So You’re Moving to Windows 10–Now What?

How Microsoft’s Latest OS is Your Agency’s Springboard to Innovation

In late 2015, DoD CIO Terry Halvorsen announced that all Federal combatant commands and agencies within the Department of Defense (DoD) would need to migrate to Windows 10 by January 2017 as part of a new Windows Secure Host Baseline. Recently, that mandate was pushed back to January 2018—not because defense agencies want to continue to operate on Windows 8, Windows 7 or–wait for it–Windows XP, but because the sheer magnitude of the migration encompasses more than 4 million machines spread out across the most complex organization in the world.

The department’s decision to move to Windows 10 remains solid. As Microsoft’s most secure operating system (OS) ever deployed, Windows 10 offers significant security features baked right in–including secure boot hardware, TPM support, biometric authentication, conditional access and device health attestation. No one is arguing that Windows 10 shouldn’t be standardized across the DoD and civilian agencies at large. What’s slowing the effort at many agencies, however, is the actual migration process–it’s time-consuming, expensive, and unattainable within a year’s time frame.

It doesn’t have to be.

Server virtualization revolutionized Federal data center operations, and that same technology can be applied to the desktop and its underlying applications to revolutionize OS migration, management, and security. Built on the software-defined data center (SDDC) that integrates compute, networking, and storage into a centrally deployed and managed virtual platform, virtual desktop infrastructure (VDI) is unlike the traditional desktop management model that groups the physical device, OS, and applications into a bundled architecture requiring considerable IT involvement. VDI replicates the physical desktop environment by running applications in the data center and enables multiple user desktops to run as separate virtual machines (VMs) that are then remotely presented to end-user devices.

Windows 10 is a platform that integrates beautifully with end-user computing (EUC) technologies such as VDI, enterprise mobility management (EMM), and application virtualization while maintaining traditional PC lifecycle management (PCLM) functionality. Not only does VDI preserve the use of mission-critical legacy applications and existing hardware, but it greatly reduces OpEx by centralizing and streamlining desktop and application management. Additional methods of virtualization by way of EMM and delivery technologies like application publishing lend themselves well to workforce mobility and productivity initiatives in non-DoD computing environments. With EMM, agencies can apply the same virtual management and security philosophies to mobile devices running Windows 10–including laptops, tablets, and smartphones.

Legacy applications built for older versions of Windows should also not impede migration efforts. While Windows 10 will likely not have the same number of application compatibility issues as older versions of Windows, there will inevitably be some apps that are not compatible with Windows 10. Placing those apps onto a Remote Desktop Session Host (RDSH) platform allows agencies to move these problematic apps into the data center and use a remote display protocol to deliver them into the newly upgraded Windows 10 desktops on which the applications won’t run successfully natively.

Government agencies–DoD in particular–are at a fork in the road when it comes to migrating and managing Windows 10. The good news is that they have multiple options, all of which call for the successful deployment of Windows 10 across devices. Yet the DoD mandate in particular is truly the Federal government’s calling card for IT innovation. Agencies can either choose to refresh the old-fashioned, laborious, and expensive way or use Windows 10 as an opportunity to leverage next-gen EUC solutions such as VDI and EMM to radically improve operations, cybersecurity, and user experience across devices, locations, and missions.

To learn more, visit: http://www.vmware.com/solutions/industry/government.html.

Electing a Cloud Winner: Hybrid Gets the Vote

While the final presidential debate is a wrap, the Federal cloud debate (slightly quieter) continues. Like the election, cloud has the potential to impact government for many years to come, from ensuring soldiers have the needed intelligence to make good decisions on the battlefield, to NIH having the ability to pool medical research and find new cures for disease.

But let’s consider a few questions:  how can Federal agencies be in position to best realize cloud’s potential?  How much progress have we really made to date?  And how can we accelerate progress?

Most agencies that have deployed cloud have migrated non-mission critical applications – web hosting, email, collaboration, and backup services. It appears those moves are going well, as 85 percent of Federal cloud adopters say their agency will increase cloud spending in 2017, according to MeriTalk’s recent “Destination Cloud” study.

However, overall spending on cloud is still falling far short of target.

As agencies progress with cloud plans, most recognize they can’t focus on a private or public model – they need a blended environment and solutions that bring the combined strength of both public and private cloud.  They must balance the dual goals of security and access. And, they have to understand application requirements and define mission success.

Ultimately, agencies want an “Anything-as-a-Service” (XaaS) environment where IT teams can deliver needed resources in an OpEx environment – as quickly as their mission requires.  They recognize many applications will never enter a public cloud environment, since private cloud meets most of their critical needs.

With ViON’s hybrid cloud environment, agencies get a unique on-premises private cloud that can be leveraged on a consumption-only basis, tailored to meet stringent data controls, security demands, and enterprise-class infrastructure for the most demanding application environments. Agencies buy what they use, and data stays 100 percent within their control. Then, ViON assists agencies in leveraging this solution to connect to multiple public clouds, as appropriate for workload performance and security needs.

ViON also helps agencies lay the groundwork before deploying a hybrid environment, walking through initial questions including:

  • What is the end goal?
  • Are there security or compliance mandates to uphold?
  • Which applications are “cloud-ready”?
  • What is the migration strategy?
  • Is there adequate support across the cloud lifecycle?
  • And, are we confident our service provider is up for the task?

From here, agencies can determine how to best use cloud to create an XaaS environment:

  • Create a Statement of Objectives that summarizes what your agency wants cloud deployment to achieve. This streamlines acquisition and provides agencies with a more flexible solutions selection process.
  • Use either a single-contract award or a multi-year contract with options. This simplifies the task of managing and monitoring performance, and helps keep the contract financially viable.
  • Weigh best value over best prices. This ensures your agency is receiving the cloud that will best achieve mission success.

Learn more about laying the groundwork for cloud migration and deploying XaaS:

I’m voting for hybrid to meet IT modernization goals based on workload, security, and operational requirements. A more efficient, more flexible IT environment will pave the way for improved services at lower costs.

This blog post was originally published here.

The Weekend Reader–Oct. 28

Industry Insider: What’s Happening in IT

MeriTalk compiles a weekly roundup of contracts and other industry activity. Stay up to date on everything that’s happening in the Federal Information Technology community. MeriTalk.com keeps you informed about the topics that mean the most to you and creates a targeted platform for cooperation, public-private dialogue, highlighting innovation, and sharing informed opinions. This week: News from Dell EMC, GAI, DHS, University of California-San Diego, and more.

IG Questions Business Practices, Major Losses at 18F

The General Services Administration’s digital services organization, known as 18F, has consistently overestimated revenue projections by tens of millions of dollars, allowed IT staff to spend more than half of their time on non-billable projects, and continued to hire employees at the top of the Federal pay scale despite losses that now amount to more than $31 million, a new inspector general report found. The report found that 18F overestimated revenues for each year since its founding in 2014. Despite these revenue discrepancies, 18F continued to hire new staff from Silicon Valley. The report also found that “less than half of staff time was spent working on projects billed to Federal agencies.” The remaining time was spent promoting 18F projects, developing the 18F brand, and developing a timekeeping system.

State Department Moves to Modular Data Centers

The Department of State has moved from leased data center facilities to data centers on government property by using a modular approach. Two years ago, the State Department mandated that the agency start to use government-owned property data centers. The agency moved from using an 11,000-square-foot leased facility to an 800-square-foot modular data center.

Speed is Essential to Get to Cloud, IT Modernization

When Tony Summerlin, senior strategic adviser at the Federal Communications Commission, helped write the first Federal Risk and Authorization Management Program, he said he envisioned the program as a much quicker and sleeker version of what it is today. Summerlin, who spoke at a panel at ServiceNow’s Now Forum on Oct. 26, said his goal was to draft a plan that would accelerate people to the cloud. Instead, it turned into a 1,500-page bureaucratic exercise that he said “wasn’t the point” of the document. According to Summerlin, speed is one of the biggest challenges to Federal initiatives across the board, not just in the application of FedRAMP.

DOJ Aims to Reduce its Data Centers to 3 by 2019

The Department of Justice plans to have three physical data centers by 2019, according to Mark Busby, program manager of data center transformation for DOJ. Busby said that he and his team are still working to optimize data centers and shared services, as well as manage colocation facilities. Colocation facilities offer space, power, heating, and cooling for agencies seeking to store hardware. “The less I get to put into physical data centers, the better.

GSA, the IG, and Third Time’s a Charm?

So, you heard it here first–GSA does indeed have its underpants full of alligators. This week’s IG report on GSA’s 18F $31 million flutter makes the $800,000 Las Vegas boondoggle look like a pocket-change indiscretion. And, we understand the IG’s not finished yet–not one, but two more IG reports on the way in November and December. After the election, good time to take out the trash–also provides time for any criminal action.

But the waves outside the building at 18th and F Streets pale beside the tempest inside the four walls.  The PR spin machine’s bailing hard–look at the posts back on the blog–but the boat’s taking on water fast. And, as folks duck for cover, there’s more dysfunction afloat. 18Fers trampling one another in a scramble to find billable work. At the same time, 18F, FedRAMP, and the OCIO all feuding over long overdue ATOs. Rob Cook will need all his experience working with Monsters, Inc.

MeriTalk got up close and personal with GSA’s dysfunction when working with 18F/TTS and FedRAMP on a Sept. 13 program. Denise Roth approached MeriTalk about using the platform as a jumping off point for broader collaboration to fix significant structural challenges with her two most troubled children. Despite Roth imploring her 18F and FedRAMP leadership to cooperate and answer simple questions, the event was an embarrassing disaster for all involved–here are GSA’s “responses” to the questions we posed on 18F/TTS and FedRAMP.  100-plus attendees were treated to yours truly upbraiding GSA’s 18F/TTS and FedRAMP leadership–here’s that speech. Congressman Gerry Connolly took the lectern next–and told GSA to get its act together or face new legislative action.

Will GSA’s keel-less course capsize the $3.1 billion IT modernization fund?  How can the Hill trust GSA to manage the money? What new revelations will come in the next two IG reports?

Vegas or no Vegas, I’d wager there’s change ahead for GSA. Congratulations to those stalwarts in the agency that had the sense to engage the IG–pity leadership didn’t heed your counsel.

The Situation Report: Hello Experienced, Meet Edgy

After 20 years as a working technology journalist in Washington, D.C., I finally made it to the ACT-IAC Executive Leadership Conference this week. So, what did I think?

Well, I was amazed at how many of the same faces from my early days covering government technology still haunt the grounds of Colonial Williamsburg every year, only now those faces are capped by mostly gray and white hair. And while that doesn’t necessarily bode well for the pace of change in government, the sea of gray and white set the stage for one of the most relevant sessions of the two-day event: the airing of grievances between the “experienced” and the “edgy” (aka, the baby boomers and the millennials).

It’s no secret that the Federal government is scrambling to figure out how to attract and retain millennials to help chart the future course of digital government. It’s also no secret that millennials bring some unconventional (ahem, unrealistic?) expectations to the table when it comes to a career in government. And that’s what stuck out like a sore thumb during this session.

Emily Hsu, a strategic programs manager at Agile Defense and one of the panel’s millennial representatives, literally almost caused a mass cardiac arrest when she began explaining how millennials want to work from home in their pajamas. “So what if I work in my pink slippers,” she said. “Would you really think differently of me?”

The scene in the room at that moment was priceless.  It looked like a Sanford and Son convention with everybody holding their chest and muttering at the same time, “This is the big one, Elizabeth! I’m comin’ to join ya, honey!” It was a close call for this year’s government chair, FCC Chief Information Officer David Bray. There’s no way the Williamsburg Lodge had 600 defibrillators available to handle that kind of emergency.

But Bray’s insistence that 25 percent of this year’s presenters be millennials served its purpose. It showed the old guard where their leadership and mentoring had fallen short and the precise nature of the culture change the government is heading toward. When she wasn’t asking to work in her pajamas, Hsu was lamenting how everything in the military is based on “hierarchy,” and pushing for a safety net to catch her when her big ideas fail.

What was missing from the discussion, however, was how it’s sometimes beneficial for developing leaders to fall squarely on their face. Good managers build safety nets for their people and try to protect them from every perceived stumbling block. But good leaders teach you to navigate the stumbling blocks and pick you up when you fall.

The truth is, we’re all edgy on the way to experienced. And government needs a healthy mix of both qualities to succeed.

The Weekend Reader–Oct. 21

Industry Insider: What’s Happening in IT

MeriTalk compiles a weekly roundup of contracts and other industry activity. Stay up to date on everything that’s happening in the Federal Information Technology community. MeriTalk.com keeps you informed about the topics that mean the most to you and creates a targeted platform for cooperation, public-private dialogue, highlighting innovation, and sharing informed opinions. This week: News from Unisys, StartEd, McGraw-Hill, and more.

NSA Contractor Will Be Charged Under Espionage Act

The U.S. government is charging Harold T. Martin III under the Espionage Act after concluding that the National Security Agency contractor took home 50 terabytes of classified data, which was first reported by the Washington Post. Martin also had the cyber weapons that the hacker group the Shadow Brokers were attempting to sell online, although prosecutors can’t find the link between Martin and the group. It doesn’t appear that Martin’s computer was breached. Martin also took six banker’s boxes full of documents, which he stored openly in his home and shed.

State Laws Govern Student Data Privacy

Educational technology has demonstrated numerous benefits for both educators and students; however, recent advancements are not without concerns. As ed tech becomes more prevalent in the classroom, privacy rights activists and the Federal government are growing concerned about how sensitive student data is being handled and secured. The Center for Democracy & Technology, along with the law firm BakerHostetler, developed a state-by-state compendium of privacy laws relating to the collection, use, and sharing of student data.

International Law Applies Pretty Well to Cyber War, Experts Find

Current international laws surrounding warfare can be applicable to instances of cyber war, according to experts. However, concerns of attribution and automation can complicate the degree of response a nation is legally allowed to take. Michael Schmitt, chairman of the Stockton Center for the Study of International Law at the United States Naval War College and professor of public international law at the University of Exeter, focused on what a nation-state could legally do in the event of a cyberattack by another country or non-state actor.

Northwestern University Makes Dorms Smart

By 2018, students at Northwestern University will not carry metal room keys. The university is in the process of updating student identification cards to grant access to dorm rooms. The majority of students at Northwestern swipe their identification cards, or Wildcards, to access the library, the dining hall, the recreation center, and their dorm buildings; they use conventional keys to get into their dorm rooms.

Securing Federal Networks in a Post-OPM Breach World

After the OPM breach in 2015, what has the government learned? What would be done differently with today’s technology?

During a Federal News Radio interview, Aubrey Merchant-Dest, Federal CTO, Blue Coat, pointed to guidance from the National Institute of Standards and Technology (NIST) and the Department of Homeland Security (DHS) as ways for agencies to prevent another breach.

Mobile Security Depends on Software, Hardware, and Sense

You may have heard the phrase “this is a marathon, not a sprint” used when discussing important programs launched by organizations. That might be the case with some business initiatives, but it doesn’t necessarily apply to Federal IT.

Last year, when U.S. CIO Tony Scott called upon Federal agencies to take steps to protect information and improve network resiliency, he named the initiative the 30-day Cybersecurity Sprint. The directive implied that government IT, as currently constituted, was too beholden to outdated legacy systems and ineffectual security policies, and was woefully unprepared to manage today’s increasingly complex networks.

Mobility is a driving factor behind these challenges. The mobile Federal workforce is using thousands of devices with different operating systems to access Federal networks through multiple end points. Data is being retrieved and shared via the cloud, and is at risk both while in flight and at rest.

There seems to be little that you, as a Federal IT professional, can do to stop this rising tide. You, who are used to maintaining control over every system and application operating over your network, have had to adjust to a new reality.

But there is something you can do.

Software and Hardware’s First Line of Defense

First, take heart that there are a number of new software and hardware features that help mitigate persistent threats derived from mobile devices such as laptops and tablets. Today we have operating systems and processors that work together to deliver tamper-resistant, lock-down security that can help prevent suspicious activity and compromised data.

New operating system (OS) features include virtualization-based security capabilities that make it possible to isolate critical data from the OS and restrict access to certain areas of the software. This isolation can prevent someone from being able to remotely gain control of a specific device.

On the hardware side, processors have also gotten some upgrades; Software Guard Extensions (SGX) can now be used by applications to set aside private regions of data and code. Here, legitimate software can be housed inside of an enclave and protected from attacks.

Together, these solutions form a solid first line of defense for these end-point devices–but even this is not enough to adequately protect against threats caused by mobile proliferation. Software and hardware security must be accompanied by policies regarding the segmentation of data and users, and the application of basic, common-sense security principles.

Segmenting data and users

Strong, two-factor authentication policies are a must in today’s mobile and cloud-based environment. These policies should be based on the identification of high-value assets that are classified as high, medium, or low impact. For example, data granted a “high” classification would receive the utmost level of security, and so forth.

Segmenting users into role-based profiles is also an effective tactic. This can make it easier to identify and choose devices for each individual, and allow for greater control over that individual’s access privileges. This approach gives you back a measure of control over your workforce’s mobility, while still allowing workers to use mobile devices to their benefit.

Common-sense Security Principles

The alternative is to simply let users bring in the mobile devices of their choice, but that can set you up for some serious risks. While it’s becoming increasingly acceptable to allow users to bring these devices into their agencies, you should still make sure that:

  • All devices are patched and include up-to-date software.
  • The only data that can be accessed through the device is the data the user absolutely needs (and only agency-approved applications should be allowed).
  • The device uses a modern operating system, such as iOS, Android, or Windows 10.

This is a pretty straightforward checklist, but it can make the difference between a device that’s safe and one that can introduce unwanted risks to your network. Thankfully, many of today’s laptop and tablet devices include authentication built into the hardware and operating system, which can help make developing and managing rules-based access much easier for you.
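The classification tiers, role-based profiles, and device checklist described above can be combined into a single deny-by-default access decision. The following Python is an added illustration written for this page, not code from the article or from any agency or vendor product; the role names, version thresholds, approved-application list, and sample devices are all constructed for the example.

```python
"""Rules-based access decision combining data classification, role profiles,
and a device-posture checklist (illustrative example; all thresholds and
sample records are constructed, not an agency baseline)."""
from dataclasses import dataclass, field

# Minimum OS versions treated as "modern" (constructed thresholds).
MIN_OS_VERSION = {"ios": (12, 0), "android": (9, 0), "windows": (10, 0)}
MAX_PATCH_AGE_DAYS = 30                                   # constructed limit
APPROVED_APPS = {"agency-mail", "agency-docs", "mdm-agent"}  # constructed list
# Role profiles: the highest classification each role may reach (constructed).
ROLE_MAX_CLASSIFICATION = {"analyst": "high", "staff": "medium", "contractor": "low"}
RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Device:
    os_name: str
    os_version: tuple
    days_since_patch: int
    installed_apps: set = field(default_factory=set)


@dataclass
class AccessRequest:
    role: str
    data_classification: str
    device: Device
    mfa_passed: bool


def device_findings(d: Device) -> list:
    """Return the checklist items a device fails; an empty list means compliant."""
    findings = []
    minimum = MIN_OS_VERSION.get(d.os_name.lower())
    if minimum is None or d.os_version < minimum:
        findings.append("unsupported or outdated operating system")
    if d.days_since_patch > MAX_PATCH_AGE_DAYS:
        findings.append("patch level older than %d days" % MAX_PATCH_AGE_DAYS)
    unapproved = d.installed_apps - APPROVED_APPS
    if unapproved:
        findings.append("unapproved applications: " + ", ".join(sorted(unapproved)))
    return findings


def decide(req: AccessRequest) -> tuple:
    """Return (allowed, reasons). Any failed rule denies; reasons are collected
    so the user and the help desk can see every gap, not only the first."""
    reasons = []
    cls = req.data_classification
    if cls not in RANK:
        return False, ["unknown classification %r" % cls]
    role_max = ROLE_MAX_CLASSIFICATION.get(req.role)
    if role_max is None:
        reasons.append("unknown role %r" % req.role)
    elif RANK[cls] > RANK[role_max]:
        reasons.append("role %s is limited to %s data" % (req.role, role_max))
    # A second factor is required for every classification.
    if not req.mfa_passed:
        reasons.append("second authentication factor not presented")
    reasons.extend(device_findings(req.device))
    # High-impact data additionally requires a device enrolled in management.
    if cls == "high" and "mdm-agent" not in req.device.installed_apps:
        reasons.append("high-impact data requires a device enrolled in management")
    return (not reasons), reasons


if __name__ == "__main__":
    # Constructed sample devices and requests.
    managed = Device("ios", (15, 2), 7, {"agency-mail", "mdm-agent"})
    stale = Device("android", (8, 1), 45, {"agency-mail", "game-of-week"})
    for req in (
        AccessRequest("analyst", "high", managed, True),
        AccessRequest("contractor", "high", managed, True),
        AccessRequest("staff", "medium", stale, True),
    ):
        allowed, why = decide(req)
        print(req.role, req.data_classification, "->", "ALLOW" if allowed else "DENY", why)
```

The decision collects every failed rule rather than stopping at the first one, which keeps the denial message actionable: a user with an unpatched device and no second factor learns about both at once, and the findings list maps directly onto the three checklist items above.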

It’s somewhat ironic that even though mobile usage has changed the way you handle many of your agency’s IT processes, managing security still comes down to a traditional combination of technology and policies. Today’s operating systems offer a powerful and unprecedented level of protection against mobile threats. When this technology meets sound, baked-in security policies, it creates an exceptional security posture that’s worth running toward.

Calling All #ChangeAgents

The world, our nation, and our public service are all experiencing exponential changes with technology.  What we do is increasingly interconnected.

In the midst of change, individuals can choose to maintain the status quo or become #ChangeAgents, leaders who “illuminate the way” and manage the friction of going beyond the status quo. The public mandate is clear: deliver results differently and better. Now more than ever, public service needs #ChangeAgents.

With the upcoming presidential transition, now is the time to develop new proposals to transform how the totality of public service–industry, government professionals, and concerned members of the public–works together. One of our objectives is to deliver nonpartisan, positive #ChangeAgent proposals for the next administration to consider.

The 2016 Executive Leadership Conference (ELC) will gather #ChangeAgents for training and education and showcase examples of #ChangeAgents who are already making a difference today. We need to provide “safe spaces” to experiment on doing public service differently and better.

As an attendee, you will be part of the pivotal movement for public service #ChangeAgents. You’ll have the unique opportunity to:

  • Participate in executive-level collaboration, focus, and training to identify solutions within transformational leadership, agile government, and disruptive technology.
  • Discover the transformational changes undertaken in Denmark and find out how they’re exceeding citizen expectations.
  • Judge the “Voices of Change”–“TED”-like talks on what’s already working in public service and can be scaled. The winning presentation will be presented to the next administration.
  • Hear the “Perfect Pitches”–“Shark Tank” presentations on ideas for OMB to deliver results differently in 2017.
  • Get dual perspectives in “Experienced vs. Edgy Debates”–experienced executives and new, rising leaders engaged in provocative discussion on conference sessions, ideas and comments from speakers.

For more than 20 years, ELC continues to be the premier government IT event connecting senior government and industry executives with innovative opportunities to engage, learn, and collaborate.

I’d like to thank my ELC co-chair, Teresa Bozzelli, senior vice president, Sapient Government Services, for her passion and dedication to making ELC 2016 a must-attend event in our industry.

For those who have already registered, I look forward to seeing you in Williamsburg, Va., Oct. 23-25. If you have not registered yet, there is still time to do so at www.actiac.org/ELC.

The Weekend Reader–Oct. 14

Industry Insider: What’s Happening in IT

MeriTalk compiles a weekly roundup of contracts and other industry activity. Stay up to date on everything that’s happening in the Federal Information Technology community. MeriTalk.com keeps you informed about the topics that mean the most to you and creates a targeted platform for cooperation, public-private dialogue, highlighting innovation, and sharing informed opinions. This week: News from BMC, MassDOT, and more.

White House Announces $300 Million in Tech Funding Ahead of Frontiers Conference

The White House announced that it will provide more than $300 million to support science and technology on the day of the White House Frontiers Conference in Pittsburgh. John Holdren, director of the White House Office of Science and Technology Policy, said these projects prove President Obama’s seriousness about innovation and technology policy; $70 million from the National Institutes of Health will be given to researchers to understand Alzheimer’s and Parkinson’s diseases, depression, and traumatic brain injuries.  And $16 million and four partners will be added to the Precision Medicine Initiative to expand its national research study, which seeks to improve medical care.

How David Bray Is Bringing Change to the Executive Leadership Conference

Federal Communications Commission CIO David Bray, who’s been an outspoken proponent of creating so-called #ChangeAgents at every level of an agency’s organizational structure, is bringing his unique brand of thinking to this year’s Executive Leadership Conference (ELC), an annual event hosted by the American Council for Technology-Industry Advisory Council (ACT-IAC) that brings 800 government and industry executives together for two and a half days of leadership development and collaboration. In an extensive interview following the IT Boardwalk session, Bray outlined his plans for shaking things up at ELC.

Robots Will Be Ready to Support Human Life in Space by 2030s

In order to settle on Mars, robots and humans have to work hand in hand, which will be possible soon, according to Red Whittaker, professor at the Robotics Institute at Carnegie Mellon University. “The robotics that support human life on Mars will be an entirely new class of robots,” Whittaker said. “There’s a clear sense of what’s called for and we’re going to come through.” The robots that are on Mars for exploration purposes will have to be updated in order to perceive, plan, and process to solve problems in space. “They have to be compatible with humans,” Whittaker said.

Touhill Expects Full Tour of Duty as Federal CISO

Gregory Touhill is optimistic about his ability to remain in his position through the presidential transition and has many plans that he hopes to carry through that transition. “I expect to be here through the transition,” Touhill said. “I want to have a cyber desktop exercise,” Touhill said, explaining that if senior leaders can spend even an hour understanding what to do in the event of a cyberattack, it can improve overall agency capability.

The Situation Report: One Transition Is Not Like the Other

My remote listening post in Tysons Corner, Va., has picked up increasing concerns about the upcoming presidential transition and its potential impact on Federal IT.

One veteran Federal analyst tells The Situation Report that the “average” presidential transition ushers in 5,000 new appointments, 1,000 of which require Senate confirmation. But the upcoming transition promises to be a unique experience, regardless of who gets elected.

Sources say although a Clinton administration would be viewed as a third term for President Barack Obama, Clinton has staked out some independent turf when it comes to IT policy. In fact, analysts tell The Situation Report that the future of the U.S. Digital Service and the General Services Administration’s 18F digital consulting arm remain up in the air. Both remain “top candidates for change,” according to Tysons Corner intercepts.

“If it’s not in statute, it’s likely to see some changes and, even if it is in statute, how it’s implemented will change,” according to one analyst intercept.

All bets are off, however, if Donald Trump wins the White House, analysts say. Even the most experienced hands in Federal IT policy are hard-pressed to offer predictions of what a Trump administration would mean for Federal IT policy, contracting, and spending.

Transition teams for both candidates are hard at work at GSA identifying issues to focus on and potential key appointees. And while policies can sometimes carry over from one administration to the next, the policies governing how those ideas are put into practice “can change dramatically,” say analysts.

Modernizing Security Clearance Systems

According to the latest Quarterly Progress Update on Insider Threat and Security Clearance Reform, the National Background Investigations Bureau (NBIB) Transition Team, created this month to help stand up the new agency, has partnered with the Defense Department to enhance the security of existing Office of Personnel Management IT systems.

To date, “DoD has identified IT and security requirements for a new and modern ‘eApplication’ system, which will replace OPM’s current application system (electronic Questionnaire for Investigations Processing (eQIP)).”

But the government has a long way to go before significant changes to the security clearance process and insider threat program begin to take effect.


Should CIOs and CISOs Be Talking Security or Resiliency?

Many individuals are running to grab a seat on the cybersecurity train. A clear sign is the sheer number of new companies and vendors at last year’s RSA conference. Most are trying to secure a portion of the network to prevent the latest flavor of cyber threat: crimeware, Web app attacks, DDoS, and so on. While their intentions are good, these vendors overlook a crucial part of enterprise security: the business itself.

Often we’re so focused on locking down data access that we lose sight of whether the business can continue when data is lost, stolen, or compromised.

Instead of asking if your network is secure, step back and ask yourself, “Is my network resilient?”

The Federal government can learn a lot from the commercial sector when it comes to cyber resiliency. Take, for instance, the banking industry. Think about it. If someone denies you the ability to use your money or even steals it, you generally can still get it at the end of the day.

Banks have accomplished this through a level of coordination that extends beyond cyber and information systems to include a series of business processes that allows them to fight through the adversity caused by a cyber incident. They’ve become resilient.

CIOs and CISOs can start to filter through what they need to focus on by asking themselves, “If I were to be attacked today, are we resilient enough to still do business?”

By adopting resilient business and technology practices, critical business activities can continue through an incident instead of stopping with it. This reduces the impact of incidents, and it gives you a way to translate information technology issues into a language that resonates with policymakers and higher-level stakeholders.

Here are some questions to start thinking about when moving toward a resiliency mind-set.

  • What services deliver the most value to your business and what quality of service is needed for your customers to be satisfied?
  • How aligned are you to the goals of business owners, and do your security priorities match theirs?
  • Are you spending more time on threat prevention than threat remediation?
  • How much do everyday employees know about the latest cyber threats and the impact they can have on their organization?

Resilience should not only be considered but implemented, exercised, and debriefed, so that each exercise further strengthens the business model it protects.

And remember, there’s nothing wrong with the cybersecurity train, just so long as you know your final destination before you jump on.

For more on cyber resiliency, take a look at “Six Principles of Resilience to Manage Digital Security,” by Gartner contributor Heather Pemberton Levy.

You can also visit our website for free white papers, case studies and blogs on the topics of security compliance, risk mitigation, threat remediation, technology architectures, and much more.

The Weekend Reader–Oct. 7

Industry Insider: What’s Happening in IT

MeriTalk compiles a weekly roundup of contracts and other industry activity. Stay up to date on everything that’s happening in the Federal Information Technology community. MeriTalk.com keeps you informed about the topics that mean the most to you and creates a targeted platform for cooperation, public-private dialogue, highlighting innovation, and sharing informed opinions. This week: News from Intel, Department of Energy, Cyberspace Solutions, RAND Corp., and more.


The Situation Report: Contractors and Clearances in the Post-Snowden Era

The FBI in August arrested NSA worker Harold Thomas Martin III, who, like Edward Snowden, was an employee of Federal contractor Booz Allen Hamilton. Former senior officials who’ve worked at both Booz Allen and in the intelligence community as government employees are now questioning the efficacy of the security clearance process and the hiring practices of the firm that provides one of the largest pools of cleared Federal contractors. A former senior career intelligence official, who spoke to MeriTalk on condition of anonymity, said this latest incident doesn’t reflect poorly on Booz Allen but rather highlights the urgency to once and for all reform and modernize the security clearance process.

Headhunters are Stalking Your Cybersecurity Experts

Nearly half of cybersecurity professionals are solicited to consider a job at a different company at least once a week, making for unstable jobs and an artificially inflated job market, according to a recent survey. “People go job shopping all the time or are being asked to job shop.” This has a negative effect on organizations, as an already limited number of cybersecurity professionals end up getting moved too much to maintain constant practices. This bodes well for Federal cybersecurity positions, as government leaders have said that those who choose to work for government often have patriotic motivations.

U.S. Can’t Touch Microsoft’s Overseas Data Centers

Microsoft is building data centers in Germany that are tailored toward customers who want the most stringent privacy protections. Access to information in these data centers will not be allowed to anyone, including Microsoft, without the permission of the customer or data trustee. The German data regulations ensure that customers would be able to see where and how their data is processed.


Patent Office Makes Big Data Open to the Public

Since the official launch of the U.S. Patent and Trademark Office’s Open Data and Mobility program at the end of April, the data platform has accumulated 25,000 unique users and 375,000 page hits. The Open Data and Mobility program makes the agency’s data available to the public, allowing people to view information on patents and research history.


Clouds Mature for Business: Current Trends in Cloud Adoption

As Cloud Computing matures as an engine of cost savings, improved agility, and enhanced security, options have grown beyond the “one-size-fits-all” offerings available to early users. Organizations can choose between a mix of on-premises or off-premises clouds, or implementing hybrid architectures that combine the best features of all these choices into a tailored solution that meets their own unique needs. When choosing cloud services, consider these factors:

Hyperconvergence is Collapsing Infrastructure, Labor, and Cost in the Data Center

The last several years have seen dramatic advances in “hyperconvergence”–the prepackaged consolidation of compute, memory, storage, networking, and virtualization within scalable building blocks. Hyperconvergence is collapsing the equipment stack and gutting the labor needed to integrate, configure, and operate the complex infrastructure of a world-class data center. In addition to savings in cost and labor, hyperconvergence makes it possible to dramatically accelerate infrastructure standup and modernization, speeding delivery of savings and efficiencies to tenant end-users.

Data Center Modernization and On-Premises Clouds

Many customers are using this as an opportunity to modernize IT operations and offer internal cloud services to users, building new capabilities within facilities they already own and control. These on-premises, private clouds are an excellent way to bring innovation to users while still retaining full control of infrastructure and operations. Hyperconvergence’s simplicity and cost savings make the on-premises cloud even more achievable and cost effective than ever before.

On-Premises or Off-Premises: Tradeoffs in Control, Cost, and Business Agility

For customers with legacy IT infrastructures and compelling security requirements, on-premises private clouds are becoming the preferred approach to leverage the benefits of cloud. While this “do-it-yourself” approach allows customers to retain complete control over all aspects of their IT infrastructure, cloud service providers (CSPs) such as Microsoft, GDIT, and others offer commercial alternatives.

Security in the Cloud: Are my Data, Applications and Users Safe? 

The cost savings obtained by moving workloads off-premises to a commercial CSP can be significant, and CSPs offer additional advantages in scalability, geographic distribution, and pace of innovation that can be difficult for on-premises solutions to match. Leveraging these advantages requires that organizations give up a level of control over their infrastructure; the key in making that tradeoff is ensuring the data, applications, and users are safe in the off-premises CSP’s environment.

For U.S. government applications, the Federal and DoD standards that CSPs must meet to authorize their clouds are strong and getting stronger. The FedRAMP authorizations held by CSPs are already sufficient for most commercial and government workloads and data, and several vendors expect DoD Impact Level 5 (IL5) provisional authorizations under the DoD Cloud Computing Security Requirements Guide before the end of 2017. That level covers unclassified workloads up to controlled unclassified information and unclassified national security systems; classified information still stays out of the commercial cloud. One caveat: an authorization covers the CSP’s side of the shared responsibility model, so the tenant’s own configuration, identity and access management, and data protection still have to be engineered and verified by the organization.

Best of Both Worlds: Secure Hybrid Clouds

As the security and features offered by CSPs continue to grow, organizations should look to realize savings by migrating workloads to commercial infrastructures while still maintaining on-premises clouds for more sensitive (or classified) workloads. As a result, organizations are finding themselves with a requirement for managing a hybrid cloud environment comprised of both sensitive on-premises workloads and less sensitive off-premises workloads. Hybrid cloud solutions provide the best of both worlds: maximizing cost savings by leveraging CSP services, while still protecting highly sensitive information by retaining control over their most sensitive workloads and data within on-premises clouds. As CSPs continue to improve the security of their offerings and IT organizations gain additional experience–and trust–in their hosting, migrations of workloads to CSPs will accelerate.

Beyond Infrastructure: Application Rationalization, Migration, and Modernization

GDIT is helping organizations achieve additional savings by using the migration to the cloud as an opportunity to rationalize their applications architectures and remove redundancy in equipment, licenses, and duplicative services. GDIT has found that modernizing legacy applications to take advantage of native cloud services–such as containers, “serverless-compute” and shared micro-services–can deliver new capabilities while significantly reducing the amount of code that must be maintained. The end result is better business value for users and cost savings for the IT organization.

On-premises, off-premises, or hybrid–cloud infrastructure modernization is delivering transformational benefits to IT organizations today. The future of IT looks bright with a 100 percent chance of clouds!

The Situation Report: Contractors and Clearances in the Post-Snowden Era

When news broke this week that the FBI in August had arrested another NSA employee for allegedly stealing and hoarding highly classified information in his home and car, many immediately raised questions about the efficacy of the security reforms put in place at the agency in the aftermath of the leaks by Edward Snowden.

Such questions are absolutely valid and logical. In the aftermath of the Snowden incident—arguably the most damaging intelligence leak in U.S. history—why was Harold Thomas Martin III able to walk out of what is believed to be one of the most secure buildings in the world with top secret documents and digital information over the course of a decade?

But there are more fundamental questions at stake in this case. Like Snowden, Martin was an employee of Federal contractor Booz Allen Hamilton. Former senior officials who’ve worked at both Booz Allen and in the intelligence community as government employees are now questioning the efficacy of the security clearance process and the hiring practices of the firm that provides one of the largest pools of cleared Federal contractors.

A former senior career intelligence official, who spoke to MeriTalk on condition of anonymity, said this latest incident doesn’t reflect poorly on Booz Allen but rather highlights the urgency to once and for all reform and modernize the security clearance process.

“We have silos that have to be changed and we have to do it now,” said the former official, who’s worked for decades throughout the intelligence community. “The OPM backlog on investigations and periodic re-investigations is also a huge problem, as is the need for better identity management and user authentication.”

The former official, who knows many of the senior leaders at Booz Allen personally, defended the company. “Booz is the largest intel community firm I know. I don’t think there will be any repercussions from this. They’re as good as anybody,” the official said. “What is certainly needed now is moving the continuous evaluation program out of pilot phases more rapidly. We’re going to be moving into a rapid period of modernization and we should use this incident as an opportunity to move faster.”

The Obama administration last month tapped former Northrop Grumman chief of security Charles Phalen to lead the newly established National Background Investigations Bureau. But Phalen and the new NBIB have inherited a massive backlog of investigations and will have to find a way to deal with what one former official described as the out-of-control growth of the contractor workforce.

“When I worked at Booz Allen they were considered the best, at the top of their game,” the official said. “I mean, I wanted to get my Booz Allen shirt to wear so everybody knew I was with the best. Then I moved into government and in 2011, shortly after the company announced their initial public offering (IPO), they underwent this massive expansion. If you had a college degree, they were hiring you. And I immediately began to see a significant decrease in the quality of the employees that they were detailing to my office,” the former official said. “The profit motive was very strong.”

According to the company’s latest SEC filings, it employs 22,600 people, of which more than 15,000 hold a government security clearance.

But one official pointed to a challenge faced by the entire intelligence community: a major generational disconnect between the secrecy requirements of intelligence operations and the millennials entering the workforce. More than 65 percent of the intelligence community workforce date their entrance into the profession to during or immediately following the terrorist attacks Sept. 11, 2001. And many have brought with them fundamentally different views of secrecy.

“Many millennials view access to government secrets as a right, when in fact as a member of the intelligence community it is a privilege,” said a former Department of Homeland Security official. “The old Cold War warriors are all but gone now. But with companies like Booz Allen, where are they hiring from? They’re hiring kids right out of college, who sometimes bring with them the most liberal ideologies and ideas of government secrecy that are so rampant today on college campuses.”

According to the most recent statistics from the Director of National Intelligence, more than 2.8 million people hold a government security clearance. Of those, more than 860,000 are private contractors.

What’s the Big Idea: How Thinking Differently is the Key to True Transformation

The Federal government is not traditionally known as being on the bleeding, or even leading, edge of technology. Yet agencies are being challenged every day to innovate, modernize, and “think outside the box”–many times with limited resources. And these challenges are coming from everywhere: from inside the agency, from outside forces such as hackers, and even from constituents who are engaging with agencies in a digitally transformed world. Anyone can tell you it costs a lot of taxpayer money to dream big.

Or does it?

In reality, the big ideas are already tested and validated in the commercial sector. Sometimes, you can match up the big idea with a transformative approach to realize dramatic change…and equally dramatic savings. Most agencies tend to think of IT modernization in strictly hardware and software terms. But modernization is a different strategy…a different way of thinking that includes human beings as well as machines.

All you need to start with is a mission to transform your thinking.

The Mission

To think differently you need to collaborate in entirely new ways. We’ve done this at Dell EMC and we see it all the time within our customer community. The successful groups, the ones that really transform, start by gathering a small but diverse group of people to help. If you’re not the CIO, then invite the CIO. Now add long-tenured IT staff Federal employees, front office administration, a person from finance, one from human resources, a field officer, and then sprinkle in a millennial or two for good measure. You can’t have fresh ideas by using the same thinking and strategies that you use today.

Start with the core mission of your agency, and identify the tech-enabled tools that are helping you accomplish that mission every day. How well are those tools working? How smoothly is the system functioning? Separate them into three lists – good, average, fail – and then triage the “failing” group by assigning priorities based on a function’s criticality to accomplishing the agency’s mission. How much time, money, or resources will it take to correct each problem you’ve identified? Your workgroup will have different ideas about which challenges are merely challenges, and which are outright roadblocks. Allow them to determine your IT priorities.

Traditional IT-centric projects, driven by managers operating in silos within an agency, simply do not align with the agency’s mission. An antiquated system of servers, storage, and networking cannot deliver information quickly enough or across enough devices. IT priorities have evolved to both create the new information delivery system and make old systems deliver information to that new infrastructure.

We say a future-ready Federal agency is one whose IT infrastructure is the engine of efficiency, not the anchor that prevents it from moving forward. One whose IT infrastructure not only allows change, but is prepared for it. One that enables IT to unlock greater value from its investments, adopt emerging technologies more rapidly, and focus more on new areas of innovation. Digital transformation is an imperative. It is the difference between a successful mission and utter failure.

The transformation has already begun in the workforce and among your constituents. People are witnessing the myriad ways technology is changing the way they conduct daily life, and they expect to have access to those tools when they get to the office. Providing the latest app-enabled tools creates a workforce that grows more connected even as more employees work remotely.

Next Steps

By simplifying and automating an existing IT infrastructure and updating when and where it’s possible, your agency will discover it can actually free up funds for innovation–even with a flat budget. Dell EMC has worked with numerous Federal agencies, here and abroad, to achieve both savings and modernization.

It takes a strong team to break with tradition, think differently, and apply new strategies to doing business. Change doesn’t just happen organically, and it won’t happen if we continue to rely on old modes of thinking. But if there’s a willingness–to spend differently on different priorities driven by a different strategy–then there’s a clear way to IT transformation that aligns with your agency’s mission, not just IT’s mission.


Is GSA Breaking the Law?

Word on the street is that two new IG reports on GSA 18F/TTS will see the light of day in October. We understand that the reports were supposed to hit the street this summer–but that the IG keeps finding new issues and interviewing more folks at GSA and across the government.

So, do the delays mean there’s more than smoke? Is it true that the Department of Justice is engaged and looking at bringing criminal cases? Word is folks are leaving 18F to avoid prosecution. And, speaking of folks coming and going, it’s interesting to observe how 18F/TTS was busy hiring like crazy until the scent of the IG report triggered a hiring freeze a month ago. Why would you keep hiring folks when you’re only 30 percent billable? Rumor has it that 18F/TTS has been busy cooking the figures of late to make it look like it’s 40-plus percent billable. We’ll look forward to reviewing the numbers from that FOIA request. And, returning to hiring practices, we understand that 18F/TTS has not been hiring folks with skill sets that map to government agency customer demand–but why would you?

Some questions we hope the IG report covers: What does 18F have to show for American taxpayers’ $100 million investment? At a recent joint GSA/MeriTalk event, David Shive, GSA CIO and acting lead for TTS and FedRAMP, said TTS will break even by 2019–and that it will lose less money than last year.  So, how does TTS’ balance book look? Where are TTS’ happy government customers? How does TTS avoid competing with industry? And, of course, the big question, how should we measure success for TTS moving forward? A Government Technology article provides additional insight on 18F/TTS financials from a source inside GSA. So, MeriTalk’s not the only media platform barking up this tree.

Everybody knows government IT’s badly broken. We need new thinking that understands and respects government’s mission. We applaud the initiative that founded the Federal innovation core. Here’s hoping that GSA’s clean as a whistle.

GSA has not responded to MeriTalk’s request for confirmation and response to this story or on our previous blog post, FedRAMP Not FedRAMP’d?

“And you will know the truth, and the truth will set you free.”

John 8:32

CASB: The Federal Cloud Go-Between

Agencies continue to migrate to the cloud, but require a strong security service to protect their systems. A Cloud Access Security Broker (CASB) addresses those security concerns by sitting between end users and cloud applications, enforcing policy on the traffic that passes through it.

FedRAMP Not FedRAMP’d?

Word is that www.fedramp.gov–and even the new, shiny FedRAMP dashboard–are running in a cloud without a FedRAMP ATO. Now, that’s embarrassing. We hear that this is all part of a force play by Noah Kunin, director of delivery architecture and infrastructure services at 18F/TTS. But, it’s not just FedRAMP that’s naked and afraid–it’s usa.gov, digitalgov.gov, businessusa.gov, challenge.gov, performance.gov. Oh, and to make matters more interesting, presidentialtransition.usa.gov is also on the list. In fact, 70-plus government sites, central to the digital revolution that is 18F/TTS, have no FedRAMP ATO–and may all be shuttered immediately.

Huh? Good question. 18F/TTS just received $18 million in funding from the GSA FAS Acquisition Services Fund for the new cloud.gov on a cost-recovery basis–and Mr. Kunin needs to get some paying customers to keep the lights on. Conspiracy theorists might speculate one way to do this–force workloads off the existing Content Management Platform cloud onto cloud.gov by saying CMP’s not FedRAMP ATO’d. Where’s GSA CIO David Shive in this mess? Another question: Who approved the $18 million FAS investment in cloud.gov?

Here’s another little chuckle for agencies and vendors who’ve danced with the FedRAMP/18F monster. We understand that 18F/TTS is having issues getting its FedRAMP authorization for cloud.gov. FedRAMP Accelerated was supposed to authorize cloud.gov in November–but now that’s slipping to December. And one month’s slip has a nasty habit of leading to another. Go sit on Father Goodrich’s knee and tell him what you want for Christmas. Open government, anyone?

Telling it Like it is: Actionable Items From CNAP 2016 and the Cybersecurity Sprint 2015

From Cybersecurity Sprint 2015 to CNAP 2016, the Federal government is building on previous cybersecurity-focused Executive Orders to bring cybersecurity to the forefront of the American public and national security discussion.

Much of the focus is on bringing in “experts” and “manufacturers” to help the government come up to speed and address these issues at an aggressive pace. As Einstein simply stated, “Insanity is doing the same thing over and over again and expecting different results.” Before we start, understand one thing: Einstein might have understated his premise.

The U.S. government has historically used multiple vendors to create a fair and even playing field. The resulting patchwork of infrastructure and cybersecurity standards at many U.S. government facilities has created multiple gaps, voids, and overlaps, and in many cases a complete lack of usability. Going to the “cloud” for resources has not appeared to fare any better, with examples such as charges of up to $1,000, and a week of lead time, just to turn a virtual machine on or off. Modernization and security cannot exist in this environment.

Most people will focus only on the goal without actually solving the problem, or gap. All actors need to understand what the final goal should be in order to create the best possible environment for success. The one glaring mistake that generally occurs is not having an understanding of the current situation. This is generally because vendors, IT personnel, stakeholders and even a project manager will have a microscopic view of their own “piece” of the project based on “their” product. Most vendors feel that if you will only use their newest or latest and greatest “fill in the blank,” they can continue to “help you.” But, in reality, without understanding how all the pieces work together and where you are today, you will do nothing but create a larger problem for yourself moving forward. Speaking from more than 30 years in the industry, and building artificial intelligence ahead of the new technologies we are seeing, I can tell you without reservation that “no one vendor has all the answers.” And if any vendor tells you they do, they are most likely lying to you.

The cybersecurity market is continuously driven by aggressive customer needs around the ability to recognize and analyze threats from outside the confines of the “classic” walls of the defined network and correlate them to the activities and resources of the users within the environment. Every day there are more than 200,000 new malware samples, and more than 30,000 malicious URLs, being created. By the time you patch a system or purchase and install a new product, it is old or outdated. The biggest drawback is that each vendor has several “products” that work to secure pieces and parts of an environment, not end-to-end. Customers largely depend on staffs of analysts to monitor threats and make changes within the environment only after a threat has been determined.

If you as a customer only have $100 to spend on a solution, there are too many threat vectors, and personnel choices, to even begin to determine what might be the correct solution for you. You need to know which ones will directly affect you and your environment.

Forklifting everything you have in your environment generally costs quite a bit of money and exchanges old problems for new ones that you may not understand, or have identified. Knowing how to install products as part of a “solution” vs. “stand alone” is the most difficult task if you are looking for best of breed and need to work with different OEMs. First things first… PATCH YOUR ENVIRONMENT! More than 80 percent of all security breaches could be prevented by simply applying the patches that already exist for the vulnerabilities being exploited.

The nirvana in the industry has always been to recognize threats in real time, mitigate them in real time, and respond adequately without waiting on a human analyst. In that model, applications in the monitored environment would not simply suggest changes but automatically reconfigure and redeploy the environment, maintaining optimal utilization of resources and application performance while closing the exposed path.
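What that detect-and-mitigate loop looks like in its simplest form is shown below as an added example; it is not code from the original column or its author. It parses a few constructed sshd log lines, flags any source address that fails authentication five or more times inside a five-minute sliding window, and turns each detection into a concrete firewall action rather than only an alert. The log format is real sshd syslog output, but the sample lines, the threshold and window, the assumed year (syslog lines carry none), and the nftables table and chain names are assumptions for illustration.

```python
"""Minimal detect-and-mitigate loop (added example, not from the original article).

Parses constructed sshd auth log lines, detects password brute force per source IP
with a sliding window, and emits nftables drop rules as the mitigation.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in sshd's syslog format (no year, as in real logs).
SAMPLE_LOG = """\
Oct  7 10:00:01 bastion sshd[4101]: Failed password for invalid user admin from 203.0.113.9 port 50122 ssh2
Oct  7 10:00:03 bastion sshd[4102]: Failed password for root from 203.0.113.9 port 50123 ssh2
Oct  7 10:00:04 bastion sshd[4103]: Failed password for root from 203.0.113.9 port 50124 ssh2
Oct  7 10:00:06 bastion sshd[4104]: Failed password for invalid user test from 203.0.113.9 port 50125 ssh2
Oct  7 10:00:07 bastion sshd[4105]: Failed password for root from 203.0.113.9 port 50126 ssh2
Oct  7 10:00:09 bastion sshd[4106]: Accepted publickey for deploy from 198.51.100.20 port 41000 ssh2
Oct  7 10:01:30 bastion sshd[4107]: Failed password for root from 198.51.100.77 port 41001 ssh2
Oct  7 10:09:30 bastion sshd[4108]: Failed password for root from 198.51.100.77 port 41002 ssh2
"""

# Matches only failed password attempts; "invalid user" is optional in sshd's message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

THRESHOLD = 5                   # failures that trigger mitigation (assumed policy)
WINDOW = timedelta(minutes=5)   # sliding window length (assumed policy)
YEAR = 2016                     # syslog lines carry no year; assumed for parsing


def parse_failures(text):
    """Yield (timestamp, source_ip) for each failed-login line; skip everything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"]


def detect_bruteforce(text, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: time_of_first_trigger} for IPs with >= threshold failures in window."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    offenders = {}
    for ts, ip in parse_failures(text):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # expire events older than the window
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = ts            # record the moment the threshold was crossed
    return offenders


def mitigation_rules(offenders, table="inet filter", chain="input"):
    """Translate detections into nftables rules. Returned as strings, not executed,
    so the caller decides whether to apply them automatically or hand them to an analyst."""
    return [
        f'nft add rule {table} {chain} ip saddr {ip} drop comment "bruteforce {ts:%H:%M:%S}"'
        for ip, ts in sorted(offenders.items())
    ]


if __name__ == "__main__":
    for rule in mitigation_rules(detect_bruteforce(SAMPLE_LOG)):
        print(rule)
```

On the sample input only 203.0.113.9 crosses the threshold (five failures in six seconds); 198.51.100.77 fails twice eight minutes apart and is never blocked, which is the point of the sliding window. Whether the returned rules are applied by the script itself or queued for a human is the policy decision the column is asking readers to make deliberately.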

Why are we not looking for the most probable threats today while closing gaps created from legacy products?

The Weekend Reader–Sept. 30

Industry Insider: What’s Happening in IT

MeriTalk compiles a weekly roundup of contracts and other industry activity. Stay up to date on everything that’s happening in the Federal Information Technology community. MeriTalk.com keeps you informed about the topics that mean the most to you and creates a targeted platform for cooperation, public-private dialogue, highlighting innovation, and sharing informed opinions. This week: News from NASA, DHS, and more.


Estonia CIO Calls U.S. Open Data ‘So Last Century’

U.S. thinking about open data is outdated, according to Taavi Kotka, CIO of Estonia, one of the first countries to go fully digital in its government information. “The way we talk about open data, especially here in the U.S., at least how it seems to me, is government takes information from the databases and puts it in some kind of data portals,” he said. “Open data in the meaning that you’re actually going to take data out from the database and put it somewhere in the portal, it’s just so last century.” He explained that digital governments rely on a fully standardized way of storing and using data, as well as a single way of identifying citizens across a variety of fields. “We only use this one unique identifier for the same person,” said Kotka, adding that this ID is used for government, health care, and private sector transactions.

Engage Communities to Build Smart Cities, Feds Say

The most important components for smart cities are engaging communities and forging partnerships, according to Federal officials. “That type of goal setting…might give people a concept of what might happen in the future.” One initiative that seeks to bring agencies together to form goals is the Department of Energy’s Better Communities Alliance. “Since 2008, and probably before, we’ve experienced an energy revolution in this country,” said Janine Benner, associate assistant secretary of energy efficiency and renewable energy at the DOE.

Online Access Codes Throw Students Under the Bus

University students have turned to online sources as avenues to avoid purchasing print textbooks, which can cost hundreds of dollars. However, with online access codes, the Student PIRGs report suggests that costs may have caught up with them. Online access codes are serial numbers that students use to unlock learning software, such as digital textbook passages, homework assignments, and exams.


National Parks App Pulled Without Explanation

“Initially they gave us the approval for this and they took it away,” said Matt Jagunic, geographic information systems specialist at NPS. The app highlights activities in the area such as hiking and paddling. However, neither Jagunic nor Mike Land, digital media specialist for the National Park Service Chesapeake Bay, know when the app will return to the market.


The Situation Report: Beware of Those Parachutes From Silicon Valley

Is the Obama administration’s election year lust for Silicon Valley’s dead presidents destroying the future of the career Federal technology leader?

My remote listening post picked up some interesting chatter along 17th Street near the New Executive Office Building that indicates a few very capable career Federal chief information officers have been given the cold shoulder by the General Services Administration during the search for a commissioner of the newly formed Technology Transformation Service (TTS).

Signals intelligence indicates that one of the Federal government’s most experienced and capable CIOs was told by GSA that they didn’t bring enough “management experience” to the table. In fact, the executive search firm that is responsible for guiding Silicon Valley types through the Federal job application process also went dark once they realized this CIO was already a Federal employee.

“This administration seems to be making an effort to place industry executives with deep pockets in career Federal IT positions,” said a senior Federal technology leader with nearly 20 years of government service. “It’s an election year.”

Proof? Well, we know that the former associate administrator for the Office of Citizen Services/18F at GSA—Phaedra Chrousos—co-founded and sold two tech start-up firms before joining government as a political appointee. But that’s hardly a smoking gun.

What is more compelling, however, is the fact that one of the career Federal CIOs who was unsuccessful in their bid to land an interview at GSA was told by a senior official at the Office of Management and Budget that the handful of candidates who were invited to an interview each had a net worth of at least $300 million.

Boom.

Follow the Security Money

There’s a lot of money behind the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program. So far, DHS and the General Services Administration have shelled out more than $110 million worth of task orders, the latest being Task Order 2F for continuous monitoring as a service.

There have been reports, however, that the pace of the CDM program is frustrating some in industry. My Tysons Corner listening post has intercepted raw reports that some agencies are simply delaying some cybersecurity investments because they know future task orders under the CDM program will cover them.

Symantec’s Ken Durbin recently told The Situation Report that CDM is where most of the action is right now in Federal cybersecurity.

“You can’t ignore the impact of CDM,” said Durbin, Symantec’s unified security strategist. “Of course, there’s money behind CDM and it’s controlling what our customers actually do.”

Whistleblower Award

My online sensor network has picked up strong signals that the Office of the Director of National Intelligence is working on an award program for national intelligence professionals who effectuate change “by speaking truth to power, by exemplifying professional integrity, or by reporting wrongdoing through appropriate channels.”

Too bad, Edward Snowden. That was so close. If they would just ditch that “appropriate channels” language, you might be able to come in out of the cold.

Picking the Right Cyber Event

The only thing that is possibly growing more rapidly than the number of cybersecurity risks is the number of cybersecurity events. So why attend the 7th Annual AFCEA DC Cybersecurity Summit? Here are six reasons why the Cybersecurity Summit on Oct. 11-12 is a must-attend event:

  1. Over 50 percent government attendance – This is an event that explores the many cyber challenges and issues facing the Federal government and is actually attended by government. Last year’s attendance was just about 50 percent government, and this year’s event is pacing beyond that. The Cybersecurity Summit gives you the opportunity not only to learn from the excellent panels and keynotes, but also to network and collaborate with colleagues, peers, partners, and customers.
  2. Over 30 cyber experts – Some of the top names in cybersecurity will be speaking at this event, and also participating in breakout sessions with groups of peers and colleagues digging deeper into the challenges they face every day.
  3. Special classified day – The classified session of the 7th Annual Cybersecurity Summit on Oct. 12 offers cleared attendees an opportunity to learn and network with leading cybersecurity experts. Hear senior executives express their thoughts on cyber threat, possible origins and the sharing of information across the government. This will also give you one of the first chances to hear from recently named Federal CISO Brig. Gen. Greg Touhill (USAF, Ret.) who will be participating on a panel. This session is cleared at the TS/SCI level.
  4. Cyber Shark Tank – Join cyber entrepreneurs as they bring their ideas to fruition. Watch as they present their ideas to cybersecurity experts, who are successful in their own field, from government, industry, and the venture capital community. The contestant’s objective is to persuade the sharks to choose their cyber technology over the other presentations.
  5. Give back to the community – This event is put on by AFCEA DC which is a nonprofit and volunteer organization that focuses on creating informative events, providing ethical networking and facilitating discussions with leaders of the Department of Defense, intelligence community, national security and military health-related agencies. In addition, AFCEA DC provides a number of STEM scholarships to area high school students.
  6. Continuing Education Units – AFCEA Washington, D.C., will be providing sessions approved to support continuing education requirements for maintaining CompTIA and/or GIAC certifications.

So get the most bang out of your cyber buck and register for this exciting two-day event on Oct. 11-12. For more information and to register, click here: http://bit.ly/2cIwPkB

The Weekend Reader–Sept. 23

Industry Insider: What’s Happening in IT

MeriTalk compiles a weekly roundup of contracts and other industry activity. Stay up to date on everything that’s happening in the Federal Information Technology community. MeriTalk.com keeps you informed about the topics that mean the most to you and creates a targeted platform for cooperation, public-private dialogue, highlighting innovation, and sharing informed opinions. This week: News from DARPA, Leidos, Intel, NOAA, and more.

Introducing 21st Century State & Local

MeriTalk's new publication, 21st Century State & Local (www.21centurystate.com) is now live.

Executive Editor Dan Verton writes: It is my pleasure to introduce 21st Century State & Local—a new online publication from the leading government IT media organization, MeriTalk. For many years, MeriTalk has helped drive the national technology and policy conversation in Washington, D.C., through forward-thinking and candid editorial products in print, online, and in person at our events series. Now, we’re bringing this same editorial leadership that we’ve built over many years in the Federal sector to the brave new world of state and local IT.

Special Report: Security is on the Ballot for Nov. 8

When Americans go to the polls Nov. 8, they expect their votes to be secret and secure. But recent hacks of two state voter databases make some question that expectation. One report said it would be easy for hackers to access voting systems, but many state and industry officials are confident in their security. Ballots cast overseas have a different set of challenges. Meanwhile, the act of voting is changing through innovative technologies. 21st Century State & Local takes a look at security at the ballot box.

White House Makes New Open Data Commitments

The White House released a progress report on its third Open Government National Action Plan and added new commitments to the plan. “These efforts and more demonstrate the United States commitment to an open government, one that is more transparent, collaborative, and participatory,” Megan Smith and Cori Zarek said. “Over the coming months, the administration will continue to work hard to deliver against all of our open government commitments and to further expand peer exchange opportunities.” The United States is working with other OGP countries to develop technologies that increase civic engagement.

Colorado Students Discover World Through Mystery Skype

Mystery Skype pairs classes from undisclosed locations around the world for video chat sessions. In the span of a class period, students must ask each other “yes” or “no” questions to figure out where their collective Skype dates are from. Toni Olivieri-Barton, Library Technology Educator at Fountain Valley School in Colorado Springs, said many of the partner classes come from within the United States because it is easier to logistically coordinate the time zones; however, sometimes her students will chat with their peers in Latin America and Asia.

The Situation Report: The Not-So-Secret Secret Service & Commercial Intelligence

The Not-So-Secret Secret Service (NSSS)

There’s something about the name of the U.S. Secret Service that has me wondering about the following imagery intelligence recently intercepted by my LinkedIn sensor network.

Special Agent Training Class 323 completed basic training and were sworn in by Secret Service Director Joseph Clancy on Thursday, Sept. 15, 2016. And if you’re curious, here’s a photo the agency released of all of the agents without their standard-issue Ray-Bans.


Private Intelligence Firms

If you want to know what whiz-bang technologies the CIA is researching and investing in, just look at the advertising technology industry. According to Chris Darby, president and CEO of the CIA’s venture capital firm, In-Q-Tel, ad-tech firms are generating identity intelligence in real time and at a granular level that many in the intelligence community are barred from collecting.

“These companies are intelligence agencies on their own,” said Darby, speaking Tuesday at the Third Ethos and Profession of Intelligence Conference in Washington, D.C.

“We’re trying to take the best technologies that are being deployed to these commercial entities and transfer it into the [intelligence] community. And they’re really good at it. They understand the notion of big data, they understand deep learning, and the algorithms that are necessary to pinpoint behavior,” he said. “To me, it’s almost a negative. What keeps me up at night is the notion that the commercial sector is going to be shaping individuals or digital tribes on their own, for their own benefit.”

One of the new focus areas within the CIA’s new Directorate of Digital Innovation has its roots in this growing commercial intelligence market. Andrew Hallman, deputy director of Digital Innovation at the CIA, said the agency has stood up an “anticipatory intelligence unit” that leverages emerging capabilities in big data and computing power to help the agency’s analysts stay ahead of developing situations around the world.

“The old saw in the intelligence community is that the IC is great at secrets and terrible at mysteries,” said Chris Inglis, the former deputy director of the NSA. “In the future, there are going to be fewer and fewer secrets as physical phenomena and the spoken word have fewer places to hide as the sensors and the analytic power essentially reveals all things almost concurrent with the execution of those things.”

Homomorphic Encryption

The Intelligence Advanced Research Projects Activity, known as IARPA, is investing in research into homomorphic encryption—a potential game-changer in the worlds of privacy and security that enables computation on encrypted data, including encrypted queries of encrypted databases. Why would you want to do that? Well, it allows you to search sensitive or classified databases without decrypting either the database or the query, so the party holding the data learns neither the query nor, unless authorized, the result.

“The goal of that effort is to balance the privacy and security interests in a way that allows for lawful queries against a database,” said IARPA Director Jason Matheny, who spoke Tuesday at the Third Ethos and Profession of Intelligence Conference in Washington, D.C. “For instance, if [the National Counterterrorism Center] was looking for a particular individual on a TSA list of passengers on an airplane, can we query for a match on just that individual’s name without giving up the entire list of all passengers? This also has applications in electronic health records and a range of other domains in which there has to be a balance of privacy and security.”

Synthetic Biology

But what really keeps Jason Matheny up at night? You guessed it—synthetic biology. My listening post stationed near George Washington University detected signals this week that Matheny is concerned about “advances in biology that either due to accident or intentional misuse could create pandemics that are worse than those of natural varieties.”

Matheny knows a thing or two about the topic, having once worked at the Center for Biosecurity at Princeton University. According to Matheny, scientists created the first synthetic virus from scratch about 14 years ago. “Our capabilities have gotten a lot more advanced since then and we’re racing to catch up with the security implications.”

Introducing 21st Century State & Local

It is my pleasure to introduce 21st Century State & Local—a new online publication from the leading government IT media organization, MeriTalk.

For many years, MeriTalk has helped drive the national technology and policy conversation in Washington, D.C., through forward-thinking and candid editorial products in print, online, and in person at our events series. Now, we’re bringing this same editorial leadership that we’ve built over many years in the Federal sector to the brave new world of state and local IT.

As I write this, 21st Century State & Local is less than three days old. But we’ve been actively planning and producing content for state and local IT decision-makers for the past six months. We’ve focused on an honest, data-driven view of the hot-button technology issues facing state and local governments across the United States.

Our launch edition features a special report on election security, in which our cybersecurity reporter Jessie Bur investigates both sides of the voting system cybersecurity debate. In addition, Kate DeNardi reports on how states across the country are using innovative voting technologies to improve access, shorten wait times, and enable easier reporting of results. And Morgan Lynch explores the unique challenges that our deployed military members and overseas citizens face when trying to cast their ballots.

We’re also introducing an exclusive technology column by veteran technology reporter John Breeden II—21st Century Tech Talk. John will bring his two decades of IT reporting experience to the technology pages of our site.

We pledge to continue to mix IT up with new ideas, covering news, trends, and perspectives on technology that are of most use to state and local IT decision-makers, and we’ll do so with the in-depth analysis you need and deserve. Our connections to an extensive network of national IT policymakers and practitioners help us to not only report on the latest trends, but also investigate proposed solutions, expose potential pitfalls, and recommend best practices unlike any other publication.

I invite you to follow us on Twitter and Facebook, and visit us online to subscribe for free to our weekly newsletter.

Welcome, and thanks for reading.

Look Who’s MeriTalking: Cameron Chehreh

MeriTalk caught up with Cameron Chehreh, Federal chief technology officer, Dell, in anticipation of this year’s Dell EMC World 2016, Oct. 18-20 in Austin, Texas. We spoke with Chehreh about Federal IT modernization efforts and what’s driving agencies toward a more digital government.


MeriTalk: In your opinion, what has been the most significant development–positive or negative–in Federal IT in the last year?

Cameron Chehreh: The most significant development in Federal IT in the last year comes down to Tony Scott, U.S. Federal CIO, and the modernization momentum we see with FITARA, Data Center Optimization Initiative (DCOI), and Move IT. There is strong bipartisan support–from leaders on the Hill including Congressman [Gerry] Connolly and Congressman [Will] Hurd and hopefully this will continue into the new administration.

Overall, we’ve seen a lot more dialogue and energy around modernization strategies. And, we’re not just seeing movement toward the cloud to gain efficiencies; we’re also seeing a practical realization that we really have to harden the attack surfaces across government–creating greater focus on cybersecurity. It’s a unique element that is driving the modernization efforts this year, and we’re seeing burgeoning success stories of organizations moving in this direction rather quickly.

MeriTalk: The introduction of DCOI earlier this year has changed the game significantly for Federal CIOs, long focused on the Federal Data Center Consolidation Initiative. As Federal CIOs and their teams prepare to meet DCOI Optimization and Cost Savings and Avoidance targets for FY2018, where do you anticipate the greatest hurdles, and why?

Cameron Chehreh (Photo: LinkedIn)

CC: Many of the hurdles are going to center around the legacy applications that agencies rely on today. Many have been in place for years and there’s a reluctance to work on them or have any sort of significant disruption given their 24/7 mission-critical nature. This concern spans DoD, civilian agencies, as well as the intelligence community. We need to attack this mind-set and issue. Federal CIOs should consider taking a modular and flexible approach to modernizing their applications. It doesn’t have to be big-bang changes all at once, but rather adopting incremental modernization strategies to realize important progress and gains.

MeriTalk: Are there specific areas where CIOs should start to help them create a general road map? And, what can CIOs do today to begin eliminating these hurdles and easing the path to compliance?

CC: CIOs should focus on getting as many legacy applications to a cloud-based format to achieve milestones more quickly–creating greater agility and greater mission capacity but at the same or lower cost. Focusing on cloud computing is the ideal low-hanging fruit for back-office applications and will help CIOs declare early successes on the path to compliance.

Another area CIOs should focus on to achieve compliance is modernizing endpoints. Most vulnerabilities lie in the user community and endpoints used to access these legacy applications. By leveraging modern devices, CIOs can eliminate hurdles on the path to compliance.

MeriTalk: The focus on flipping the 80/20 ratio–80 percent of budget spent on maintaining legacy vs. 20 percent spent on new initiatives–is gaining momentum in Federal IT. What type of progress are you seeing to even out–and ultimately flip this ratio–and what is the secret sauce for those agencies making the most progress?

CC: We are seeing progress, successes, and adopters. For example, David A. Bray, CIO for the Federal Communications Commission (FCC), is driving a successful IT modernization effort across multiple divisions of the FCC–not just in mission context but also in back-office segments. Part of Bray’s secret sauce is focusing on cultural involvement, getting his team involved from the very start to drive a culture of being able to fail (reasonably and rapidly) and succeed even faster.

It’s also important to establish incremental modular capabilities to create a track record of success along the way. This enables organizations to celebrate incremental, and important, successes as they happen while providing them with the information needed to mitigate risk factors.

MeriTalk: What is the single best investment that an agency can make today to jump-start the creation of a future-ready infrastructure that can support scalability, changing requirements, and a productive, mobile workforce?

CC: I think the best investment is in what I’ll call a modern cloud strategy. Most of what we hear today in government is about the public cloud. However, agencies should consider looking at hybrid cloud options to better balance risk and where workloads are being deployed. With hybrid clouds, agencies can acquire modern capabilities in very small digestible chunks–both financially and technically–so they can spur agility earlier and scale up or down rapidly. This modular format provides agencies with the freedom to create modern interfaces for the digital workforce using modern devices. At the same time, they’re able to preserve the legacy risk postures and data so they can modernize the back end over time.

MeriTalk: Recent years have brought significant expansion to the realm of Federal IT decision-makers. How are you seeing the roles of CIOs and CTOs change, especially in light of the emergence of CDOs?

CC: The classic role of the CIO is to deal with technical and digital infrastructure of an organization, and it’s typically perceived as a back-office function. Today, FITARA is helping to optimize the structure of the CIO role, bringing it to the forefront with more accountability. The CTO role, in turn, is evolving to resemble the traditional CIO role; that is, CTOs are implementers of new solutions. The CTO could be considered a chief innovation officer (CINO) because today’s digital transformation requires rapid new solutions and innovation to drive new infrastructures and architectures.

It’s interesting to watch. We’re making history every day with these roles. As we move forward, we should create greater definition and accountability around the Federal CTO and emerging CDO roles.

MeriTalk: Any final words?

CC: As agencies work to meet FITARA and DCOI goals, the strategies and underlying infrastructure modernization efforts must be front and center, as we transform into a digital government and economy.

With the upcoming election, it is important for us to understand across Federal sectors that we can’t keep kicking the can down the road. Driving the need for change includes budgetary pressures, a historically high deficit, and digital natives becoming an increasingly large segment of the workforce. This is the time for us to be engaged and transform government into the digital world, which we will address at Dell EMC World this October.

MeriTalk: Time for predictions…Will the Nationals make it to the Series this fall?

CC: Considering I’m an Orioles fan, I’m OK if the Nats make it or not.

Clinton Offers Best Chance of Moving Government Technology Forward

We are a group of former Federal IT leaders, technology industry executives, and journalists. We believe the technology priorities embraced by the next President of the United States will be central to our nation’s ability to remain secure, competitive, open, innovative, and responsive to the needs of citizens.

Contrary to the virtual absence of technology priorities coming out of the campaign of Republican Donald Trump, Democrat Hillary Clinton has outlined clear positions on most, if not all, of the technology issues facing the government, including modernization and digital government, cybersecurity and privacy, research and development, workforce and education challenges, the need for patent reform, and support for innovation.

That is why we are endorsing Hillary Clinton for President of the United States.

We believe in crafting a deliberate strategy to take Federal IT systems out of the era of black-and-white television and into the age of the cloud and the Internet of Things. Clinton would expand and make permanent the U.S. Digital Service—the Federal government’s internal tech startup that pairs industry tech talent with career public servants. Although it is in desperate need of more oversight and accountability, the USDS concept underscores the government’s willingness to adopt industry best practices. Trump has no plan for modernization and his only answer to the e-government challenge is to upgrade the systems at the Department of Veterans Affairs.

We believe not in cybersecurity sprints, but in running a better, faster, more agile cybersecurity marathon. Although legitimate questions still linger about the wisdom of using a personal email server to conduct official government business, Clinton’s stated policies on cybersecurity are clear. She would expand investment in cybersecurity, enhance public-private partnerships, and give greater authority to a new Federal chief information security officer. Trump has offered no real ideas for improving the nation’s cybersecurity posture, other than potential confrontation with nations engaged in cyberespionage.

We believe the “R” in research and development (R&D) is the engine that drives innovation. Clinton has pledged to grow the research budgets of the National Science Foundation and the Defense Advanced Research Projects Agency, and has specifically voiced support for R&D funding in supercomputing and machine learning. In addition, Clinton would set aside a portion of Federal R&D funds for commercialization of new products and technologies through accelerator grants.

Trump would pour money into current brick-and-mortar infrastructure projects—which are sorely in need of support—but he would do so at the expense of forward-looking innovation.

Significant progress on IT issues has been made during the last eight years under President Obama, from the Federal Information Technology Acquisition Reform Act to the appointment of the first U.S. Chief Technology Officer, among many other initiatives. But the Obama White House can’t claim victory on the technology front just yet.

A President Hillary Clinton must do more to increase the speed and scale of critical technology programs, and introduce new answers and a new sense of urgency to tackle the nation’s most vexing technology challenges. Based on her stated policy positions, she is off to a good start.

Select Members of the MeriTalk Editorial Advisory Board

Steve O’Keeffe

Roger Baker

Alan Balutis

Richard Beutel

Scott Hastings

Richard Spires

Dan Verton

Look Who’s MeriTalking: The Symantec Cyber Award Winners

The Cyber Awards, announced at this year’s Symantec Government Symposium Aug. 30, recognize individuals who have demonstrated excellence and leadership in government cybersecurity through their personal contributions to programs that protect critical data and systems. Nominees go above and beyond each day to do the important work needed to keep government secure.

Nominees are evaluated on the following: expertise in their field, contribution to cybersecurity programs that protect critical government data and systems, development and use of new strategies/programs that address government cybersecurity challenges, and key metrics and benefits achieved.

MeriTalk caught up with four of the 2016 winners.
