Reporter’s Notebook

“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.

Submit ideas, suggestions and news tips to Jason via email.

Who are the CIOs that soon will need new jobs?

Ten federal chief information officers are working on their resignation letters. Sometime over the next 70 days, CIOs from the departments of Veterans Affairs to Commerce to Homeland Security to the federal CIO will notify the incoming Trump administration of their plans to leave their posts.

These 10 are politically appointed CIOs, and unlike most of their colleagues, they are out of a job after Jan. 20 — unless President Donald Trump asks them to stay on.

There isn’t anything surprising here. These 10 executives knew their fate when they took the job. But the question we come back to every four years is whether the CIO position should be politically appointed and/or Senate confirmed.

If you ask a CIO who was politically appointed, they likely will tell you having that title is a difference-maker in many regards. Roger Baker, the former VA CIO, has said over the years that being a CIO is less about technology and more about running a large company, so being a political appointee has its benefits.

Others will tell you it’s not about the title, but the person in the position.

“If I was in charge, I’d ask those CIOs to stay on who accomplished the most results because there is very little about the IT domain in government that is truly political, therefore there should be little differentiation who a Republican and Democrat President would appoint,” said Tim Young, a former deputy federal CIO under the administration of President George W. Bush and now a principal with Deloitte Consulting. “Agnostic of whether or not the CIO is politically appointed or Senate confirmed or a career civil servant, in order for them to be successful as a federal CIO, they have to be able to build authentic alliances with individuals across political affiliations, agency boundaries and ideologies to include career civil servants, the Office of Management and Budget, Congress, industry and media.”

House lawmakers under early versions of the Federal IT Acquisition Reform Act (FITARA) tried to make all CIOs political appointees but that didn’t make it in the final bill.

But with a new President and a Congress spending more time on technology and cyber issues, the question is sure to come up again.

Under the Obama administration, the number of these positions ebbed and flowed, but overall grew to the 10 today.



OMB tries again to define a major cyber incident

What is a major cyber incident? Seems like a simple enough question to answer. But the Office of Management and Budget has been refining the definition for the better part of a decade.

It first defined a cyber incident in a 2007 memo, where a category 1 event covered a hacker gaining access to systems or data, or a breach of physical security controls.

In 2015, OMB honed the definition as part of its Federal Information Security Modernization Act (FISMA) guidance to agencies, meeting the requirement Congress laid out in the 2014 FISMA update.

But for whatever reason, that year-old definition just wasn’t quite perfect enough. So now the administration took another swing at the definition of a major cyber incident on Nov. 8 in the 2017 FISMA guidance to agencies.

OMB says a major cyber incident “is any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.”

That language is pulled from the Homeland Security Department’s U.S. Computer Emergency Readiness Team (US-CERT) Cyber Incident Severity Schema, and it corresponds to level 3 (orange) or higher on that schema.

OMB also says a major incident would include an attack where personal information of 100,000 people or more is taken, modified, deleted or otherwise harmed, or personal data that would impact national security, public safety, public health or civil liberties.



GSA, DHS make $102M cyber award to kick off busy 2017

One of the biggest holes in cybersecurity has been understanding the who — as in, who is on the network and what data and information are they allowed to see, change and share.

This is commonly referred to as identity and access management, and it’s one of the most important pieces of any cyber program trying to keep up with ever-growing threats and an expanding attack surface.

That is why the General Services Administration and the Homeland Security Department’s award to CGI Federal for the Credentials and Authentication Management (CRED) task order under phase 2 of the Continuous Diagnostics and Mitigation (CDM) program is so important.

First, let’s talk about the basics of CRED. GSA, which acts as the procurement arm for the DHS program, awarded CGI a $102 million contract on Nov. 1.

“Under this agreement, CGI will provide the participating agencies with tools, sensors, and services to implement certain aspects of credential management, a key activity of the CDM Phase 2 Program that will strengthen policies and practices for all authorized users at participating agencies,” said a CGI spokeswoman. “CGI will also help federal agencies working to comply with the White House’s Cybersecurity Strategy and Implementation Plan (CSIP), which requires strong authentication for network accounts of unprivileged users. We are proud to provide this vital support to the Department of Homeland Security and provide our identity management solutions for all federal agencies involved in the task order.”

To add a finer point to what CGI will do under the task order, DHS wrote in a webinar presentation earlier this year that “CRED binds a type of credential or authentication mechanism to an identity established in TRUST with a level of assurance and is used to grant access (physical and logical).”

DHS offered further discussion in a recent presentation to CDM prime contract holders, saying CRED “addresses regular users, and ensures that they have the appropriate suitability, clearance, security training to access only the information they need to accomplish their duties and no more.”



A reorg every agency should know about

Agency reorganizations tend not to make a lot of news. They tend to impact only that agency or bureau or office, but rarely do the changes matter to a wide audience. But the General Services Administration’s Federal Acquisition Service (FAS) turns both of these conventional thoughts on their head.

For one, every agency uses FAS to spend more than $35 billion through GSA’s schedules, governmentwide acquisition contracts and assisted acquisition services programs. Second, FAS’ shuffle is directly related to the Obama administration’s category management initiative, which it’s codifying in a new circular — comments on the draft are due Nov. 7.

Both of these reasons make it important for federal employees and contractors to take notice.

While GSA still is working out all the specific details, here is what we do know. There are four “orders” that are mainly focused on improving FAS’ key business processes.

GSA says the overall changes to the FAS structure are minimal: the majority of FAS organizational units will remain as they are, employees will not be moving duty stations or changing functions, and the units that are moving are primarily “lifts and shifts,” with the teams remaining intact.



DoD climbs the cyber reciprocity hill

Reciprocity has been a hill the government has tried to climb for decades. From security clearances to cybersecurity to financial management systems, the “review once and use many” mantra has been as popular as a bear at a picnic — everyone runs in different directions, yelling and screaming.

The Federal Risk and Authorization Management Program (FedRAMP) cloud cybersecurity program has probably come the closest to successfully taking on this issue of “trust but verify” across the government. But even FedRAMP hasn’t climbed the Mount Everest of federal culture change.

So the Defense Department is taking a different approach specifically around cybersecurity.

Terry Halvorsen, the DoD chief information officer, signed a memo on Oct. 18 mandating reciprocity for all system authorizations and accreditations in use across the military.

“Components will maximize reuse of assessment and authorization evidence developed by prior system authorization and deployments within sister DoD components,” the memo stated. “Any such cybersecurity assessment, authorization and testing conducted by another component shall be evaluated before additional assessment or testing is undertaken. Assessments, authorizations and tests by another DoD component shall be presumed to have been correctly completed, and that assessment, authorization and testing, and the resultant test evidence, will be accepted by all DoD components as a basis for assessment and authorization.”

In a nutshell, Halvorsen is strongly encouraging trust and speed over doubt and protracted reviews.



FedRAMP’s plans in 2017 continue evolution of cloud cyber program

It’s easy to poke holes in the cloud security effort known as the Federal Risk and Authorization Management Program (FedRAMP). Few, if any, governmentwide programs avoid growing pains, including learning how to meet the needs of their customers.

FedRAMP is no different. No one would argue that it was perfect from the start. But many agency chief information officers and vendors will tell you Matt Goodrich, the director of the FedRAMP program management office, and his team are making real progress.

And FedRAMP’s 2016 accomplishments and 2017 goals are more evidence of the office’s efforts to listen, learn and evolve.

Federal News Radio got a sneak peek at FedRAMP’s 2017 plans and they are focused around three main areas:

  • Bringing on more cloud service providers for agencies to choose from
  • Continuing to transform the security authorization process
  • Maintaining and improving communications with industry and government partners



OMB cyber exec heading to private sector

The White House is losing one of its key cyber leaders. Trevor Rudolph, the chief of the Office of Management and Budget’s Cyber and National Security Unit, will be moving to the private sector after almost five years in the White House.

Sources confirm Rudolph is joining a cyber startup called Whitehawk, run by Terry Roberts. Roberts is a former deputy director of naval intelligence who went on to serve as vice president for cyber engineering and analytics at TASC, which was bought by Engility in 2015, and as executive director of the Carnegie Mellon Software Engineering Institute. Along with Roberts, Luis Jose Cruz-Rivera is the chief technology officer. He comes from industry, having spent 14 years at TASC and ManTech.

Sources say Rudolph will become chief of business operations and cybersecurity at Whitehawk. The company’s mission is to mainly help small- and medium-sized companies improve their cyber postures through a series of tools, assessments and services. Whitehawk plans to launch the first-ever cybersecurity online community focused on enabling mid-sized and small businesses to make more informed cybersecurity decisions.

As chief of business operations and cybersecurity, Rudolph will manage the company’s customer operations while also providing thought leadership within the global cybersecurity industry.

Rudolph’s last day at OMB will be toward the end of November. It’s unclear who will replace him, especially with expected changes to the office’s structure now that retired Air Force Gen. Greg Touhill has taken over as the new federal chief information security officer.



Pulling back the covers on a critical IG report about Interior’s cyber efforts

Editor’s Note: A comment from the Interior inspector general’s office was added to the story on Oct. 26.

There’s a problem with many reports from federal auditors that doesn’t get mentioned often enough in government. Many of these inspector general or Government Accountability Office reports are snapshots in time, and the state of the agency they describe could be as much as 6-to-12 months out of date by the time the report is published.

This is not to say auditor reports are not worthwhile. Just the opposite, these studies put agencies on notice about problems that need immediate attention.

The problem comes in when reporters and members of Congress believe the most recent report still is accurate.

The latest example is with the Interior Department’s IG report on the agency’s implementation of the continuous diagnostics and mitigation (CDM) program from the Homeland Security Department.

The IG released a report on Oct. 17 highlighting what seem to be major problems with Interior’s implementation of this key cybersecurity program. Among the most eye-opening findings from auditors were that it will take Interior five years longer than first planned to reach “steady state” of CDM in 2019, and that the agency is not doing a good enough job of protecting high-value assets, including leaving more than 90,000 critical and high-risk vulnerabilities unpatched for more than two years.

At first glance, the “wow” factor is huge — 90,000 unpatched vulnerabilities and a five-year delay with CDM.

But if you dig a little deeper, you’ll find why auditors’ reports sometimes shouldn’t be taken at face value.


Time to evolve FITARA oversight?

A little over a year ago, the House Oversight and Government Reform Committee released its first set of grades for how agencies were implementing the Federal IT Acquisition Reform Act (FITARA). The grades, as expected, weren’t good. By May, when the committee released its second report card, some agency scores had improved, but many agency chief information officers started to see the shortcomings in how lawmakers were holding them accountable.

A Federal News Radio survey of CIOs in August and a recent effort by the Censeo Consulting Group, Cyrrus Analytics and the Hettinger Strategy Group both found that while CIOs are supportive of the goals of FITARA, the metrics the House committee and the Government Accountability Office are using need some work.

“What we found is not anger toward FITARA scorecards, but more of a general feeling that the scorecard was unfair and didn’t take a holistic view of agency efforts in meeting FITARA,” said Kareem El-Alaily, a managing director at Censeo. “All stakeholders involved, GAO, the Office of Management and Budget, agencies and Congress, are trying hard to make this work. The issue is that no one is tying this all together to say how it should work. All the agencies have different roadmaps in how they are implementing FITARA and all this effort is overcomplicating things. What is needed is a reset to get all the stakeholders back on the same page and marching towards a unified end goal.”

Rich Beutel, one of the leading forces behind FITARA when he was a staff member on the House Oversight and Government Reform Committee, said they surveyed eight CIO IT teams about their opinions of the scorecard and how it could improve.



GSA’s Making It Easier campaign exhibits qualities not often seen in government

The General Services Administration proved change can happen quickly in the federal government. Since April, when GSA launched the Making It Easier campaign to address several challenges around its multiple award schedules program, the agency solved one major complaint of vendors — how long it takes to modify existing Federal Supply Schedule contracts.

Kevin Youel Page, deputy commissioner of GSA’s Federal Acquisition Service, said through the Making It Easier initiative, the agency made more than 2,260 modifications and on average it took two days to complete them.

That’s a huge change from what normally takes, on average, 10 to 15 days.

Additionally, GSA says it awarded contracts to 108 new vendors, a majority of them small businesses, in 31 days on average through the Fast Lane program, instead of the 120-day average for non-Fast Lane offerors.

Judith Zawatsky, the MAS Transformation Program Manager, said the modification improvements came from having a dedicated team focused on modifying contracts under the Fast Lane program.

She said GSA hasn’t taken away any of the requirements but has asked industry to be more proactive with FAS by keeping it informed and responding in a timely manner.

Youel Page said GSA is building on these and other successes to move the Making It Easier campaign into phase two.
