This page is not built out yet. If you are seeing this page, please contact an administrator.

TIC 3.0 Will Remove a Significant Cloud Barrier

By: Stephen Kovac, Vice President of Global Government and Compliance at Zscaler

The Office of Management and Budget in coordination with the Department of Homeland Security recently proposed an update to the Trusted Internet Connections (TIC) policy: TIC 3.0. Still in draft form, TIC 3.0, proposes increased cloud security flexibility for federal agencies, and the opportunity to use modern security capabilities to meet the spirit and intent of the original TIC policy.

During MeriTalk’s Cloud Computing Brainstorm Conference, I had the opportunity to present a session with Sean Connelly, Senior Cybersecurity Architect, CISA, DHS – or as I like to call him “Mr. TIC.” We discussed how the revised TIC 3.0 policy will remove cloud barriers and accelerate Federal cloud transformation. Connelly, who has been with DHS for the last 6 years, helped lead the TIC initiative, including recent updates to TIC 3.0.

Challenges for TIC in today’s environment

Connelly first explained that the policy originated in 2007 as a way for OMB to determine how many external connections were being used by Federal networks. The number of connections was “eye-opening” – and, OMB found the security surrounding these connections wasn’t consistent, even within the same agency. The original policy required external connections to run through the TIC with a standard set of firewalls to give agencies baseline security. But today, as the number of mobile devices and cloud adoption expands, the perimeter is dissolving. This evolving landscape makes it difficult for agencies to determine what connections are internal or external to their network.

Where do we go from here?

When I asked Connelly how TIC 3.0 will modernize internet security, he echoed Federal CIO Suzette Kent by saying “flexibility and choice”. Instead of having two choices – internal or external – TIC 3.0 allows three different choices: low, medium, and high trust zones. He said, “it changes the game entirely.” Agencies now have a responsibility to determine the appropriate trust zone for their networks.

Connelly added, “If you look at today’s environment, you’ve gone from fixed assets and desktops – and now you have mobile assets, mobile devices, and pretty soon the platform is not even going to matter… so we have to make sure the policy and reference architecture can support all three models going forward.”

Catalog of use cases

One important aspect of the draft TIC 3.0 policy is the addition of use cases that encourage moving TIC functions away from perimeter-based, single-tenant appliances to a multi-tenant, cloud service model. As agencies develop TIC 3.0 solutions, it is vital they share them across government, providing other IT leaders the opportunity to compare their security requirements, review the viable and tested options, and avoid reinventing the wheel.

Connelly shared that the use cases will come out on a consistent basis and will result in a “catalog approach to use cases.” Agencies can propose pilot programs through the Federal CISO Council; then DHS and OMB will work with the agencies on their pilots. The pilot programs will provide agencies with the use case examples and lessons learned.

When can we expect the final policy?

The final TIC 3.0 policy will be issued later this year. Connelly confirmed the final policy will look “very similar” to the draft policy.

Increased cloud adoption across the federal space will lay the foundation for emerging technology, shared services, and the ability to meet the expectations of a federal workforce that wants simple, seamless access to applications and data.

TIC 3.0 is an important step forward to expand cloud security options and remove a significant cloud barrier. With these flexible new guidelines, we should see accelerated cloud adoption in government. I’m excited to see the innovation ahead.

Is Your AI Program Stalled? Consider “as-a-Service”

Two months ago, the President signed an executive order to accelerate the research and development of artificial intelligence tools in government. It laid out six strategic goals for federal agencies:

Promote “sustained investment” in AI R&D with industry, academic and international partners.
Improve access to “high-quality and fully traceable federal data.”
Reduce the barriers to greater AI adoption.
Ensure cybersecurity standards to “minimize vulnerability to attacks from malicious actors.”
Train “the next generation” of American AI researchers.
Develop a national action plan to “protect the advantage” of the United States in AI.

While the order does not provide for additional funding, Agency heads were directed to set aside funding in their 2020 budget. Without additional funds, these AI programs will compete for budget allocation with operational and maintenance requirements, data center modernization and other infrastructure requirements. One option to mitigate the financial pressure while forwarding an AI strategy is to look to an as-a-Service model. By 2023, the AI as-a-Service market is expected to grow at a Compound Annual Growth Rate (CAGR) of 48.2% going from $1.5 Billion in 2018 to $10.8 Billion in 2023. (Markets and Markets Press Release)

AI as-a-Service can mean many different things. On one hand, cloud-based APIs are playing a role in helping organizations speed up their AI programs to analyze data and add different application features based upon their requirements. On the other end of the spectrum, AIaaS can mean AI ready infrastructure delivered in a consumption-based model, where hardware and software are consumed through a OpEx funding model. It could be a fully managed service, or the agency could choose to manage it themselves. They may also opt for professional services with data scientists and analysts available on a contract basis, or they can leverage internal expertise and resources. The balance of how an agency uses as-a-service is unique to their requirements, but it should be a consideration as they develop a strategy to ensure a successful AI implementation.

Information Age identifies 7 Steps to a successful AI implementation which include:

Clearly define a use case.
Verify the availability of data.
Carry out basic data exploration.
Define a model-building methodology.
Define a model-validation methodology.
Automation and production rollout.
Continue to update the model.

While we typically associate AI with technology, for a successful deployment, it is equal parts planning, process and infrastructure. As agencies move forward with their AI plans, they should consider what phases of this process can be as-a-service to reduce their burden for budget, expertise, resources and technology. This not only can alleviate financial pressure, but accelerate the speed to value and provide an agile acquisition model to pivot when necessary. When coupled with a marketplace that enables fast acquisition of technology and an easy resource to manage the as-a-service environment from end-to-end, agencies will be well positioned to deliver against AI mandates, while maintaining their existing IT infrastructure.

To learn more about how -aaS options can jumpstart agency AI progress, download the “AI and the Infrastructure Gap” Infographic.

Scott Aukema is Director of Solutions Marketing at ViON Corporation with 15 years of experience supporting public sector commercial, and enterprise segments.

The Next Computing Wave: Ultra Powerful, Ultra Accelerated, Ultra Connected

Never, in human history, have we seen this much technological change in such a short period of time. As technology grows more powerful, every facet of society has raced to adapt. It is exciting (and perhaps a bit daunting) that approaching advancements will probably hit faster, and may be even more dramatic, than changes that came before. More specifically, several emerging technologies – Bluetooth 5, 5G, WiFi 6, and quantum computing – are poised to profoundly change our lives. They are all wireless technologies, so our wearable and carryable devices will generate and process more data much faster and help us navigate our paths more effectively than before.

While it’s still early in deployment, 5G will deliver unprecedented wireless access speeds. Case in point: It will take less than four seconds on a 5G network to download a two-hour movie, while it takes five or six minutes on a 4G network today. With that much speed and power at our fingertips, it’s difficult to fully anticipate how we will use it, but its impact will be striking, and it will undoubtedly play a critical role in emerging businesses and applications, like self-driving cars, augmented reality, or the Internet of Things (IoT).

Another breakthrough technology in the wireless arena is WiFi 6 (or 802.11ax). It’s coming soon, and it’s built for IoT. It will connect many, many more people to mobile devices, household appliances, or public utilities, such as the power grid and traffic lights. The transfer rates with WiFi 6 are expected to improve anywhere from four times to 10 times current speeds, with a lower power draw, i.e. while using less electricity. The benefits may not be explosive as 5G, but its impact will be consequential.

In the hardware space, quantum computers could revolutionize everything from encryption to medicine. It’s hard to remember a time in recent history when quantum computing wasn’t considered a distant dream. After decades of research, though, we may finally see actual benefits of quantum computing. It won’t happen tomorrow – in fact, it could still be a few years off – but when it hits, it will fundamentally change how we use technology, possibly spawning new industries we couldn’t even conceive of in the 20th century. And… we’re actually testing it now, several years before we thought we could use of it.

One key thing to note about this new technological terrain – it wouldn’t be possible without the cloud. The network revolution mentioned above is (simply put) built to handle the supernova explosion of Internet of Things (IoT) devices. These devices (aka sensors) are going to create and store massive amounts of data into the cloud – all the time. The flexibility of the cloud allows service providers and developers at home and in enterprises to modify applications in near-real time. In fact, almost all AI-based applications or machine learning programs will be built in the cloud, including the wireless apps used in retail, manufacturing, transportation, and more. Two key accelerator techniques are serverless computing and edge computing. We will cover these topics in depth in a future communication.

At NASA JPL, we expect the new wave of computing technologies to have a materially positive effect on our work. Here are but a few examples: Use of GPUs have sped processing up to 30 times faster. We use machine learning to create soil moisture data models, which is key for crop forecasts. Deep learning helps us detect spacecraft anomalies. AI has proven effective in use cases as diverse as from defending the network from attacks to finding interesting rocks on Mars. IoT helps us measure particles in clean rooms, improve safety, reduce energy usage, control conference rooms, and much more. The cloud reduces the cost – but increases the speed – of experimentation, encourages innovation, and provides the flexibility that allows us to pivot when we fail. We are accelerating the speed of processing by “using high performance computing and specialized ultra-efficient processors such as GPUs, TPUs, FPGAs, quantum computers, and more, all in the cloud. This increased pace of innovation is necessary as the future is barreling at us at interstellar speed, but as we have our work firmly planted in the cloud, we are eagerly looking forward to it.

Tom Soderstrom is the IT Chief Technology and Innovation Officer at the Jet Propulsion Laboratory (JPL). He leads a collaborative, practical, and hands-on approach with JPL and industry to investigate and rapidly infuse emerging IT technology trends that are relevant to JPL, NASA, and enterprises.

Why Cyber Security and Cloud Computing Personnel Should Be BFFs

Keeping up with hackers is no small task, particularly since some attacks can be sustained in near-perpetuity. No doubt, securing cyberspace is a daunting responsibility. But focusing on security and using emerging technologies can help us meet the challenges. In particular, when the cyber security personnel of cloud providers and cloud customers work closely together, they become a force-multiplier, proactively defending the enterprise from attacks, and reacting more quickly when breaches occur.

Thanks to advancements in artificial intelligence (AI) and supercomputing, federal networks could soon be entirely self-fortifying and self-healing. The goal is to use AI-driven algorithms to autonomously detect hackers, defend the network from cyber-attacks, and automatically respond at lightning speed to an assault. Until that day, though, we rely on a handful of tools to defend our networks from phishing, vishing, or Distributed Denial of Service (DDoS) attacks.

The burden of securing a network and the devices no longer falls exclusively on systems administrators or security professionals but requires the active participation of every single network user. Continuous user training, especially role-based training, in which individuals receive customized security courses based on their specific tasks, is a good supplementary defense. A senior or C-level executive, for example, may need to be trained to identify suspicious emails that contain fund transfer requests; IT professionals may receive more technical training about different types of attacks and possible responses.

Role-based training isn’t enough in itself, though. We’re exploring how to incorporate emerging technologies into our overall cyber security strategy. Default encryption, in which data is encrypted by default during transit and at rest, is now possible (if not commonplace) in the cloud. We are now calling on all industry innovators to advance the industry so that memory can be encrypted and protected as well. In fact, by partnering our own cyber security teams with those of the cloud providers, we can significantly advance our cyber security defense. So, how do we combat all the scary bot attacks we hear about? Well, why not use the intelligence and data gathered from the Internet of Things (IoT) sensors and the power of AI and the cloud to predict, act, and protect our assets? Why not, indeed.

Blockchain, an incorruptible distributed-verification ledger, could be useful to ensure that the data has not been tampered with. While we’re taking a wait-and-see approach to blockchain, the potential is rich and the technology is developing at a tremendous pace. Several new database announcements from the cloud vendors may help provide many of these benefits and are worth investigating.

There are countless budding technologies that may become integral to our cyber security infrastructure in the future – everything from biometrics to quantum computing. The latter could have huge implications on both encryption and decryption. But every tool we use today requires that we have the agility and ability to move resources and experiment at a moment’s notice. Securing the network isn’t just a matter of protecting corporate secrets – in the case of federal organizations, it’s a matter of defending national interests. The cloud provides the computing power and scalability to secure our most valuable assets. We now have to step up to the plate to build in cyber security into everything we do – because when the easiest path for the end user is also the most secure, we’re on the right one.

Cheaper, Faster, Smarter: Welcome to the Age of Software Defined Everything

The benefits of Software Defined Everything (SDE) – in which a physical infrastructure is virtualized and delivered as services on demand – will change the way we design, build, and test new applications. In a virtual environment, operational costs drop precipitously as the pace of innovation accelerates. Containerization – a way to virtually run separate applications without dedicating specific machines for each application – allows organizations to build, fail, test, repair, improve, and deploy new apps at a breakneck pace. Application Programming Interfaces (APIs) allow us to build and reuse other peoples software packages quickly and inexpensively.

What’s the growth path for programmers in the US? I’ve seen many numbers and predictions, and I think most are too conservative. Why? Because the nature of “programming” is expanding. JPL, NASA, Facebook, Uber, etc., all employ traditional software engineers. And we will still need even more. But what about all those who program Alexa or Google Home, or program their 3D printers, or their home automation systems, or compose music on their computers? They are using software to define their environment and that’s the essense of SDE, where everything becomes programmable or configurable.

If programming will become democratized, what will be the most popular languages? Today, Python seems to be growing the fastest. Tomorrow, I think it’ll be APIs that will prove the most valuable because they can access pre-written software libraries and change their own environment in minutes. This assumes that people can get to the underlying data and combine it with other data. The cloud will come to the rescue as most data will already be stored there. The companies that are able to take advantage of this agilty – and use data from inside and outside their organizations – will quickly establish a competitive advantage.

If an environment can be accessed through software, it can be automated through artificial intelligence (AI). The combination of: data available in the cloud; accessible APIs; Internet of Things; automation skills; AI skills; open source code available; and distributed serverless computing to inexpensively execute the automation will speed progress towards a self-configuring and self-healing environment for the companies that will become the leaders.

SDE, for example, is one of the most technologically revolutionary things we’re adopting as it promises to dramatically decrease the cost and increase the agility of dealing with our networks. The cloud enables these changes, in part, because capacity and bandwidth can be sliced on the fly. It’s a departure from what we see today, where network engineers set up a physical infrastructure that can be narrowly used by specific people for specific purposes.

SDE touches upon every aspect of an organization’s technology strategy, ranging from security to storage. It will allow systems administrators to view and manage an entire network over a single screen. Increasingly, it also allows networks to run themselves, particularly in cases where there is simply not enough manpower for the job. Netflix, for example, found, in at least one region, it was making a production change every 1.1 or 1.2 seconds. The solution? The company built a self-healing network that automatically monitors production environments and makes real-time operational decisions based on problems that are identified through AI.

The move toward SDE also means that proprietary technology – such as application programming interfaces (APIs) – will become differentiating factors for businesses. In fact, it will become so important, we may see programming taught in schools, along with reading, writing, and arithmetic. Those coding skills could be used to customize anything, from home appliances to self-driving cars.

It’s reasonable to assume that in the not-too-distant future, federal agencies will run software-defined networks that are auto-scaling, self-fortifying, and self-healing. As precious resources are freed up, government organizations can better solve real-life problems, closer to agencies’ missions, and further away from the labor-intensive effort of maintaining a physical infrastructure. And, of course, it doesn’t hurt that it will save the government millions of dollars in the process.

How Can We Benefit from Changing Work Habits?

It’s hard to know for certain what the U.S. economy will look like in 10 years’ time, much less what the work day will look like. One thing we do know: As younger generations enter the workforce, they will bring new habits, technology, conventions, and expectations that will likely transform business and government.

With the rise of the “gig economy,” (that is, the rise of independent contractors who work on a task-by-task basis) younger generations already expect a certain amount of freedom and autonomy in their careers. And that’s probably a reasonable expectation, given that they walk around with supercomputers in their pockets, just a click or voice command away from talking with anyone – or controlling equipment – at any time.

Just as millennials eschew traditionally wired conventions, such as cable TV and fixed phone lines, but embrace the sharing economy, such as ridesharing, and open work spaces, the next generation of workers may not value the same things that people want today. They may not be motivated by a base salary, corner office, or a lofty title.

Businesses may also want to provide customized work experiences for their employees in the not-too distant future. Instead of an email notification for an upcoming meeting, an intelligent digital assistant may remind an employee of the meeting and automatically book transportation to the meeting based on the individual’s schedule, traffic conditions, and so on. While this already exists, the scope will be greatly expanded.

Gamification strategies could play a key part in helping businesses better understand what drives its employees. When we talk about gamification, we’re not talking about turning everyday tasks into cartoonish video games, but rather figuring out how to keep employees engaged. This includes setting up structures that allow them to compete against themselves or others (individually or in teams) in the completion of certain tasks or training exercises. They will likely use open spaces and Internet of Things (IoT) with wearables, augmented reality, and in-the-room sensors to collect data. The outcomes or effectiveness will be measured and communicated in real time using analytics employing massive amounts of data from both inside and outside the organization, all stored in the cloud. JPL has already tested this with scientists and operators navigating the Mars rovers, and it has proved to be very effective.

At JPL, we’re trying to meet the changing needs of the business by benefitting from these trends. For example, to quickly and inexpensively help solve a problem of finding parking at JPL, we held a month-long hackathon where teams of interns created prototype mobile phone solutions. There were two winning teams and their ideas were incorporated into a mobile solution now used every day by JPLers. As you approach JPL, your mobile phone will speak and tell you where there is parking available. You can also look at historical data to know what time to leave home or when to go to lunch so you can find parking when you arrive. The data is also used to predict parking during public events.

Other examples include interacting with intelligent digital assistants for many things, including finding conference rooms, hearing what’s happing on Mars, or when the International Space Station will be overhead.

As we approach what will likely be a rich and exciting decade, the most important thing organizations can do right now is lay the groundwork for change in two areas.

Technologically speaking, that means embracing cloud computing, IoT, and the wireless network improvement waves that are rapidly approaching. In particular, serverless computing is cost-effective and it allows organizations to innovate and to experiment with things like artificial intelligence or augmented reality. Edge computing allows business to employ these capabilities at huge scale and speed, which will further solidify the real time gamification and wireless communication future that our next generation will expect.

Humanologically speaking (yes, I know that’s not a word, but perhaps it should be), we can set up innovation labs and experiment in our own environments to quickly decide what to abandon and where to double down. From our experience so far, you will find willing participants in the new workforce and experiments in a safe, protected environment will serve as training opportunities and quickly evolve to produce lasting positive outcomes. And, in case you wonder, yes, it’s fun.

How NASA Is Using Ubiquitous Computing to Bring Mars to Earth

When the term “ubiquitous computing” was first coined in the late 1980s, it was envisioned as a sea of electronic devices “connected by wires, radio waves, and infrared,” that are so widely used, nobody notices their presence. By that definition, the era of ubiquitous computing arrived some time ago. Everything from movie theater projectors to plumbing systems have gone digital, paving the way to meaningful, data-driven change in our daily lives.

A lot of people remain skeptical of the Internet of Things (IoT). They may not realize that they already depend upon it. While IoT often conjures images of futuristic devices – senselessly superpowered refrigerators or embarrassingly smart toilets – there are good reasons why Americans are buying thousands of programmable appliances every month. Smart devices provide an improved service to consumers, and the data we can collect from them are invaluable, with the potential to revolutionize everything from traffic management to agriculture.

It also means that the idea of a computer – as some sort of electronic box typically used at a desk – is woefully outdated. In fact, the new super computer is the one we have in our pockets, the SmartPhone, which is rapidly becoming our ever-present intelligent digital assistant. Ubiquitous computing is changing the way we interact with everyday objects. We don’t flip on light switches, we instruct a digital assistant to turn our lights on for us; or, in some cases, we just push a button on our phones to turn a light on. If a smoke alarm goes off, we don’t need to get out the ladder and manually turn it off – we can see the source of the smoke on our phones and turn the alarm off with a mere swipe.

The Curiosity rover, the most technologically advanced rover ever built, has 17 cameras and a robotic arm with a suite of specialized lab tools and instruments. It required the work of 7,000 people, nationwide, to design and construct it over the course of five years.

At JPL and NASA, one of countless ways ubiquitous computing has woven its way into our work is through augmented reality (AR). Today, if anyone wants an up-close look at Curiosity, they need only use their phones or a pair of smart goggles. JPL built an augmented reality app that allows you to bring Curiosity anywhere – into your own home, conference room, or even backyard. The app lets you walk around the rover and examine it from any angle, as if it were actually there. In addition, scientists can don AR glasses and meet on the surface of Mars to discuss rocks or features – all from their own homes or conference rooms scattered across Earth.

AR may feel like magic to the end user, but it’s not. It’s the culmination of decades of technological advancements. It requires an assortment of sensors (light and motion), cameras, as well as substantial data processing power – power that only became affordable and available via mobile devices in recent years. In fact, we are now seeing the initial swells of a major ubiquitous computing wave hitting our shores within the next few years. The entire wireless networking industry is being revolutionized to meet the needs of exponentially more devices communicating to each other and to us all the time. That’s when we all become IoT magicians in our daily lives and when that second brain (the SmartPhone) fires on all neurons. (More about that in a future blog.)

Now we can use AR for more than just finding Pokemon in the wild – we use it to review and build spacecraft. We can get a detailed look at a vehicle’s hardware without actually taking it apart, or we can see if a hand might fit in a tight space to manually turn a screw. Among the many advantages of augmented reality: It’s cost-efficient for multiple people to work together over a virtual network and it could easily be used for hands-free safety training, testing, or maintenance.

While AR is dependent on a slew of technologies, perhaps the most critical piece is the cloud. A lot of AR applications would be cost prohibitive without the supercomputing power available over the cloud. Based on our experience at JPL, we estimate that serverless computing can be up to 100 times less expensive than N-tier server-based computing. Not surprisingly, we’re now starting to use serverless computing as often as we can. What it really means is that we don’t have to worry about how a problem is solved, we just have to worry about what problems we’re solving. And that’s a powerful position to be in.

The Rise of Intelligent Digital Assistants

Before we can have a rational discussion about artificial intelligence (AI), we should probably cut through the hysteria surrounding it. Contrary to popular opinion, we’re not talking about machines that are going to rise up, steal our jobs, and render humans obsolete.

We already rely on AI in countless daily tasks. The AI embedded in your email, for example, identifies and blocks spam; it reminds you to include an attachment if you’ve forgotten it; it learns which sorts of emails are most important to you and it pesters you to respond to an email that’s been neglected in your inbox for a few days. Chatbots, robot vacuums, movie recommendation engines, and self-driving cars already have AI built into them. Right now, its impact may be subtle. But, in the future, AI could save lives by, for example, detecting cancer much earlier so treatments can be that much more effective.

Why is AI exploding right now? A unique mix of conditions makes this the right time to surf the AI technology wave. They include the availability of supercomputing power, venture capital, oceans of data, open source software, and programming skills. In this sort of environment, you can train any number of algorithms, prep them and deploy them on smart computers in a very short time. The implications for most major industries – everything from medicine to transportation – are tremendous.

At NASA JPL, we’ve integrated AI into our mission in a variety of ways. We use it to help find interesting features on Mars, predicting maintenance of our antennas, and finding expected problems with the spacecraft. We’ve also come to depend upon intelligent digital assistants in our day-to-day operations. After a brainstorming session about how to experiment with applied intelligent assistance, we decided to throw AI on a mundane – but time-consuming – daily challenge: Finding an available conference room. Later that night, we built a chatbot.

Chatbots are fast, easy to build, and they deliver value almost immediately. We build ours to be easy to access with natural user interfaces. We then add the deeper (and more complex) AI on the back end, so the chatbots get smarter and smarter over time. You can text to them, or type to them, or speak to them through Amazon Alexa or Lex, and we collect user feedback to constantly improve them. Every “thumbs up” or “thumbs down” helps improve the next iteration. We can mine the thumbs down to see which areas need the most work. We now have upwards of 10 emerging chatbots used for functions like acquisitions, AV controls, and even human resources. By thinking of this as a “system of intelligence,” we can extend the life of – and get more value from – the legacy systems by teaching them how to respond to deeper questions. While applied artificial intelligence can conquer any number of menial tasks, it’s bound to have a significant effect on some of our bigger challenges, such as in space exploration, creating new materials to be 3D printed, medicine, manufacturing, security, and education.

AI has especially rich potential in the federal government, where one small operational improvement can have an exponential effect. If you work in a large agency and you’re unsure of how to approach AI, you can start playing in the cloud with any number of cloud-based applications (such as TensorFlow and SageMaker). Chatbots are a natural starting point – they deliver value right away, and the longer you use them, the smarter and more effective they become. In the cloud, experimentation is inexpensive and somewhat effortless. The goal, after all, is to have AI work for you, not the other way around.

The Next Tech Tsunami Is Here: How to Ride the Wave

Our lives are very different today than they were even 15 years ago. We walk around with computers in our pockets and do things like share our locations with loved ones via satellite technology. Still, the changes we’ve experienced so far are nothing compared to the tech tidal wave that’s approaching.

A convergence of computing advancements ranging from supercomputers to machine learning will transform our daily lives. The way we learn, communicate, work, play, and govern in the future will be very different.

The question most IT decision makers are asking themselves right now is what they should do to prepare for the technology waves that are barreling at them. The short answer: Jump in. The only way to stay in the game is to play in the game. A certain amount of failure is inevitable, which is why it’s critical to experiment now and adapt quickly. Given the rate at which technology is evolving, anyone who takes a wait-and-see approach in hopes of finding a perfect, neatly wrapped, risk-free solution will be left out entirely. Or, alternatively, they will be left with a hefty bill for the dubious pleasure of playing catch-up.

The good news: Anyone with a cloud strategy is part-way there. The future of technology is the cloud. Every significant emerging advancement is predicated on it. Without it, the tech revolution would cost too much or take too long. The only practical and affordable way to store, collect, and analyze the massive volumes of data we’ll be bombarded with–data that’s generated by everything from smart watches to self-driving cars–will be through a cloud-based computing system. The tools we will use to make sense of our modern lives will be deployed in the cloud, because it’s the simplest, fastest, and most affordable way to use them.

In this series, we’re going to highlight the six technology waves that we expect will make the biggest impacts in the coming years. They are: Accelerated Computing, Applied Artificial Intelligence, Cybersecurity, Software-Defined Everything, Ubiquitous Computing, and New Habits. Tech waves are plentiful, but not every wave is meant to be surfed by every organization. This series aims to help you distinguish which ones are right for you.

A Golden Age of Government Innovation, Courtesy of The Cloud

Federal agencies are not often known as cradles of innovation, but the adoption of the cloud has helped usher in a new era of government–one that improves transparency, cost efficiency and public engagement.

Technology changes constantly, but many bureaucracies do not. In some cases, government organizations that have adopted the cloud still mainly use it as a glorified filing cabinet. Others, however, are finding new and innovative uses for the virtual infrastructure that have made meaningful changes in people’s lives.

Case in point: In the Virginia Beach metropolitan area, the average elevation hovers around 12 feet above sea level. The region, home to the world’s largest naval base, Naval Station Norfolk, is expected to see sea levels rise another foot by 2050, according to one report, and the estimated cost of flooding has already surpassed $4 billion. Given that the sea level has risen an astonishing 14 inches since 1950, it follows that flooding is a consistent problem.

These days, it doesn’t take much rain to cause nuisance flooding. While researchers and engineers are exploring long-term solutions, the City of Virginia Beach helped roll out StormSense, a cloud-based platform that uses a network of sensors to help forecast floods up to 36 hours in advance of major weather events.

It was not a minor undertaking. The public initiative, dubbed “Catch the King”, was meant to encourage “citizen scientists” to use their GPS-enabled devices to help map the King Tide’s maximum inundation extents. The data allows researchers to create more accurate forecast models for future floods; determine new emergency routes; reduce property damage and identify future flooding mitigation projects.

Volunteers–all 500 of them–were directed to different flooding zones along the coast during the King Tide on Nov. 5, 2017. (A “King Tide” is a particularly high tide that tends to occur twice a year, based on the gravitational pull between the sun and moon.) As the King Tide came in, volunteers walked along designated points in 12 Virginia cities, saving data in a mobile phone app every few steps. Ultimately, there were more than 53,000 time-stamped GPS flooding extent measurements taken and 1,126 geotagged photographs of the King Tide flooding.

Not only was the initiative a scientific success, it was incredibly cost effective. Without the help of the hundreds of volunteers, it might have been cost prohibitive to tackle.

“It’s really, really amazing to see all these people out there mapping all over the region,” Skip Stiles, executive director of Wetlands Watch, a Norfolk, Virginia-based told The Virginian-Pilot. “It would take numerous tide gauges costing thousands of dollars each to gather the data collected for free by so many volunteers.”

The initiative, which was backed by seven cities, a county, and a handful of academic partners, began when Virginia Beach’s Public Works department decided to fund a USGS installation of 10 new water-level sensors and weather stations to measure water level, air pressure, wind speed and rainfall. Later, as part of the StormSense initiative, an additional 24 water-level sensors were installed, bringing the total to 40, up from the original 6 sensors that were in place in 2016.

The benefits of the data collection have not been entirely realized yet, but the region is already better prepared for future floods because StormSense operates on a cloud platform, which allows emergency responders to access flooding data from any mobile device. The City of Virginia Beach has also been working to develop an Amazon Alexa-based Application Programming Interface (API) so residents can ask an Amazon Alexa-enabled device for timely and accurate flooding forecasts or emergency routes.

Not long ago, the notion that the government could use the internet to communicate directly with citizens, in real-time, with pertinent, useful or critical information, might have seemed like a pipe dream. These days, thanks to innovative new initiatives, it’s a reality.

Derailing Old-School Asset Maintenance

Eighteen years into the 21^st century, and one of the most important systems contributing to our economy and quality of life is stuck in the past. Transportation infrastructure, which delivers us from point A to point B and back, has yet to catch up with the digital revolution.

It does not have to be that way. The advent of the Internet of Things (IoT) and cloud computing makes the time right to digitize crucial maintenance functions. A technology-based solution is safer and will save time and resources.

A Time article on how technology can better help maintain America’s infrastructure calls out the Washington, D.C. subway maintenance catastrophe as an illustration of the need for change. The technology exists to revolutionize transportation maintenance, and that means creating a high level of integration among data management, analysis, and deployment environments. It is not a leap to say this technology can help build a crash-free system that is always in service.

Eliminating Paper

Previously, transit agencies relied solely on paper-based tracking procedures, using forms and spreadsheets to monitor and manage critical assets. That is not sustainable, especially for Federally funded agencies that typically store seven years’ worth of data. Paper-based systems are also inefficient and costly. Trying to find a specific document quickly in the case of a safety inspection or funding review can be nearly impossible. This manual process is susceptible to inaccuracies and risk. Without a system in place to unify how data is recorded and analyzed, each inspector can have his or her own way of describing things. The resulting information is open to interpretation, enabling systematic irregularities and human error.

Saying Goodbye to Siloes

There has been exciting innovation in using wireless sensors attached to crucial parts of assets–including engines, brakes, and batteries. Those sensors then feed performance information directly into a centralized system. Thresholds and parameters are preset, while APIs collect and process the data into workable and actionable information.

Aside from eliminating error-prone and time-consuming manual processes, deploying this system in the cloud streamlines and integrates information across the organization. This real-time data helps not only to predict, but to pinpoint maintenance needs. That means avoiding removing perfectly working assets from the system.

With intelligent, real-time data, maintenance issues are only addressed when there is an actual issue or if a threshold has been crossed–reducing mechanic time and parts purchases. Lastly, this optimizes traveler communication. By monitoring the state of vehicles and to schedule maintenance, riders can remain informed about transport schedules and locations.

That is what it comes down to: Living in a connected society, where immediacy and information access is constant. Technology is here to bring our aging infrastructure systems into the digital world, and our antiquated maintenance system is a smart place to start.

Kevin Price, Technical Product Evangelist and Product Strategist, Infor EAM

DevOps in Government: Balancing Velocity and Security

The Federal government isn’t known for its progressive approach to IT infrastructure, and agencies aren’t usually early tech adopters. Yet, agencies are increasingly deploying cutting-edge DevOps methodologies to achieve agility and reduce operating costs.

The Department of Homeland Security, General Services Administration, Environmental Protection Agency and Veterans Affairs are among those breaking the mold. They’re modernizing IT infrastructures, and taking strong steps forward in the digital transformation journey.

But that doesn’t come without risk. Several government agencies and organizations–including the National Security Agency (NSA), Pentagon, Republican National Committee and others–have experienced firsthand what can go wrong when environments aren’t properly secured.

The NSA, for example, rocked headlines late last year when it made top secret data publicly accessible to the world on an Amazon Web Services (AWS) bucket. A simple misconfiguration credited to human error was to blame.

The truth of the matter is DevOps tools often have interfaces designed for human users, and misconfigurations are all too easy and common. Some of the most notable breaches can be traced back to misconfigurations of the perimeter, making it all the more important that security controls are implemented across identities and environments.

Introducing Risk Through An Expanded Attack Surface

As agencies adopt new cloud and DevOps environments, they expand their attack surfaces, creating heightened levels of risk. To mitigate risk against internal and external threats, agencies need to continuously monitor privileged account sessions across every aspect of their network–including DevOps.

The DevOps pipeline comprises a broad set of development, integration, testing and deployment tools, people and resources, so it only makes sense that the attack surface grows alongside IT network expansion. This expanded attack surface is primarily propagated by the increase in privileged account credentials and secrets that are created and shared across interconnected access points. Agencies need to secure these non-human identities just like they would a human identity. Robotic actors can be compromised, and they need access controls just like their human counterparts.

That’s not always such an easy feat, however. The sheer scale and diversity of the DevOps ecosystem can make security challenging for three main reasons:

Each development and test tool, configuration management platform and service orchestration solution has its own privileged credentials, which are usually separately maintained and administered using different systems, creating islands of security.
Secrets (passwords, SSH keys, API keys, etc.) used to authenticate exchanges and encrypt transactions are scattered across machines and applications, making them nearly impossible to track and manage.
Developers often hard code secrets into executables, leaving the Federal government vulnerable to attacks and exposure of confidential data from attackers with stolen secrets.

Although security can be a major pain point when it comes to DevOps implementation, not all is lost. Government agencies have the potential to achieve both velocity and security. The answer lies in secrets management and collaboration.

Lifting the Curtain on Secrets Management

Secrets are integral to the DevOps workflow, but their proliferation across IT environments can have unintended, potentially catastrophic consequences if exploited by attackers.

A secrets management solution can help prevent that from happening. By implementing a tool that can seamlessly connect with DevOps tools and other enterprise security solutions, Federal agencies can get a better view of unmanaged, unprotected secrets across their networks, while still meeting important compliance regulations.

With a prioritization on secrets management, Federal agencies can secure and manage secrets used across human and non-human identities and still achieve superior DevOps agility and velocity.

Eliminating Friction and Prioritizing Collaboration

Agencies and organizations alike often fail to make security easy for DevOps practitioners. Not only does that cause friction, it creates opportunity for failure.

Developers aren’t–nor should they be expected to be–security practitioners. They’re responsible for features and functionality–not figuring out how to manage credential collaboration and security for those key assets.

With that being said, it’s essential that DevOps and security teams be tightly integrated from the outset. This collaborative approach will help build a scalable security platform that is constantly improved as new iterations of tools are developed, tested and released.

Implementing and securing DevOps processes can seem daunting, but it’s no reason to adhere to business as usual and avoid change. When it comes to DevOps, the benefits far outweigh the risk if risk is managed properly.

That’s why it’s so important that agencies prioritize secrets management and collaboration to protect every aspect of their network. Only then will they be able to achieve security and velocity.

Elizabeth Lawler is vice president of DevOps security at CyberArk. She co-founded and served as CEO of Conjur, a DevOps security company acquired by CyberArk in May 2017. Elizabeth has more than 20 years of experience working in highly regulated and sensitive data environments. Prior to founding Conjur, she was chief data officer of Generation Health and held a leadership position in research at the Department of Veterans Affairs.

It’s Not About the Machines – How IoT, AI, and Massive Automation Maximize Human Potential

There are currently more than 8 billion connected devices on the planet, and by 2031 the number of devices will grow to more than 200 billion.* While the federal government is in the early stages of adopting the Internet of Things (IoT) and Artificial Intelligence (AI), it is increasingly evident these technologies will create new opportunities to maximize human potential and modernize federal missions.

Agencies are already making demonstrable progress with emerging technology. Consider how and where IoT is in use. Federal buildings are equipped to maximize energy efficiency and employee productivity using a variety of sensors and monitors. Fleet telematics monitor the location and performance of vehicles in the field and automatically schedule service as needed. Smart devices automate agricultural data collection and track how public transportation systems handle peak travel times. And, the Department of Defense uses IoT technologies to track military supply levels, battlefield conditions, and even soldiers’ vital signs, activities, and sleep quality.

When IoT is paired with automation and AI, the potential is even more transformative – a government that can fully leverage the vast amount of data at its fingertips, in real time. Dell’s research partners at the Institute for the Future (IFTF) recently noted that we’re entering the next era of human machine partnership. AI, IoT, and automation will empower the workforce by efficiently choosing the most important information and enabling teams to quickly make better decisions that reduce costs and improve service to the citizen.

AI will also open new doors for humans, as we will need IT professionals proficient in AI training and parameter-setting, and many new roles that we have not yet imagined.

Ray O’Farrell, Dell’s new IoT division general manager says, “Harnessing the full potential of IoT requires adding intelligence to every stage. Smarter data gathering at the edge, smarter compute at the core, and deeper learning at the cloud. All this intelligence will drive a new level of innovation.”

Federal agencies need this innovation as they work to overcome the limits of legacy technology and meet changing citizen and employee expectations around responsive services, access to information, and many other areas. Over the next several years, the human-machine interface will evolve to the point where technology becomes a seamless extension of its users, rather than merely a functional tool. The real potential for IoT and AI is not to replace human beings, but to free human beings to do the strategic thinking and planning that has taken a back seat to managing the nuts and bolts of technology and federal missions.

By: Cameron Chehreh, Chief Operating Officer, Chief Technology Officer & VP, Dell EMC Federal

*Michael Dell, Dell World 2017

The Case for Innovation: Let’s Broaden Other Transaction Authority

The recent Pentagon announcement of a $950 million (ceiling) production contract to nontraditional defense contractor REAN Cloud has sent reverberations through the acquisition community. This Production Other Transaction (OT) agreement follows a similar, although smaller production award by the Defense Innovation Unit Experimental (DiUX) to the cybersecurity firm Tanium (Full disclosure, Tanium is a client of mine).

These Production Other Transaction Authority (OTA) agreements (they are not technically “contracts”) have created quite a buzz in the acquisition community. The awards flowed out of the prototype development work of REAN Cloud and Tanium with the DiUX office in Silicon Valley. Both agreements reflected successful proof-of-concept work that the companies had undertaken with the Department of Defense (DoD) under specific prototyping procurement authorities that have been largely under the radar for many years but were recently expanded in the annual defense policy bill, the NDAA.

Other Transaction agreements are an interesting procurement approach, not so much for what they, as what they are not. The key attribute of Other Transaction Authority is that they are not a Federal Acquisition Regulation (FAR)-based procurement.

Legally, an OTA based agreement is not a contract, grant, or cooperative agreement, as those terms are usually understood, and there is no statutory or regulatory definition of “other transaction.” OTA agreements fall outside of the cumbersome and lengthy procurement processes associated with the Federal Acquisition Regulation.

Folks who claim this is “new thing” are mistaken. OT agreements have been around for a while, having been originated at NASA as so-called “Space Act” agreements. They are limited in terms of who can use them–only those agencies that have been provided OTA may engage in other transactions. Their core purpose is to accelerate access to, and adoption by, certain select agencies within government (currently mostly DoD and NASA, although the Department of Homeland Security has had OTA on an intermittent basis for some time). This authority grants access to innovative technologies from companies that otherwise would have no interest in dealing with the red tape and compliance burden created by a standard procurement relationship.

Because they are “outside” the FAR, OT agreements do not require such cumbersome oversight and audit requirements such as those imposed by the Truth in Negotiations Act, cost and pricing data or an expensive Cost Accounting System (CAS) qualified financial system. CAS compliant financial systems can cost company millions of dollars to implement and maintain–and are therefore a significant, if not potentially fatal, barrier to government market entry for startups and small, innovative companies. These requirements tend to reinforce the “legacy advantage” of large traditional contractors, who can afford to hire and staff these requirements with large staffs of accountants and lawyers.

OT agreements are also not protestable, at least at the Government Accountability Office (GAO). The lack of the ability to protest an award to GAO is an undoubtable factor that plays into the appeal of OTAs to agency procurement officials.

Freed from adhering to the FAR, OTA agreements also allow an agency to tailor the engagement terms to the needs and circumstances of specific requirements. For example, if DoD wants to spur the development of new jetpacks, an OT agreement would allow a customized set of deal terms and intellectual property allocations that the FAR might otherwise prohibit. And those FAR terms that are irrelevant or even obstacles to developing jetpacks need not apply.

But perhaps most importantly, my Silicon Valley clients inform me that unlike the FAR, OTA agreements do not require them to surrender control of their intellectual property rights that is common practice under standard FAR-based procurements.

All these attributes make OTA agreements an ideal “toe in the water” for government market engagement for cloud and startup companies from Silicon Valley (or elsewhere). It’s simply a fact that many innovative start-ups will not remotely consider contracting with the government given the compliance risk, oversight burdens and loss of control over key assets, especially their intellectual property.

Traditional government contractors often complain that OT agreements are an “end run” around the FAR. And it is true that OT agreements have been abused in the past–to the point where the Government Accountability Office has expressed concerns regarding their use.

I am not one who believes that the FAR should be lightly disregarded. Recent work by such luminaries as the Section 809 Panel hold great promise for streamlining FAR-based procurements, with, for example, a reinforcement of the use and value of commercial item procurements and recommendations to open the internet for certain types of commodity purchasing by the government. We will wait with enthusiasm how these reforms will play out.

But until these halcyon days of a streamlined FAR arrive, it is simply a fact that the FAR creates a voluminous tangle of mandates and requirements that require entire staffs of experts to navigate. Regardless of where you stand on the value and necessity of the FAR, there is no question that it hinders access and implementation to innovation and technologies from those small companies that are the source of much of the creativity and innovation for which America is famous.

For OT agreements, it is their flexibility that is the key. The best way to prevent abuse of OTs is through skilled oversight and management by DiUX and the government customer. Use of iterative, agile procurement approaches that curtail a program that goes off the rails–before millions are wasted–might be one way to address this concern.

Perhaps OT agreements should be restricted to short-term deliverables of minimally viable product in structured milestone segments? In that event, OT program abuse could be quickly curtailed before money is wasted.

OT production agreements may require a new, different form of program oversight and management. Let’s talk about that. But in the final analysis, we believe that OTA agreements should be acknowledged and recognized–not as an “end run” around normal procurement methods–but as an important supplement to regular acquisition procedures.

If new oversight standards are developed, we would go so far as to recommend expanding OT production authorities to the rest of government, and specifically the 24 CFO Act agencies. Sure, there is potential for abuse. But it is not as if the FAR has eliminated waste and fraud in government contracting.

Richard Beutel is the founder of Cyrrus Analytics. Rich is a nationally recognized expert in IT acquisition management and cloud policy with 25 years of private sector experience and more than a decade on Capitol Hill working on procurement issues.

MGT: A Launchpad for Tech’s Tomorrow

The Modernizing Government Technology Act (MGT) is moving forward. Signed into law in December as part of the National Defense Authorization Act, the White House just published guidelines for agencies who want to access MGT’s $500 million central revolving capital fund. Agencies will submit proposals to a board of experts who will evaluate the proposals based on public impact, feasibility, outcomes, and security.

The law represents the correct prioritization for the federal government, where 75 percent of the $80 billion spent on IT goes toward maintaining outdated systems. With more than $7 billion in technical debt that needs to be eliminated through executing on modernization projects, this $500 million fund only represents a starting point in enabling the work that needs to be done.

The bill’s co-sponsors – Rep. Gerry Connolly (D-Va.) and Rep. Will Hurd (R-Texas) – are to be commended for their vision and tenacity in pushing the bill over the finish line. MGT puts a foundation in place for agencies to enact real change and transform their IT systems.

The ability to reprogram money saved through IT efforts will have a massive impact on agencies that have traditionally shied away from making bold moves that would help streamline tech and save money. Prior to MGT, money saved was money lost.

Agencies are now rewarded, rather than penalized, for taking steps to modernize their systems. Subsequently, they can move quickly to effectively improve their cyber security postures, accelerate service delivery, and save taxpayers’ money.

Agencies can start to establish a strong framework for digital transformation and begin to achieve some of the goals set forth in the Cybersecurity Executive Order, the White House’s IT Modernization Report, and the Data Center Optimization Initiative. In short, agencies need funding and budget planning authority to truly transform their IT systems, and MGT supports this much-needed progress.

As they set off on that journey, federal CIOs need two things: a comprehensive inventory of their IT assets, and strong collaboration between mission functions and the IT teams. IT modernization will not happen overnight. Agencies will still need to maintain legacy systems for some time, as they modernize data centers. Technologies like virtualization, flash, and software-defined storage will play important roles throughout this transition while helping agencies meet key mandates.

To accelerate modernization, agencies will continue to move more and more systems to the cloud as data volumes simultaneously skyrocket in the age of artificial intelligence and the Internet of Things. While there are very real efficiency, cost savings, and speed benefits with the shift to cloud, the evolution can be complicated. Flexible, software-based solutions help streamline and support tomorrow’s technology innovation while enabling agencies to continue to meet today’s mission objectives. MGT is the catalyst for much of this change – empowering agencies to make decisions that will best support their transformation. Now the real work begins.

By: Steve Harris, Senior Vice President and General Manager, Dell EMC Federal

Cybersecurity: The Next Geopolitical Battleground

We tend to think of international cyber attacks as a new phenomenon: threats only created by recent mass digitalization. But, in reality, they have been around since the Cold War. Back in 1982, the CIA accessed the control system for a Soviet gas pipeline and triggered a massive explosion. At the time, such events were known as ‘logic bombs’.

The difference today is that awareness of cyber attacks has grown, and so has their scale and frequency. For example, last year it was revealed that Russian hackers had infiltrated U.S. voter databases and software across 39 states during the presidential race; placing the entire electoral system in jeopardy. In 2016, Federal agencies reported no fewer than 30,899 information security breaches, 16 of which were considered “major incidents.”

Clearly, the cyber world has now become the next geopolitical battleground.

This brings us to one vital question: with Federal, business, and media interests dependent on robust digital security, how should the government be fighting the hackers?

Intra-Governmental Cooperation

Compared to modern hacking operations, the cyber exploits of the 1980s were small-time. In the current digital landscape, security organizations must contend with extensive attacks launched by national players such as the Russian Internet Research Agency or, potentially, the Korean Lazarus Group–which means disjointed cyber defenses are no longer enough.

The government has already recognized and made several changes to resolve this issue. In 2005, the office of Director of National Intelligence was established to consolidate information gathered by different agencies and bolster defenses after the events of September 11, 2001. In 2016, it increased cybersecurity spend by $5 billion and created the first Federal Privacy Council to improve communication between privacy officials and data usage guidelines. The Department of Homeland Security (DHS) has also continuously been working to safeguard government departments and share intelligence with states and global partners.

While these efforts enhance U.S. defensive abilities, greater internal unity is still needed. Inconsistent security processes continue to leave systems vulnerable: see the infamous 2015 Office of Personnel Management breach, caused by stalled authorization activity. A report on 552 local, state, and Federal organizations found erratic software updates, patching, and IP address protection leave multiple systems at risk.

To combat increasingly well-resourced hacker cells, departments must deploy a centralized approach to applying protective measures and distributing information. In other words, the government must build a cohesive security structure that has the muscle required to take on attackers.

Leveraging Enterprise Expertise

As data have become integral to everyday business functions–from delivering utilities such as electricity and gas, to running social media networks–the importance of protecting it has increased. Consequently, many companies in the private sector have built up a vast pool of knowledge about cyber safety: insight that could be a valuable asset for the government.

By strengthening relationships with influential enterprises, Federal departments can harness lessons they have learned about identifying, isolating, and removing threats to inform their security strategy, and avoid similar issues. Moreover, they can also replicate the techniques developed by private companies to reduce and highlight cyber crime.

For example, amid the spate of fake content in 2017, Facebook built a tool that allowed users to check whether they had unwittingly liked Russian propaganda. With perpetrators posing as American users, employing names such as ‘Being Patriotic’ and ‘Heart of Texas’, distinguishing between real or bogus posts was a tough task. Analyzing activity against known fraudulent accounts, Facebook was able to identify those linked to Russia’s Internet Research Agency and help audiences steer clear. The tool, which was shared with congress, has been heralded as a “serious response” to requests for increased transparency and provides a strong example of assets the government can gain from the private sector.

Bringing Order to State-Level Chaos

The complexity of U.S. security and privacy regulation is not news to workers in the Federal IT sector: most already know that the existing legislative framework is a convoluted web of state-specific rules. But the effect this has on national safety is unacknowledged. With every state following its own policies and benchmarks, security levels across America are hugely varied as is the government’s ability to protect against attacks.

For example, in Virginia, judges have ruled that the frequency of hacking and volume of data collected by internet service providers means individuals should not expect computer usage to stay private; i.e. immune to searches by security agencies. While states such as California take a different view. Ranked as the highest protector of privacy in America–with a rating of almost 86 percent–California recently introduced a bill that would require Internet of Things (IoT) device manufacturers to build security and data protection processes into all products.

With a single set of universal laws about how information should be collected and protected, the government can provide robust security and make better agreements with corporations concerning data sharing. Not to mention negating costly legal battles, such as the notorious Federal case against Apple.

Fortifying International Bonds

Cyber hacks are not just a U.S. issue; late last year the UK was also hit by a Russian hack that breached multiple email accounts. Once national discrepancies have been resolved, the U.S. would also do well to consider improving links outside its borders: after all, closer global ties can facilitate access to vital insight and improve combined power to defeat attackers.

Of course, international bonds have been forged before. The U.S. has previously made informal agreements with countries such as China, and participated in discussions at global events, including the Council of Europe Convention on cyber crime. Yet discord regarding the way intelligence is leveraged has also caused friction: in 2013 Brazil’s President Rousseff cancelled a visit due to apprehension about international monitoring activity and Germany’s

Chancellor Merkel made statements against electronic possible espionage.

By establishing clearly defined and formalized agreements for cyber security, including frameworks such as Privacy Shield–which protects data in transit between the U.S., EU, and Switzerland–the government can avoid international confusion, while creating a culture of mutual cyber support. In short, creating an alliance of the world versus cyber criminals.

International attacks may not be an innovation of the digital age, but it has spawned hackers who are better equipped and more powerful than ever. To keep them at bay, the government needs to pool resources both at home and overseas. By unifying internal processes and national rules, as well as enhancing business and global relations, the U.S. can ensure victory on the new cyber-focused geopolitical battlefront.

As President and CEO of security firm Cyber adAPT, Kirsten Bay leverages more than 25 years of experience of risk intelligence, information management, and policy expertise. Her career has seen her sit on a U.S. congressional committee; assist in developing policies for the White House; and, in the UK, share her insight with a parliamentary subcommittee on recreating trust in the global economy.

Are You Complying with the Executive Order on Cybersecurity?

In May 2017, the President issued an Executive Order on Cybersecurity. Among other requirements, the order holds agency heads accountable for appropriate cyber defenses:

“Agency heads will be held accountable by the President for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data.”

Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, May 11, 2017. The order also mandates the use of the NIST Cybersecurity Framework (https://www.nist.gov/cyberframework) in managing cybersecurity risk.

The Threats

Is your agency complying with the order? Over the last few years, cybersecurity threats have evolved from traditional data theft into data destruction and ransomware attacks. These newer threats are vastly different because they directly impact and threaten the operation of IT infrastructures.

Ransomware itself has grown into a significant threat. Originally, ransomware might attack and encrypt a single endpoint, such as a desktop. To expand their reach, criminals quickly added capabilities to encrypt not just the host, but other devices and shares that could be accessed from the host; and then started moving laterally to other devices before starting the encryption process. These new capabilities threatened not only production servers and data, but also the backup infrastructure.

A Risk-Adjusted Approach

These new threats are precisely the type of attacks contemplated by the classic evaluation approach required in the order: assessing both the risk (probability) and magnitude (scope of harm) for threats.

The risk of a ransomware or destructive attack is high – 60 percent of organizations were hit by ransomware in 2016. By mid-2017, more than half of organizations had been hit by a ransomware attack at least twice (Druva Ransomware Report 2017).

The magnitude of harm from a ransomware or destructive attack can also be significant. In 2016, a utility in the Midwest spent about $2.5M recovering from a single attack, and a healthcare organization estimated its losses and recovery costs at $10M. In the for-profit space, several organizations reported losses of over $200M from the NotPetya attacks of June 2017.

What Should You Do?

The high risk and magnitude of ransomware and destructive threats means that agencies must address this problem under requirements of the order.

Many experts, including several who work for federal agencies, recommend a backup as the best defense to a ransomware attack. So while a layered defense including employee training, anti-malware and other defenses are important, the specific response to a ransomware threat requires a “recover” strategy as outlined in NIST’s Cybersecurity Framework.

The backup strategy itself can be tailored to match the value of the data. We recommend protecting data for cybersecurity recovery at different levels, based upon its criticality. Three levels of protection – in increasing levels of security – can be deployed:

Standard backup – including a backup for data stored in the cloud;
Backup stored on a hardened backup infrastructure – deploying least privilege, network segmentation, securing CIFS / NFS shares (or better yet, using a different protocol such as Boost), deploying retention lock / WORM capabilities, etc.; or
An isolated backup protected with an operational, logical “air gap.” This backup infrastructure is minimally exposed to the outside world and ready for quick restores (unlike a tape backup which is undependable and can have a very long recovery time).

Conclusion

Cyber defenses should match the threats that we are all seeing today. Make sure that your infrastructure is protected from ransomware and destructive attacks with appropriate defenses.

Dell EMC recommends Data Protection Backup and Isolated Recovery for efficient, cost effective backup and recovery.

Learn more, here:

Data Protection Backup: https://www.dellemc.com/en-us/data-protection/index.htm

Isolated Recovery: https://www.dellemc.com/en-us/solutions/data-protection/isolated-recovery-solution.htm

By: Jim Shook, Director, Cybersecurity and Compliance Practice, Dell EMC

AI is Dragon Glass and Valyrian Steel–Cyber Winter Is Here

Kevin Cox is Jon Snow in the war against cyber threats–for the cyber night is here and full of terrors. And, winter isn’t coming–it’s already here. As Continuous Diagnostics and Mitigation (CDM) rounds out phases I and II, our government needs automation, artificial intelligence (AI) and machine learning (ML) to hold back the ugly cyber hoards. AI, ML, and cloud are the dragons, dragon glass, and Valyrian steel that the Department of Homeland Security (DHS) needs to combat the hacking white walkers. Okay, so how to separate fact from fairytale?

AI is Changing the Cyber Game

The web emits 10 million new malware files every month. Do the math. Yesterday’s signature-based approach to combating malware–deriving signatures one file at a time–is a losing proposition.

For most security scenarios, AI enables capabilities that go far beyond identifying known threats. AI models can determine a file’s maliciousness with no previous knowledge of the file, relying instead on analysis of the file’s innate properties.

As if this dated approach to malware detection isn’t bad enough, 60 percent of current intrusions are malware-free in nature. Hackers leverage memory-only threats and living-off-the-land techniques like the use of legitimate Windows tools, such as PowerShell and WMI. It’s significant to note that the most sophisticated and dangerous attacks fall heavily into this fileless category. To defend against them, you need an AI-based cyber strategy.

Machine Learning and Cloud

A domain within AI, machine learning, analyzes security-related data, including file “features” and behavioral indicators across massive data sets. Billions of events are utilized to “train” the system to detect unknown and never-before-seen attacks based on past behaviors. By training machine learning algorithms with data-rich sources and augmenting them with behavioral analytics, you can deliver next-generation defenses. Realistically, most companies don’t have the threat telemetry to train machine learning and that limits the effectiveness of the algorithms. But CDM, Einstein, and the Federal government certainly do.

Let’s examine that point further. The value that machine learning brings to the table largely depends on the data available to feed into it. Machine learning can’t create knowledge, it can only extract it. The scope and size of data are the critical elements impacting machine learning effectiveness. CDM can draw on data from across the federal government and also take a leadership role by establishing much needed public-private partnerships for data sharing and analytics.

Importantly, this is where cloud or elastic computing changes the game. Modern threats blend into the environment and only subtly differ from legitimate usage patterns. Detecting them requires looking at a larger amount of data and establishing contextual awareness. So it’s not so much securing the cloud as it is security through the cloud. You need both massive volumes of data and lightning speed analysis to stay one step ahead of today’s determined adversaries. That’s something only the cloud can deliver.

We’re all waiting on tenterhooks for CDM phases III and IV. The undead better bring their A game–Kevin “Jon Snow” Cox has some new weapons in his arsenal. It’s AI and cloud to the rescue.

Join MeriTalk and CrowdStrike on Jan. 18, 2018, from 4:30 to 7:30 p.m. at the W Hotel to network and dialog further on this proactive approach to more effective cybersecurity for public sector organizations. Click here for more information and to register.

Data Loss Prevention: Protecting Data Wherever It Resides

Federal agencies have a data problem. Data that was traditionally inside four walls is now everywhere. Employees and vendors access it from all kinds of devices, located in all kinds of places, making it increasingly challenging for security teams to see what those users are doing with that data.

In a nutshell, agencies have lost control of their data, devices and users. We have seen the repercussions in the headlines. Contractors leaking classified reports, employees getting infected with malware, Harold Martin III. As we head into 2018, agencies must shift their approach. The traditional strategy of fortifying the perimeter is no longer effective. The strategy of the present and future must focus on protecting data wherever it is.

If you’re a security practitioner at a Federal agency, you most likely are all too familiar with Data Loss Prevention (DLP) technology. It was known as the security solution for blocking the transmission of data outside the organization. Considering today’s data problem, DLP is going through a rebirth. Its capabilities are expanding so it can protect sensitive data both inside and outside the organization, while not overburdening limited analyst resources.

The expansion entails DLP being integrated with newer technologies such as Cloud Security Access Broker (CASB) tools to protect data not just on premise, but also in the cloud. Encryption is being added to the mix to protect the data while in transit. Tagging is another important technology to leverage DLP. The tool enables agencies to label documents (i.e. classified, not classified) to give their DLP technology hints as to what’s important and what’s not. For example, if a document is tagged “classified” then DLP knows to block or encrypt it. Multi-factor authentication is also important because it requires the user receiving the data to properly identify herself before the data can be opened.

One more technology that also integrates with DLP, and serves as the glue for tying the other tools together, is User and Entity Behavior Analytics (UEBA). UEBA technologies collect the telemetry data created from the tools mentioned above, identifies potential malicious and non-malicious insider and outsider activities, and delivers a prioritized list of the most critical incidents that DLP analysts must investigate immediately. The integration significantly reduces false positives because, whereas DLP focuses strictly on the data, UEBA determines whether the user that’s elevating the risk of the data being compromised is indeed a threat or business-justified.

For example, let’s say “Joe” from accounting was working on a lengthy project that required him sending a series of classified documents over an extended period of time to a third party contractor outside the agency. Every time Joe sent over the data, DLP would flag it and alert analysts, who would then waste their time investigating each alert and questioning Joe (interrupting his work and potentially lowering morale). And it would all be for nothing, an action that was business-justified.

UEBA would prevent this situation from happening. The technology would learn the first time that Joe’s actions were business-justified, and white label the event as business as usual so that analysts would never again receive an alert about Joe’s behavior.

On the flip side, if Joe was not given permission to send the information, UEBA would prioritize the alert based on the fact that the information was classified, and that Joe’s behavior was unusual compared to himself, his peers and overall team.

Under either circumstance DLP, integrated with UEBA and the other tools mentioned above, is protecting data well beyond the four walls of the agency. The technology has evolved to help analysts understand what’s truly sensitive in terms of data, which data does and does not need protecting, how data should be tagged, how it should be protected, whether it needs to be encrypted, who is handling it and what’s important to investigate. The goal being to protect agencies’ most sensitive data, enable collaboration, discover malicious behavior and prioritize investigation. That’s the DLP of today, tomorrow and beyond.

Automated Authorization: A New “Streaming” Service for Federal IT

Before you say “no,” Federal cybersecurity professionals, hear us out. To borrow a line from Riggs in Lethal Weapon 2, “C’mon, say yes! Be original, everyone else says ‘no.’”

Even with all the discussion around efficiency and modernization, the typical Certification and Accreditation (C&A) process takes six months and costs more than $100,000 to complete. For larger IT systems, doubling those totals isn’t out of the norm. With a large number of organizations, this process is updated every six months and then redone every three years for each system. So, over a five-year-period, certifying and accrediting a system can cost more than $500,000. Wow, that’s a lot of money!

With an increasing attack surface resulting in millions of new threats every year, partially updating C&A documents every six months, re-mediating a few Plan of Action and Milestones, and updating all docs every three years, won’t, and doesn’t, keep the bad guys out of Federal networks.

This compliance process, designed and refined over the past 15 years, was sorely needed when conceived–and still remains the primary means of governing Federal IT systems. Mainframes, client server, and early three-tier architectures ruled the day, with an eventual light sprinkle of this new tech called virtualization. Cybersecurity was an afterthought, meaning build everything and bolt on cyber at the end of the process. Moving typical systems from procurement to implementation took years. Now a server, and even an application, can be provisioned in minutes and the first release can happen in one month. The times and technology have changed, yet updates and adoption have lagged significantly.

Depressed? Don’t be, there’s some help on the way. The latest Risk Management Framework was released for comment and some of the 800 NIST publications are also being revised. The Department of Homeland Security led Continuous Diagnostics and Mitigation program is rolling out across Federal agencies, providing an opportunity to increase visibility and analytics capabilities for applications and systems on their networks. And since we started writing this article, 20 new cyber companies have entered the U.S. market that will help better identify cyber threats, quantify, and qualify risks based on threats, vulnerabilities, and cost to mitigate. The greatest minds are collectively updating the guidance and the conversations grow in numbers…so why are we still not broadly considering the idea of automating security controls and authorizations?

From a technology perspective, the Lego pieces are in the box to get started building the Millennium Falcon. In terms of FISMA compliance, today’s Federal CIOs, CISOs, and Program Managers have access to more than 70 FedRamp Certified FedRamp providers, including a few with high controls. Early adopters of DevSecOps have worked alongside assurance professionals and shifted cybersecurity left in the process and embedded cyber into the DNA of secure automation workloads, from development to production. Automation at every level is possible and can be utilized to achieve assurance and reliability previously unavailable with human implemented processes.

Is it perfect? Nope. Nothing is. This is not about perfection, rather risk management and responsible evolution. The tools are in the toolbox.

So, how do agencies get started? How about a mission-critical mainframe? Ah, no. Well then how about a FIPS moderate back office system on a few virtual servers? Close, but not quite. Let’s instead start with a “net new,” moderate-level data system. Even better, if you can take advantage of the incoming Modernizing Government Technology (MGT) Act to actually rethink a business process/application, rather than carry the same less-than-optimized processes to a new environment and call it modernization.

Some of the criteria to qualify: this is a new project, not a bolted-on enhancement to an old system. Must be hosted in a FedRamp cloud provider. Automate as much as possible, including your security controls, in partnership with your security operational and policy professionals. The development environment should be provisioned using good DevSecOps best practices. Make sure you embed cyber hygiene and analytics at the lowest level of code possible. Lather, rinse, repeat for testing. Then once satisfied the app and cyber is implemented correctly, light up production. Repeat, the key to success is a collaborative and transparent partnership among all stakeholders that include operational and policy professionals…stakeholder engagement.

Beta was overtaken by VHS. VHS got smoked by Blockbuster. Blockbuster got rolled by RedBox. Netflix, Amazon, and Hulu, took out RedBox using mobile phones and broadband. Traditional Federal C&A process, meet Automated Authorization. So, for the traditional certification and accreditation process, “we are getting to old for this.” We couldn’t agree more Sgt. Murtaugh.

Rob Palmer is the executive vice president and CTO for ShorePoint, a privately held cybersecurity services firm serving both private and public-sector customers. Palmer is a former senior executive with the Department of Homeland Security (DHS) where he most recently held the position of deputy CTO and executive director for strategic technology management.

Keith Trippie is a retired DHS IT executive and entrepreneur. He is the founder of Shop4Clouds, digital marketing platform and urMuv, a neighborhood discovery app. He has also launched GotUrSix TV, a digital media platform to share the personal stories of active duty, veterans and military spouses.

Moving Beyond Cloud Security Fears

The federal government has started to embrace the positive impact of cloud on cybersecurity efforts. We first saw this in the May Cybersecurity Executive Order, which outlined a shift to cloud as a key part of cyber security strategy. During a briefing, Tom Bossert, Homeland Security Advisor, said, “We’ve got to move to the cloud and try to protect ourselves instead of fracturing our security posture.” And, the new Report to the President on Federal IT Modernization, released by the White House Office of American Innovation likewise underlines the importance of cloud and a shift to shared services.

Agencies are gaining cloud deployment momentum now because they are matching the cloud to the mission – in many cases implementing highly secure on-premise or hybrid cloud solutions.

At a recent cloud event, John Hale, Chief of Application Services, Defense Information Systems Agency (DISA) said, “the direction that we’re getting from the senior members of the department is ‘move everything to the cloud now.’” He is working to create Cloud Access Points (CAPs) to protect Department of Defense (DoD) networks from the rest of the public cloud and enable DoD security requirement compliance. The recently awarded MilCloud 2.0 will be a hyperconverged on-premise cloud system that is expected to enable approximately 70 percent cost savings for DoD.

And, on September 20, the U.S. Air Force awarded Dell EMC, General Dynamics, and Microsoft a $1 billion, five-year contract to implement a Cloud Hosted Enterprise Services (CHES) program. This is the largest-ever cloud-based unified communications and collaboration contract in the federal space.

We have many examples of how federal agencies are finally moving past the “devil you know is better than the devil you don’t” mentality. But how does cloud, specifically hybrid and secure on-premise cloud, improve security? Agencies can:

Maintain control and compliance with security best practices
Align data protection services with application demands
Access IT services in the event of a disaster with active provisioning
Integrate existing security tools and services

FDR famously told us that the only thing to fear is fear itself. Digital transformation, powered by secure hybrid and on-premise cloud environments will modernize government services, improve governance and transparency, and keep federal data and systems more secure.

Learn more: https://www.dellemc.com/en-us/cloud/hybrid-cloud-computing/index.htm.

By: Steve Harris, Senior Vice President and General Manager, Dell EMC Federal

Federal IoT: Where Innovation and Cyber Risks Collide

Gartner forecasts that by 2020, 20.4 billion devices will be connected across the Internet of Things (IoT). The IoT brings the promise of new possibilities, but to unlock them, agencies must change how they think about data and how to keep it secure.

There are four primary ways IoT can provide value to agencies and support innovation:

Driving operational efficiency – improve effectiveness while simultaneously reducing cost
Improving constituent experience – discover new ways to engage users
Mitigating risk – improve security by detecting failures before they happen
Driving mission success – discover new paths to mission success through data insights

Both Department of Defense (DoD) and civilian agencies are currently using connected technologies including drones, cameras, sensors, satellites, etc., to support their missions. For example, the Air Force is combining surveillance and flight sensor data to provide detailed threat information in real-time; the Navy is using a network of connected buoys with sonar capability to detect submarines more quickly and efficiently. On the civilian side, the General Services Administration (GSA) is using a network of low cost motion sensors to turn off the lights when employees are not at their desks – reducing environmental inefficiencies and overhead costs.

While the potential for innovation is great, federal IT teams face a number of challenges when implementing and using the IoT. For starters, up to 80% of IoT data will be unstructured, and these data points have to be stored, managed, and analyzed in a methodical way. For agencies, this means preparing their aging infrastructure for the influx of data from IoT devices on the edge.

The biggest challenge, however, is security. As agencies implement new layers of architecture and processors to harness the IoT, they must address cyber security concerns for both operational technology (OT) devices and traditional IT devices – not straightforward, as IT and OT have very different goals and drawbacks. And, there are an enormous variety of IoT devices that will come into play, each introducing a different level of risk.

It is important for federal agencies to be “paranoid, but not paralyzed” when it comes to IoT security. If approached in the right way – by having heavily encrypted storage environments and a cyber plan that provides for the protection of all endpoints/networks – agencies can effectively manage the security risks and take advantage of the significant opportunity ahead.

Learn more: https://soundcloud.com/fedscoop-519204393/iot-in-government-sponsored-by-dell-emc#t=0:00.

By: Ro Dhanda, Director, Federal Sales, Dell EMC

Rally the Troops: Building a Cyber Workforce for the Future

Federal agencies face a continual struggle to attract top talent in the cyber workforce. Why? Because it is difficult for agencies to find qualified personnel, hard to retain security workers, and there is often an insufficient understanding of job requirements. This impacts us all – as it makes it more difficult for agencies to make good, risk-based decisions as they modernize federal IT and work to meet mission objectives.

The Presidential Executive Order on Strengthening the Cyber Security of Federal Networks and Critical Infrastructure required a group of agency leaders to jointly assess the federal government’s efforts to train the cybersecurity workforce, and develop a report to the President with their findings and recommendations.

These recommendations are not yet available, but federal agencies must find a way to provide potential employees with reasons to choose federal service over private sector perks. Representative Will Hurd (R-Texas) is trying to do just that with his proposed cybersecurity workforce program, the Cyber National Guard. The program would provide students a free cybersecurity education, and in return, students will work in federal service for an equal amount of time.

On C-SPAN, Rep. Hurd explained there is still a significant shortage of computing talent across the board – in Texas alone, 42,000 computing jobs went unfilled in 2015, with an average salary of $89,000. In that same year, Texas produced just 2,100 computer scientists. We need new approaches.

Rep. Hurd’s idea for a Cyber National Guard is that if you are going to college, and will study something related to cybersecurity, the federal government will find you a scholarship. In return, when you graduate, you will serve in government for the same amount of time you were in school. Rep. Hurd also explained that once you are finished with government service, the private sector will loan you back for a period of time – one weekend a month, ten days a quarter, or similar. “This will improve the cross pollination of ideas between the public and private sectors,” Hurd states.

Once you have the troops in place, you have to give them the tools to be successful. President Trump put this component into motion when he elevated the U.S. Cyber Command to a full combatant command in August. Trump said in a statement that this will “streamline command and control of time-sensitive cyberspace operations by consolidating them under a single commander with authorities commensurate with the importance of such operations….and ensure that critical cyberspace operations are adequately funded.” As to be expected, there are hurdles to moving these initiatives forward, including:

Funding for cybersecurity education.
Showing a clearly defined career path for cybersecurity growth within the federal government.
Having a standardized listing of cyber jobs within government to ensure students receive the proper credentials.

Fortunately, most agree across the aisle that improving the federal cybersecurity workforce is critical to our future. When asked about the path forward, Representative Hurd is optimistic, sharing, “There really is a group of us that are committed to a bipartisan solution to this problem. So, we’re going to have a posse.”

That’s good, because we know we are stronger together, and we will need continued collaboration and open dialog with federal agencies, our elected leaders, and between the public and private sectors to keep our information and systems secure.

By: Steve Harris, Senior Vice President and General Manager, Dell EMC Federal

Improved NIST Framework Supports Agency FITARA Goals

With the release of the fourth FITARA scorecard, we saw agencies stall on progress – more agency grades declined than improved, and 15 agencies’ grades remained neutral.

One shining star was the United States Agency for International Development (USAID) – the first agency to ever receive an overall A. How did they do it? According to a USAID official, they focused hard on transparency and risk management – where they received an “A”. This was not the case for most of their counterparts however, as 14 agencies received a “C” or lower in that category.

Risk management is one of the more difficult areas for agencies to see success, but every CIO should be using the National Institute of Standards and Technology (NIST) Framework in that area. NIST recently released an updated version of the Framework for public comment, in the hopes that it would be easier to utilize and implement.

These were the most notable changes to the updated version:

Refined managing cyber supply chain risks – framework now has a common vocabulary so agencies working on cyber supply chain projects can clearly understand cybersecurity needs.
Revised “Identity Management and Access Control” category – framework now has clarified and expanded definitions of the terms authentication and authorization; added and defined the concept of “identity proofing”.
Introduced measurement methods for cybersecurity – framework now gives guidance on how to measure how well an agency is reducing risk and identifies overall agency benefits.

NIST has been gathering feedback on the Framework changes, and is expected to release the final version this fall. Hopefully, federal CIOs can use the updated Framework to effect positive change on their cybersecurity and risk management projects – and in turn, see an upward tick in grades when the next scorecard is released in December.

Learn more about Dell EMC’s portfolio of cybersecurity capabilities for government: https://www.rsa.com/en-us/research-and-thought-leadership/security-perspectives/government-solutions.

By: Cameron Chehreh, Chief Operating Officer, Chief Technology Officer & VP, Dell EMC Federal

The CDM Marathon: How Feds are Keeping Pace

While the Cybersecurity Sprint focused attention on how to generate improvements quickly, one of our most important cyber efforts – the Department of Homeland Security (DHS) Continuous Diagnostics and Mitigation (CDM) program – is unquestionably a marathon. Now in its fourth year, the program is maturing agencies’ abilities to identify cyber risks and adopt a risk-based approached to mitigation.

The program is entering Phase 3, but agency progress has been staggered. Every agency started from a different point of cybersecurity maturity, so this is not surprising.

Phase 1 involved mapping networks to determine what they would need to improve threat protection; Phase 2 on identifying who has access to the network and how you handle access management. Up next, Phase 3 focuses on boundary protection and incident response.

What was initially surprising was the degree to which agencies discovered during Phase 1 that they were underreporting device numbers. James Quinn, lead systems engineer on the CDM Program at DHS, said that DHS estimated federal agencies would map approximately two million assets, but agencies ended up finding approximately four million.

We have to anticipate this challenge will continue to grow with the Internet of Things (IoT). Every internet-connected device is a potential vulnerability, so improving asset management and establishing a secure supply chain are critical to securing federal systems and information.

When we think about supply chain risk management, we think about our devices and the systems and software we use to protect them. The CDM Project Management Office (PMO) requires vendors submitting products for the CDM Approved Product List (APL) to provide details on their supply chain risk management policies. See more: CDM Supply Chain Risk Management plan.

RSA Archer, a Dell Technologies company, serves as the platform for the agency and federal dashboards. At the agency level, the dashboard captures data locally from network sensors, scores the data, and shows “worst problems first” for operators – i.e. enables a risk-based approach. Agencies are in the process of deploying their dashboards, and the federal dashboard is scheduled to deploy this year.

As agencies and the CDM Project Management Office move forward, they will be tackling ongoing challenges including the need for acquisition flexibility, how to speed the acquisition process, how to integrate FedRAMP, and what’s next for Trusted Internet Connections (TIC).

That’s an already tall order that will continue to grow – and we do win or lose together in this race.

By: Cameron Chehreh, Chief Operating Officer, Chief Technology Officer & VP, Dell EMC Federal

LPTA is Hurting Employee Relations for Small Businesses

Introduced in June and passed by voice vote with no dissent, HR 3019, the Promoting Value Based Procurement Act of 2017, acknowledges that the Lowest Price Technically Acceptable (LPTA) approach has not produced strong results on contracts. The legislation forces agencies to justify an LPTA approach by “comprehensively and clearly describing the minimum requirements expressed in terms of performance objectives, measures, and standards that will be used to determine the acceptability of offers.” Agencies must exert more control over reporting and standards on LPTA contracts to justify the cost relative to the quality of the product.

This is a welcome step considering the pressure LPTA puts on contractors more interested in quality work with consistently satisfied customers than volumes of one-hit, transactional contracts. LPTA disincentivizes businesses, especially small businesses that lack capital, to be good, responsible employers. Trickle-down effects of LPTA are easy to trace, as unhappy employees perform unhappily, lowering the quality of their work products and the performance of their employers and customers.

The largest expenses, for any employer, are in employee salaries and benefits. When a contractor is competing on an LPTA basis, they must keep these costs as low as possible to remain competitive, leading to a scenario where skilled employees are underpaid and unhappy, or unskilled employees are fairly paid but cannot perform to a high standard. In the former case, according to an Employee Job Satisfaction and Engagement survey conducted by the Society for Human Resource Management (SHRM), compensation and benefits are among the top five measures of job satisfaction. Another study conducted by Harris Poll on behalf of Glassdoor found that 57 percent of respondents said benefits and perks are among their top considerations before accepting a job.

While the perks of a job may sound superfluous, when considering the cost of a disengaged employee it becomes clear benefits are worth the investment. For example, disengaged employees are often poor collaborators, lack enthusiasm for projects, miss deadlines, and don’t take initiative. For companies that do provide multiple benefits, such as wellness benefits, SHRM found that 40 percent of companies saw decreases in unplanned absences, and 33 percent cited a direct increase in productivity.

The absence of good pay and benefits also increases the risk of turnover–a major issue for government agencies that rely on contractors and institutional knowledge to be successful. When employees leave, contractors spend money to replace them. SHRM found that the total costs of replacing an employee can range from 90 percent to 200 percent of their annual income, depending on several factors. Contractors recoup that cost by raising their rates to the government over the long term. This leads to excessive costs for the government in the short term (due to lost productivity and knowledge loss) and long term (due to the higher rates). LPTA exacerbates this issue, leaving government contracts in short-term turmoil and actually raising costs over the long term.

HR 3019’s requirement that agencies justify an LPTA strategy is a good first step, but more action can be taken. Reliance on LPTA inevitably means that contracting firms will drive down prices in order to remain competitive, which will hurt their employees and the government. If the focus is changed from procuring services at a low price to procuring services at a fair, market-based price, the quality of the work the government receives will inevitably increase. While LPTA is well-intentioned–what better way to save taxpayer money than by driving prices down through a simple calculation and competitive procurement?–in practice it has proven to hold less value than strategies focused on performance balanced with cost.

The time has come to move on from LPTA and embrace other, smarter procurement strategies.

The Most Important Technology Trends: A Robotic Ambassador

How can we reach and impact the next generation of explorers? How can we make them care about science, engineering, and technology? How can we prepare them to work for NASA?

The Remotely Operated Vehicle for Education (ROV-E) is JPL’s Robotic Ambassador. (Photo: JPL)

What if we built a cute, smart rover that they can talk with? If we built it, would they engage?

As it turns out, the Jet Propulsion Lab (JPL) actually did build one…and ROV-E is her name-o.

The Remotely Operated Vehicle for Education (ROV-E) was built over the course of about a year by six Early Career Hires at JPL as a way to learn the end-to-end process for building a spacecraft. They designed and built ROV-E to go to schools and museums, drive over people as they lay on the floor, and have expandable USB ports so that future engineers and dreamers can give her new features.

This year, we used these USB ports to give ROV-E a voice through the power of Amazon’s Alexa and Amazon Lex.

We demonstrated ROV-E’s new features at Amazon’s re:Invent conference in December 2016. ROV-E, looking a bit like the Curiosity rover, strutted her stuff in front of several thousand people and they marveled over her prowess and agility.

ROV-E debuted at Amazon’s re:Invent conference. (Photos: JPL)

She drove and answered questions about Mars. She is built mostly from open source software and hardware components, as well as 3-D printed parts. She can take driving commands both from voice commands and an optional remote control. She can automatically follow you around using a camera and a 3-D depth sensor. She can avoid obstacles and even has a blinker to tell us where she’s going. She can do this through a constant Internet connection.

In this series, Tom Soderstrom, the IT Chief Technology and Innovation Officer of NASA’s Jet Propulsion Laboratory, discusses the future of technology: how work evolves, key technologies, and how to engage the next generation.

The grand finale of ROV-E’s demo happened when we turned off the Internet on stage–and ROV-E kept going. This feat constituted the worldwide launch of a new technology called Greengrass, developed by Amazon and JPL. Greengrass, which Amazon launched at the re:Invent conference, allows Lambda and Internet of Things functions to work without Internet. Once Internet is available, the devices reconnect, continue to stream data, and update themselves. This type of technology could be really important to NASA in offline situations such as sending rovers under vast sheets of ice or automatically guiding rovers to help find and rescue stranded miners.

So, did people engage? Yes, they did. ROV-E was the star of the show, with people even asking to take selfies with her. She has also performed at the NASA Booth at the Consumer Electronics Show and has gone to numerous outreach events. We have since released the logic for ROV-E’s voice to the public through a custom Alexa skill called “NASA Mars,” where anyone can get answers to thousands of questions about Mars as well as get the latest updates on what the real Curiosity rover is up to on Mars.

We’ve decided to take the next step and make ROV-E available to the world through inexpensive open source components and a simple instruction manual so that anyone can build one at home or at school. We want to make it cheaper and easier to build than it currently is. We also want to make it into a science platform where citizen scientists of all ages will be able to add their own hardware and program their own experiments.

By the end of this summer, ROV-E will come to explorers and tinkerers of all ages and to a school or museum near you. We hope that ROV-E will be a Robotic Ambassador that will make NASA proud and inspire everyone to participate in NASA’s mission.

GSA’s EIS has Feds Thinking About Cloud Unified Communications

Federal agencies are increasingly taking a serious look at their existing telecommunications infrastructure now that the General Services Administration (GSA) has awarded its Enterprise Information Services (EIS) telecommunications solutions contract. This contract offers Federal offices significant opportunities to not only improve services, but reduce both capital and operating costs. With the need for secure, reliable communications at an all-time government high, the solutions on EIS aren’t just in the “nice to have” category, they’re things your office “must have” if it is to continue meeting critical missions well.

One of the significant benefits offered by EIS is a full range of cloud-based solutions. Everything from applications to total Unified Communications (UC) is available via EIS. While Federal offices may have once been hesitant to move communications to a cloud-based environment, they are no more. Even before EIS, multiple civilian and defense agencies began moving communications-related services to the cloud.

And why not? The cost benefits of cloud solutions have long been established. Capital cost savings, better managed operating expenses, elimination of costly upgrades and repairs are just some of the major saving features of cloud solutions. The financial benefits of adopting cloud solutions are well-documented and accepted among Federal agencies.

Security, too, is enhanced. Contractors must adhere to rigorous FedRAMP and FISMA standards. Cloud systems, themselves, offer advanced survivability features above what is frequently available from more traditional approaches. Secure supply-chain requirements ensure that contractors are offering only properly sourced, secure solutions.

One feature of the EIS contract that’s getting a lot of early attention is the ability for Federal agencies to obtain cloud-based UC solutions. These systems embody the security and reliability discussions above. A good, FedRAMP-accredited cloud UC solution offers Federal offices a complete range of advanced communications capabilities–including voice, call management, unified messaging, video conferencing, and even (if not hosted) centralized Session Initiation Protocol (SIP) trunks. All of these services can be scaled to meet the needs of any customer.

Even better, no longer are customers considering a cloud-based UC solution tied to the proprietary technologies of just one company. Being “locked in” to one Original Equipment Manufacturer (OEM) solution has been a significant factor holding some customers back from obtaining all of the benefits a cloud-based UC solution has. No one likes having their options limited.

Today, however, UC solutions are available via EIS from companies offering true “best of breed” solutions that feature components from a variety of OEMs. Now solutions can be flexibly tailored and properly scaled to focus on what the solution must do to support the customer, rather than requiring the customer to adapt its operations to how the solution, itself, works. Not only do Federal offices obtain the best overall operating solution, they’re not tied in to one company’s technology and can ensure that they pay only for features they will actually use.

The “vendor agnostic” approach to acquiring cloud UC solutions offers Federal buyers significant savings not just over traditional telecommunications offerings, but better functionality and savings vs. a single-OEM approach. Cloud-based UC solutions could be the answer to your Federal office’s efforts to upgrade its current telecommunications infrastructure. They offer security, substantial new capabilities, cost savings, and true freedom to scale while using only the applications you need.

Make sure you ask EIS contractors what they can offer your office in terms of best in breed, cloud-based UC solutions.

The Most Important Technology Trends: Part 2

This is the second article in a series about the most important technology trends. The first article postulated that the key trend is the evolution of how we work. It discussed working like a startup and utilizing new methods of working including: agile development, open source, consumerization, continuous development/continuous integration, iterating with minimum viable products, DevOps, crowdsourcing, maker communities, and reducing wait states.

This article focuses on the key technologies that will deliver maximum benefits, especially when used together. Over the next three years, to work even faster and more effectively, we will use new natural user interfaces (NUI) to easily and seamlessly interact with previously unimaginable amounts of data in the cloud from real-time sensors created through the Internet of Things. We will make data-driven decisions in real time aided by complex algorithms that help make sense of the data through artificial intelligence (AI). And we will proactively measure everything through predictive and prescriptive analytics.

The way we interact with the computing systems will change. Today, we work using a mouse and keyboard, must have knowledge of what data we need, request permission, and then use a keyboard and mouse to access and, often painfully, combine data from different sources. It’s extremely labor intensive and, because of the many wait states, it’s too easy to lose the ever-important momentum and not deliver on time.

Tomorrow, we will simply use a NUI to query the system and receive an answer in seconds. As illustrated in Fig. 1, a scientist, engineer, programmer, or other stakeholder will simply ask a question using her or his voice, gesture to the camera, touch the data on a large touch screen, blink through the smart glasses, and/or think about the problem wearing a smart “helmet,” and the answer will appear. If we are successful, it will seem like AI magic.

So, what’s behind the scenes of this magic? The data will reside in clouds and be accessible through well-known APIs. The stakeholder’s questions will kick off a set of database queries and/or AI code that presents the solutions back to the user. Note that the system intelligently assists the human by presenting the data in the way that the user wants it and specifying the likelihood that the answer is correct. The user then chooses the action. This is the essence of Intelligent Assistance or IA.

IA will evolve to AI at the user’s desired pace. Once the user trusts the IA recommendations, she/he can choose to trust the system to implement the recommendation automatically. At that point, we have reduced an additional wait state and have evolved to true AI for that user and for that use case.

There are many current and future examples. Today, AI software called AEGIS runs on Curiosity. While Curiosity is driving on Mars, AEGIS automatically identifies interesting rocks and tells Curiosity to take photos, which are then sent to Earth. Humans can investigate them using augmented reality through Microsoft’s HoloLens Smart Glasses and ask Curiosity to turn around to drill into the rock (see Fig 2).

If this sounds too simple, we’re on the right track. AI is complicated and many people fear it. However, no one fears Alexa, Siri, or Cortana because of the apparent simplicity and because it’s simply advising the human, who takes the action. Hence the emphasis on IA.

What technologies are needed for us to execute this vision? JPL has experimented with all the below technologies and has found them both promising and useful.

Open source and commercial analytics tools: They are readily available, inexpensive, growing, and evolving quickly.
Cloud computing: This includes the related technologies of advanced and unlimited computing and storage, serverless computing, edge computing, containers, micro services, and API management. The list will continue to grow.
Crowdsourcing: We will partner more within and between NASA Centers and externally to organizations such as Kaggle for data science and analytics.
Internet of Things: IoT will allow us to automatically collect highly relevant data, gain automated situational awareness, and interact in an easy, natural way with any system.
AI frameworks and libraries: We can choose from available open source options and run the calculations in the cloud. Examples include Tensorflow from Google, MxNet from Amazon, Cognitive Toolkit from Microsoft, and Torch, Caffe, Keras, DeepLearning4J, Theano, as well as many more.
IA: By focusing on the user over the technology, we will employ Intelligent Assistance as a way to infuse AI while enabling human end-users to set the pace of infusion.

How can we deploy these technologies?

Question farm: Iterate quickly with end users to find low-hanging use case.
Experiment: Try the minimum viable product quickly with users and developers using small teams.
Focus on the data: Ensure that the data is accessible, consumable, reusable, and understandable.
Build in cybersecurity: Ensure that the solutions and the data are appropriately secured.
Take the quick, easy path: If we can’t get access to the data, we will drop this experiment. Instead, we will do the prototypes/experiments that show value with minimum wait states. We will also make it easy for the users by making the solutions easy to understand, build, and (re)use.
Measure everything: Is there enough end-user value to continue with this experiment?
Double down: If the experiment showed value and had an impact, we’ll iterate quickly.

Whether you think this is the right approach or think that it’s complete and utter hype, we’d love to hear from you about how we can help NASA answer the big questions that affect all of humanity. Next in the series I will discuss IA and AI in more detail and would appreciate hearing about your potential or actual use cases.

The Most Important Trend: Evolving How We Work

As we look at the exciting technology trends of the Next IT Decade (the next three years), one mega trend stands out: We will work very differently.

Why? Because we will need to work faster and more effectively with fewer wait-states (aka “bureaucracy”). Consumer technologies are evolving very quickly and have made us highly productive at home. However, enterprises are slower to adopt these trends, largely because there are legacy technologies and the cost of switching is higher and more time consuming.

So, because the Jet Propulsion Lab (JPL) and NASA are made up of IT consumers, a key disrupter is the adoption of the most meaningful emerging consumer capabilities in the enterprise. If JPL and NASA can do this, we can improve employee productivity and satisfaction, while also delivering the NASA mission faster, more securely, and at a lower cost.

But, which technologies and capabilities will matter and how can we use them? The answer is to predict the human behavior trends as human behavior affects IT, which affects human behavior, which affects IT…you get the point. Simply put, understanding human behavior trends helps us select which technologies are worth prototyping in the near-term, as those technologies are likely to be adopted in the enterprise.

From our research, the key human behavior trends for the next few years are the following:

Who will do the work? Entrepreneurs will come up with ideas. Makers will use 3-D printing, Arduino, and Raspberry Pi to prototype a solution. Crowdsourcing will help us find specific expertise and new, nontraditional partners who will work from anywhere to accomplish the NASA and JPL missions–this will also include public hackathons.
How will they work? They will use an agile approach, as well as open source and consumer technologies in the cloud to rapidly prototype a minimum viable product (MVP) and pivot quickly when needed. Crowdsourcing will be used to create the MVPs, both internally to the enterprise through hackathons and Kickstarters and externally through the NASA Open Innovation contracts, as well as other approaches.
What technologies and tools will they work on? They will apply advanced analytics and deep learning to make smart data from the current big data. They will evolve the cloud as the default development and operations platform, with rapid course corrections when needed. DevOps will be the expected way to work. The key enablers will be Internet of Things, wearables, natural user interfaces, and conversation-as-a-platform.
What are the key challenges they will face? We will no longer be able to lay out a long-term, fixed architecture. Instead, we will need to create a chaotic architecture, where frequent changes with effective and automated analytics is the new normal. Because of the size, scale, and speed of continuous development/continuous integration, manual operations will be replaced with automation and this change can be difficult both technically and culturally. Cybersecurity becomes ever more important and needs to be built in to all the solutions and automated with advanced visual and predictive analytics. Luckily, these challenges are not unique to our enterprise. By collaborating with others, we can meet these challenges quicker.

By paying attention to the human behavior trends, we will evolve the way we work to adopt new technologies faster, create automated and fully scalable solutions, and get effective help from new and varied partners.

Most importantly, this will help us use new techniques to answer the big questions quicker, such as:

Is there life in space?
How can we put humans on Mars?
How can we redirect an asteroid?
Where is Earth 2.0?
How can we help protect Mother Earth?

And that’s what it’s all about. An exciting future indeed!

« Previous 1 … 4 5 6 7 8 … 20 Next »

Cookie	Duration	Description
AWSALBCORS	7 days	Amazon Web Services set this cookie for load balancing.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	New Relic uses this cookie to store a session identifier so that New Relic can monitor session counts for an application.
PHPSESSID	session	This cookie is native to PHP applications. The cookie stores and identifies a user's unique session ID to manage user sessions on the website. The cookie is a session cookie and will be deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_pxhd	1 year	PerimeterX sets this cookie for server-side bot detection, which helps identify malicious bots on the site.

Cookie	Duration	Description
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.
__cf_bm	30 minutes	Cloudflare set the cookie to support Cloudflare Bot Management.

Cookie	Duration	Description
AWSALB	7 days	AWSALB is an application load balancer cookie set by Amazon Web Services to map the session to the target.
_gat	1 minute	Google Universal Analytics sets this cookie to restrain request rate and thus limit data collection on high-traffic sites.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
CONSENT	2 years	YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.
ln_or	1 day	Linkedin sets this cookie to registers statistical data on users' behaviour on the website for internal analytics.
pardot	past	The pardot cookie is set while the visitor is logged in as a Pardot user. The cookie indicates an active session and is not used for tracking.
UID	1 year 1 month 4 days	Scorecard Research sets this cookie for browser behaviour research.
vuid	1 year 1 month 4 days	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos on the website.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gcl_au	3 months	Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
__gads	1 year 24 days	Google sets this cookie under the DoubleClick domain, tracks the number of times users see an advert, measures the campaign's success, and calculates its revenue. This cookie can only be read from the domain they are currently on and will not track any data while they are browsing other sites.

Cookie	Duration	Description
anj	3 months	AppNexus sets the anj cookie that contains data stating whether a cookie ID is synced with partners.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
GoogleAdServingTest	session	Google sets this cookie to determine what ads have been shown to the website visitor.
IDE	1 year 24 days	Google DoubleClick IDE cookies store information about how the user uses the website to present them with relevant ads according to the user profile.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
muc_ads	1 year 1 month 4 days	Twitter sets this cookie to collect user behaviour and interaction data to optimize the website.
personalization_id	1 year 1 month 4 days	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
test_cookie	15 minutes	doubleclick.net sets this cookie to determine if the user's browser supports cookies.
uuid2	3 months	The uuid2 cookie is set by AppNexus and records information that helps differentiate between devices and browsers. This information is used to pick out ads delivered by the platform and assess the ad performance and its attribute payment.
VISITOR_INFO1_LIVE	5 months 27 days	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
_mkto_trk	1 year 1 month 4 days	This cookie, provided by Marketo, has information (such as a unique user ID) that is used to track the user's site usage. The cookies set by Marketo are readable only by Marketo.
__gpi	1 year 24 days	Google Ads Service uses this cookie to collect information about from multiple websites for retargeting ads.