Feds on the Move

Cubicle farms are dying. Where can I send flowers?

We can work anywhere, but it takes IT smarts to ensure that an increasingly mobile workforce has secure access to whatever it needs, whenever it needs it.

Managing the mobile enterprise is critical, and it’s the focus of next week’s Citrix Mobility 2015 Government Summit, bringing together experts for a deep dive into enterprise mobility management – from mobile device management to secure network access and data security.

Beyond E-Mail
Mobility isn’t just a perk. It’s a prerequisite for getting more work done faster.

In fact, the first goal of the Federal government’s digital strategy is to “enable the American people and an increasingly mobile workforce to access high-quality digital government information and services anywhere, anytime, on any device.”

“Always-on” and “always connected” have become routine. It’s no longer about receiving and sending e-mail from anywhere. It’s also about having access to the documents, data, and applications workers need instantly, without having to return to their desks and without having to jump through hoops.

IT Heavy Hitters on Deck
Howard Schmidt, who served as Special Assistant to the President and the Cybersecurity Coordinator for the United States, will provide the keynote at the Citrix summit. The White House will send the inestimable Lisa Schlosser, who serves as the Deputy Administrator, Office of E-Government and Information Technology, Office of Management and Budget, Executive Office of the President and Deputy Federal Chief Information Officer, to discuss the Federal Information Technology Acquisition Reform Act (FITARA).

Don’t miss the draft guidance on changes to FITARA.

The People Have Spoken
Telework is the original mobility initiative, and it continues to gain favor as it moves from concept to mainstream reality.

In 2014, 29 percent of Federal workers participated in telework programs, up from 26 percent in 2013 and 25 percent in 2012, according to the Office of Personnel Management’s Federal Employee Viewpoint Survey.

Technology is no longer much of a barrier. Among those who don’t telework, 5 percent said that’s because of technical issues, down from 6 percent in 2013 and 6 percent in 2012.

Down on the Farm
At the U.S. Department of Agriculture, our friend and fellow Iowan, Secretary Tom Vilsack, said increased telework has allowed $18 million of cost avoidance in transit subsidies to Agriculture Department employees.

That’s something to moo about. Maybe Secretary Vilsack can find a new use for all those empty cubicle farms popping up at Ag and at other agencies.

How is your agency doing? Does it have a progressive mobility initiative? Let us know. And let us know how your agency can improve mobility for its workforce.

The Citrix Mobility 2015 Government Summit is scheduled for Monday, June 8. Start the week off right by registering here to discover the best mobility strategies, meet interesting people, and hear some great new ideas.

Feel like sharing something Noteworthy? Post a comment below or email me at bglanz@300brand.com.

Bill Glanz is the content director for MeriTalk and its Exchange communities. In the past 14 years, he has worked as a business reporter, press secretary, and media relations director in Washington, D.C.

FedRAMP Fast Forward?

Forget tuning in for the Indianapolis 500 this weekend.  All eyes are trained on the Great FedRAMP CSP Acquisition 500 right now.  Smaller companies that pioneered the FedRAMP approval process are selling quicker than Express Lane traffic on the Beltway.  EMC’s eating VirtuStream.  CSC acquired Autonomic Resources.  QTS quaffed Carpathia.  And, we’re only in the first lap.  We’re going to see a lot more of the FedRAMP frontrunners lapped up as the IT industry giants realize they need FedRAMP – but flinch from the traffic, complexity, and cost of the certification process.  What’s the future of Clear Government, CTC, EconSys, SecureKey, Vazata, and more?

Running Into Traffic

The Cloud Computing Caucus Advisory Group annual report, “Don’t Be a Box Hugger,” tells us that, as of May 2015, just 35 products were certified as FedRAMP compliant, with another 40 at one stage or another in the review process, and many, many more waiting to engage in certification.  According to CSPs, the average cost to complete FedRAMP certification is between $4 million and $5 million.  It takes around 18 months to get through the process.  In April 2014, 24 CSPs were awaiting certification. One year later, 16 of those same CSPs were still in the pipeline awaiting approval, according to the FedRAMP OnRAMP. Each FedRAMP certification submission typically entails 1,000 pages of technical and legal documentation.  It’s the importance of the certification to Federal agency buyers and the complexity of the process that’s fueling the FedRAMP CSP buying race.

Inside Lane?

As more of the bigs jump into FedRAMP, it’s going to change the feel of FedRAMP.  Today, it’s a cottage industry that trades on relationships.  Companies in the pipeline are more concerned about managing relationships with the FedRAMP PMO – so they can cash in on their certifications.  Many of those companies are less concerned about how FedRAMP works as an operating model, the costs associated with maintaining their ATOs, and broader government-wide adoption rates.  Too many that have made it through the process see the program’s complexity as an effective barrier to entry that wards off competition on the track.

Oil on the Track?

A host of questions hang over scalability of the FedRAMP process – how can the program office manage the deluge of new CSPs that want to get through the process?  We understand that the FedRAMP PMO currently spends as much time and money maintaining ATOs for the handful of CSPs already through the process – which means the program cannot scale.

Further, word is CSPs are running into challenges with the alternative agency route to FedRAMP certifications – as those agencies are bristling at the cost associated with managing those certifications.  How can the FedRAMP PMO manage the volume without adequate funding?  If there aren’t enough cloud options, how’s the government supposed to move to the cloud?  The requirement to move to FedRAMP Rev 4 raises additional questions for industry and government alike.

FedRAMP Fast Forward

Industry wants a front seat in FedRAMP.  That’s why MeriTalk, working collaboratively with the FedRAMP PMO at GSA, is hosting a new industry working group.  FedRAMP Fast Forward provides a venue to support, inform, and accelerate FedRAMP and broader cloud adoption across government.  The group’s structured in three workstreams:

1. Technical Standards and Process

2. Rules, Policy, Interagency Collaboration, and Communications

3. Training, Education, and Transparency

Interested in learning more?  Download the working notes from the kick-off meeting or drop a line to fedrampfastforward@meritalk.com.  The group will host a breakfast meeting at the MeriTalk Cloud Computing Brainstorm on June 17th.

And speaking of traffic, the Brainstorm features a morning keynote by Tony Scott, a NIST Cloud Cyber Security Working Group session, a Cloud Computing Caucus Advisory Group panel, as well as the FedRAMP Fast Forward session – so it’s going to be bumper to bumper at the Brainstorm.

Trouble on the Inside

Snowden and Manning introduced the world to insider threats. Not only do we know what that means now, we also understand how difficult it is to stay ahead of such threats.

But with the expansion of mobile technologies and increasingly sophisticated threats – both inside and outside – the whole nature of cyber defense is transforming before our eyes. What worked a short while ago can no longer be expected to do the job.

Guarding the Perimeter Won’t Cut It
“Identify and protect” used to be the standard defense, notes Symantec Senior Vice President and Chief Information Officer Sheila Jordan. But that doesn’t represent an effective approach any longer, she told the Symantec Government Symposium recently.

“Identify and protect is where we have historically been, and for a long time that served a great purpose. But now we need to move to…‘detect, recover, and resolve’ as fast as we possibly can,” Jordan said. “I want to detect, recover, and resolve an incident before a person even knows what happened.”

In the same way, cybersecurity is no longer just about guarding the perimeter. In fact, it’s not even clear where the perimeter is any longer.

Crumbling Walls
The rapid growth of mobile devices and the growing phenomenon of the Internet of Things are expanding exponentially both data collection and the ability to access it. More data and more access points make security more difficult.

“The four walls of an enterprise have crumbled,” said Jordan. “There are no four walls anymore. So the data is traversing… in and outside the firewalls, with the devices, back into the devices, oh, and I forgot to mention apps and cloud. So I don’t think we have a choice but to figure out how we’re going to have end-to-end security architecture and how that’s going to traverse around the data so that ultimately we’re protecting that data (from) inside and outside threats.”

Introducing Analytics
Government Acquisitions Chief Technology Officer Prem Jadhwani agreed. Jadhwani, who joined Jordan at the Symantec Government Symposium, said analytics can help organizations look at the mountains of data coming in from various sources and correlate the data.

“I see big data as a perfect solution to solve cyber problems,” he said.

But when?

“It’s happening faster than you think,” Jordan said.

That “Oops” Moment
Not every data breach is the work of a malicious insider, of course. Organizations have a harder time protecting data from well-meaning employees who unintentionally expose information or systems to risk. Well-meaning vendors can also slip and disclose data accidentally.

“Insider threats aren’t just your employees,” Michael Dent, Chief Information Security Officer, Fairfax County, Va., said. “They also are your contractors, your vendors, your volunteers, potentially, that come in and work for you. We had a vendor who took data from the county on a USB, very innocently… and he ended up exposing some county data for over two years on an unsecured file share from his company.”

In fact, 22 percent of data breaches last year resulted from employees accidentally making data public, while only 8 percent were the result of insider theft, according to Symantec’s 2015 Internet Security Threat Report.

Jordan calls unintentional data breaches “a huge learning opportunity.”

Where to Start?
The public sector has a long way to go to build mature insider threat programs, said Steve Smith, Insider Threat Program Coordinator at the U.S. Department of State.

“We’re nowhere near where we need to be,” said Smith.

Organizations that want to build an insider threat program should focus on what data they want to protect and then put the technology in place to keep it safe, said Jadhwani. That includes encrypting it and using two-factor authentication.

Institutions then need to understand which employees have access to the data that requires protection.

“Look at your privileged users,” said Jadhwani. “See what they are doing. Rather than waste time on who’s trying to come from outside, let’s look at where our crown jewels are, and let’s focus our attention there. I would say it doesn’t stop with technology. I have an acronym for that – BEST. ‘B’ is the background investigation, ‘E’ is employee behavior, ‘S’ is situational awareness, and ‘T’ is training. If you combine all the policy, tools, and technology together… it will work, and it will pay dividends.”

Learn more: Listen to the full discussion on insider threats, read the complete Internet Security Threat Report, or see a list of all session podcasts.

Digital Services DOA?

One of the three White House IT priorities called out in the 2016 budget request, Digital Services may be the first IT casualty of partisan politics. A series of agencies have reported that their 2016 budget pass backs include a big goose egg in funding for Digital Services. We’ve asked the question of OMB – seems that’s the case. The next question – what’s the future for Digital Services with no funding?

Whistling Dixie

It’s no surprise that Republicans don’t like the idea of the Federal government getting into the state and local business – providing services directly to citizens and growing the Federal budget footprint. Let’s face it, the launch of healthcare.gov was certainly diseased.

Each cabinet-level agency was directed by OMB to ask for $9 million for Digital Services. These agencies built out plans for how to implement those Digital Services. Right now, they’re wondering if that whole effort was a huge waste of time and money.

Self Service

If Digital Services faces a dollar drought, what’s the path forward? Will OMB find additional funding from another budget bucket? Should agencies focus on self-funding models – perhaps charging America a fee-for-service model? Will this drive a series of no-cost contracts? Dozens of questions out here on the digital frontier. Here’s hoping Digital Services makes it out of the neonatal intensive-care unit.

Our Cloud Learning Curve Continues — and That’s a Good Thing

Lots of people are talking about cloud computing. So listen carefully.

Even if the term is a misnomer, cloud computing is a big deal. Here’s the thing – organizations can do anything in the cloud that they can do on-premises. So why are Federal agencies still investing just a fraction of their IT budgets on cloud computing?

DevOps Trending Up
A new study by MeriTalk, “The Agile Advantage: Can DevOps Move Cloud to the Fast Lane?” helps connect the dots. Agencies want to move more quickly, and 66 percent say they need to move IT services to the cloud faster to meet mission and constituent needs. But it’s not easy. However, some Feds are beginning to see DevOps as an option.

DevOps is an approach that brings software engineering, quality assurance, and IT operations together as an integrated team to collaboratively manage the full application life cycle.

By the Numbers
Just 22 percent of Feds are very familiar with DevOps today, but 60 percent say they can see DevOps in their agency’s future.

That’s not all – 63 percent say DevOps will speed up application delivery and migration, and 68 percent see DevOps as a viable path to improve collaboration between IT development, security, and operations teams.

Speeding Up with DevOps
DevOps is about speeding up software development.

Conventional development cordons off software developers from IT operations and quality assurance. Each team does their thing serially, one after the other. DevOps speeds everything up. It’s automated and collaborative. Management consultant Accenture believes DevOps can result in a 50 percent increase in speed to market, according to its “DevOps: Services Overview.”

The Secret is Out
So here’s a question – can DevOps help agencies migrate to the cloud faster?

Maybe DevOps and cloud computing go hand in hand. Like peas and carrots, apple pie and ice cream, or B.B. King and blues (RIP, B.B.). According to the new study, Federal agencies are just starting to adopt DevOps, but the majority sees it in their future.

Read the full report about DevOps to learn more about how it can help Federal agencies.

And learn more about Federal cloud.

Is DevOps in your future?

Cloud Christmas?

Chances of snow – remote. But, this week was Cloud Christmas for agencies focused on IT transformation. Like a silicon Santa, Congressman Gerry Connolly unwrapped the Cloud Computing Caucus Advisory Group annual report, “Don’t Be a Box Hugger,” on the Hill on Monday. Based on interviews with CIOs and CFOs, Box Hugger divides agencies into a naughty/nice list of sorts. Pioneers – the early adopters who blazed the trail to the cloud. Fence sitters – who have dipped a toe into the cloud, but aren’t ready to make a mainstream transition. And, Box Huggers – the anti-cloud crowd, clinging to their own hardware, software, and rising cloud anxieties.

The report provides a sanity check on what’s really happening in Federal cloud – and regrettably, what’s not. Importantly, it offers a rationale to explain the movement or lack thereof, in the marketplace, and makes recommendations on the path forward. Three big takeaways:

  • Tell the Truth: OMB should set and enforce deadlines as well as increase transparency on the government’s actual cloud spend
  • Change the Game: Provide additional funding for FedRAMP, streamline acquisition and budgeting, provide incentives and reward success, while nurturing public-private collaboration
  • Think Bigger: Uncle Sam has already picked the low-hanging cloud fruit, so now it’s time for agencies to identify how the bigger, more challenging cloud solutions can help save money, speed development, improve services, and increase mission effectiveness

And, if you want more data and analysis, Katell Thieleman, Gartner’s Federal lead, took the podium after Gerry Connolly. Playing Santa’s helper, she shot down five myths of federal cloud, a foretaste of what you could read in her new report on cloud in Federal IT – a lot of parallel themes. That and “Box Hugger” are two must-read resources for folks serious about change – you’ll see these reports referenced all around the Beltway.

But Wait, There’s More

We’ve only unwrapped the first gift. The elves at MeriTalk have been busy – we rolled out three significant new initiatives this week to improve the cloud forecast. If you don’t have time to read the book, you can watch the movie.

Government Cloud Shopper

Developed with the government – big thanks to Greg Capella at DHS, the team at GSA cloud, and many more – GCS is a free tool that takes the mystery out of cloud acquisition. This menu-driven “build a bear” for cloud provides cloud migration cost estimates based on FedRAMP-compliant CSP prices, professional services costs, and migration set-up expenses. That’s the full cost picture, not just the cloud services cost. It then allows agencies to go to the next level – design requirements – and submit them to the cloud GWAC procurement shop of their choice – GSA, NASA SEWP, DHS, Interior, etc. Change your requirements to see the cost difference between 99 percent and 99.99 percent uptime. What’s the difference between a naughty and nice cloud? Let us show you.

FedRAMP Fast Forward

As goes FedRAMP, so goes government cloud. It’s a consistent, central theme in Box Hugger. You’ll read the report, so I won’t get into detail here. That said, unless FedRAMP accelerates, there’s significant concern that it will collapse under its own weight. This isn’t just a government problem – industry gets it too. Especially the CSPs and 3PAOs that have invested millions in the certification process. That explains the launch of the new FedRAMP Fast Forward industry working group, comprised of FedRAMP CSPs and 3PAOs. Look for bright ideas – and collaboration with government – on how to enhance the value and efficiency of the FedRAMP process and reduce the costs of achieving and maintaining certifications. Second meeting at the Cloud Computing Brainstorm on June 17th.

FedRAMP 411

Is FedRAMP at the top of your Cloud Christmas list? Then subscribe to the new FedRAMP 411 news source. All the breaking news, profiles of agency successes, and updates from the program offices. That plus status on all FedRAMP CSPs and 3PAOs. If it’s FedRAMP, it’s on FedRAMP 411.

Second Christmas?

And, as if this week’s not enough, mark your calendar for a second helping of Cloud Christmas on June 17th at the MeriTalk Cloud Computing Brainstorm. First up, FedRAMP Fast Forward breakfast meeting. Then, Tony Scott kicks us off with the morning keynote. Then NIST Cloud Cyber Security Working Group. The Cloud Computing Caucus Advisory Group is hosting an industry panel. And, of course, a star-studded program of Federal cloud practitioners sharing their agencies’ experiences in the cloud.

There’s a jingle in the air this Spring – it’s a Merry Cloud Christmas in May.

Cyber Intelligence: Adding Up the Threat Landscape

Numbers don’t lie. These numbers from Symantec’s Internet Security Threat Report are scary, but they describe what’s at stake in the never-ending fight against hackers. Last year:

  • Attackers targeted five out of six large companies, a 40 percent increase over 2013
  • 24 zero-day vulnerabilities were discovered
  • 317 million pieces of new malware were created

That’s just the tip of the cyber threat iceberg. It all adds up to a big problem.

Making Data Count
So how does law enforcement get ahead of the attackers?

Data and analysis. One of the most important pieces of information for law enforcement in a cyber investigation is the malware, Allison Tsiumis, section chief with the Federal Bureau of Investigation’s Cyber Division, said at the Symantec Government Symposium. Malware can reveal a lot of information, so law enforcement must:

  • Maintain a current inventory of known malware
  • Track which malware threat groups use to carry out attacks
  • Reverse engineer malware once it’s identified and contained to see how it works and what it can do

Law enforcement must also understand the TTPs of cyber criminals – their tactics, techniques, and procedures – including:

  • Who the hackers target
  • When they launch attacks
  • How they carry out attacks
  • What method they use
  • What data they target

Connecting all these dots can help law enforcement identify hackers and even capture the bad guys. Understanding the questions law enforcement asks in its cyber investigations can help Federal agencies better understand how they should respond following a cyber attack.

Don’t Count Out the Good Guys
Stopping attacks and identifying the criminals isn’t easy, but methodical data collection and analysis has helped.

The FBI gathered enough data to pinpoint which unit of the Chinese People’s Liberation Army (PLA) was responsible for cyber attacks that led to charges being filed against five people in May 2014. The indictment named members of Unit 61398, which was publicly identified in 2013 as the Shanghai-based cyber unit of the PLA.

“That was really key, to be able to drill that far in with our investigation techniques to get that distinct of an identification of the threat actors. Not just the threat group, the Chinese government, but drill down to their actual location,” Tsiumis said.

The Justice Department’s indictment charged the PLA members with hacking into the networks of Westinghouse Electric, the United States Steel Corporation, and other companies. Jeff Brannigan, a special agent with the Department of Homeland Security’s Immigration and Customs Enforcement, said at the Symposium that the theft of intellectual property, like the thefts carried out by the PLA, “is a pervasive crime that is only going to grow in volume and severity.”

Jason Brown, Assistant to the Special Agent in Charge in the U.S. Secret Service’s Criminal Investigative Division, said that agency’s efforts have allowed it to determine that Russians in former Soviet states represent the leading perpetrators of cyber attacks against U.S. financial institutions.

“There are a lot of other nationalities and actors that are involved in computer crime,” Brown said at the Symposium. “The Secret Service views specifically those attacking our financial infrastructure seem to be mostly emanating from Eastern Europe or are Russian-speaking individuals.”

Listen to the full discussion on cyber intelligence, read the complete Internet Security Threat Report, or see a list of all session podcasts.

Hurd on the Hill, Scott in the Silicon, Spring in the Air

Considering we’re getting down to the dog days of the administration – and CIOs are jumping overboard quicker than you can say FITARA – these are surprisingly heady times in government IT.  We’ve got a new tech-savvy leader on the Hill in Congressman Will Hurd (R-Tx).  We’ve got a new world-class Federal CIO with operational oil under his fingernails in Tony Scott.  And, Amazon’s recent earnings just proved that cloud is not only viable and sustainable – it’s profitable.

Hurd on the Hill – Getting Down to Business

So, what can we expect for the balance of 2015 – and over the horizon in 2016?  In a word, pragmatism.  That and a real focus on how to actually produce meaningful movement forward.  Don’t think Tony Scott’s going to try to leap any buildings in a single bound – but rather nurture the Fed IT workforce and look to stay the course of cloud transformation with a strong eye on cyber security.  Now, everybody’s watching for the IT hearing schedule on the Hill and listening hard to the auditors at GAO – we all want to know how and what we’ll measure.  It’s not about forcing change, it’s about common-sense IT transformation that really moves the ball forward in delivering quantitative improvements in IT efficiency.

Scott in the Spotlight – Focus on Getting IT Done

Want to hear Tony Scott’s vision for the road ahead?  You can join us at the MeriTalk Cloud Computing Brainstorm on June 17th to listen to the man in the driver’s seat talk about Cloud, Cyber Security, the workforce – all against the backdrop of FITARA implementation plans that Tony released yesterday.  What a great opportunity to tie everything together in the context of this new CIO empowerment law.  Congratulations to OMB for meeting a deadline – evidence of the dawning of a new era.

Cloud Caucus Report – Don’t Be a Box Hugger

All this, and the Cloud Computing Caucus Advisory Group meeting on May 11th on the Hill.  We’ll hear from Congressman Hurd’s partner in progress, Congressman Gerry Connolly – and who knows, perhaps Hurd too?  CCCAG will roll out its Federal CIO and CFO study – Don’t Be a Box Hugger – the first comprehensive review of the state of cloud in Federal IT.  Katell Thieleman, Gartner’s Federal fashionista, will step up to the podium to provide that critical analyst insight – and, we understand, offer tidbits from her new government cloud study.  That’s must see IT.

Catch Up Over a Cocktail

Too much to take in via the written word?  Then join us next week, Thursday, May 7th, at the State Theatre in Falls Church, to discuss what’s shakin’ and the path ahead as O’Keeffe & Company and 300Brand celebrate 18 years serving the government IT community.  Register here.  Rumor has it, we’ll see celebrity appearances from Richard Spires and other Federal IT aristocracy.

More as this exciting story unfolds.  Look forward to seeing you at the Cloud Brainstorm, on the Hill, and at the State Theatre.  Don’t they say that Spring is a time for revitalization?  It is in Federal IT.

An Honest Conversation about Cyber

Honesty is the best policy, right?

That’s why honesty has its own day – tomorrow is National Honesty Day. No lie. Funny that it comes at the end of the month that begins with April Fool’s Day. Or maybe that’s ironic…

So let’s be honest. Cyber’s all the rage. So is big data.

While some agencies are using analytics to improve cyber security, many are not, according to a new report from MeriTalk, “Go Big Security.” Or they don’t know how best to use the scads of data they collect to improve cyber security.

Numbers Don’t Lie
All agencies struggle with cyber security. They struggle with protecting data and networks. Remember this line from the White House’s annual FISMA report in February?

“Federal agencies reported nearly 70,000 information security incidents in FY 2014, up 15% from FY 2013.”

Agencies are investing in security technologies, deploying network analysis and visibility solutions, and investing in skills training for personnel. But big data isn’t among the go-to solutions.

While 86 percent of cyber security professionals in Federal, State and Local organizations believe big data analytics would significantly improve their organization’s cyber security, only 28 percent are actually leveraging big data to identify and defend against hackers.

In many cases, agencies have the data but they don’t know what to do with it. According to the report, 68 percent of government cyber professionals say their organization is overwhelmed by the volume of security data.

There’s also a strategic issue at play – 76 percent of cyber security professionals say their security team often is more reactive than proactive.

Tell Me the Truth
So what’s it all mean? Agencies remain incredibly vulnerable to cyber threats. Those threats sneak onto networks and stay there, on average, 16 days before they’re even detected, according to the report. That’s a lot of time to replicate and cause damage.

It’s time to have an honest conversation about using big data to improve cyber security.

Read the full report here, and let us know: Is your agency using big data to boost cyber security? Has it had a demonstrable impact protecting data and networks? Honestly, we really want to know.

A Party Like It’s 1933?

What’ll it be – Cup of IT, beer, or shirley temple?  MeriTalk’s sister organizations, O’Keeffe & Company and 300Brand, are celebrating 18 years in business.  Our theme, the 18th amendment, prohibition.  Join us to wind the clock back to 1933, when Congress passed the 21st amendment repealing prohibition.

We invite you to help us celebrate our 18th anniversary and the repeal of the 18th amendment at the State Theatre in Falls Church.  The party will feature live Irish music from my good friends at Brendan’s Voyage.  Everybody’s welcome.

18 years serving our community.  What better way to say thank you to our community for your confidence than throw a party where everybody’s invited?  Cheers to 18 years.

Ink!?

Thinking about inking?  Quick march to the parlor.  Last week, the Army relaxed its restrictions on tattoos.  Used to be you couldn’t have more than four tats below the knee or elbow – and no body art could be bigger than a soldier’s hand.

Thinking I’m going to get all Andy Rooney about tattoos?  Au contraire.  I say do as you will – it’s your body.

My question, where will we get the extra ink?  I’d like to make a constructive suggestion.  Maybe we should consider the exclamation point.  I don’t know if you’ve noticed it, but people can’t seem to resist spilling them into their emails, texts, greetings cards, and even shopping lists.  Remember to buy peanut butter!  My follow up question – why?  Perhaps people should consider if the phrase or observation is really worthy of an exclamation point?  You see, exclamation points are like expletives and shouting – if you use them all the time, then they lose their impact.  Where’s an exclamation mark really warranted?  The second coming of Christ!  Oh my God!  And, that Steve O’Keeffe’s a real *******!

I’d say the same for awesome.  Consider, does it really inspire awe?  If not, you might try nice – fewer letters.

If we recycled the ink that doesn’t go into exclamation points and awesomes, we’d surely have plenty in the barrel for tattoos.

Smile! You’re on Camera

A picture is worth a thousand words. At least. From now until 2020, the digital universe will nearly double every two years, with video surveillance reaching approximately 3.3 trillion hours globally by the same time, according to MeriTalk’s new Video Vortex study.

That’s a lot of words.

Behind the Lens
Surveillance cameras, mobile devices, and even drones give Feds the ability to capture more video data than ever.

An overwhelming 99 percent of Feds believe video surveillance will play a significant role in the prevention of crime, theft, and terrorism over the next five years. Bad guys aren’t like you and me – they don’t like to smile for the camera. How many good mug shots have you ever seen?

The Video Vortex examines video surveillance across Federal IT, from the challenges to the opportunities for agencies to enhance the value of their video data assets.

Time to Hit Pause?
All that data can pose problems. For instance, 54 percent of video data is never analyzed.

Feds already tap into some real-time capabilities as 57 percent use the data to track suspicious behavior, 49 percent use it to monitor traffic, and 38 percent harness it for anomaly detection. Imagine what they could do if they analyzed all the surveillance video they capture.

Focus on Solutions
What’s the answer?

If agencies want to keep up with the unprecedented influx of video information, they must constantly revamp their IT infrastructure – storage, computing power, and personnel. Right now, 91 percent of IT professionals say they need to increase storage, 89 percent believe they need to increase computing power, and 84 percent believe they need to increase personnel.

Once organizations tackle storage and personnel, they can use advanced analytics to gain more powerful insights for better outcomes.

Picture This
What if agencies worked a little harder to define roles and collaborate? A whopping 79 percent of respondents believe their agency needs to improve collaboration between physical security and IT to improve their surveillance programs.

Feds need to reach a consensus over who is in charge – 76 percent of physical security managers currently see video surveillance as a collaborative endeavor, but only 33 percent of IT managers believe it’s a shared responsibility.

Feds that work together are more prepared for the influx of data (81 percent versus 24 percent), more likely to analyze at least 50 percent of their data (63 percent versus 47 percent), and more than twice as likely to operate an edge-to-core platform architecture for surveillance (92 percent versus 44 percent).

A picture is worth a thousand words, but only if you’re ready to handle the video.

Join our free webinar on June 11 to hear about video surveillance, trends, analytics, challenges, and insight from Feds on collaboration and infrastructure. Register here.

Read the full report here. And let us know – how many surveillance cameras do you see in a typical day?

Andrew Doggett contributed to the report.

Feel like sharing something Noteworthy? Post a comment below or email me at bglanz@300brand.com.


Common Sense IT Revolution?

Atkins Diet.  Metabolism Miracle.  Fen-Phen.  The 25-Point Plan.  There’s no shortage of gorgeous slim-and-trim gimmicks.  GAO tells us that IT cholesterol is rising – Uncle Sam now spends 80 percent of its $86.4 billion IT budget on legacy IT.  Yesterday’s blubber’s choking today’s innovation.  So, what’s next?  Legacy liposuction, software Spanx, perhaps a binary bypass?  Maybe, just maybe, it’s time to get clean and sober about fixing Fed IT.  Five practical, actionable steps that will make a real difference.

1. Put the Pie Down
If you want to lose weight, the first step is to stop pushing pies into your pie hole.  The same is true for trimming Fed IT.  We need to find a way to starve out the massive legacy investments so we can transition to more economic, lower-calorie alternatives – cloud or other. It’s binary – if we change nothing, nothing will change.

2. Do What Athletes Do
The world’s most efficient IT organizations embrace the CMM software development maturity model and ITIL to align IT investments with desired business outcomes.  Ironically, these two pole-star standards for IT excellence were pioneered in government.  But for some reason, agencies aren’t required to use these frameworks to improve their IT capabilities.  Why not?

3. Change the Company You Keep

Making a change isn’t easy.  As I’ve wrestled with smoking over the years, I’ve had to stop hanging out with friends who smoke.  More important than FITARA, CIOs need hire-and-fire authority for all IT personnel – and they need to be allowed to reward super performers.  There’s a precedent: agencies can do this today for cyber security pros.  Why not spread it across IT?

4. Multi-Year Money
It’s impossible to change your diet and exercise regimen if you’re living hand to mouth. You can’t prioritize available funds to drive to positive new outcomes – that’s why a lot of street people shuffle to the Golden Arches. That’s true for Fed IT.  We look for real, meaningful change, but only provide our IT execs with one-year money.  We need to give agencies the ability to access multi-year appropriations to fund significant modernization initiatives.  The CDM revolving capital fund provides a precedent.  Why not apply it more broadly?


5. Data Diet Plan and Version Control

You are what you eat – and our government ingests and runs on data.  And, let’s be honest, our data’s all over the place.  This drives up storage cost, inflates application and professional services expenses, and balloons our cyber attack surface.  It’s time for agencies to get data centric – define data models across the enterprise and map to those models at the onset of each new engagement.  This discipline will drive huge savings.  And, as portion control’s critical to a healthy diet, version control is central to IT wellness.  Too many agencies realize false savings by running out-of-date operating systems – XP anybody?  Agencies need to stay within one or two versions of the current code.  Currency and consistency boost capabilities, as well as cut cholesterol and cyber liability.

Five not 25 steps.  Only one mention of cloud.  Not that taxing.  Who’s up for changing our IT diet?

The Greatest Show on Earth

It’s not the circus. Is that what you thought? Apologies to Cecil B. DeMille.

Cyber’s all the rage. Feds can’t get enough. It touches everything – data, networks, mobile, data centers. Feds are throwing money at security.

Is it enough? Don’t think so. But don’t take my word. Take it from someone who was on the frontlines.

The Ringleader

Robert Mueller led the FBI following 9/11 and cultivated its counterintelligence service so it could aid in combating terrorism. The former Top Cop modernized the agency from a domestic crime-fighting force to what it is today: “…an intelligence-driven and a threat-focused national security organization with both intelligence and law enforcement responsibilities.”

Mueller will be the main attraction at the upcoming Symantec Symposium, where cyber experts will discuss insider threats, mitigating risk, managing information, and information access.

Those are big topics, but Mueller’s the man in the know so it will be a great show.

Under the Big Top

No lions, tigers, or elephants at the Symposium, but there will be a full house.

Nearly 2,000 Feds have registered for the Symposium because… it’s the Greatest Show on Earth. But you knew that.

So get your ticket here.

Marquee Talent

Mueller isn’t the only attraction.

Symantec has secured lots of top-flight talent for its Symposium. Assistant U.S. Attorney General for National Security John Carlin, and Lt. Gen. James McLaughlin, Deputy Commander of the U.S. Cyber Command are two names of note on the marquee.

These two are seriously tapped in to the nation’s cyber security challenges, which is why the room will be full.

Follow Symantec’s Twitter feed here for updates on the Symposium.

You can also go here for information and here to register.

See you there. I’ll bring the popcorn.

Cyber is Serious Business

It may be April Fool’s Day, but cyber’s no joke.

John P. Carlin was confirmed as the Assistant Attorney General for National Security a year ago. He’s a serious gentleman with a serious job. At DOJ’s National Security Division, he heads law enforcement’s cyber security efforts.

Heading Off Disaster
In a speech last year at Carnegie Mellon University, Carlin drew a parallel between terrorist threats and cyber threats. Referring to the work of the 9/11 Commission, he said:

“In its report, the Commission noted that: ‘we are at September 10th levels in terms of cyber preparedness.’ They added that ‘American companies’ most-sensitive patented technologies and intellectual property, U.S. universities’ research and development, and the nation’s defense capabilities and critical infrastructure, are all under cyber attack.’

“I could not agree more.

“As the Commission concluded, ‘One lesson of the 9/11 story is that, as a nation, Americans did not awaken to the gravity of the terrorist threat until it was too late. History may be repeating itself in the cyber realm.’”

Starts with “D”
In other words, let’s not sit back and react.

In the past Carlin also has spoken about the three Ds – “detect, disrupt, and deter.” Those are ideas he likely will cover when he speaks at the Symantec Symposium. He may also discuss legal reforms necessary to support international efforts to prosecute the bad guys.


Cyber Command’s Role
Carlin will be joined at the Symposium by Air Force Lt. Gen. Kevin McLaughlin. He’s the deputy commander of the U.S. Cyber Command, which is positioning itself as the nation’s cybersecurity workhorse. The Air Force is working in tandem with a Defense Department-wide initiative to recruit 6,000 personnel from all the services to be part of 133 cyber teams by 2016, according to the Air Force Times.

That’s a big job. But the lieutenant general is a big deal.

Similar Focus
Like Carlin, Lt. Gen. McLaughlin believes in deterrence. He echoed Carlin’s thoughts in a December interview with Stars and Stripes.

“A lot of what we’re doing today is reacting to what happened, so we spend a lot of our time chasing our tails in the cyber command,” he said.

The command’s goal is to get ahead of such threats, perhaps through the analysis of big data from the network that will reveal anomalies to prevent outside incursions before they happen, Lt. Gen. McLaughlin told reporter Wyatt Olson.

Tangled Web
Suzanne Vautrinot, Major General, U.S. Air Force (ret.), will also attend the Symantec Symposium and talk about how cyber threats have evolved from a minor issue to a major problem. The title of her remarks says it all – “Cybersecurity isn’t About Your E-mail. It’s About Your Life.”

It’s not just about servers. Everything’s connected – 25 billion devices by 2020, according to Gartner – from cars to front doors, and everything inside your house.

Get the big picture on cyber from Carlin, Lt. Gen. McLaughlin, and Vautrinot at the Symantec Symposium. Should be an eye-opener… and a full house.


Was Mandiant Pushed?

Once in a while, it’s good to revisit and reconsider from a distance.  It’s just over two years since Mandiant, a then-unknown Alexandria-based cyber security company, vaulted into the media spotlight.  Remember?  Mandiant released a report detailing a slew of cyber attacks perpetrated by the Chinese military.  More than sweeping accusations, Mandiant identified specific People’s Liberation Army IP addresses and physical facility addresses in a bold tell-all counter attack on a sophisticated and persistent Chinese cyber offensive against U.S. targets.

It was a cyber shot heard around the world.  To be sure, Mandiant shocked the world when it released the report.  Many sources inside the Federal government expressed distress and disappointment – their concern, that Mandiant had tipped the U.S. intelligence community’s hand.  The rationale, better not to let our adversaries know we were tracking them.  Removing the blind signaled to the Chinese hackers that they should simply change their addresses and methodologies.

Did anybody see the movie The Imitation Game?

Here’s a question – was our government complicit in the Mandiant report?  Was this an early jab in a cyber sparring match between the U.S. and China?  In May 2014 – one year and three months after the Mandiant release – our government took the unprecedented step of identifying and bringing charges against a series of Chinese cyber attackers by name.  Perhaps the Mandiant report was a proxy offensive designed to put the Chinese on notice?

After all, how did a small firm like Mandiant lay hands on such detailed information?  How did it have the nerve to release such a controversial report – one that could have capsized the firm by invoking the ire of Uncle Sam?

Let’s say the Federal government did want to leak the report through a proxy – who better than a small firm?  Using a major contractor would have been a far more transparent proxy.  Further, working through a large organization would have been more complex, taken much longer, and amped up the risk of a leak.

It’s doubtful we’ll ever know for sure, but as Alan Turing would tell us, simple things are rarely simple in cyber space.

Do you think Mandiant was pushed?

It’s March. It’s Madness.

Fans will fill out 70 million brackets this week in an attempt to win an NCAA Men’s Basketball Tournament pool.

Who’s your pick? Kentucky? U Va? Both look strong.

Apparently the odds of picking a perfect March Madness bracket are less than one in 9.2 quintillion (that’s 9,223,372,036,854,775,808, or 2 to the 63rd power – a coin flip for each of the tournament’s 63 games), according to Science Daily, which credits DePaul University Mathematics Professor Jeff Bergen with the calculation.

Could you apply Big Data analytics to improve your odds?

Brackets and Big Data
Every statistic is a data point, and lots of fans will rely on those data points this week as they fill out their brackets. Microsoft’s Bing is offering 10 years of data to fans who want to use analytics to fill the intellectual gap.

Like this: teams that travel less than 100 miles win 77 percent of the time, while teams that travel more than 500 miles win 46.5 percent of their games.

That’s a lot higher than your odds of being audited by the Internal Revenue Service. The Internal Revenue Service audited only 0.86 percent of individual taxpayers in 2014, according to the Wall Street Journal’s Laura Sanders. That was the lowest rate in a decade, according to data released by the agency.

Keeping Score
Big Data has Big Implications for the government in many sectors. Cybersecurity and healthcare, for example. It can help agencies hunt down and stop fraud, waste, and abuse. The amount of money the government loses to those three each year is madness…

But do Feds make the most of their data?

A Better Offense
We plan to find out.

MeriTalk has gathered some top IT talent to discuss data management at the Informatica Government Summit on Thursday, April 23, at the Grand Hyatt D.C. They will discuss:

  • New opportunities in big data analytics – fueled by the Data Act, metadata, and emerging data governance models
  • The impact of data management on reducing agencies’ attack surface as well as Data Loss Prevention – and how that translates into better security and improved uptime
  • How data quality, data accessibility, and data security affect data center consolidation, cloud initiatives, mobility, and other IT initiatives

Leading the Fast Break
Joyce Hunter, Acting CIO at the Department of Agriculture, and Dave Dutton, Chief Data Officer at the Energy Department, will sit on MeriTalk’s Big Data panel. They’ll explain how they’re applying data analytics to solve big problems – sharing their insights so you can do the same.

Learn more about the Data Summit and register here. And let us know how your agency uses Big Data. Can you point to tangible results? And good luck with your brackets – I think this is your year.

Informatica Government Summit


The Great GAO?

How did a wannabe F. Scott Fitzgerald in college become a middle-aged man fascinated by government audits?  Now that’s a question I frequently ask my reflection in the mirror while shaving.  But, fascinated I am.

As if it’s not enough to ingest GAO APBs, I recently found myself fascinated by a new analysis of the last 31 years of GAO audits.  That’s 1.3 million pages and more than 40,000 recommendations.  I tip my hat to the digital detectives at Deloitte, who conducted text analytics against GAO reports dating back to 1983 – an audit of the auditors.  This is an astute piece of work – and if Deloitte’s goal was to grab GAO’s attention, then the green light is on.

Top Five in Focus:

The report considers seven questions.  I’ll drill down on five:

1. Are GAO Recommendations Effective in Driving Change?

Yes.  Agencies completed 81 percent of GAO’s recommendations between 1983 and 2008.  Unfortunately, it can take a while – as much as four years in some cases.  The report suggests prioritizing recommendations and setting associated deadlines.

2. Where do Agencies Fail?

Feds have issues where data’s part of the problem – doesn’t bode well for the Data Act or new CDO spots.  We run into problems when inter-agency or inter-discipline coordination is required – troubling in a collaboration economy.  Healthcare and transportation recommendations are common stumbling blocks – what ails healthcare.gov?  Ironically, agencies frequently hit the wall when reports call out high-ranking officials or Congress – seems leadership’s more comfortable pointing the finger than getting the finger.

3. Where do Agencies Succeed?

Seems agencies do well implementing IT recommendations – IT has two in the top four most likely to succeed spots.  Agencies have successfully implemented 94 percent of GAO IT security recommendations – and 87 percent of overall IT improvement asks.

4. Does Nagging Help?

No, no, no, no, no.  Repeated GAO reports on hard problems don’t improve outcomes.  Seems the toughest problems really require Congressional intervention.

5. Has GAO Changed Its Focus Over Time?

Not much.  GAO consistently focused on the same topics in the ’80s and ’90s.  The exception, IT has replaced Natural Resources and Environment oversight since the turn of the century.  Watch this space.

Nick Carraway, Gatsby, and the CIO

Let’s try to bring it together for the dismount.  While the areas of focus haven’t changed much, GAO has amped up its volume in the top five areas of oversight – from 5,112 recommendations in the ’80s to 10,682 in the ’00s.  That growth tracks with the increase in partisan rancor in Congress, and suggests that perhaps Congress is using GAO as a soft-power tool to spur change it can’t legislate.  The big takeaway for CIOs, weighed down with their new FITARA armor – look for the volume and frequency of GAO IT recommendations to get more intense.  That’s even before IT’s recent debut on GAO’s 30-item High-Risk Watch List.

Okay, but here are the difficult questions from Nick Carraway – if GAO’s recommendations are super effective, and Deloitte says that they are, why is Fed IT still in such a mess?  Have we succeeded our way on to the High-Risk Watch List?  Without commitments to change and effective leadership from OMB – improving IT outcomes is as futile as pursuing Daisy Buchanan.  Let’s hope it ends better for Mr. CIO than for Mr. Gatsby.  We beat on boats against the current…

Five Takeaways from the New FISMA Report

Continuous monitoring is surging along, but agencies are really bad at authentication.

Cyber attacks were up 15 percent last year.

Agencies spent $12.7 billion on cybersecurity in Fiscal 2014. The annual Federal Information Security Management Act compliance report paints a dismal picture of Federal IT security.

Let’s break it down.

Authentication efforts are lagging. “Numerous agencies have made no progress meeting the Strong Authentication CAP [cross agency priority] goal. SBA, NRC, HUD, Labor, and State were all at 0% Strong Authentication implementation at the end of FY 2014.”

Fifteen agencies “have yet to reach even 50% implementation on the Strong Authentication initiative.”

Fiscal 2014 goal was to have Strong Authentication implementation at 75 percent. That’s a big deal because most cyber threats can be neutralized using Strong Authentication, the report says: “US-CERT incident reports indicate that in FY 2013, 65% of Federal civilian cybersecurity incidents were related to or could have been prevented by Strong Authentication implementation. This figure decreased 13% in FY 2014 to 52% of cyber incidents reported to US-CERT.”

What’s Your Password?
Weak authentication systems plague many agencies, and not surprisingly, those with weak systems suffer more attacks.

“Agencies which have the weakest authentication profile allow the majority of unprivileged users to log on with user ID and password alone, which makes unauthorized network access more likely as passwords are much easier to steal through either malicious software or social engineering. The following 16 agencies fall into this category: State, Labor, HUD, OPM, NRC, SBA, NSF, USAID, USDA, Energy, DOT, Interior, VA, Justice, Treasury, and NASA.”

Sixteen? Yikes.
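The report measures the Strong Authentication CAP goal as the share of users who are *required* to log on with a PIV card, not the share who happened to use one. An account that still succeeds with a password even once is not counted as strong. The script below, an added example that is not part of the report or this column, computes that split from a constructed set of logon records; the record format, the list of methods treated as strong, and the sample users are all assumptions for illustration, not any product's schema or a real agency's logs.

```python
"""
Added example: estimate an agency's Strong Authentication posture the way
the CAP goal counts it. A user is "enforced" only if every successful
logon used a strong method; one password logon disqualifies the account.

The record layout, STRONG_METHODS, and SAMPLE_LOGONS are constructed for
this example (assumptions), not a real log format or dataset.
"""
from collections import defaultdict

# Assumption: these logon methods count as "strong" for the metric.
STRONG_METHODS = {"piv", "cac", "pki"}

# Constructed sample records: (user, privileged?, method of a successful logon)
SAMPLE_LOGONS = [
    ("alice", False, "piv"),
    ("alice", False, "piv"),
    ("bob",   False, "password"),
    ("bob",   False, "piv"),       # used PIV once, but password still works
    ("carol", False, "password"),
    ("dave",  True,  "piv"),
    ("erin",  True,  "password"),  # privileged account on password alone
    ("frank", False, "piv"),
]


def classify_users(logons):
    """Return {user: (privileged, enforced)}.

    enforced is True only when every recorded successful logon for the
    user used a method in STRONG_METHODS.
    """
    methods = defaultdict(set)
    privileged_flag = {}
    for user, privileged, method in logons:
        methods[user].add(method.lower())
        privileged_flag[user] = privileged
    return {u: (privileged_flag[u], methods[u] <= STRONG_METHODS)
            for u in methods}


def _pct(enforced, total):
    return round(100.0 * enforced / total, 1) if total else 0.0


def strong_auth_summary(logons):
    """Percent of privileged and unprivileged users with strong auth
    enforced, plus the accounts that still accept a password."""
    users = classify_users(logons)
    counts = {True: [0, 0], False: [0, 0]}   # privileged -> [enforced, total]
    not_enforced = []
    for user, (privileged, enforced) in sorted(users.items()):
        counts[privileged][1] += 1
        if enforced:
            counts[privileged][0] += 1
        else:
            not_enforced.append(user)
    return {
        "privileged_pct": _pct(*counts[True]),
        "unprivileged_pct": _pct(*counts[False]),
        "not_enforced_accounts": not_enforced,
    }


if __name__ == "__main__":
    print(strong_auth_summary(SAMPLE_LOGONS))
```

Run against the constructed sample, both populations come out at 50 percent enforced, and bob shows up in the not-enforced list despite having used a PIV card, which is the point: the metric is about what the account permits, not what the user did last time.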

Ticked Off? Nope.
But agencies are doing much better implementing Trusted Internet Connections, or TIC. Today, the report says, 92 percent of agencies have TIC 2.0 capabilities. Well that’s one bright spot.

Feds Like CDM
CDM looks like a strong point, too. “Based on the IGs’ reviews, continuous monitoring programs were in place at 19 departments. Seven IGs reported that their department had all components of a continuous monitoring program in place.”

At the end of Fiscal 2014, 1.7 million licenses for security monitoring tools and products had been purchased by and distributed to agencies.

It’s a good thing: Cyber attacks increased 15 percent last year, and they show no sign of slowing down.


Feds Respond
Feds aren’t standing still.

First, President Obama announced the new Cyber Threat Intelligence Integration Center. CTIIC, or “see-tick,” will reside in the Office of the Director of National Intelligence, gathering and coordinating data from cyber programs in the intelligence world and sharing it with civilian agencies, including the Department of Homeland Security and the FBI.

The idea is to ensure that intelligence agencies don’t hoard their information and that more of it gets to DHS’s National Cybersecurity and Communications Integration Center (NCCIC), reports The Hill’s Cory Bennett. The center will also ensure agencies are exchanging cyber data with one another. Intel officials aren’t the only ones being asked to take on leading roles. The administration also issued a new executive order promoting information sharing on cyber security in the private sector.

DISA’s New Role
The Defense Information Systems Agency (DISA) is taking over day-to-day operations of the U.S. Cyber Command from the National Security Agency (NSA).

The change allows CyberCom to focus on strategic operations and coordination between combatant commands. NSA Director and Commander of the Cyber Command Adm. Mike Rogers told Newsweek CyberCom is behind in terms of building its cyber defenses and creating a framework for when and how to go on the offensive, reports Lauren Walker. “We’re not mature, and we’re clearly not where we need to be,” Rogers said. “I just think, between a combination of technology, legality and policy, we can get to a better place than we are now.”

Reading between the lines: Is this more fallout from Snowden and Wikileaks or just an interesting subplot? Do we have to wait for the sequel?

CIA in on the Act
CIA Director John Brennan is getting his agency into the action, too. The CIA will dramatically expand its cyber-espionage capabilities as part of a restructuring plan, reports the Washington Post’s Greg Miller.

Although smaller than the NSA, the CIA has substantial cyber capabilities. Miller writes: The agency’s “Information Operations Center, which handles assignments such as extracting information from stolen laptops and planting surveillance devices, is now second only to the Counterterrorism Center in size.” He continues: “The CIA also oversees the Open Source Center, an intelligence unit created in 2005 to scour publicly available data, including Twitter feeds, Facebook postings and Web forums where al-Qaeda and other terrorist groups post material.”

Cyber Symposium
The cybersecurity plot thickens at the Symantec Symposium April 15, where cyber experts will be laser-focused on insider threats, mitigating risk, managing information, and information access.

Starring experts from DOD, DHS, NSA, FBI, NCIS, DISA, FCC, CERT, and the State Department, the symposium will deliver unique perspectives and expertise from a range of stars and rising stars.  And don’t miss former FBI Director Robert Mueller’s keynote.

Let us know what agencies can do better to improve cybersecurity and what law enforcement can do to protect consumers from the next Target-like breach.


Hillary’s Cyber Gaffe: Why Bother Spending on Security?

Revelations that Hillary Clinton exclusively used a personal email account to conduct government business as Secretary of State should scare the hell out of CIOs.

The government spends $14 billion a year on cybersecurity, but no amount of spending or regulations will make a difference if top leaders flout the rules and set up a parallel shadow IT system on unprotected public networks.

This is what should be keeping CIOs and other IT leaders up at night. Nearly 54 percent worry about security for cloud installations, but at least with FedRAMP-authorized services they know a baseline of security controls has been independently assessed. That should be the least of their worries if employees are going around the system entirely.

“What’s the biggest threat to corporate security?” asked Gregory Millman in a Wall Street Journal piece in 2013. “In many companies, it could be the CEO.”

In government, it could be cabinet secretaries, congressmen, agency chiefs, directors, generals, admirals … the list goes on. All have needs to access vast quantities of critical data and staffs eager to make things easier for them. If rules are made to be broken, leaders are the likeliest to break them.

Going Rogue
Of course, once the staff sees the boss going rogue, it’s not long before they’ll do the same. ‘Do as I say, not as I do’ only goes so far.

John Banghart, director of Federal Cybersecurity with the Cybersecurity Directorate of the White House National Security Council, told a MeriTalk gathering of Federal cyber pros last summer: “We [have] often failed… to do a good job with what you might call the cyber hygiene element, configuration management, vulnerability management, asset management.”

Shadow IT networks are among the worst vulnerabilities, because they exist outside the view of IT managers. You can’t catch that with CDM, no matter how much you spend, if everyone in the agency is in on the deception, as may have been the case with Hillary Clinton.

A 2013 MeriTalk study found half of all Federal cyber officials believed their agencies’ security policies were violated once a week. The Secretary of State and her staff must have been violating them dozens of times a day.

IT companies are investing millions to help ensure Cloud solutions meet maximum security standards, and they should. But all the money they’re investing in FedRAMP is for naught when leaders or rank-and-file employees decide to do their own thing.

“Despite increases in cybersecurity technology investment, a failure to address human factors and engage employees as part of an integrated security strategy leaves today’s businesses and governments critically vulnerable to cyberattack,” Christian Anschuetz wrote last week in a Wall Street Journal blog.

FISMA Be Damned
The White House put out its annual report on Federal Information Security Management Act compliance last week. It noted Federal agencies reported nearly 70,000 information security incidents in fiscal 2014, up 15 percent from FY 2013.

They didn’t know about Clinton. Her staff said they reviewed “tens of thousands” of pages of emails and delivered some 55,000 pages of emails to the State Department. Each email amounts to a potential violation.

Don’t think it stops there. Right now hundreds, if not thousands, of government executives and political appointees are wondering what to do about their gmail, Yahoo, Apple and Outlook accounts. Hillary was not unique.

Snowden Moment?
Clinton’s decision to shun State’s internal email may ultimately offer a silver lining: By bringing the issue to light, it is bound to raise awareness about the cybersecurity risks involved – much like Edward Snowden raised awareness about insider threats. And with Clinton likely to make a presidential run, it’s likely to bring the whole issue into the public debate.

Thank you, Madam Secretary.

What do you think? Did Mrs. Clinton make a major error and put data at risk? Or is this just Beltway bluster?


DISA Cloud Pricing – milCloud Laps RACE?

True to their word, Terry Halvorsen and Major General Alan Lynn released milCloud pricing on Friday.  Here’s the chance for industry to see the competitor’s price card.  Some observations.

Let’s start with the definition – milCloud is designed as a more cost effective, modern, and multi-tenant computing model provided by DISA.  It allows a military activity or “partner” to build virtual machines within the protective DoD envelope.
Bottom Line Up Front
DISA pricing seems pretty fair for the services being offered, although the pricing structure, particularly storage, seems more expensive when compared against commercial cloud providers.  Compared to RACE, milCloud is an exceptional value.

Big Benefits
Cost savings come from leveraging security provided by DISA.  The milCloud model affords the benefits of DISA’s Top Level Architecture in support of NIPR and SIPR connections.  Customers will gravitate to “milCloud Plus,” the DoD equivalent of professional services to design, build, and implement a cloud solution.  This includes database and administrative support.  A simple pricing structure for 1G NIPR and SIPR connections sets up predictable network costs, in contrast to commercial CSPs, whose outbound data charges represent a significant X factor.

Questions
Why no volume discounts?  That tips the scales in big deals towards commercial CSPs.  How about more definition around published rates?  In order to understand the milCloud services, you need smarts on the December 2014 revision of the DISA Enterprise Information Services Terms and Conditions.  Why so restrictive on OS options?  Today, limited to MS Windows, Red Hat Linux, and Solaris.  Is DoD uncomfortable with open source?  How about some indication of migration costs in the milCloud pricing model?

Congratulations to DoD for enhancing cloud transparency — and for amping up the competitiveness of its cloud solutions.  You have to ask why DISA continues to offer RACE.  Or should we say that milCloud is the logical successor to RACE?

Wanna Get the Skinny Directly from DISA and DoD? 

Join us on March 25th at the Newseum for the MeriTalk Data Center Brainstorm to hear from Jack Wilmer, Infrastructure Lead at DISA.  If you’re a govie, register for an executive breakfast program with David DeVries, Principal Deputy CIO at DoD.

Hope to see you at the Data Center Brainstorm on March 25th at the Newseum.  Register now, seating is limited.

Show Me The Money

The 2016 budget’s out – read six pages in the Analytic Perspective to get smart on what’s important in Fed IT.  If you won’t do the homework, this cup’s a must-read.  We did the reading so you don’t have to.  In addition to the typical yada, yada on promoting innovation, encouraging small business, and chest thumping on questionable savings, there’s some critical data in the budget.

Spending’s Up:

Top line, more tech spending – up 2.7 percent to $86.4 billion.  That said, there’s a slowing in growth.  From 2001 to 2009, we had 7.1 percent annual growth, which cooled to 1.7 percent.  The administration claims partial credit for slowing growth – citing efficiencies achieved through better management.  See key charts for budget breakdown and trajectory.

Figures:

Three additional hard figures to use in your presentations:

- $14 billion for cyber security
- $105 million to incubate Digital Services at 25 agencies
- $16 million for GSA to administer the open data initiative

Three Priorities:

Seems the President’s given up on the 25 point plan – hooray!  We’re down to three things.  Driving value in IT investments, delivering world-class digital services, and protecting Federal assets.  We’re seeing the Feds get into the state space – delivering more services directly to America.

PortfolioStat Portal:

The White House’s doubling down on PortfolioStat – and getting clean and sober on open government.  Despite a series of misfires on the IT Dashboard and transparency, the administration commits to making the results of agency PortfolioStats and IT savings performance available on the IT Dashboard.  Let’s hope that OMB lives up to this commitment.

Success Stories and Stats:

Bottomline – the White House says we’ve saved $2.7 billion since 2012 through better IT management.  Agile trumps waterfall – the Administration claims a 40 percent improvement in ability to deliver IT projects on time and on budget.  Apparently cloud is happening.  The budget tells us that 8.5 percent of the 2015 spend went to cloud “and other provisioned services” – that certainly doesn’t jibe with GAO numbers.  No disrespect to NSF, which has embraced the cloud – but its success is hardly a serious reference point for a major shift to the cloud across government.  Big shout-out for data center closures – Feds had shuttered 1,136 by August 2014.  That said, it’s difficult to believe anybody’s really dead unless we can see the corpse.

Not to be a skeptic, but we’d all like to see more details behind these assertions – please post that math on the IT Dashboard.  How about some energy metering data – as well as hard expense costs by civilian agencies for data center operations.  After all, Halvorsen committed to posting DISA milCloud pricing – will Scott do the same in civvies?  It’s time to address the credibility gap.

Sense of Security?

CDM appears more than any other acronym in the 2016 IT budget.  That speaks volumes.  The $14 billion allocation for cyber security and the flagging of CDM will raise some eyebrows.  The 17 CDM prime contractors are starting to ask questions about the program’s direction moving forward.  DHS, any thoughts on how to accelerate the pace of the program rollout?

So, that’s the new Fed IT budget flyby.  Here’s the full text.  Here’s the ADHD version.  Spending up.  Simplified – three priorities.  Show me the money – promise of new transparency.

Three Short Pours

With the snow, don’t want you getting frostbite reading this pour on your mobile.  Three short pours.  Caution, the beverage you are about to enjoy is extremely hot.

Pause:  Cloud Chicken?

Think again.  Some new wrinkles in the cloud stuff.  DoD CIO Terry Halvorsen and DISA’s Major General Alan Lynn called it like it is at the Cloud Computing Caucus Advisory Group meeting on the Hill last week.  Cowboy up – DoD cloud requirements will continue to change.  For industry, that means ongoing certifications – read greater cost to play.  Halvorsen and Lynn also talked about the emerging requirement for what happens when things go missing in the commercial cloud.  The Pentagon’s going to want to root around inside industry’s data centers.

The big questions – and, here’s the cloud chicken.  What if industry decides it doesn’t want to play?  Or more accurately, what premium will DoD have to pay to convince commercial cloud providers to play?  What if that price is more expensive than the legacy systems?  Lastly, Halvorsen wants cloud, but can he afford it – especially if he’s bidding against the world’s biggest customer, consumerization?

Paws:  Big-Bang Bust Up

Watch out for the claws.  GAO doesn’t like the Big-Bang theory – it put IT on the 30 Oversight High-Risk List.  Here come the hearings.  Great time for Tony Scott to take the wheel.  Here’s Scott’s opportunity to use oversight as leverage to make real changes.

Pours:  It’s Nice to Share

More tea vicar?  Senator Carper may be a Target shopper – that’s why he’s introduced the new Cyber Threat Sharing Act of 2015.  Building on the President’s Executive Order – Carper’s proposed bill tells us to share and share alike.  Lays out a good framework for industry and government cyber collaboration.  Puts National Cybersecurity and Communications Integration Center – NCCIC – center stage.  Swings at corporate liability barriers, pushes for faster sharing, and stresses the need for government to share too.  The devil lives in the details – curious to see plans to operationalize.  We’ll need carrots and sticks to move this stuff forward.

Pause.  Paws.  Pours.  What’s cool and what’s getting you hot and bothered in Fed IT?

Feds and Cloud: 50 Shades of Grey

Fifty Shades of Grey hit movie theaters last weekend, just in time for Valentine’s Day.

Christian Grey and Anastasia Steele have quite an… unconventional romance.

Romantic tension of a different sort is heating up between Feds and cloud computing vendors.

MeriTalk’s new study, “Cloud Without the Commitment,” digs into that relationship. Seems Feds are getting to know the cloud, but they have some trust issues.

How You Doin’?
Cloud is like the stunning woman at the end of the bar. Feds are the geeks at the other end, trying not to stare. Cloud is the answer to all their dreams – cost savings, improved services, cutting-edge technology. But there are risks to all those rewards.

Feds have to break the ice. Fifty-one percent take the first step by looking at their required IT needs and 55 percent start by assessing data vulnerabilities.

“Talk to her!” Before you miss out on the love of your life.


First Date?
Email, Web hosting, and storage are the common pieces Feds have moved to the cloud. In fact, 75 percent of agencies want to get to know the cloud better but are concerned about losing control of their data.

We know agencies are intrigued by cloud, but they are afraid to make it official.

No Strings Attached?
That’s because agencies are afraid the cloud will turn into the old ball and chain – 53 percent say fear of long-term contracts holds them back from getting more involved with cloud.

It’s more than contracts and losing control of data. The portability of data once it’s in the cloud, moving data out of legacy systems, and data security keep agencies from embracing the cloud. Get it?

Open Relationship?
If there’s one thing Feds like about cloud, it’s open source. Feds who are using – or plan to use – open source software report a more positive cloud experience than those who do not.

Just Friends
So Feds like cloud computing, but they aren’t ready for a long-term relationship. How will this story end? Will Feds fall head over heels for cloud? Will the relationship last? Read the full report here. Don’t worry – it’s G-rated.