FedTech Magazine - Technology Solutions That Drive Government

3 Ways to Stay Ahead on Supply Chain Security

Elizabeth_Neus_pdwC — Wed, 09 Oct 2019 12:31:04 +0000

3 Ways to Stay Ahead on Supply Chain Security Elizabeth_Neus_pdwC Wed, 10/09/2019 - 08:31

Supply chain risk is on the rise. Security firm Symantec reported a 78 percent increase in supply chain attacks in 2018, while 62 percent of federal agencies say they’ve experienced a breach or near breach in the past six months.

To combat the potential for fallout in the information and communications technology supply chain, the federal government has brought both industry expertise and executive powers to bear.

The Cybersecurity and Infrastructure Security Agency’s Information and Communications Technology Supply Chain Risk Management Task Force recently released its interim report, and a May 15 executive order placed restrictions on specific supply chain sourcing.

While increasing oversight should help organizations make smart supply chain decisions and limit potential exposure, many federal agencies are leveraging third-party providers to assist with management of ICT infrastructure because their ICT supply chains are growing — and increasing in complexity.

With National Cybersecurity Awareness Month in full swing, it’s worth taking a step back to focus on three factors that impact ICT risk and discover how federal agencies can stay ahead of supply chain security.

Doug Bonderud

Doug Bonderud is an award-winning writer capable of bridging the gap between complex and conversational across technology, innovation and the human condition.

Blockchain's Effectiveness Relies on Breaking Down Tech Barriers

phil.goldstein_6191 — Tue, 08 Oct 2019 11:04:25 +0000

Blockchain's Effectiveness Relies on Breaking Down Tech Barriers phil.goldstein_6191 Tue, 10/08/2019 - 07:04

Blockchain, one of the hottest technologies in any sector, could be a valuable tool for government. It could increase transparency in public service operations, increase supply chain visibility to combat counterfeits and automate paper-based processes to improve service delivery to citizens.

Interest in the technology is spreading worldwide. Research and Markets, a market research service, determined the global blockchain market was valued at $411.5 million in 2017 and will grow to $7.7 billion by 2022 — an astonishing annual growth rate of nearly 80 percent. In some areas where the Department of Homeland Security is working, blockchain is rapidly moving from hype to reality.

The technology is relatively simple; it’s a shared database managed by a network of computers around the world. The technology is highly resistant to data modification; transactions in a blockchain network are recorded as blocks of information in a chronological chain of data.

Each chain is copied and kept synchronized across multiple nodes or computers making the system highly resilient to attacks or data loss. Data can be added to a blockchain, but no information in it can be retroactively modified or deleted without alerting users.

William N. Bryan

William N. Bryan is the Senior Official Performing the Duties of the Under Secretary for Science and Technology at the Department of Homeland Security.

Follow the 5 R’s of Rationalization for an Effective Cloud Migration

Elizabeth_Neus_pdwC — Mon, 07 Oct 2019 13:00:20 +0000

Follow the 5 R’s of Rationalization for an Effective Cloud Migration Elizabeth_Neus_pdwC Mon, 10/07/2019 - 09:00

Whether you’re part of the Department of Defense IT team waiting to hear which cloud provider wins the $10 billion JEDI contract, or the solo practitioner at a small agency in charge of your entire IT infrastructure, the beginning of the fiscal year is a good time to think about evaluating your operations.

Knowing the exact contents of your software and hardware infrastructure is valuable information, critical when your agency is making decisions about what IT project to tackle next. And that holds true whether you’re planning to move to the cloud or just trying to update some on-premises equipment.

Once you know what’s on hand, you can start making the determination of what should move to the cloud and what should stay — not as simple a decision as it may seem, particularly if your agency is among those relying on legacy infrastructure.

Evan Doty

Evan Doty is a senior field solution architect at CDW focused on hybrid cloud and Microsoft Azure. His areas of expertise include LAN and WAN network design and implementation, Windows system administration, project management, call center management and deployment, and IT vendor management.

U.S. Census Bureau Fights Misinformation for the 2020 Count

phil.goldstein_6191 — Thu, 03 Oct 2019 17:35:36 +0000

U.S. Census Bureau Fights Misinformation for the 2020 Count phil.goldstein_6191 Thu, 10/03/2019 - 13:35

The U.S. Census Bureau is continuing to take steps to secure the 2020 count from disinformation and ensure that the count can withstand potential disasters.

The bureau has also created a “fusion center” to monitor social media for misinformation during the count, according to Federal News Network.

Atri Kalluri, senior advocate for decennial census response security and data integrity, recently stood up the fusion center, Enrique Lamas, COO for the bureau, tells the publication. The goal, he says, is to monitor “things that are being said that need further clarification from the Census Bureau.”

The bureau is working to counter rumors about the census to boost the response rate across the country. In September, the agency began promoting an email address where people can report “confusing” or “false information about the 2020 census.”

Census Works to Keep 2020 Count Secure

The 2020 count will be the nation’s first census where households can respond over the phone or via the internet. Those who do not respond will be contacted via enumerators who will collect information via mobile devices.

The Department of Homeland Security has been working with the intelligence community and private-sector vendors on cybersecurity for the count. Earlier this year, the bureau conducted a “red team” test to hunt for vulnerabilities. A red team is an inside group that explicitly challenges an organization’s strategy or ideas and looks at them from the point of view of an adversary to find weaknesses and avoid mistakes.

In terms of internal threats, like attacks on the census’s self-response site or the enumerators’ mobile devices, the bureau has said that the data will be encrypted both in transit and at rest, according to FedScoop. Network activity will be heavily monitored and that the data will be collected and isolated from the internet. Enumerators’ devices will only contain data until it is transmitted to Census systems, and the data will in no way be retained.

According to Federal News Network, DHS, at a closed-door briefing earlier this year, “told congressional staff that the 2020 census will receive as much support from DHS as the 2020 election.”

Census Bureau Ramps Up Disaster Resilience

The Census Bureau is also taking steps to enhance resilience for the count in case of disasters. The agency launched its Decennial Rapid Response Team after Hurricane Dorian hit Florida in September, and shut down two active area census offices, in Florida and Georgia, for several days, according to Federal News Network.

Al Fontenot, the associate director for decennial census programs, tells the publication that canvassing staff continued operations in areas that were not evacuated, at the discretion of the “local management on the ground.”

“Our first is to ensure the safety of our staff, our equipment and our facilities. Our second goal is to ensure our ability to achieve our mission to complete the count as well as possible,” Fontenot says. The agency will work with the Federal Emergency Management Agency when working in disaster zones. If a natural disaster should happen during the count, the agency could use administrative records to estimate the household count in an impacted area.

Phil Goldstein

Twitter

Phil Goldstein is a web editor for FedTech and StateTech. Besides keeping up with the latest in technology trends, he is also an avid lover of the New York Yankees, poetry, photography, traveling and escaping humidity.

5G Promises More Speed, Less Lag for Modernizing Agencies

phil.goldstein_6191 — Thu, 03 Oct 2019 13:10:53 +0000

5G Promises More Speed, Less Lag for Modernizing Agencies phil.goldstein_6191 Thu, 10/03/2019 - 09:10

As wireless carriers race to roll out the next generation of mobile broadband, federal agencies are in a race of their own. Those who depend on mobile connectivity need to understand what benefits 5G will offer — and what security concerns may emerge.

On the up side, the Federal Communications Commission paints a rosy picture of the ways in which 5G’s low latency, enhanced speed and bigger data capacity will improve productivity across the government workspace.

“5G will enable faster communication services, plus myriad new services and applications, including expansive IoT, smart transportation networks, telemedicine, smart cities, blockchain and robotics,” says FCC spokesperson Neil Grace.

How much better is it? Tech trade group IEEE estimates the new networks will deliver data with less than a millisecond delay, compared with 4G’s 70-millisecond lag. Peak 5G speeds could reach 20 gigabits per second, versus 1Gbps on 4G.

More Network Bandwidth Can Deliver Enhanced Productivity for Feds

Big bandwidth and low latency should translate to improved productivity. “Federal agencies’ core missions will be enhanced by the wave of innovation that 5G will bring,” Grace says.

Those enhancements could span a broad base of government users. “We can think of all the federal agencies that have folks who carry mobile devices,” says Patrick Filkins, senior research analyst with IDC’s Network Infrastructure group, who offers some hypothetical examples:

The U.S. Postal Service could leverage high data rates and expanded bandwidth to more precisely track drivers and packages.
The Defense Department could take advantage of 5G’s low latency to deliver information to war fighters and commanders in near real time. (In fact, the DOD this summer made the deployment of 5G a priority, hoping to avoid Chinese-based 5G networks.)
The Federal Emergency Management Agency and other disaster response entities could use 5G’s small form factor to create pop-up networks, enabling local connectivity and forging communications links between first-responder teams.
Veterans Affairs could utilize 5G to send data-rich, high-resolution images wirelessly from the imaging room to a doctor working on another floor.

“You can put more devices on the network than you could before,” Filkins says. “It’s like going from your backyard pool to swimming in the ocean. Now we can start to connect things, we can automate, we can accrue data" and make better decisions.

5G Security Must Be Addressed with Carriers

Government won’t have direct responsibility for addressing the security of the 5G network. The wireless carriers who roll out 5G will need to ensure it comes with appropriate safeguards. Given the higher level of network-oriented threats, there will be a growing need for the government to vet carrier offerings with security top of mind.

One place to check for good security practices by the carriers would be the mobile packet core network, the place where mobile carriers sometimes piggyback their signal on the public internet.

“Carriers plug into that, but they don’t own it,” Filkins says. “We may need to see more security around that core network, mechanisms that lock down the service provider in relation to the internet.”

All this could happen soon. The FCC has conducted multiple auctions this year for spectra that would enable 5G rollouts, and analysts predict large-scale commercial deployments in the next two to three years.

Adam Stone

Adam Stone writes on technology trends from Annapolis, Md., with a focus on government IT, military and first-responder technologies.

Security Management Infrastructure Is a New Tool for Federal Cybersecurity

phil.goldstein_6191 — Wed, 02 Oct 2019 15:22:29 +0000

Security Management Infrastructure Is a New Tool for Federal Cybersecurity

Federal agencies face a different cybersecurity environment today than they did even a few years ago. Threats are becoming much more sophisticated in both their targeting and techniques. State-sponsored adversaries have access to resources that match or exceed the current defensive capabilities of government agencies. At the same time, agencies struggle to protect themselves against some of the most insidious attackers: agency insiders who misuse their authorized access. These changes in the threat landscape require that agency cybersecurity teams adapt their thinking and defensive posture to protect government resources.

In years past, agencies followed a strategy widely adopted throughout the private sector: Create a strong perimeter defense that keeps malicious actors out of the network. That approach is woefully ineffective against today’s threats. The idea of drawing a boundary between networks and labeling them “good” and “bad” simply doesn’t work in an era of cloud computing and a mobile workforce.

This requires a different type of response. Security Management Infrastructure (SMI) provides this capability by allowing agencies to detect and respond to attacks that take place within their environment. This new solution category provides the tools agencies need to deal with sophisticated threats, including malicious insiders.

phil.goldstein_6191 Wed, 10/02/2019 - 11:22

Document File

mkt38127-federal-smi-wp.pdf

Phishing Still Catches Federal Employees Unaware

phil.goldstein_6191 — Wed, 02 Oct 2019 14:52:01 +0000

Phishing Still Catches Federal Employees Unaware phil.goldstein_6191 Wed, 10/02/2019 - 10:52

Last year, the Defense Information Systems Agency reported that the Defense Department had fended off 36 million malicious emails containing phishing ploys, malware, viruses or all three. And that’s just one federal agency.

The bogus emails that con or coerce users into disclosing key personal data are a major weapon in successful cyberattacks. Nearly 90 percent of successful data exfiltrations and breaches in the federal government over the past few years were the result of phishing attacks, according to William Evanina, director of the National Counterintelligence and Security Center.

While education has helped slow the rate of successful phishing attempts, there are still gaps where the misleading messages can get through. One thing to think about during National Cybersecurity Awareness Month, which kicked off Oct. 1: About 18 percent of those who clicked on test phishing links in 2018 were on mobile devices, according to Verizon’s “2019 Data Breach Investigations Report,” which says that mobile users can be more susceptible to phishing.

The pace of federal work can also feed the phenomenon. “People are constantly filling out forms, constantly replying to messages. Everyone is in a hurry to get things done; it’s a constant barrage. That is when people will click automatically,” says Alex Grohmann, a director on the Information Systems Security Association’s international board.

Adam Stone

Adam Stone writes on technology trends from Annapolis, Md., with a focus on government IT, military and first-responder technologies.

DHS to Focus CDM Program on EMM Data, Cyber Risk Scores

phil.goldstein_6191 — Mon, 30 Sep 2019 17:38:46 +0000

DHS to Focus CDM Program on EMM Data, Cyber Risk Scores phil.goldstein_6191 Mon, 09/30/2019 - 13:38

As fiscal year 2020 rolls into view, the Department of Homeland Security’s Continuous Diagnostics and Mitigation program is not just getting a new governmentwide cybersecurity dashboard. It will also be homing in on new areas of cybersecurity data.

Kevin Cox, DHS’ CDM program manager, said earlier this month that the program will look to integrate federal agency management mobile asset data into agency CDM dashboards, MeriTalk reports.

Additionally, starting Oct. 1, agencies will be able to compare their cybersecurity risk scores to the federal average as part of the dashboards, according to FedScoop.

“We’re going to, out of the gate, have better visualization of the data for agencies, but we’re also looking to bring in better analytics, better business intelligence, as well as, ultimately, machine learning capabilities — being able to apply that to the data so that agencies are getting maximum benefit from their cybersecurity data,” Cox said Sept. 5 while speaking at the Billington CyberSecurity conference in Washington, D.C., Fifth Domain reports.

DHS Lays Out Technology and Data Priorities for CDM

Automated discovery tools at agencies have discovered 75 percent more assets on federal networks than agencies found via manual discovery, Cox said, according to Fifth Domain.

However, there are millions of devices on agencies’ networks. “We want to help the agencies get full understanding of all the privileged users,” Cox said.

Over the past year, the CDM program gathered more data about the cloud service providers agencies are using and their cloud environments. CDM plans to launch proof-of-concept work on cloud security, Cox said.

According to Cox’s presentation slides, the program office plans to “work with the DHS team, agencies, system integrators, and DHS Cybersecurity Division partners to determine the right approach and scope for a cloud security proof of concept,” MeriTalk reports.

DHS will also expand pilots with additional agencies to protect their high-value assets. The agency expects to “explore the possibility of having at least one pilot per DEFEND group,” according to presentation slides, referring to the Dynamic and Evolving Federal Enterprise Network Defense task order.

Machine learning will also be a factor in agencies’ cybersecurity postures in the future, Cox said. CDM collects network data in a way that’s “aligned” for machine learning analysis, Cox said, according to Fifth Domain. “We’re helping the agencies get those fundamentals in place so they can benefit from these new technologies,” he said.

Agencies Will get to Compare Cyber Risk Scores

Starting Oct. 1, agencies that have access to the new dashboard will be able to compare their cybersecurity risk scores, known as the Agency-Wide Adaptive Risk Enumeration risk-scoring algorithm, or AWARE.

As FedScoop notes, AWARE “measures how agencies are doing on basic security practices like vulnerability, patch and configuration management in near real time. A smaller cumulative score represents a smaller cyberattack surface.”

When it comes to AWARE, 23 Chief Financial Officers Act agencies and 30 other smaller agencies are scheduled to get AWARE scores, with 40 more coming sometime thereafter, Cox said, according to FedScoop.

“We want to be careful not to share the scores out publicly because we know adversaries will be looking to see which agencies are having problems so they can go target them,” Cox said. “But there may be ways where, once everybody feels comfortable with their AWARE score — all the data is in good shape — that we share it with the deputy secretaries and everybody sees everybody else’s score.”

Phil Goldstein

Twitter

IRS, Other Agencies See Great Promise in RPA Technology

phil.goldstein_6191 — Thu, 26 Sep 2019 13:00:00 +0000

IRS, Other Agencies See Great Promise in RPA Technology phil.goldstein_6191 Thu, 09/26/2019 - 09:00

In April, the General Services Administration created a community of practice (CoP) for robotic process automation technology (RPA) to help federal IT leaders collaborate and determine how they could best use RPA.

Now, it’s starting to gain traction — at least at certain agencies such as the IRS, the Food and Drug Administration, and the Defense Department.

Speaking at the CoP’s first industry day earlier this month in Washington, D.C., Federal CIO Suzette Kent said the Trump administration can speed the deployment of RPA and automation technology in government by fostering a “strong working relationship” between the mission and technology leadership at agencies, according to Federal News Network.

RPA allows organizations to automate certain repetitive tasks — often mundane and tedious work that users do not want to spend much time doing.

“Just because automation can minimize repetitive, manual tasks, that doesn’t mean we should automate an ineffective process just because it’s easy or you hate doing it. We should continue to aspire to design better processes,” Kent said, according to Federal News Network.

True digital transformation via RPA will come when agencies reconsider how they do tasks and coordinate with other agencies. “This not only changes the nature of work. It changes how we work together,” Kent said.

The IRS, FDA and DOD Embrace RPA

The IRS is one of the agencies that have been enthusiastic about RPA. The agency expects to save more than 18,000 work hours through RPA pilots it rolled out in its procurement office. They help out IRS staff in the last quarter of the fiscal year, when workloads pick up.

Harrison Smith, the IRS’s deputy chief procurement officer, said that the amount of work his office has had to complete in the fourth quarter of each fiscal year has increased by 10 percent over the past five years, Federal News Network reports. At the same time, funding has decreased.

“Continually asking personnel to do more and more with less and less — it’s not something that’s feasible or tenable in the long-run,” Smith said in a call with reporters.

IRS Commissioner Chuck Rettig told Congress in April that roughly 45 percent of the IRS’ total workforce will be eligible for retirement within the next two years.

“With those numbers, 100 people could walk out today,” Smith said. “And so, helping folks do the work within a reasonable amount of time — helping those folks understand how they can shift out of maybe doing manual paperwork tasks into something that’s more relevant and more pertinent is simply going to enable and empower and make them more enthusiastic.”

Smith notes that RPA deployments will vary from agency to agency. “They’re not all going to look the same,” he said at the industry event, according to Nextgov. “You have to make sure that if it’s an automation solution for another environment that you have the technology [people] and you have the systems integrators able to talk to the people who are actually performing the work.”

Meanwhile, the Food and Drug Administration’s Center for Drug Evaluation and Research has been developing seven RPA projects as it looks to free up staff to focus on higher-level tasks, FedScoop reports.

CDER ensures drugs on the market are safe and effective and regulates them throughout their lifecycles, according to FedScoop. Many CDER employees have pharmaceutical science or medical degrees but often spend a lot of time on repetitive, manual tasks.

“Some of the activity is done by staff, with very advanced degrees, that would rather not do these kinds of tasks,” Ranjit Thomas, CDER informatics program management lead, told FedScoop. CDER estimates its RPA projects in development will save 24,000 work hours per year, including those in which bots schedule meetings and assign letters.

The Pentagon is also enthusiastic about RPA. At a Sept. 18 Association of Government Accountants event, Erica Thomas, the RPA program manager for the DOD’s Comptroller’s Office, said that RPA has the potential to reshape how federal workers get their jobs done.

“When computers were introduced into the workforce, however many years ago, there was a lot of concern that these are going to replace people's jobs,” Thomas said at the event, according to FCW. “Now when you look around, people have different jobs, they have different things to focus on, they’re more efficient. So, I don't view RPA as a replacement factor at all, it's more of an upscaling and redirecting resources to appropriate tasks.”

Phil Goldstein

Twitter

DOD to Lay Foundation for AI-based Cybersecurity

phil.goldstein_6191 — Wed, 25 Sep 2019 14:32:51 +0000

DOD to Lay Foundation for AI-based Cybersecurity phil.goldstein_6191 Wed, 09/25/2019 - 10:32

The Defense Department’s artificial intelligence strategy, released in February, calls for the use of standardized processes in areas such as data, testing and evaluation, and cybersecurity. Now, the DOD is starting to make that a reality.

The Pentagon’s Joint Artificial Intelligence Center plans to work with the National Security Agency, U.S. Cyber Command and numerous DOD cybersecurity vendors to standardize data collection across the department, JAIC chief Lt. Gen. Jack Shanahan said earlier this month, as Nextgov reports.

Speaking earlier this month at the Billington CyberSecurity Summit in Washington, D.C., Shanahan discussed how the DOD wants to create a consistent way to curate, share and store cybersecurity data from across the Pentagon’s entire IT environment. Doing so will make it to easier to deploy AI-powered cybersecurity programs, he said.

“Data challenges are a particularly hard one for the cyber piece,” Shanahan said, according to a news article on DOD’s website.

DOD Seeks Streamlined Cybersecurity Data for AI

AI tools can analyze all manner of data, including video, language, images and more. Generally, it is relatively easy to classify objects. The same thinking applies to predictive maintenance and humanitarian assistance applications, Shanahan said. However, data in the cybersecurity realm is more ambiguous and thus more difficult to classify.

To do so effectively, the DOD needs to establish a more solid baseline. “What does normal look like so anomalies and variances in the system can be detected in the data?” Shanahan said, according to the DOD.

The DOD has about two dozen different cybersecurity vendors, and each collects data in its own unique way. Without standardization, the Pentagon will find it more difficult to train AI-based cybersecurity solutions to sift out when there is anomalous behavior.

“What does normal look like? If we’re trying to detect anomalous behavior, I have to know what the baseline is,” Shanahan said, according to Nextgov. “[That’s] much more challenging on cyber than it is on full-motion video or predictive maintenance or even in our humanitarian assistance [efforts].

Standardized data is also crucial for creating AI algorithms. To fully take advantage of AI, “the data problem has to be addressed,” Shanahan said, according to the DOD.

To do that, the JAIC is working with the NSA and Cyber Command to create a starting point for data curation, content, sharing and storage.

“Just on that agreement, I think we'll have much more success down the road as we bring in commercial vendors to do product evaluation,” Shanahan said. “The challenge right now is they didn't know the data they’d be seeing.”

Phil Goldstein

Twitter