Smarter Gov Tech, Stronger MerITocracy

The Weekend Reader–July 15

Hurd Announces Move IT Act to Update Federal Systems

The Federal government spends $86 billion a year on outdated Information Technology procurement. Rep. Will Hurd, R-Texas, said the bill would ensure that professionals across Federal agencies have up-to-date technologies. He also said that agencies will now be given an awareness of and access to the savings that modernization can offer them.


CNAP Focuses on Recruiting, Scott Emphasizes

The Federal government worked to create more hiring incentives because it faced a shortfall of about 10,000 cybersecurity professionals and the supply of candidates was short. Federal CIO Tony Scott told recruits that they didn’t need to devote their whole career to the Federal government. Scott also focused on employee satisfaction by midcareer, making sure employees know what their opportunities are going forward.


NEA Policy Brief Seeks to Protect Student Data

Integrating technology into schools and classrooms certainly has its benefits, from re-engaging disinterested learners to making learning more personalized and improving learning outcomes through analytics. As schools use more and more technology, they also gather more and more personalized data on their students. With this concern in mind, the National Education Association (NEA) released a policy brief earlier this year outlining best practices for securing student data.

What Constitutes a Digital Act of War?

Due to its relatively new and complex nature, there is no straightforward method for categorizing a cyberattack as a digital act of war, according to witnesses at a House Oversight Committee hearing on Wednesday. Witnesses, however, gave no direct definition for what those circumstances would be. “Incidents described as cyberattacks or computer network attacks are not necessarily armed attacks for the purposes of triggering a nation-state’s inherent right of self-defense,” said Aaron Hughes, deputy assistant secretary for cyber policy at the U.S. Department of Defense.


Pokemon Takes Over Federal Buildings

Pokémon Go has taken over Washington, D.C., bringing Federal buildings and employees into the gaming sphere. At the Russell Senate Office Building, staffers and senators alike had a chance to catch a Bellsprout if they were lucky, but contenders must be quick because Pokémon can move around and even run away from players.


The Situation Report: Hello USDS Truth Teller

“The Bar is Really, Really Low” – Truth Teller

I learned this week from Kavi Harshawat, a member of the U.S. Digital Service working at the VA, that government civil servants are genetically predisposed to hiding bad news stories from the public. Well, OK, maybe it’s not genetics, but it’s a definite, almost measurable, fear. “Congress or the media attacking a project can mean the difference between getting funded for another couple of years and having the project shut down entirely,” Harshawat said in a YouTube video posted this week.

“And as a result, entire groups try as hard as possible to hide as much information—not explicitly—but they’re just afraid of it,” he said. “There’s no incentive to communicating in the public.”

Harshawat, who was speaking about how USDS fixes things that are broken in government, acknowledged that not every project USDS works on has the visibility of HealthCare.gov, for example. “The stuff we work on at USDS is inherently unsexy,” Harshawat said. “We’re not working on self-driving cars, we’re not building spaceships to Mars—as much as we would like to—we’re just bringing the same boring stuff that we see every single day in the tech industry here into the government. The bar is really, really low.”

VA Rising

When the Office of Management and Budget recently released its 2016 Benchmarks for Customer Satisfaction, the Department of Veterans Affairs’ Office of Information and Technology (OI&T) got an unusual surprise.

In a July 12 memo under the subject line “OI&T on the Rise,” VA Chief Information Officer LaVerne Council informed her staff that this year’s OMB rankings show that “OI&T has risen from No. 19 to No. 5 out of 24 Federal agencies. We have improved scores in every subcategory of our evaluation, including Development, Modernization, and Enhancement; Operations and Maintenance; and Help Desk,” Council said.

“But we will not stop at this success. The new hybrid Activity Based Costing (ABC) model will help drive the next stage of OI&T’s transformation by empowering management to make data-driven decisions,” Council wrote. “OI&T will be able to leverage historical information to make decisions now, and forecast near and future requirements. The ABC model will also help IT roles and requirements shift toward building a value- and customer-focused OI&T.”

VA Personnel Plans

The scuttlebutt currently making its way through the VA at the facility level is that CIO LaVerne Council was planning to jump ship by August. However, my Vermont Avenue listening post in Washington, D.C., has picked up strong signals that Council plans to remain in her CIO post until President Obama walks off into the sunset.

In addition, that same listening post reports that Council is but a week or two away from naming a new chief information security officer for the VA. The Situation Report is monitoring closely.

Fed IT is Stuck in the Weak Middle

There is a new philosophy for IT transitions and accelerated cloud deployment called Bimodal IT. Developed by Gartner, this philosophy distinguishes between Systems of Record (called “Mode 1” systems) and Systems of Engagement (called “Mode 2” systems).

Mode 1 systems are traditional legacy and steady-state infrastructure. These are the large, often mainframe-based IT systems that have saddled the government with “fossil” IT for many years. Usually developed using old-school “waterfall” development methodologies, these systems are either simply virtualized or implemented on bare metal, and they are pervasive throughout government. They often employ programming languages such as COBOL, MUMPS, FORTRAN, and other antiquated compiled languages.

In contrast to Mode 1 systems, Mode 2 systems are called “Systems of Engagement.” These modern, mostly cloud-based systems are customer- or public-facing, mobile, and Web-enabled. They have been developed quickly, using agile development methods, minimum viable product (MVP) prototypes, and accelerated and modular “dev ops” approaches. Mode 2 systems use scripting languages, have resiliency built right in, and reflect innovation in a fashion that Mode 1 systems are structurally incapable of implementing.

The problem is that the government is awash in Mode 1 systems. This is a problem that Tony Scott, the federal Chief Information Officer, has called “bigger than Y2K.”

A recent GAO report illustrates Scott’s point. It identified numerous obsolete systems throughout virtually every branch of government, often running the most sensitive applications. “Federal legacy IT investments are becoming increasingly obsolete: many use outdated software languages and hardware parts that are unsupported,” the GAO noted. “Agencies reported using several systems that have components that are, in some cases, at least 50 years old. For example, the Department of Defense uses 8-inch floppy disks in a legacy system that coordinates the operational functions of the nation’s nuclear forces. In addition, the Department of the Treasury uses assembly language code—a computer language initially used in the 1950s and typically tied to the hardware for which it was developed.”

Keeping all these IT dinosaurs up and running consumes a huge part of each agency’s budget. This so-called O&M (for “operations and maintenance”) spending often exceeds 80 percent to 90 percent of all the budgetary resources possessed by any one individual agency or component. One hapless agency self-disclosed that it was spending 99 percent of its budget on O&M!

Just to put this into perspective, the ratio between O&M and DME spending in the private sector is often two-thirds to one-third, and even some in the public sector, such as the CIO for the State of Ohio, recently claimed that their split between maintenance (O&M) and innovation (DME) was approaching 50-50.

Obviously, when such a disproportionate ratio of spending goes to “keep the lights on,” budget to innovate, move to the cloud, or enhance cybersecurity becomes incredibly difficult to find.

So-called “DME” (shorthand for developmental, modernization, and enhancement) projects fall by the wayside. Agencies get caught in a “valley of death”–unable to afford new approaches, new innovations or new, more secure technologies simply because all their resources are going to bubblegum and chicken wire.

As a result, agencies find themselves somewhere in the “weak middle”–trying to modernize but having to use older strategies to do it. Adopting a cloud deployment strategy, for example, but using a waterfall developmental approach to get there.

Applying Mode 1 tools to Mode 2 initiatives rarely, if ever, works. It places agencies into the “weak middle”–the worst of all worlds with very little chance of success.

To foster a clean break and accelerate Mode 2 IT deployments developed under agile and dev ops principles, a new form of financing to bridge the valley of death is desperately needed. Vivek Kundra, the nation’s first chief information officer, identified this crisis more than five years ago in his “25-Point Plan” for IT modernization. The answer: Reform the funding model for IT deployments using the inherent flexibilities of a working capital fund.

A working capital fund is a flexible budgetary construct that largely escapes the stranglehold of the current one-year appropriations cycle. The existing structure is too rigid, too slow, and forces agencies into doing contortions to fund the modular, MVP developmental sprints that are the hallmark of Mode 2 development.

Tony Scott gets it too. His proposal, called the IT Modernization Fund, would stand up a flexible budget resource to fund IT modernization. The fund would be housed at GSA and overseen by a committee of experts. Agencies applying for the new resources would face an OMB “shark tank” process to justify their call for the new money. Such factors as cybersecurity, the extent of risk posed by keeping the old system, shared services, and the like would be integral to this presentation.

Parallel to Tony’s initiative is a symbiotic legislative proposal called the Cloud IT Act. This package does many of the same things as the ITMF proposal, but it stands up the Working Capital Funds at the agency level rather than centralized at GSA.

Both approaches have their pluses and minuses. But it is important to note that they do not conflict and in fact, in many people’s opinions, they are complementary.

One or both of these proposals need to be adopted by Congress. Broader budget flexibilities are essential to extricating government agencies from the “weak middle.”


Are You Protecting Your Cybersecurity Investments?

Is your agency throwing money down the drain? Without a comprehensive SSL encryption solution, you could be wasting money and not even know it.

Malware, hidden threats, and additional attacks are constantly trying to break into networks. SSL/TLS encryption delivers the defense agencies need to protect their cybersecurity investments. Increase traffic visibility, address malicious threats, and protect your infrastructure before it’s too late.

Making a List and Checking it Twice: Saying “I Do” to Cloud

According to the MeriTalk “Cloud Without the Commitment” report[1], 75 percent of Feds want to move more services to the cloud – but aren’t really ready to say “I do.”  In fact, according to this study, 65 percent of agencies are not adequately prepared before they walk down the cloud aisle.

As agencies approach cloud migration, developing a cloud checklist based on lessons learned increases the probability of a seamless and successful transition.

Stage 1:  Establish Your Cloud Strategy

It begins with the foundation.  Like any other IT move, cloud requires a strategy.  Agencies should ask these fundamental questions before they begin:

  • What’s our strategy?
  • How will it impact our application environment? Staff? Budget?
  • What systems are we going to move to the cloud first?
  • Do we have a small environment with which we can begin?
  • Do we have a test and development environment we could use?

Stage 2:  Evaluate Your Current Environment 

Once agencies have identified goals, objectives, and how the cloud strategy ties into overarching IT plans, they need to examine the current environment – a step that is not taken in all instances today.

The MeriTalk “Cloud Without the Commitment” report[2] also reveals that 65 percent of Federal IT leaders report they are not completing a workload analysis to define the data, services, and workloads to migrate to the cloud or centralizing IT governance, and 60 percent say they are not developing a cost model.

Identifying the status of the current environment enables agencies to choose the right cloud construct – while staying within budget and policy constraints.

  • What does my current IT environment look like? My apps?  What workloads are where (i.e., mainframe, distributed workloads, virtualized VMware, etc.)?
  • Which apps are the right ones to go to cloud? Which apps are easiest to move?
  • Which apps are more recently developed? How do they make up my current IT environment – and can they be easily transferred into another?
  • What type of cloud fits best with my workload?

Some newer applications running in VMware environments, for example, are calling legacy databases and applications. If you put these applications in the cloud, you have to consider connectivity, security, privacy, and latency between the public cloud application and your legacy system back in your data center. You may incur costs you didn’t anticipate due to the amount of traffic between your cloud applications and your own legacy data center.

Stage 3:  Explore Your Cloud Options

As agencies work to accelerate cloud migration, it’s important to remember that one cloud doesn’t fit all.  When we look at the cloud ecosystem and think about the future, we believe agencies will have some workload in public cloud – while more sensitive data may reside in a private cloud either on-premises or off-premises.  Many agencies will harness the power of hybrid activity to best reach their goals.

The majority of Federal cloud providers are building their strategy around private and hybrid due to security, data ownership, and system of record issues in the Federal government.

Many assume public cloud is the most economical choice; however, a private, on-premises option can be more economical depending on the workload and data security requirements.

You can get the economical and operational benefits of cloud with your data in your data center within your firewall; or use a hosted solution with a data center partner.  When exploring your cloud options, make sure your agency considers these key factors:

  • Agency/cloud interaction
  • Resource allocation
  • Risk distribution
  • Specific support offerings
  • Key SLAs, specifically average response time to an incident, average turnaround time, etc.

Stage 4:  Choose a Cloud Provider You Can Trust

Running through a cloud checklist prior to and during the cloud migration process ensures agencies are prepared for a seamless transition and provides agencies with a full picture of their cloud environment, enabling a smarter CSP choice.

At ViON, we help agencies investigate their current environment and suggest a cloud model that works best for overall IT efficiency.  We look at the full cloud ecosystem to avoid potential data portability, security, and interoperability challenges during the migration process – so you can say “I Do” to cloud.

As a trusted cloud provider, we partner with your agency and also assume the risk – capital, operational, and budgetary – so you don’t have to.  And that’s the real silver lining.

This blog post was originally published here

[1] “Cloud Without the Commitment.” MeriTalk. January 2015.

[2] “Cloud Without the Commitment.” MeriTalk. January 2015.

The Weekend Reader–July 8

NTIS Joint Venture Partnership Allows for Big Data Analysis

At an information session, NTIS director Avi Bender announced an industry-government venture program, in which private companies can provide data service to Federal agencies. “This is going to give private companies an opportunity to have a conversation with Federal customers,” Bender said. “Many things can happen when you are able to sit in front of someone and interact.” Bender said one goal of the program is to improve the value of big data for Federal agencies.

VA Initiative Raises Outsourcing Fears

It’s one of the centerpieces of the Department of Veterans Affairs’ transformation effort. But the so-called strategic sourcing initiative has some front-line IT employees worried that it’s really just a code word for outsourcing their jobs to the private sector. It also refocuses VA on buying best-in-class commercial technologies rather than building custom systems. “This is where the rubber meets the road and it’s the least appreciated and most understaffed area in the VA. It is starting to populate this level with contractors,” a source said.


NOAA to Launch New Satellites Despite Concerns

The National Oceanic and Atmospheric Administration will launch two satellites to monitor weather and temperature patterns around the globe, but the agency is concerned about potential issues including data gaps following the expiration of previous satellites. In the past, NOAA and the Department of Defense have worked with international organizations to make up for the gaps in weather data. “We have global coordination activities already in place for meteorological activities across all the major [meteorological] organizations in the world,” said Stephen Volz, an administrator for NOAA.


Small Businesses are Prime Cyber Targets, Experts Say

Small businesses are prime targets for today’s hackers, according to witnesses testifying at the House Small Business Committee on Wednesday. Because small businesses often don’t have the resources or training to thwart cyberattacks, hackers will choose to go after a large number of them for a small sum, rather than a single, large company that poses a greater challenge. “They often lack the capabilities or the resources to pursue strong, entitywide cyber protections,” agreed Nova Daly, senior public policy adviser at Wiley Rein.


The Situation Report: What I Know About Hillary’s Email

While some make excuses for Hillary Clinton’s email troubles, it is clear that Americans are not stupid and can see through absurd explanations that attempt to justify the reckless behavior of senior Clinton staff. And the same holds true for every other Cabinet-level official—Democrat or Republican—who put sensitive national security information at risk because of private email use. Your humble correspondent does, in fact, know more than a thing or two about handling classified information.


The Situation Report: What I Know About Hillary’s Email

Frank A. McDonough is the former deputy associate administrator of the General Services Administration’s Office of Intergovernmental Solutions.

And he knows nothing about controlling and protecting classified data.

That much is clear from his recent string of absurd assertions in Federal Computer Week that Hillary Clinton somehow knew the State Department’s cybersecurity program was so riddled with vulnerabilities that she chose—as if in a stroke of brilliance—to deploy her own private email servers because that’s what the rest of her cybersecurity-savvy colleagues in the U.S. Senate had always done and that proved to be more secure than a centralized server subject to Department of Homeland Security monitoring.

This kind of bizarre analysis ranks right up there with those who argued that using outdated programming languages, like COBOL, is more secure because our nation’s adversaries don’t have the technical acumen to figure out how they work. Yes, this is an argument that seemingly sophisticated cybersecurity thinkers have, at times, actually supported.

Your humble correspondent does, in fact, know more than a thing or two about handling classified information. Having spent seven years in the intelligence community (including time as an Information Systems Security Officer and an officer responsible for Cryptologic equipment), I know what it is like to live in a constant state of vigilance handling top secret, code-word information. And I can give you a real-life example from my career that illustrates the difference between the professionals who understand the importance of protecting intelligence data (note I didn’t say classified data) and the dorm room advisers serving on Hillary Clinton’s State Department staff.

First, we were always concerned with the threat of providing adversaries the ability to derive classified data from large volumes of unclassified data. People have a tendency to think just because a document is not marked with a classification label that it bears no sensitive information. Nothing could be further from the truth. That is true in the intelligence community and perhaps even more so in the world of the secretary of State, where sophisticated adversaries dedicate massive resources to intercept your communications and understand your plans, policies, intent, and negotiating positions.

But even when dealing with documents that are clearly marked with the appropriate classification, there are things you just don’t do. During the height of the war in Bosnia-Herzegovina, I was sent to Europe to coordinate intelligence operations for what we thought at the time would be an opposed landing by U.S. Marines on the shores of Croatia to save the United Nations Peacekeeping force. I traveled alone, wore civilian clothes, and was unarmed.

My first indicator that something was awry came when I walked into Adm. Leighton Smith’s office in Naples, Italy, and was greeted by my former regimental commander. Small world, I thought—that is, until he smiled and said to another officer, “looks like we found our courier.” After several clumsy attempts were made by “allied” nations to figure out what our plan was, I was approached with a request that, at the time, seemed highly unusual. A senior U.S. officer asked me if I would be willing to physically carry the entire military operation plan for the invasion (known then as OPLAN 40104) back to the U.S. because they were having trouble with their network connectivity.

“Don’t worry. It’s nothing the Serbs don’t already have,” the officer said to me in front of a female U.S. Navy commander, whose eyes became as big as saucers.

I knew almost immediately what was happening and what it would mean for me personally if I said yes to this request. There was a major undercurrent within senior U.S. military circles that the war in Bosnia wasn’t worth the life of a single American soldier, sailor, airman, or Marine. And they seemed willing to do anything to avoid getting involved in yet another part of the world where people had been killing each other for thousands of years over ethnicity and religion.

At the time, all I could think about was that I would be alone and unarmed, and I was operating in a part of Europe that was likely surrounded by Serb intelligence. That would be one hairy trip back to the states, assuming I got that far. I told that officer—who outranked me by four pay grades—that he would have to find another way to transmit the plan because I could not properly protect the classified information contained in its hundreds of pages. At this point, the Navy commander’s eyes had widened to the size of dinner plates. The officer walked out and I never heard about the request again.

I tell this story because the talking heads and the columnists who know nothing about the classification system or why certain information is classified at the highest levels should stop assuming Americans are stupid. Even the uninitiated can see through absurd explanations that attempt to justify the reckless behavior of senior Clinton staff. And to be clear, the same holds true for every other Cabinet-level official—Democrat or Republican—who put sensitive national security information at risk because of private email use.

I refused to carry a highly classified document without proper protection through cities and commercial airports in Europe because I had been trained to understand the impact that the loss of certain types of information could have on my nation’s security—not to mention that I also felt like I was being set up. Even at my level, I knew the risks and I understood the threats were active around me.

Members of the president’s Cabinet need to exercise better judgment. And when they don’t, the career officials who know how information is supposed to be handled and protected—especially career IT and security personnel—need to step up and do their jobs.

The Weekend Reader–July 1

Internet of Things Set to Change the Transportation Landscape

“IoT approaches will allow people and cargo to be transported more efficiently.” Senators and witnesses alike expressed enthusiasm for IoT’s potential to improve freight, better public transportation, monitor infrastructure, and collect data on transportation operations. “By increasing connectivity and real-time data flows between stakeholders, our transportation network and its users will gain productivity,” said Sen. Deb Fischer, R-Neb. Senators and witnesses also commended the Smart Cities participants, whose projects addressed issues of freight truck shipments, space within the cities, and other transportation issues.

Mobility Gains Importance in Health, Citizen Connectivity

The Defense Health Agency is working on a way for a person injured overseas to have instant access to world-class health care. Electronic health records allow doctors to administer care and patients to access their personal information through their smartphones. David Smith, director of state and local government sales for Citrix, said state governments are improving their operating system landscapes and working to streamline their applications in order to connect to citizens.


Top 5 TED Talks for College Students to Watch This Summer

College students might be spending their summers slogging away in an unpaid internship, working in retail, or, if they’re lucky, relaxing by the pool. However, even if school isn’t in session, students can still focus on growth and learning. TED Talks are a valuable and free resource for college students.


Rule 41 Raises Concerns Over Government Hacking Powers

An update to the Federal Rules of Criminal Procedure, specifically Rule 41, which could automatically take effect in December, is once again bringing up concerns of privacy and security in the digital world. George Washington University Law School research professor Orin Kerr described the lack of avenues for law enforcement when they are seeking to search a computer that is hiding its location, which the changes to Rule 41 seek to fix. The second change to the rule was equally contentious, as opponents claimed that it would allow the government to hack into computers of people that had done fundamentally nothing wrong.


STEM Majors Feel Most Optimistic About Job Prospects

Compared to other majors, STEM students are most likely to believe companies will recruit them directly out of college, and 73 percent feel they will receive a good job upon graduation. Using technology in the classroom was reported as improving students’ preparedness for entering the workforce. Eighty-five percent of students surveyed in 2016 felt using technology in classes and as a study tool will make them a stronger job candidate, an increase from 80 percent of students in 2015.


The Weekend Reader-June 24

FAA Launches Drone Rules

Rules for drone use took flight this Tuesday after the White House released a set of regulations on the use of these unmanned aerial vehicles. The Federal Aviation Administration’s rules pertain to drones used for hobbies, although the administration also addressed future uses for commercial drones. Drone operators will not be allowed to fly their drones over people and should keep their drone in sight at all times.


The Situation Report: VA’s New Power Brokers, Thor, and Creepy Analytics

“As Chief of Staff, Kai [Fawn Miller] will work directly with the leadership team to ensure that our daily activities are balanced with our overall mission,” VA CIO LaVerne Council wrote in an email to staff. Council said OI&T is two quarters ahead of its anticipated plan, meeting four of its seven transformation milestones. “Effective immediately, our IT acquisitions team–led by Luwanda Jones–will transition to be the first fully-staffed function in the strategic sourcing organization,” Council wrote.

FedRAMP Announces High-Impact Baseline

“This release allows agencies to use cloud environments for high-impact data, including data that involves the protection of life and financial ruin,” said the FedRAMP announcement, dated June 17. According to the announcement, moderate- and low-impact data account for only about 50 percent of the Federal IT spend, despite consisting of about 80 percent of total Federal data.


HHS Invests in Tech to Reduce Zika Risk

New investments in pathogen reduction devices may help reduce the risk of transmitting Zika via blood transfusions. This contract also supports an evaluation of safety for Puerto Rico’s blood system, which is currently supporting Zika virus outbreak response. The system is currently used for platelets and plasma, and the HHS funding will help develop its capabilities for red blood cells.


DISA to Upgrade Big Data Platform

“[This data] will not necessarily interact with the rest of the cloud platform.” The BDP update will enable operators to manage mission-focused data sets within the existing solution–running custom analytics against the specified data. “The ability for operators to focus the queries against only the data supporting their mission will greatly decrease the time it takes to visualize the results as well as allow further drill down into each result set,” said Bob Landreth, BDP program manager. “We’re about to see quantum leaps in our ability to rapidly develop, deploy, and utilize analytics for CSAAC,” said Dave Mihelcic.


The Situation Report: VA’s New Power Brokers, Thor, and Creepy Analytics

VA’s New Power Brokers

Department of Veterans Affairs Chief Information Officer LaVerne Council has a new chief of staff. Kai Fawn Miller, the director of IT Strategic Communication for the Office of Information and Technology (OI&T) will assume the role of chief of staff on June 26, according to an email from Council intercepted by The Situation Report.

“As Chief of Staff, Kai will work directly with the leadership team to ensure that our daily activities are balanced with our overall mission,” Council wrote in an email to staff. “She will make recommendations to help ensure consistency across our divisions’ processes and resources, and she will continue to keep leadership informed of the feedback and ideas from all of our employees in order to bring urgent issues, great innovations, and our biggest successes to light.”

In addition to naming a new chief of staff, Council appointed five new authorizing officials for VA IT systems. According to a June 15 memorandum, Council gave the following senior executives “full authority” to authorize IT systems for operation:

  • Ronald Thompson, Principal Deputy Assistant Secretary for Information and Technology
  • Susan McHugh-Polley, Deputy Assistant Secretary for Service Delivery and Engineering
  • Robert Thomas, Deputy Assistant Secretary for Enterprise Program Management
  • Daniel Galik, Associate Deputy Assistant Secretary for Security Operations
  • Dominic Cussatt, Executive Director for Enterprise Cybersecurity Strategy

Now the question is: How many VA systems do not have ATOs?

VA Transformation & Strategic Sourcing

Our well-placed moles throughout the VA enterprise have reported that Council is quite pleased with the agency’s progress to date on its so-called transformation efforts. In a June 10 email, Council said OI&T is two quarters ahead of its anticipated plan, meeting four of its seven transformation milestones.

One of those milestones is the formation of a Strategic Sourcing initiative.

“Effective immediately, our IT acquisitions team–led by Luwanda Jones–will transition to be the first fully-staffed function in the strategic sourcing organization,” Council wrote. “As this team continues to oversee the effective execution of our IT acquisitions for the rest of the fiscal year, they will also play a vital and pathfinding role in the formation of the strategic sourcing office. Until our DCIO for strategic sourcing is hired, Luwanda will report directly to me.”

The goal of the new strategic sourcing office is to improve VA OI&T’s speed to market, ensure compliance with the Federal Information Technology Acquisition Reform Act (FITARA), and foster the most responsible allocation of taxpayer resources.

Brian Burns Update

It’s time for your humble correspondent to eat crow. I recently predicted that Brian Burns, the former VA chief information security officer, was lining up to possibly take on the new Federal CISO position. Well, my listening post outside VA headquarters has corroborated signals coming out of the New Executive Office Building that the Federal CISO announcement isn’t likely coming until July.

And an intercepted cable from the Commandant of the U.S. Coast Guard shows that Burns is now the new deputy CIO of the Coast Guard. He’s been in that position since June 12.

Codename: Thor

The Intelligence Advanced Research Projects Agency is seeking technology that will detect when an individual is attempting to spoof a biometric security system. Known as a biometric Presentation Attack, or PA, the process involves using a prosthetic to conceal a biometric signature or present an alternative biometric signature.

Current methods of detecting a biometric spoof attack rely mostly on what is called “liveness detection”—making sure that a fingerprint presented to a fingerprint reader, for example, is from a finger that is attached to a living human being, or that a retina scan detects pupil dilation (another indicator that the body part is attached to a living subject).

IARPA’s new Thor research project will focus primarily on finger, face, and iris biometric scanning. However, the system (or systems, if different hardware is used for each biometric scan) must be able to accurately assess the integrity of the process without a human in the loop. Potential use cases include travel checkpoints, facility access points, identity verification, and cyber authentication.

Return to Creepy Analytics

If you’re old enough to remember Admiral John Poindexter’s Total Information Awareness program at the Pentagon’s Defense Advanced Research Projects Agency, then you’re old enough to be creeped out by IBM’s latest patent—Monitoring Individuals Using Distributed Data Sources.

According to the patent document, IBM’s invention “relates generally to the field of security, and more particularly to verifying the location of an individual.” What it actually does, however, is overcome the limitations of existing tracking technologies, such as limited range and requiring the person being tracked to carry a GPS-enabled tracking device.

“An embodiment of the present invention provides multiple sources of information that are used to determine the location of a given individual…[and]…provides authority figures with the option of selecting which types of data sources are used for tracking purposes,” the patent states.

In one scenario detailed in the patent, video cameras that are known to the monitoring program capture images of an individual and feed that image into a facial recognition program. But in cases where the video-capture device is not known to the system, sounds and objects from the surrounding area can be used to determine the location of the person in the video.

“For example, analysis of the video indicates the sound of a train passing by along with lettering that reads ‘XYZ.’ In this example, the user profile includes the names and addresses of the friends of the individual along with a known range of travel of the individual. Tracking program 115 searches the Internet for train tracks, the words ‘XYZ’ and the known range of travel of the individual. Tracking program 115 applies statistical analysis to the results of the search and determines that the individual is most likely at the house of their friend.”

Sure, this sounds great for parents of tweens. But Situation Report is officially creeped out.

Gone Fishing

The Situation Report is off next week. Your humble correspondent will be enjoying surf fishing for record-setting stripers and bluefish, without the tyranny of email access.

Taking Action Against Threat Actors: Good Things Come in Threes

Reports say 100,000 new malware samples are discovered every day. And, according to a recent survey, 62 percent of DoD IT pros identified foreign governments as one of the greatest sources of IT threats. Bloomberg reports the U.S. military “is seeking $34.7 billion through 2021 to boost cybersecurity capabilities.”

How can agencies identify – and mitigate – threat actors, whether they come from nation states or within the U.S.?

Look Who’s MeriTalking: Mark Schwartz, CIO USCIS

MeriTalk caught up with Mark Schwartz, the chief information officer at the U.S. Citizenship and Immigration Services within the Department of Homeland Security, during the 2016 Akamai Government Forum in Washington, D.C.

The Weekend Reader–June 17

Exclusive: VA Spending on Mobile Apps and VistA Enhancements Violated Appropriations Law

The laws in question prohibit the use of medical care support and services funding for anything other than expenses related to inpatient and outpatient care, medical supplies and equipment, prescription drugs, and nursing homes, as well as caregiver assistance and health care employee salaries. “Of the approximately $51.9 million, VA spent $39.1 million in questioned costs on IT development and enhancement activities instead of medical care and administrative activities,” the IG report states. VHA planned to use mobile health applications on devices such as BlackBerrys, iPhones, and iPads so that doctors and nurses could access medical information and enhance communication with caregivers.

BYOD Challenges Higher Ed Security

Higher education students bring their own devices onto campus, causing universities and colleges to re-evaluate their security and access structure. Campuses now oversee identity and security life cycle management. Mehran Basiratmand of Florida Atlantic University refers to it as a “whole paradigm shift.” And limiting students’ access to resources would affect their educational experience, leaving higher ed institutions to adjust their security postures.

States Unite to Save Big Bucks on Cloud Services

Utah is expected to issue a National Association of State Procurement Officials cloud computing contract in August that helps states get the best deal for equipment and software by bundling their shopping lists into a single bid. “Savings results from volume discount pricing received from the combined purchasing power of multiple states joining together and from reduced administrative overhead resulting from one procurement being conducted for and in benefit of all participating states,” said Kent Beers of Utah. Finding efficient cloud services is on the minds of many state purchasing officers as their terabytes of data continue to explode, and they have no secure place to store the information. New Mexico and Idaho are two of the 36 states that have signed letters of intent to participate in the contract.

Government IT Modernization Plan At Turning Point

Time may be running out on the Federal government’s plan to replace and modernize billions of dollars’ worth of legacy IT systems—some of which date back more than 40 years and control critical programs, including the U.S. military’s nuclear arsenal. The money would serve as a revolving capital fund that agencies would apply for and use to upgrade and replace the billions of dollars’ worth of outdated computer systems. A detailed business case would be required for each disbursement, and agencies would be required to pay back any money realized from savings.

The Situation Report: Great Scott Round II; Federal CIOs on the Move

Great Scott Round II

For those of you who missed the opportunity to hear Federal Chief Information Officer Tony Scott lay out his vision for the $3.1 billion IT modernization fund at this week’s Cloud Computing Brainstorm, you’ll have another chance on July 14 at the Palo Alto Networks Federal Forum. Scott’s keynote will come at a critical point in his effort to champion the revolving capital fund. If legislation supporting the fund is introduced as planned before the July 4 holiday, Scott’s appearance at the Federal Forum will be an important opportunity to push it across the goal line.

But time is running out, and the odds that this money will actually materialize are not good. That’s why MeriTalk has launched the #GreatScott campaign—an online petition to keep Scott in office through the transition of administrations. Scott’s presence and leadership may be the key to making the $3.1 billion modernization fund a reality.

Money Bags

My Capitol Hill listening post has picked up strong signals that there are some big piles of unused money sitting in some Federal coffers that could make the perfect seed money for Scott’s IT modernization fund. According to one source, lawmakers have their eyes on the CIA’s private investment activities, which have reportedly paid off to the tune of about $4 billion. It wasn’t that long ago when the CIA’s investment arm, known as In-Q-Tel, invested in a company called Keyhole—an investment that blossomed into what we now know as Google Earth.

Take Your Medicine

When is a Dell tablet computer a medical device? Well, that depends on whom you ask at the Department of Veterans Affairs and who’s paying for it. For example, a tablet is a medical device—like a blood pressure monitor—if it is used to run a mobile medical app, according to the Veterans Health Administration’s Office of Connected Care. But when those tablets are purchased to replace aging desktops—clearly an IT investment—then the use of an estimated $5 million in medical funding becomes a legal problem.

My Vermont Avenue observation post in Washington, D.C., has uncovered evidence that nearly 2,000 tablet computers purchased by VHA’s Office of Connected Care have been sitting in a warehouse for the past year. Adding salt to the wound is the fact that because VA does not currently support Windows 8 or Windows 10 operating systems, those new tablets are in limbo. The Office of Connected Care, according to reports, is searching for ways to either return the tablets to the manufacturer or transfer them to the Office of Information and Technology (OI&T).

Big Apple Bound

My remote monitoring station outside the New Executive Office Building has picked up signals that Tony Scott is making travel plans. No, he’s not leaving Washington, D.C., for good (at least not yet). But he is taking all of the Federal agency CIOs on an off-site educational trek to New York City to meet with industry counterparts. Reports indicate the Feds will be in the Big Apple most of next week.

Breaking the Traditional Federal Cloud Mold: ViON’s Agile Cloud Platform (ACP) with vCloud Suite

Cloud isn’t a new concept for government. Approximately 8.5 percent – or roughly $7 billion – of the government’s IT spending goes to provisioned services like cloud[1] today.

But, even greater opportunity for savings is ahead, as agencies focus hard on legacy migration. The costs associated with maintaining outdated infrastructure have reached the impossible point. OMB’s legacy systems report, out last month, found many agencies use outdated, unsupported software languages and hardware parts.

Agencies reported using systems that have components that in some cases, are 50+ years old.

Cloud offers a migration opportunity, but navigating the skies isn’t easy. Agencies are challenged with forecasting and managing cloud budgets, and with ensuring that data is protected and secure.

Protecting constituent data is top priority as agencies consider cloud models, and keeping systems current is key. Cloud enables more frequent updates, improves overall efficiency, and helps agencies make the shift to using OpEx vs. CapEx dollars.

ViON’s Agile Cloud Platform (ACP) with vCloud Suite software (a private cloud with a JAB-based FedRAMP Provisional Authorization), for example, enables agencies to store data locally behind their firewall, access it both on- and off-premises, and reduce waste by paying only for the capacity they use – addressing both budget and data protection concerns.

Operating under a unique “Pay-as-you-Consume” billing model, ACP provides scalable, customized capacity to migrate and manage sensitive data.

Importantly, the implementation is modular.  IT teams select and implement what they need, adding services into their portfolio as their mission evolves, and as they build success with initial cloud service offerings.

The ACP with vCloud Suite also enables Federal IT teams to:

  • Monitor the environment and perform self-healing tasks based on well-defined scripts
  • Connect to public cloud providers and services for a hybrid cloud design, should they choose to do so

As an enterprise-class solution, the vCloud Suite comes with a vSphere hypervisor, which creates the foundation for add-on components such as vCenter Server, vCloud Automation Center, vRealize Operations Manager, and vRealize Business.

These add-on components help to make the most of the cloud offering and scale to meet changing agency workloads.

For example, with the vRealize Automation Center, agencies create and present a service catalog of available IT resources, automating processes, reducing the provisioning time required of the IT team, and freeing resources to work on strategic projects.

ViON’s cloud offerings provide more control with a modular migration path – that’s the real silver lining.

Learn more about flexible IT – and find out how your agency can benefit from IT on-demand.

This blog post was originally published here

[1] https://www.whitehouse.gov/sites/default/files/omb/budget/fy2016/assets/ap_17_it.pdf

The Weekend Reader–June 10

World Oceans Day: Book Uses Data to Increase Understanding

An e-book published to coincide with World Oceans Day hopes to bring together researchers, government agencies, students, and technology to better the understanding of the world’s oceans. Dawn J. Wright is chief scientist at Esri and editor of the second edition of Ocean Solutions, Earth Solutions, a book aimed at compiling and bettering the data surrounding ocean research.

Agency Resources Help Patients Understand Rights

Despite eight in 10 individuals who have viewed their health information online saying the information was useful, 41% of Americans have still never even seen their medical record. The ONC’s new infographic also provides a series of tips on how to gain access to and safely share medical information, including: You cannot be refused access to your health information because you haven’t paid your medical bill. Your provider is no longer responsible for the security of your health information after it is sent to a third party.

Data Drives Personalized Learning

Data provides parents, educators, and policymakers with the information they need to personalize and support student learning. “It’s incredibly important that the individual classroom teacher… [is] able to use data and access data to drive learning in their class,” said Chip Slaven, counsel to the president and senior advocacy adviser for the Alliance for Excellent Education. Measure what matters: Be clear about what you want to achieve for students and have the data to ensure it gets done.

82% of Hospitals Electronically Exchange Medical Information, Study Shows

In 2008, 41 percent of non-Federal, acute care hospitals electronically exchanged key medical data with outside providers; today, that number is 82%. The study defines non-Federal, acute care hospitals as any acute care general medical or surgical, general children’s, or cancer hospitals owned by private/not-for-profit, investor-owned/for-profit, or state/local government and located within the United States. The four key domains of data sharing are electronically sending, receiving, finding, and integrating or using key medical information.

What Agencies Need for a Secure Cloud Transition

IT is evolving and agency security needs are changing with it.

There needs to be a “fundamentally different way that we secure [IT] services,” said Rob Palmer, deputy chief technology officer, DHS, during a recent webcast.

“It took us a decade or more to get a good support model in place for what we are now considering legacy IT,” Palmer continued. Now agencies are hoping to transition from legacy IT to the cloud.

FedRAMP Accelerated Program Could Leave Some CSPs Behind

Earlier this spring, the Federal Risk and Authorization Management Program (FedRAMP) announced sweeping process changes in an effort to accelerate the accreditation of cloud solution providers (CSPs) to better meet agencies’ needs. The intent of the announced changes is to reduce the time and cost associated with receiving accreditation. This article will examine the potential pros and cons of FedRAMP’s new approach and discuss critical considerations for CSPs to successfully navigate the changes.

The Reported Advantages:

Speed: According to GSA, CSPs currently fill out hundreds of pages of documents and turn them over to the FedRAMP office for vetting. Currently, the vetting takes on average between three to nine months to complete just to earn the FedRAMP Ready Status. The fastest FedRAMP approval to date took five months, while most reviews are now taking nine to 18 months. The proposed FedRAMP Ready changes suggest CSPs can earn an ATO in under six months, possibly three. Needless to say, this is a fundamentally better timeline for many CSPs that need accreditation as part of their route to market.

Stronger Capability Assessments: Currently, documentation reviews are lengthy and don’t necessarily involve a direct view of the CSP’s systems and security controls. Under the proposed process, a 3PAO will provide the initial system analysis. This real-world analysis may remove some of the risks for the government of going through the program.

The inclusion of a Capability level is the strongest outcome of this change. By clearly defining the assessments for CSPs, the FedRAMP PMO could in the near future look at the success or failure of CSPs in retrospective terms. CSPs also have a clear measure of how they may promote or distinguish their system.

Figure 1:  FedRAMP Readiness Capability Level Factors Showcase

See https://www.fedramp.gov/provide-public-comment/draft-readiness-capabilities/

Some Potential Limitations:

Fewer accreditation options: The FedRAMP PMO is eliminating the CSP Supplied compliance path. In addition, not all CSPs will be allowed to go through the P-ATO or FedRAMP Accelerated paths anymore. The P-ATO path will likely be used less and less and if a new, innovative CSP has the opportunity to have an agency review their package, the P-ATO path may not be used at all. The CSPs that do not meet the outlined criteria will have a really hard time getting accredited or may fall behind their competitors, leaving them at a substantial market disadvantage.

Increased need for documentation and added (hidden) costs: As most companies doing business with the government know, more documentation does not necessarily equal more security. At the same time, compliance documentation increases costs to CSPs in the following areas:

  • Overhead for documentation or consultant help in documentation to meet the FedRAMP standards and processes.
  • Clearly, large businesses or technology innovators with deep pockets or more generous investors will more likely have fewer hurdles to the Federal market. Small businesses and new innovators are likely to struggle because they will need sufficient investment to meet capability levels prior to earning any revenue.
  • Additional 3PAO costs for the CSP related to the FedRAMP Readiness Assessment Guidance (RAG).
  • Additional 3PAO risks and costs for the real and potential liabilities related to attestation. This includes the liabilities a 3PAO may face from the CSP and the costs of defense related to suggested credibility issues from the FedRAMP PMO, especially if a breach or leak of CSP data occurs after having been through FedRAMP Ready.
  • Potential political costs for the FedRAMP PMO if CSPs have accomplished FedRAMP Ready but are not approved or viewed by the FedRAMP PMO as worthy of selection for the P-ATO JAB process. The cost to the CSP would be frustration and an inability to open up government sales of innovative new solutions.

Regardless of the accreditation path a CSP is taking, the FedRAMP process is all about understanding and demonstrating security and documentation due diligence. CSPs need to understand their strengths and weaknesses vis-à-vis the requirements and proactively work with their selected 3PAOs to close security gaps.

Maria Horton is CEO of EmeSec, an accredited 3PAO supporting customers in adopting the cybersecurity and risk mitigation best practices they need to build competitive advantage in today’s connected world. Since 2003, the company has been working with government and private sector organizations to help them protect their missions, reputations, and growth engines, while harnessing the power of security and automated technologies.

The Situation Report: VA’s Culture War and CCX Brainstorm Takes Washington

This is a special Tuesday Situation Report, as your humble correspondent will be traveling for the rest of the week. So for those of you who are used to reading your inside baseball on Thursdays, I apologize. But this is not one you would want to miss.

Brainstorm–June 15

The November election may be playing havoc with agency appointments and senior leadership positions, but there are two things that aren’t going away any time soon: cloud computing and the Federal Information Technology Acquisition Reform Act (FITARA).

That’s not to say that things related to cloud and FITARA aren’t changing–because changing they are, and fast! But MeriTalk is hosting some of the biggest names in government IT on June 15 at the annual Cloud Computing Brainstorm. Even better, we’re opening the day with a FITARA breakfast session featuring OMB, members of Congress, and a keynote presentation from U.S. Chief Information Officer Tony Scott.

We’ll be exploring everything from cloud migration strategies and security, to agency cloud collaboration and the value of open source, and open standards.

Register Here

VA’s Culture War

It’s fair to say that you have to give Bob McDonald credit for trying to turn those lemons at the Department of Veterans Affairs into lemonade. Sure, he’s had his missteps along the way, but McDonald has surely tried and has made some solid progress in reforming one of the most broken of all government bureaucracies.

But my reporting during the last two weeks has uncovered a disturbing trend–even after the ouster of former VA Secretary Eric Shinseki and the many early retirements of more than a few bad apples (retirements that should not have been allowed), there remains a major undercurrent of distrust and genuine dislike for many senior VA leaders. VA is losing the people battle. This has been particularly true in the Office of Information & Technology.

When LaVerne Council replaced Stephen Warren as VA chief information officer last July, technology newsrooms around Washington, D.C., filled with a sense of hope–an outsider was coming in to replace a career Federal employee whose management style had not won many hearts and minds.

Council squandered the opportunity. Upon her arrival, the mentality at OI&T quickly shifted in the wrong direction. “Transparency has a different meaning there. The prevailing attitude there now is that what is good for the assistant secretary is what’s good for the organization, not the other way around,” said a longtime OI&T insider, known to The Situation Report.

Those who knew Steph Warren almost long for the days when they would be left trying to figure out his social awkwardness. People just “didn’t get Steph,” said one of his former close advisers. “He has a unique personality that if you don’t know him can seem aggressive or condescending. But that was more social awkwardness. I actually thought he was an incredibly good leader and he had the best of the organization at heart. He was a good person and he worked with the best intentions.”

What about Council? The situation there is less clear. Even as recently as April, the MyVA Advisory Committee–a group of about a dozen of the most senior officials in VA, as well as Secretary McDonald and Deputy Secretary Sloan Gibson–made a point to advise Council to “embed sustainability” within her own organization rather than to complain about her staff’s lack of skills or the tendency of components to deploy “shadow IT.”

“Council is all about Council,” said a former VA official who worked for both Warren and Council. “She was personally very nice to me. But her style is management by territory building and aggressive behavior that borders on bullying. She surrounds herself with sycophants and is not open to debate.”

Some also have serious questions about the technical qualifications of Council and others, like Brian Burns—the former VA chief information security officer who The Situation Report believes may be only days away from becoming the first Federal CISO. According to some, neither Council nor Burns has an in-depth grasp of the technological aspects of their jobs.

The bottom line is this: VA’s reputation has been destroyed. It can’t fill the 43,000 job vacancies it currently has, and it can’t find senior leaders willing to join from outside the government. This has happened not because government is inept, but because this one agency allowed itself to become the place where third stringers could get ahead by jumping from one gig to the next, and where kingdom builders can get away with it as long as they have cover from the top.

McDonald can’t change this by November. After that, it’s anyone’s guess how long it will take to win the VA culture war.

See you next week.

Got a Situation Report you want to share? Send in confidence to dverton@meritalk.com

The Weekend Reader – June 3

Exclusive: VA Chief Information Security Officer Resigns

Brian Burns, the Department of Veterans Affairs’ chief information security officer, has resigned, according to an internal agency memo obtained by MeriTalk. His last day with VA will be June 10. Burns took over the CISO post last November.

Girls Outperform Boys in Technology and Engineering Assessment

A recent study pointed to a lack of science, technology, engineering, and math (STEM) role models for females, but it’s not slowing down females’ knowledge of technology and engineering. A national assessment of eighth graders’ technology and engineering literacy reveals female students outperformed their male peers. Overall, female students scored three points higher than male students.

Solar Panels Have Soft Costs, New DOE Podcast Says

The first episode discusses solar panels and the associated costs. Solar panels absorb energy from the sun and turn it into usable electricity. They do not give off pollution, and they drive down the costs of electricity bills.

Innovation Can Close Gap Between Patient Expectations and Experience

“Many of us still have issues getting or accessing our health information, and if you are like me, it seems to be a never-ending saga,” said Lana Moriarty, director of consumer health at ONC. The average patient has several interactions with the health care system in a given year, meaning multiple patient portals and a continuous burden on the consumer to gain their health care information where and when it is needed. Christine Bechtel, coordinator of Get My Health Data, described the issues most patients have with securing their patient records, despite their expectation that personal medical data should be easy to obtain.

The Situation Report: Is This The New Federal CISO?

Federal CISO Decision Imminent

The Situation Report has picked up strong signals from the Old Executive Office Building that Federal Chief Information Officer Tony Scott has made his final decision on who will be the first Federal chief information security officer and plans to make an announcement as early as next week.

If our intelligence is correct, that would place Scott’s public announcement within about 48 hours of Brian Burns’ last day as CISO at the Department of Veterans Affairs. It was also unusual for Veterans Affairs CIO LaVerne Council to announce Burns’ resignation only from his role as deputy director of the Interagency Program Office (IPO). One would think that if your CISO is moving to another government agency, you might address the fact that you are soon to be without a CISO.

While there is one other viable candidate known to The Situation Report to have been on Scott’s short list, Burns certainly has the chops and the background to be a serious contender.

Burns first entered Federal service in 1997, after a 13-year stint in commercial IT. His government resume is impressive: He’s held senior IT positions at the Department of Defense, Department of the Air Force, Department of the Navy, Department of Education, Department of the Interior, Department of Health and Human Services, Department of Treasury, and the Internal Revenue Service.

Will Burns be the first Federal CISO? I think there’s a better than 50-50 chance he’s the chosen one.

Veterans Data Breach Report

A VA lawn maintenance worker in Bay Pines, Fla., recently came upon a small pile of documents sitting on the lawn outside the VA facility where he worked. Turns out the papers were a Housing and Urban Development Veterans Affairs Supportive Housing (HUD VASH) Veteran contact list.

The employee responsible for leaving the documents on the lawn has been disciplined, according to the VA report on the incident. A privacy violation memo was issued and 103 veterans were notified that their personal information was involved.

Veterans’ personal data seems to be in constant danger at VA, from the lawns in front of facilities to even the highways. Last month, the VA’s Data Breach Core Team opened an investigation into a VA employee who left an envelope full of unapproved claims, billing documents, and tort claims information on the top of a car. The employee then drove off and went home.

The documents were found by an unknown citizen spilled across a section of highway nowhere near the VA facility. The VA sent 28 veterans an offer of free credit protection services.

Of course, things could be worse. A VA facility in Hampton, Va., lost three encrypted hard drives in April. As of the latest security incident report, they remain unaccounted for. VA is not concerned about the drives because they were encrypted, a position that holds only if the drives were fully encrypted and their keys or passphrases were not stored with them; an encrypted drive that travels with its own key protects nothing. In addition, there were two other similar incidents that took place during the same reporting period, but VA left them out of the report “because of repetition.”

Shadow Cloud

Should Burns get the nod for the Federal CISO post, he will have his hands full when it comes to gaining control of unauthorized government cloud services.

One of my remote Silicon Valley listening posts recently detected a serious disturbance in the Federal cloud computing force. A recent assessment of a major government agency “with very strict cloud usage policies” uncovered more than 3,000 “unique, unsanctioned cloud services” that were being accessed routinely over a three-week period. Some of the things discovered included private storage devices that were used for backing up data, and “hundreds of risky data sharing, collaboration, and social media sites.”
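The assessment above counted unique unsanctioned services by looking at what the agency’s users actually connected to. The following is an added example of that kind of discovery, not code from MeriTalk or from the assessment it describes: it reads constructed web-proxy log lines (timestamp, user, method, URL, bytes sent), drops anything on a hypothetical sanctioned-service list, collapses the rest to a registrable domain, and reports how many distinct unsanctioned services appeared and how much data was uploaded to each. The log format, the sanctioned list, and every host and user name are assumptions made for the example.

```python
"""Shadow-cloud discovery from web proxy logs (added example, not the page's code).

Everything below is constructed for illustration: the log format, the
sanctioned-service list, and the sample log lines.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed: services the hypothetical agency has approved for use.
SANCTIONED = {"mail.gov.example", "sharepoint.gov.example", "zoom.us"}

# Assumed proxy log format: <timestamp> <user> <method> <url> <bytes_sent>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<bytes>\d+)$"
)

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
2016-06-01T09:12:03Z jdoe GET https://mail.gov.example/inbox 1200
2016-06-01T09:14:41Z jdoe POST https://www.dropbox.com/upload 4823011
2016-06-01T09:20:10Z asmith GET https://zoom.us/j/123456 800
2016-06-01T09:31:55Z asmith PUT https://api.box.com/2.0/files/content 2100000
2016-06-01T10:02:17Z bjones GET https://www.facebook.com/ 5300
2016-06-01T10:05:09Z bjones GET https://sharepoint.gov.example/sites/ops 9000
2016-06-01T11:40:30Z cwu POST https://www.dropbox.com/upload 1000000
2016-06-01T11:41:02Z cwu GET https://pastebin.com/raw/abc123 300
this line is malformed and must be skipped, not crash the parser
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host = urlsplit(m["url"]).hostname
    if not host:
        return None
    return {"ts": m["ts"], "user": m["user"], "method": m["method"],
            "host": host.lower(), "bytes": int(m["bytes"])}


def is_sanctioned(host):
    """True if the host is an approved service or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in SANCTIONED)


def service_of(host):
    """Collapse a hostname to a registrable domain so www./api. variants count once.

    Naive last-two-labels rule; production code should consult the Public
    Suffix List so that e.g. example.co.uk is not collapsed to co.uk.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyze(lines):
    """Aggregate unsanctioned services: who used them, how often, bytes uploaded."""
    services = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_uploaded": 0})
    skipped = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # count, never crash, on unparseable lines
            continue
        if is_sanctioned(rec["host"]):
            continue
        entry = services[service_of(rec["host"])]
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        if rec["method"] in ("POST", "PUT"):   # outbound data, the exfil-relevant direction
            entry["bytes_uploaded"] += rec["bytes"]
    return {"services": dict(services),
            "unsanctioned_service_count": len(services),
            "skipped_lines": skipped}


def top_uploaders(report, n=3):
    """Unsanctioned services ranked by bytes uploaded, largest first."""
    ranked = sorted(((svc, e["bytes_uploaded"]) for svc, e in report["services"].items()),
                    key=lambda t: t[1], reverse=True)
    return ranked[:n]


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG.splitlines())
    print(f"{rep['unsanctioned_service_count']} unsanctioned services, "
          f"{rep['skipped_lines']} unparseable line(s)")
    for svc, uploaded in top_uploaders(rep):
        users = ", ".join(sorted(rep["services"][svc]["users"]))
        print(f"  {svc:<16} uploaded={uploaded:>9}  users={users}")
```

Ranking by bytes uploaded rather than by request count is the point: a social media site with thousands of GETs is a policy problem, while a personal storage service receiving megabytes of POSTs is a data-loss problem, and the second is what the assessment’s “private storage devices used for backing up data” finding describes.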

The Weekend Reader – May 27

Data Breaches Cost Health Care Industry $6.2 Billion

Data breaches are costing the health care industry an estimated $6.2 billion, with 89% of organizations represented in a new study by the Ponemon Institute having experienced a data breach in the past two years and 45% reporting more than five breaches in the same time period. Fifty-one percent blamed a lack of vigilance in ensuring their partners and other third parties protect patient information as a top reason for their vulnerability, and 44% say it’s due to a lack of skilled IT security practitioners. “In the last six years of conducting this study, it’s clear that efforts to safeguard patient data are not improving.”


Marketers Target Students Through Online Learning

Students are directed to go online for schoolwork, and corporations are reaping the benefits by subjecting these students to targeted marketing. “Parents are very concerned about how their children’s personal data is being outsourced to ed tech companies, who are using the data for commercial purposes and tracking them online,” said Leonie Haimson, co-chair of the Parent Coalition for Student Privacy. For example, Google and Facebook are widely used by schools and both “spend millions of dollars to influence lawmaking and keep regulation at bay,” said the report.


Politics Stands in the Way of IT Modernization, Officials Say

“We can start talking politics and we still don’t get where we need to go.” Committee members said they were disappointed and baffled over the degree of outdated technology in Federal agencies, some in mission critical systems. A major concern was the use of 8-inch floppy disks in DOD systems, as 3.2 million disks would equal just one flash drive. One congressman questioned whether such outdated technology could remain a secure means of storing classified data.


CMS Release of Medicare Data Sets Includes Standardized Payment Amount

The information was part of the third annual release May 5 of the Physician and Other Supplier Utilization and Payment public use data. The data set contains information for more than 986,000 health care providers who received more than $91 billion total in Medicare payments in 2014. The Obama administration has directed CMS to prepare these public data sets in an effort to make the health care system more transparent to patients, doctors, and consumers.


The Federal IT Papers–Part 2

MeriTalk is running a series taken from a book-length work authored by a senior Federal IT official currently working in government. In this installment, the writer says: I think that the best starting point is in architecture because, “If you don’t know where you are going, any road will take you there.” I worry that the way we have run enterprise architecture has been an exercise in futility. It asks, what do you have now, what are you aiming for, and what is the plan to get there?


Are Candidates Concerned About Cyber?

As the 2016 election grows closer, IT pros are wondering when the Presidential candidates will tackle ongoing cyber security concerns and questions. CBS News reports, “Fifty-five percent of information security professionals believe cyber security should be a key issue in the 2016 election.” But is it?

Blue Coat’s Chief Operating Officer, Michael Fey, poses five cyber questions each candidate should consider.

The Situation Report: 3.1 Billion Reasons Government IT Will Remain Outdated Into 2017

$3.1 Billion Modernization Fund on Life Support

Bottom line: My Capitol Hill listening post has picked up strong signals that the White House’s proposed $3.1 billion IT Modernization Fund has but a 50-50 chance of finding its way into legislation this year.

Sources say the current political climate, along with presidential election politics, makes it highly unlikely that the revolving capital fund will find its way into the appropriations process. Even if the fund makes it into a bill, sources say Ohio Gov. John Kasich has a better shot at winning the Republican nomination for president than Federal CIO Tony Scott has of actually seeing the $3.1 billion materialize.

And that’s a shame, because reports coming from our Office of Management and Budget observation posts indicate that Scott—who’s knee-deep in transition planning at the moment—has pegged the cost of replacing all of government’s legacy IT systems at the full $3.1 billion mark.

The pair of wild cards in this hand are Reps. Jason Chaffetz, R-Utah, and Will Hurd, R-Texas. Chaffetz, chairman of the House Oversight and Government Reform Committee, gave off strong signals at the May 25 hearing on legacy IT modernization that he’s “warming up” to the idea of a revolving capital fund. And while Hurd, chairman of the House IT subcommittee, has supported the idea from the start, our San Antonio listening station reports the congressman faces an uphill re-election battle and may not be around to help champion the fund.

AWS Calling

The Situation Report intercepted a phone call this week from a recruiter working for Amazon Web Services. Apparently, the company is planning to hire a vice president for its U.S. Public Sector business who will report directly to Teresa Carlson, AWS’ current vice president of worldwide public sector.

Initial reports raised questions about Carlson’s future plans. But our sources report that she is no longer in danger of Jeff Bezos’ public relations Siberia after a brief incident a while back involving an on-the-record quote provided to a reporter without permission. The new position is simply a response to AWS’ solid growth in government.

18F’s New Procurement Officer

Last week, we learned that the General Services Administration decided to move a contracting officer from the Federal Acquisition Service (FAS) to its newly established Technology Transformation Service. Sounds like a great idea, and the Federal IT media largely bought it as just another fascinating and innovative move to support all of the new innovators at 18F who are busy working on wildly innovative websites.

Fine.

But our remote listening post operating in the vicinity of Room 5340 of GSA’s Washington, D.C., headquarters building has picked up reliable reports that the new contracting officer position has more to do with providing 18F air cover for the coming assault by the GSA inspector general and an upcoming “beating” in June by the Government Accountability Office. Accordingly, the new contracting officer has their hands full making sure there are no illegal contracting activities in place when those two reports—and their corresponding congressional hearings—hit the street in June.

18F’s State & Local Loophole

There’s been a lot of talk recently about the GSA’s digital consulting arm, 18F, and its newly launched state and local government IT practice. Many observers point to what is clearly illegal—it’s against the law for GSA and 18F to do work directly for state and local governments, except for programs that fall under the handful of Cooperative Purchasing Program schedule contracts.

But The Situation Report has debriefed a longtime GSA mole, who said GSA is using a simple scheme to get around those restrictions and entangle 18F’s front-end tentacles in as many places as possible before the change of administrations. According to our source, GSA Administrator Denise Turner Roth has come up with an ingenious plan: institutionalize 18F digital services into all Federal grants to state and local governments. Under that model, 18F isn’t working directly for state and local governments, but for the Federal agency responsible for issuing the grant.

Holes in Obama’s Cyber Net

President Obama’s Executive Order 13694, issued in April 2015, declared a cybersecurity emergency due to the volume of cyberattacks against the U.S. originating in foreign countries. The order was viewed at the time as the ammunition the country needed to go after these hackers, many of whom are believed to be acting on behalf of foreign governments.

But a newly released report from the Treasury Department dated Oct. 1, 2015, provides a surprising assessment of the order’s impact on national cybersecurity during its first six months. The emergency powers invoked by Obama cost the government at least $760,000 (mostly in Federal salaries) but failed to identify a single hacker to target with sanctions.

“No entities or individuals have been designated pursuant to E.O. 13694,” wrote Treasury Secretary Jacob Lew.
