during an explanatory event Tuesday hosted by Holland and Knight.

The move away from self-certification is one of the major changes that will appear in the finalized CMMC model after the department has circulated several rounds of drafts and parts of the plans in the past months. Arrington and others admitted the existing reliance on self-certification has been a failure with defense technology being stolen by adversary nation-states and criminal organizations alike.

“They are done because they have not worked,” Arrington said of self-certifications.

Implementing CMMC will be a “team sport,” Ty Schriber, another accreditation board member, said during the panel discussion.

Despite large pushes from Arrington and others to get the word out in Washington, D.C., and on listening tours around the country, a recent study found low recognition of the program from defense contractors. Only a quarter of surveyed defense contractors could accurately identify what CMMC stands for.

The DOD projects a slow rollout of CMMC into contracts but hopes the transition will be smooth as businesses realize the threat from cyberattacks. Arrington assured contractors that the government will work “hand-in-hand” with companies as they start the certification process and encounter contracts with the new requirements.

U.S. allies are also being brought into the discussions, Arrington said. The United Kingdom, Sweden, Canada and others will be incorporated into the model to continue partnerships on defense technologies, Arrington said.”

Taking Washington’s Revolving Door To A Criminal Extreme

(Illustration: CJ Ostrosky / POGO)

THE PROJECT ON GOVERNMENT OVERSIGHT (POGO)

The Public Company Accounting Oversight Board (PCAOB) was created after accounting scandals at major companies such as Enron and WorldCom wiped out thousands of jobs and cost investors billions of dollars.

The supposedly independent regulator is inextricably tied to the industry it oversees, a Project On Government Oversight (POGO) investigation found.

______________________________________________________________________________

“On a spring day in 2015, his last day on the job at the board that oversees corporate auditors, Brian Sweet stuffed an external hard drive containing confidential board records into his computer bag along with hard copies of other confidential board documents.

Then Sweet said goodbye to his life as a regulator inspecting the big accounting firm KPMG and walked through the revolving door to a new job at KPMG’s Park Avenue offices in New York. The partnership at KPMG came with pay of $525,000, more than double the approximately $240,000 he had been getting at the oversight board.

Only a thin, porous border separates the auditing regulator from the auditing industry.

As Sweet would later testify, his bosses at KPMG soon made clear how they expected him to earn it.

KPMG had been performing disastrously on inspections conducted by the Public Company Accounting Oversight Board (PCAOB), and it was under pressure to improve. In the annual inspections, the oversight board scrutinizes a sample of the audits that major accounting firms perform on companies listed on U.S. stock markets. Advance word of which audits the PCAOB planned to inspect would give KPMG an edge.

On Sweet’s first day at the firm, over lunch at a posh Mediterranean restaurant, KPMG brass pumped him for information on the PCAOB’s inspection plans. His second day on the job, in a tête-à-tête in an executive conference room, as Sweet recalled, his boss’s boss referred to the uneasiness Sweet had shown divulging such information and told him he needed to remember where his paycheck came from. His fourth day on the job, while Sweet and his new boss, Thomas Whittle, walked back to the office from lunch at a Chinese restaurant, Sweet told Whittle that he knew which audits the oversight board planned to inspect that year—and that he had taken PCAOB documents with him.

That evening, “Thomas Whittle came by my office where I was sitting and he leaned against the door and asked me to give him the list,” Sweet testified.

Ties That Bind

Brian Sweet was part of a pipeline that funneled confidential information from KPMG’s prime regulator to KPMG. 

The conspiracy took Washington’s notorious revolving door to a criminal extreme. According to the Justice Department, KPMG partners hired PCAOB employees, pumped them for inside information on the oversight board’s plans, and then exploited it to cheat on inspections. Meanwhile, PCAOB employees angled for jobs at KPMG and divulged regulatory secrets to the audit firm.


The case has led to a series of convictions and guilty pleas—and a $50 million administrative fine against KPMG. It also laid bare inner workings of the revolving door in detail seldom seen.

Beyond the conduct labeled as criminal, in little-noticed testimony the case revealed a series of side contacts between senior KPMG partners and top officials of the PCAOB—one, or in some cases two, members of its five-member governing board. The low-profile meetings at locations such as the Capital Hilton, which is steps from the PCAOB’s Washington headquarters, gave KPMG leaders a preview of questioning they would later face at periodic meetings with the full board.

But all of that is just part of a larger picture: The supposedly independent regulator is inextricably tied to the industry it oversees, a Project On Government Oversight (POGO) investigation found.

Hundreds Pass Through Revolving Door

Based on an analysis of profiles from the professional networking site LinkedIn, as of November 2019, it appeared that more than 40% of PCAOB employees had worked for the so-called Big Four audit firms—Deloitte & Touche, Ernst & Young (EY), KPMG, and PricewaterhouseCoopers (PwC), POGO found. The Big Four overwhelmingly dominate auditing of the biggest corporations.

A search of LinkedIn turned up more than 340 people whose profiles said that they were currently employed at the PCAOB and that they previously worked for at least one of the Big Four. The oversight board’s budget for 2019 included a staff of 838.

At the same time, LinkedIn profiles showed more than 160 people working for the Big Four who had previously worked for the PCAOB. Scores have gone back and forth.

The numbers may not be complete; they include only people on LinkedIn whose profiles POGO could locate and access.

For current employees who went directly from the Big Four to the PCAOB or vice versa, half of the LinkedIn profiles indicated they did so with a gap of two months or less.

Ties like those may help explain why a supposedly strong and independent regulator has a history of bending to industry.


For example, as POGO has documented, the accounting oversight board has a weak record of disciplining Big Four auditors for apparent violations identified by its own staff. When it does take disciplinary action, it has shielded auditors and their clients from public scrutiny by withholding key information from public records.

Though Congress empowered the oversight board to write new rules for auditors, the PCAOB has to a significant extent preserved the industry-written rules it inherited—rules that can make it difficult to hold auditors accountable. Recently, it has watered down rules meant to keep auditors relatively independent from the companies they audit.

In addition, the oversight board has ultimately refrained from adopting some of the most far-reaching reforms it has considered, such as requiring companies to periodically change audit firms. That would assure that, from time to time, new firms would step in with a strong incentive to expose any fraud or error their predecessors condoned or overlooked—lest they become liable for those problems themselves.

PCAOB spokesperson Torrie Matous did not respond to questions for this story.

Promises Unfulfilled

The PCAOB was created after accounting scandals at major companies such as Enron and WorldCom wiped out thousands of jobs and cost investors billions of dollars. Its mission is to protect investors, including anyone who is depending on a pension fund, 401(k) account, or individual retirement account to support them in retirement. It oversees the audit firms that certify corporate financial statements. More specifically, it is responsible for writing, checking compliance with, and enforcing auditing rules. The goal is to reduce the danger that companies will cook their books or otherwise mislead investors.


When Congress designed the oversight board in 2002, lawmakers said it would provide an independent check on corporate auditors. They said it would end a system in which corporate auditors largely regulated themselves.

“This legislation establishes a strong independent accounting oversight board, thereby bringing to an end the system of self-regulation in the accounting profession which, regrettably, has not only failed to protect investors, as we have seen in recent months, but which has in effect abused the confidence in the markets,” Paul Sarbanes (D-MD), the chairman of the Senate Banking Committee at the time and chief author of the legislation, said on the Senate floor.

“This legislation builds a strong and independent board to oversee the accounting industry,” echoed Senator Mike Enzi (R-WY). “It will eliminate the climate of self-regulation that has historically guided accounting.”

As the connections between the regulators and the regulated illustrate, the promises of independence were overstated.

Swamped

The revolving door is hardly unique to the PCAOB. It’s endemic to Washington, and it’s one of the reasons federal Washington is known as a swamp. Though the revolving door is subject to various ethics rules, it’s not inherently illegal.

It can infuse regulatory agencies with knowledge of industry and expertise. It also comes with risks. Will revolvers use regulatory power to serve the public interest or to advance the private agendas of once and future employers in the private sector? Can regulators who come from industry escape the culture, values, and world view of the firms that shaped them?

When they move from agencies to industry, will they use the knowledge and relationships they developed working as regulators to help their employers game the system and gain an unfair advantage? Fundamentally, will the regulatory agency be captured by the industry it regulates?


To some extent, it may be unsurprising that people who oversee corporate auditors have a background in corporate auditing, and that people who leave the regulatory agency go on to earn livelihoods that draw upon their professional knowledge and experience.

“It is essential that regulatory bodies understand market developments and that firms incorporate regulators’ views when implementing new technologies and techniques,” Julie Bell Lindsay, executive director of Center for Audit Quality, an industry-funded advocacy group for audit firms, said in an unsolicited statement for this story. Lindsay was responding to inquiries POGO had made to audit firms.

Ernst & Young spokesperson John La Place expressed a similar view.

“In the ordinary course of its business, EY hires qualified professionals who have prior experience at government entities,” he said by email in response to questions from POGO. “These individuals contribute valuable insights and diverse perspectives that enhance the firm’s quality of service to clients in addition to addressing risks, complying with regulations and upholding our values and commitment to independence.”

But in the depth and breadth of its ties to four huge firms that wield highly concentrated power, the accounting oversight board appears to take the revolving door to an unusual extreme.

The agency and any agency employees contemplating future private-sector careers related to auditing are exceptionally dependent on the very oligopoly they are responsible for overseeing.

Combined with the PCAOB’s extreme lack of transparency and public accountability—it operates largely in secret, makes limited public disclosures, and is immune from the Freedom of Information Act—it’s a recipe for trouble.

Pumped

By the end of 2014, KPMG was in deep trouble with its overseers. That year, the firm failed 54% of its inspections.

At a December 2014 meeting with the PCAOB’s governing board, KPMG leaders were sharply rebuked.

Looking back on it from the witness stand, a senior KPMG partner named Thomas Whittle remembered the meeting as “sort of a punch in the gut.”

Whittle shared managerial responsibility for improving the firm’s inspection results, and his turnaround strategy included recruiting a PCAOB employee named Brian Sweet. Sweet understood KPMG’s problems better than most, because he was one of the people assigned to inspect the firm.

To welcome Sweet to the firm, several KPMG partners, including David Middendorf, the head of the firm’s national office, took him to lunch at Avra, a Greek restaurant near KPMG’s Manhattan executive offices where the current fare includes octopus carpaccio and tuna tartare. By Sweet’s sworn account, the conversation moved far beyond pleasantries. As they sat in a curved booth, Sweet testified, Middendorf and another partner asked him about the PCAOB’s still secret inspection plans for the year.

In Sweet’s telling, he acknowledged that he knew which audits the oversight board planned to inspect. They asked if a company called Stonegate Mortgage was one of them. Sweet recalled that he “confirmed it to them without trying to just come right out and say yes.” Middendorf asked if a big block of time the PCAOB had already indicated it had reserved for an inspection in San Francisco was for Wells Fargo.


“I remember kind of shrugging my shoulders and indicating, ‘Well, could it be anyone else?’” Sweet testified.

As Sweet recalled, Middendorf slapped the table and exclaimed, “I knew it.”

Why didn’t Sweet just say yes? “Because I knew that by directly answering ‘yes’ was a very clear violation of the PCAOB’s ethics code because it was such confidential information,” Sweet testified when Middendorf went on trial last year for his role in the affair.

Testifying in his own defense, Middendorf described the lunch in more benign terms. He testified that he told Sweet, “I only want you to share what you’re allowed to share.” He added that he did not feel he pressured Sweet.

The day after the lunch, Sweet met with Middendorf in an executive conference room. Middendorf was Whittle’s boss. As Sweet recalled, Middendorf referenced Sweet’s uneasiness confirming Stonegate Mortgage and indicated “that while I might have felt that that was a gray area, that I was there at the firm to share insight and add value wherever I could and that was his expectation of me.” Middendorf urged him to maintain strong contacts with his former colleagues at the PCAOB, Sweet testified.

“I remember that David Middendorf also indicated or told me that I needed to remember where my paycheck came from and that I was now a partner at KPMG,” Sweet testified.

According to the Justice Department, KPMG partners hired PCAOB employees, pumped them for inside information on the oversight board’s plans, and then exploited it to cheat on inspections.

By Sweet’s account, he got the message.

Later that week, as Sweet and his immediate supervisor, Whittle, walked back to the office from lunch at a Chinese restaurant, Sweet told Whittle that, not only did he know the PCAOB’s inspection plans for the year, but also he had taken PCAOB documents with him. That evening, “Thomas Whittle came by my office where I was sitting and he leaned against the door and asked me to give him the list,” Sweet testified.

Sweet told Whittle he needed a few minutes. In part, he needed time to think. Then, he fished out one of the documents he had taken with him from the PCAOB, a partial list. “I went over to Tom’s office and went to his desk and handed him the list.”

Sweet described taking the document back and then returning to his hotel room for the night.

Whittle remembered those events somewhat differently. According to his testimony, as best he could recall, the list didn’t come up until he stopped by Sweet’s office, and he initially balked at accepting it. Before taking such a serious step—a step he thought was wrong—he wanted to check with Middendorf, he testified. According to Whittle, Middendorf told him to get the list.

There’s no dispute over what happened the following morning. By email, Whittle asked Sweet to give the list to his executive assistant. “Brian, could you have Lisa scan and send me the banking selection list? Thanks,” Whittle wrote.

Sweet gave Whittle’s assistant more than just the list of bank audits the PCAOB planned to inspect.


“Just so you know, it is actually the full list of anticipated inspections (including non-banks),” Sweet told Whittle by email. “I’d appreciate the team’s discretion to make sure it isn’t too widely disseminated,” he added.

“Brian, got it and understand the sensitivity,” Whittle replied. “Have … a great weekend. Enjoy your DOM.”

The “DOM,” Sweet explained, was a bottle of Dom Perignon champagne the firm had sent to welcome him as a newly minted partner.

But, during Sweet’s early days at the firm, Whittle also offered a warning, Sweet testified. “I remember him telling me that I was most valuable to him the first day that I joined KPMG and effectively that I had less value as time went on.” In other words, “That my usefulness was only because of the role that I played in the PCAOB and that the utility of what I knew, the benefit that the firm got from what I knew would decline over time.”

Whittle recounted that conversation in similar terms.

“I told him that he was of most value because he had just come from the PCAOB and knew how they operated and knew what their issues were, but over time that information will be less relevant as they make changes in personnel and they come up with new issues,” Whittle testified.

Whittle also said he wanted to make sure that, as time passed, Sweet was “seen as adding value to the firm in other ways.”

Sweet and Whittle pleaded guilty to federal charges and testified for the prosecution as cooperating witnesses when Middendorf stood trial in early 2019. The case offered a view of the revolving door’s inner workings and showed that only a porous border separated the auditing regulator from the auditing industry.

“Anonymous Email”

Sweet was part of an expanding network that connected KPMG to the PCAOB, according to his testimony and other evidence presented in court.

When Sweet decided to leave the PCAOB for a partnership at KPMG in 2015, he recalled, he shared the news with a PCAOB colleague named Cynthia Holder, who, like him, worked on inspections of KPMG.

“She was very happy for me but also told me that if the firm, KPMG were hiring other people, that she also wanted to leave the PCAOB and would love to join KPMG,” Sweet recalled.

During his first days at the firm, Sweet called Holder and requested a favor. Could she remind him about some information that he had helped draft for a report the PCAOB was preparing about KPMG?


Less than two weeks after Sweet arrived at KPMG, he got an email from Holder’s personal AOL email account. The subject line: “Anonymous Email.” The body of the email contained only a smiley face. But attached was the information Sweet had requested.

It was, he testified, “very valuable” to KPMG.

Within several weeks of arriving at KPMG, Sweet testified, he got a call from Holder on a different matter. Holder was working on a PCAOB inspection of a KPMG audit, and she wanted Sweet’s advice. She was considering citing a potential problem with the audit, and she wanted his opinion, Sweet testified.

Sweet said he advised her not to write it up. He testified that she agreed, saying, “OK, yeah, that’s what I thought too.”

Later that year, Sweet testified, he helped Holder get a job at KPMG. Following his example, he said, she brought confidential PCAOB records with her.

KPMG made a concerted effort to recruit others from the oversight board, and the firm tapped Sweet to identify candidates, Sweet and Whittle testified. Like Holder, some were involved in inspecting KPMG and had expressed an interest in joining the firm.

One sent Sweet a copy of his résumé—and then cut KPMG slack on an inspection, Sweet testified.

The recruitment effort yielded 10 or more hires, Sweet estimated.

“Stealth” Cleanup

At KPMG, Holder maintained a running dialogue with a colleague of hers still at the PCAOB named Jeffrey Wada, who fed her information, Sweet testified.

On March 28, 2016, Holder texted Sweet to phone her as soon as he could, “with three exclamation points,” Sweet recounted. When they connected, Holder told him that Wada had given her the names of the KPMG bank clients whose audits the PCAOB would inspect in 2016.

“She explained to me that Jeff had gone into the PCAOB’s IIS system [Inspections Information System] and had accessed the planning information for the PCAOB’s KPMG inspection team and had specifically gone into the schedule,” Sweet testified.

Sweet said he understood that the audits on the list had already been completed but were still in the 45-day window when KPMG could revise or augment the audit documentation without flagging the changes.

What ensued was an urgent, “stealth” effort by KPMG personnel to scrutinize the records of the audits on the list that had the highest stakes, Sweet testified.

“I remember Tom Whittle specifically saying that we needed to maintain a circle of trust, that only the people in that room were to know the real reason for why we were doing these rereviews,” Sweet said.


“This was confidential information that had been stolen from the PCAOB, and rather than report it back, we were deciding to take action to do things to improve, potentially manipulate the PCAOB’s inspection results,” Sweet said.

As part of the effort, Sweet recalled proposing changes to audit records.

The review of one audit uncovered “very significant audit deficiencies,” prompting KPMG to change the conclusion of its audit, Sweet said. By preemptively flagging problems at that company, KPMG deterred the oversight board from inspecting that audit.

The covert program succeeded, Sweet said. Generally, inspections of the audits subject to the “stealth rereviews” showed “significant improvement,” Sweet said.

In a presentation KPMG prepared for a meeting with the PCAOB, the audit firm attributed the improvement to its internal quality control efforts. The results, the presentation said, had been “terrific.”

But Whittle worried that the success might be hard to repeat. “On the one hand, I was very pleased that our inspection results were so—were so good, but also concerned that if we didn’t have that same information in a subsequent period, that we could see a return of deficiencies that would be difficult to explain,” he testified.

“Sell Myself to KPMG”

The following year, Holder again obtained inside information.

On January 9, 2017, Holder told Sweet that Wada had given her a list of audits the PCAOB was likely to inspect that year, and she conveyed the information.

After midnight that night, Wada poured out his hopes and frustrations in an email to Holder.

“I am now trying to sell myself to KPMG,” Wada typed.

The email included a copy of his résumé and brought into sharp relief what a tangled web connects the oversight board and the industry it oversees.

Wada had gone from the big audit firm Deloitte to the PCAOB, and said he dreamed of moving to a new job at KPMG.

“It’s funny how I was on the fast track to partner and clearly recognized for my talents at Deloitte and then I ended up at this effin place with all the BS politicking that I loath [sic] and now I can’t get a GD promotion to save my life just because I refuse to kiss people’s asses and spread the political rhetoric,” Wada wrote. “God, this place sucks.”

As potential references, Wada cited KPMG auditors whose work he had inspected—people over whom he had served in a watchdog role.

“I can give you a list of names of the partners I inspected over there in Tokyo. One of the senior partners on the Honda Engagement Team really liked my style and respected my approach,” Wada wrote.

In the late-night email, Wada asked, “Please let me know what else you need from me.”

Weeks later, Wada texted Holder, “Okay, I have the grocery list.” Then, a minute later, “All the things you’ll need for the year.”

The next day, in a 48-minute phone call, Wada read Holder the complete confidential list of KPMG audits to be inspected by the PCAOB in 2017, according to an indictment.

Barbecued Evidence

Then it all unraveled.

In February 2017, as he moved to exploit the extraordinary information, Sweet got careless. Going outside the tight circle of trust, he told members of KPMG audit teams that their audits were slated for inspection. One was appalled that the firm had acquired and planned to act on inside information. As she reported it up her chain of command and word spread, others were similarly outraged. KPMG initiated an internal investigation.

Holder, a former FBI agent with experience in organized crime cases, coached Sweet on how to carry out a cover-up, Sweet recalled. “Cindy suggested that we get burner phones. Cindy and I talked about using Instagram as a code that if either of us posted a picture, like a direct message in Instagram of a college football team picture, that that would be a code to then dial into a conference call number,” Sweet testified.


Holder claimed to have hidden confidential PCAOB information in an electrical socket, Sweet said.

Sweet resorted to more basic tradecraft. After being questioned by a KPMG lawyer, he burned some of the evidence in his backyard barbecue.

“I was trying to cover my tracks,” he testified.

Cooperating

“KPMG immediately notified regulators and took decisive action to separate partners and personnel who behaved inappropriately from the firm, and cooperated with the government and our regulators to investigate and remediate this matter,” KPMG spokesperson Andrew Wilson said in a statement to POGO. “We learned from this experience and we are a stronger firm today due to the steps taken to strengthen our culture, governance and compliance program.”

Firms typically settle enforcement actions brought by the Securities and Exchange Commission (SEC) without admitting or denying wrongdoing. Extraordinarily, in 2019, when KPMG agreed to pay $50 million to settle the SEC’s administrative case, the accounting firm admitted the facts laid out by the SEC. KPMG also acknowledged that its conduct violated a rule requiring it “to maintain integrity” and “to comply with ethics standards,” the SEC enforcement order said.

It appears that, in reaction to the scandal, KPMG has changed its hiring practices.

“We do not recruit directly from our regulatory agencies, nor directly hire anyone who worked on KPMG matters in a regulatory capacity,” Wilson told POGO by email. “In the rare instances when we hire professionals with regulatory experience for our Audit practice, our goal is to ensure that our firm and our clients are up to speed on the latest professional standards and regulations so that we can continue to deliver high quality audits that the capital markets can rely upon.”

Wilson wouldn’t say when or why KPMG adopted that approach to hiring.

Lawyers for Sweet, Holder, and Whittle did not respond to emails for this story.

Airport Rendezvous

KPMG had another special channel to the PCAOB. It went straight to the oversight board’s governing board.

There’s no suggestion it involved any criminality, though when it came up in court there were questions about how it comported with the PCAOB’s ethics code.

In 2015, the two seats on the PCAOB governing board reserved for accountants were held by Jay Hanson and Jeanette Franzel. Franzel was formerly a government auditor; she had worked at the Government Accountability Office. Hanson had spent more than three decades at the accounting firm McGladrey & Pullen, now known as RSM, where he rose to the position of national director of accounting.

Called as a witness for the defense when KPMG’s Middendorf went on trial, Hanson was asked about a series of contacts he had with Middendorf and other senior KPMG partners. Those contacts preceded periodic meetings at which KPMG leaders faced questioning by the PCAOB’s full governing board.

Hanson said he invited the contacts. “Sometime after I started with the board in 2011, I was approached by a member of leadership of another firm with just a request that they wondered if I would be willing to meet with them before their scheduled meeting with the board to share my personal views on what I thought was most important to get out of the meeting,” Hanson testified. “And after having several meetings like that with other firms, I made it known to all firms that I could that if anybody wanted to talk to me before the meeting, phone call or meeting, I would be willing to do that.”

Hanson said he believed that the so-called “preboard” meetings would help KPMG be better prepared for the actual board meetings. He said he generally reviewed the agenda with Middendorf for the upcoming board meeting.

Under questioning, Hanson said Franzel sometimes accompanied him to the preboard meetings.

“Generally other than Ms. Franzel, I did not make it a habit of telling my fellow board members about the meetings,” Hanson said.

One meeting took place at the Capital Hilton, about a block from the oversight board’s Washington headquarters. Another took place at the elegant Hay-Adams hotel, just north of the White House and only slightly farther from the PCAOB.

On a third occasion, the men from KPMG met Hanson outside Terminal B at Washington’s Reagan National Airport, at a spot called Cibo Bistro & Wine Bar. “I recall that they flew in to meet with me,” Hanson testified.

At each of those preview meetings, Hanson—or Hanson and Franzel—“handed us a draft agenda of the meeting with the PCAOB board that would take place sometime after,” Middendorf later stated.

There was also a preview by phone, the result of a request Middendorf made by email on September 6, 2016.

“Jay, I hope you had a great Labor Day weekend,” Middendorf wrote. “I wanted to reach out and see if you and Jeanette would have some time to meet with Scott Marcello [of KPMG] and myself before the meeting with the board to help us prepare and get some idea of what may be on the agenda.”

“We have not had our internal prep meeting yet and I can’t find that it has been scheduled,” Hanson replied. “However, let’s get something on the calendar to talk.”

KPMG was officially given copies of the agendas shortly before the board meetings. The meetings with Hanson gave KPMG more time to prepare, Middendorf testified.


Hanson testified that he didn’t “recall specifically” whether at any of the preboard meetings he gave draft agendas to Middendorf.

“My general practice was meeting with the firm when they had the agenda in their hands, and sometimes just for pure logistics to get something on the calendar . . . expecting that by the time I came, the firm would have the agenda from the board—or from the staff . . . as a basis for the discussion,” Hanson said.

“I do recall a meeting where, to my surprise, the agenda had not been provided to the firm yet and I used my personal copy of the draft agenda with my views of what the agenda should be,” Hanson said.

With supporting exhibits, Middendorf described returning to New York with the fruits of encounters with Hanson and Franzel and promptly meeting with KPMG executives such as the CEO, the chief operating officer, and a vice chair to go over the information. He recounted that, after one of his trips to Washington, KPMG executives sprang into action to prepare for their upcoming meeting with the full PCAOB board. He said they wrote a script.

In a similar vein, Whittle said he recalled “at least one time we did get a draft or something through one of the board members.” Whittle said KPMG used it “as if it was the actual agenda, and we tried to prepare remarks that would be responsive to it.”

Section EC9 of the PCAOB’s ethics code says: “Unless authorized by the Board, no Board member or staff shall disseminate or otherwise disclose any information obtained in the course and scope of his or her employment, and which has not been released, announced, or otherwise made available publicly.”

At Middendorf’s trial, Hanson was asked if he violated that rule during the meeting where he acknowledged using his copy of the draft agenda.

“No,” he answered.

“Why is that?” he was asked.

“I had the draft that I believed should be the agenda and discussed my views on that but did not represent it as a board agenda, represented it as my personal agenda,” he said.

Pressed as to whether he actually told Middendorf that he was merely expressing his personal view, Hanson waffled.

“I don’t recall explicitly doing that,” he said.

Hanson abruptly resigned from the PCAOB on December 23, 2016. When he testified in March 2019 during Middendorf’s trial, he described himself as retired.

During the trial, at a sidebar conference with lawyers in the case, the judge said that information that might have been used to impeach Hanson—in other words, to challenge his credibility—was filed under seal. “I can say it relates to the terms of Mr. Hanson’s separation from the PCAOB. Beyond that, I don’t think I can go into it,” the judge said.

POGO tried unsuccessfully to contact Hanson via telephone, LinkedIn, and FedEx.

Interviewed for this story, Franzel declined to discuss the preboard contacts in any detail. “As a regulator I had contact with the firms because we regulated the firms,” she said. “And it was always in the context of my regulatory role and responsibilities.”

Since leaving the PCAOB governing board in 2018, Franzel has joined an advisory board of the Center for Audit Quality. That group describes itself as an advocacy organization for audit firms. The advisory board offers “a forum for dialogue and a source of guidance” for a program on research grants, the group’s executive director, Lindsay, said in a statement.

Franzel also became an adviser to Ernst & Young (EY), one of the Big Four audit firms.

“Her insights and experience are of great value to EY as we deliver on our commitment to the highest quality in audits,” John La Place, the spokesperson for EY, said in an email to POGO. “EY and Ms. Franzel are aware of the ethical requirements resulting from her role as a former PCAOB Board member, and we are confident of her and our ongoing compliance with those obligations,” he added.

Under the PCAOB ethics code, people who leave the oversight board “shall not practice before the board” on particular matters they worked on while at the board and must wait a year before practicing before the board on other matters.

Franzel deflected questions about her relationships with EY and the industry group.

Today, Middendorf is free on bail while appealing his conviction. He has been sentenced to a prison term of one year and one day—not for his meetings with Hanson, but rather for participating in what the Justice Department has summarized as a scheme to steal confidential PCAOB information and cheat on inspections.

Middendorf had no comment for this story, his lawyer Nelson Boxer said.

However, in court, Middendorf reflected on his role in the effort to exploit inspection secrets. If nothing else, his defense reflected the values of one former boss at one of the major audit firms.

“I don’t believe what I did was wrong,” the former head of KPMG’s national office told the jury. “I thought it was probably stretching the limits in a gray area, but not something that I did wrong.”

https://www.pogo.org/investigation/2020/01/how-accountants-took-washingtons-revolving-door-to-a-criminal-extreme/

Bipartisan Cyberspace Solarium Commission Will Report In Early 2020

Standard
Image: LinkedIn

“CYBERSCOOP”

The Cyberspace Solarium Commission, a bipartisan group tasked last year with devising a strategy for defending the U.S. against cyberattacks, is almost ready to reveal its proposals to the world.

__________________________________________________________________________

“The commission’s final report, expected to be issued in March or April, may include new reporting requirements for the private sector that would incentivize better security practices, the commission’s co-chairs, Sen. Angus King, I-Maine, and Rep. Mike Gallagher, R-Wis., said Tuesday during a Council on Foreign Relations summit in Washington, D.C.

While the final language is unclear, the report is expected to include a sweeping set of proposals ranging from an overhaul of congressional oversight on cybersecurity issues to an assessment of the Pentagon’s offensive and defensive readiness. Whether there’s broader appetite outside of the 14-member commission to implement the recommendations, however, remains to be seen.

One idea the commission has entertained is convincing insurance companies to offer better rates to clients who follow specific guidelines meant to bolster their cybersecurity, King said. Insurance companies already are incentivizing clients to work with cybersecurity vendors considered more likely to stop data breaches, as CyberScoop has reported.

“How do we ensure they are at some minimal level of cybersecurity?” King said. “The insurance company will say to the company if you do these things your rate will be ‘x,’ if you don’t do these things it will be ‘2x.’”

The commission also has considered reporting requirements that would encourage companies to decrease the time it takes them to detect, evaluate, and remediate possible network intrusions.

The so-called 1:10:60 rule has been helpful in debating possible requirements, Gallagher said. That rule encourages firms to detect intrusions in one minute, have an analyst evaluate it in 10 minutes, and remediate it within 60 minutes. Meeting this benchmark, according to CrowdStrike data, would eradicate most hackers before they’re able to move beyond their initial entry point.

“You can imagine a world in which we require regulated companies or critical infrastructure to collect 1:10:60 data or something similar,” Gallagher said.

The focus of any such proposal would be to hold companies accountable in case of a breach, Gallagher said.

How the exact proposal on reporting detection and remediation might be adopted, however, is still being debated. In the meantime, Gallagher noted, the federal government could improve its own internal reporting, perhaps by sending Congress quarterly updates about agencies’ detection and remediation times.

Changing behavior in Washington, too

The Solarium’s report may present Congress with some structural proposals that could enhance its oversight of cybersecurity issues, the co-chairs said.

The commission is unanimous that Congress needs to change how it conducts cybersecurity oversight, according to King, and the Solarium report may present lawmakers with proposals on how to expand their visibility into cybersecurity gaps. One way to do that could be to create a select committee to oversee cybersecurity issues, he said.

For now, it seems, many of the commission’s proposals will be focused on “enhancing” the role of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). Hiring initiatives may be a priority, Gallagher suggested.

Recommendations for the White House could make an appearance in the final report as well.

“There is near unanimity on the need to get a focal point in the White House to do oversight of the cyber community,” Gallagher said.

The White House cybersecurity coordinator, a role that then-national security adviser John Bolton eliminated in 2018, has not resurfaced despite Bolton’s departure.

The commission also will mandate that the Pentagon conduct internal assessments of the operational capacity of different cyber personnel in the Department of Defense. Such a change could provide insight on how U.S. Cyber Command personnel, for example, are functioning under a new Pentagon strategy of being more aggressive in cyberspace, known as “defending forward,” according to Gallagher.

The commission has also been debating how hiring can and should be different for cybersecurity posts at the Pentagon.

“Do you need a cyberwarrior to do 100 pushups? We don’t want to lower the standards of the military, but we need to be able to tailor the requirements to the job,” King said.”

Department Of Defense Updates Mid-Tier And Urgent Acquisition Policies

Standard
Image: Roper Center, Cornell University

FCW

The Defense Department issued updates to mid-tier and urgent acquisition policies that allow the military to quickly develop prototypes and field systems. The policies took effect in the last days of 2019.

_____________________________________________________________________________

“Reworking the DOD 5000 series instructions that govern acquisition practices has been a top priority for DOD acquisition chief Ellen Lord, who told reporters Dec. 10 that the changes were “the most transformational change to acquisition policy in decades.”

The Pentagon has said it expects to publish the adaptive acquisition framework in January, which will include acquisition pathways specific to “the unique characteristics of the capability being acquired,” Lord said.

The mid-tier acquisition instructions address rapid prototyping and fielding and are meant to serve as a path to “accelerate capability maturation before transitioning to another acquisition pathway or may be used to minimally develop a capability before rapidly fielding.”

Lord said the new mid-tier instructions under an 18-month pilot facilitated a dramatic increase in the number of programs.

“Since our pilot started 18 months ago, we have gone from zero middle-tier programs in November 2018 to over 50 middle-tier programs today delivering military utility to warfighters years faster than the traditional acquisition system,” Lord said in the media briefing.

The urgent instructions focus on capabilities needed during conflict that can be fielded in less than two years but cost less than $525 million in research and development funds or $3 billion for fiscal 2020 procurements.

Lord said the department’s changes to the acquisition would make it easier for professionals to match programs with acquisition pathways as well as reduce lead time for pathfinder projects.

The rewrites for major capability, software, defense business systems and services acquisition are pending release.”

https://fcw.com/articles/2020/01/06/dod-5000-update-williams.aspx?oly_enc_id=

Government Improving The Sharing Of Cyber Security Threat Information

Standard
Image: “Fifth Domain”

FIFTH DOMAIN

“A new joint report from inspectors general across the government found that information sharing among the intelligence community and the rest of government “made progress.”

______________________________________________________________________________

“Over and over cybersecurity officials in the civilian government, the intelligence community and the Department of Defense say the same platitude: information sharing is important. Often, however, little insight, or metrics, back up exactly how well they are doing it.

The report, titled “Unclassified Joint Report on the Implementation of the Cybersecurity Information Sharing Act of 2015” and released Dec. 19, found that cybersecurity threat information sharing has improved throughout government over the last two years, though some barriers remain, like information classification levels.

Information sharing throughout government has improved in part because of a security capability launched by the Office of the Director of National Intelligence’s Intelligence Community Security Coordination Center (IC SCC) that allowed the ODNI to share cybersecurity information all the way up to the top-secret level. The capability, called the Intelligence Community Analysis and Signature Tool (ICOAST), shares both indicators of compromise and malware signatures that identify the presence of malicious code. According to the report, the information from the platform is available to “thousands” of users across the IC, DoD and civilian government.

Information sharing within the IC has also improved due to the creation of several websites within its top-secret networks that contain threat indicators and several different types of summary reports on cyber activity and vulnerabilities.

Technological change is molding the future of information sharing within the government. With the rise of cloud computing at various classification levels throughout the government, the IC SCC told IGs that it plans to expand the ICOAST threat intel capability to work in secret and unclassified clouds. That is in the “planning and development” stages, according to the report.

“At the secret and unclassified levels, the ICOAST instances will interface with multiple DoD components and other federal entities that have the responsibility for distributing cyberthreat information to federal, state and local entities and the private sector,” the IGs wrote.

According to the report, an IC SCC official told the IGs that they wanted to deploy ICOAST in those environments by the end of calendar year 2019. A spokesperson for the ODNI didn’t immediately respond to a question about the availability of ICOAST.

The IC SCC is also working with the Department of Homeland Security’s cybersecurity arm, the Cybersecurity and Infrastructure Security Agency, to improve the information within CISA’s threat intelligence platform, Automated Indicator Sharing (AIS), for integration with ICOAST.

Barriers to sharing

Though the government has made marked improvements in its info sharing, the IG noted several ongoing challenges to better information sharing.

CISA’s AIS solution, a system through which the federal government and the private sector can share threat intelligence in near-real time, has its own participation challenges. In December 2018, the IGs found, there were 252 federal and non-federal organizations signed up for AIS. But in June 2019, only four agencies and six non-federal entities were using the platform for information sharing. DHS told auditors that the lack of participation hindered improvement.

“DHS reported that the limited number of participants who input cyberthreat information to AIS is the main barrier for DHS to improve the quality of the indicators with more actionable information to mitigate potential cyberthreats,” the IGs wrote.

The most common complaint was that AIS threat information lacked proper context to be actionable, a complaint similar to that heard from state governments receiving threat intelligence from DHS and the FBI during the 2016 election. Therefore, cybersecurity officials at several agencies couldn’t “determine why the indicator was an issue.”

“As a result, the entities did not know what actions to take based on the information received from AIS without performing additional research,” the IGs wrote.

CISA officials told the IGs that they were working on improving the quality of information with AIS.

Meanwhile, agencies also noted that the classification levels of certain threat intelligence prevented widespread info sharing. Aside from officials lacking proper clearance being prevented from viewing certain information, auditors also noted that classified threat information couldn’t be uploaded into the sharing platforms that aren’t cleared for storing that information, further hampering sharing efforts. Some agencies have worked with the owners to downgrade the classification level, according to the report.

“Sharing cyberthreat indicators and defensive measures increases the amount of information available for defending systems and networks against cyberattacks,” the IGs wrote.”

https://www.fifthdomain.com/dod/2019/12/30/how-good-is-the-government-at-threat-information-sharing/

2020 NDAA Cyber, IT Personnel And Acquisition Policy Changes


“FCW”

The 2020 National Defense Authorization Act was signed into law Dec. 20, and with it comes a range of cyber, IT personnel and acquisition policy changes.

Here’s some of what FCW will be tracking in the New Year.

_____________________________________________________________________________

Consumption-based solutions. A consumption-based acquisition provision was originally recommended by the Section 809 panel’s suite of acquisition reforms. And while most of the panel’s suggestions weren’t expected to make it into the NDAA for 2020, this one did. Doing the study, which is due in March, allows DOD to evaluate how consumption-based solutions, which involve an agency getting billed for how much it uses, would affect its contracts.

Space Force acquisition challenges. Since the 2020 NDAA authorizes the standing up of Space Force, there could be new acquisition changes needed. The bill mandates a report due in March on whether there needs to be a new acquisition assistant secretary for space policy.

Report on edge computing technology. DOD’s acquisition chief will have to report to Congress on commercial edge computing technologies and best practices for warfighting systems.

More cybersecurity oversight is coming to DOD, starting with a mandatory cyber review every four years. This requirement begins in 2022 and includes an assessment of costs, benefits, and whether, possibly like Space Force, a cyber force should be a separate uniformed service. There will also be quarterly reviews on cyber mission force readiness.

Zero-based review for IT and cyber personnel. The Defense Department has until Jan. 1, 2021, to complete a zero-based review of cyber and information technology contractors, military, and civilian personnel.

The review will assess staffing needs and effectiveness and also evaluate whether job descriptions, duties, and “whether cybersecurity service provider positions and personnel fit coherently into the enterprise-wide cybersecurity architecture and with the Department’s cyber protection teams.”

Information operations. The military services have increasingly emphasized the importance of information warfare and operations in the wake of the 2016 presidential election and the aftermath of public and Congressional scrutiny.

The 2020 NDAA affirms this by requesting DOD appoint a “principal information operations advisor” to the secretary on “all aspects of information operations conducted by the Department.” In a separate but somewhat related provision, the bill authorizes research for “foreign malign influence.”

https://fcw.com/articles/2019/12/20/acquisition-changes-ndaa-williams.aspx?oly_enc_id=