Reporter’s Notebook

“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.

Submit ideas, suggestions and news tips to Jason via email.

NASA continues to take cyber lumps

NASA’s cyber woes continue to mount. New reports by the agency’s inspector general and a private company, Security Scorecard, both highlight the agency’s struggles with management and with controlling malware on its network.

The NASA IG found the space agency has weaknesses in continuous monitoring management, configuration management and risk management.

“We believe that weaknesses in these areas stem from missing requirements related to the agency’s information system security program,” auditors say. “NASA lacks an agencywide risk management framework for information security and an information security architecture. In our judgment, this condition exists because the Office of the CIO has not developed an information security program plan to effectively manage its resources. In addition, the office is experiencing a period of transition with different leaders acting in the senior security officer role, which has caused uncertainty surrounding information security responsibilities at the agency level. As a result, we believe NASA’s information security program could be improved to more effectively protect critical agency information and related systems.”

The IG said NASA has made progress over the last five years, but more is needed.

At the same time, Security Scorecard continues to highlight the vulnerabilities in NASA’s network.

The company issued a report on the U.S. government’s cybersecurity — it includes federal, state and local governments — and found NASA was the worst among all 600 organizations it surveyed.

Supreme Court case opens door to major change in vendor oversight law

For the second time over the last nine months, federal contractors are paying close attention to the Supreme Court. The eight justices heard arguments on April 19 about a False Claims Act case that could have wide-ranging effects on industry and agencies alike.

On the surface, the case, Universal Health Services, Inc. v. Escobar, has little to do with government contracting. But should the Supreme Court decide for Escobar, every government contract from pens and pencils to professional services to IT hardware to fighter jets could be at risk of violating the False Claims Act.

“Government contractors are following this case closely because the implied certification requirement would be expanded if Escobar wins. That means every bill a contractor submits could be subject to False Claims Act violation,” said Eric Crusius, an attorney with Miles and Stockbridge. “So that means if there are any regulations that a contractor didn’t comply with, and there are myriad of regulations that contractors have to comply with, they could be subject to a lawsuit.”

The Illinois Institute of Technology Chicago Kent College of Law’s Oyez Project has all the facts and details of the case, and it’s well worth a quick read.

But long story short, the case revolves around Medicaid payments and whether a subsidiary of Universal Health Services submitted a false claim for allegedly not having properly credentialed medical professionals caring for a patient.

USPS, VA shuffle chairs of IT executives

The Postal Service quietly named a new chief information officer while the Veterans Affairs Department continues to shift technology executives.

First, USPS called on Kristin Seaver to step into the CIO and executive vice president roles in April after spending the last two-plus years working as the vice president of area operations for the Capital Metro Area.

She replaces Randy Miskanic, who had been the Postal Service’s acting chief information officer since May 2015.

Jim Cochrane was the last permanent CIO, but moved to become the acting chief marketing and sales officer at the same time Miskanic was named acting CIO.

Seaver will oversee USPS’ initiatives to become more mobile and take better advantage of networked devices, commonly known as the Internet of Things (IoT).

She also will focus on everything from business analytics to cybersecurity to improving the Postal Service’s infrastructure around intelligent mail and payment technologies.

$3.1B IT modernization effort gets some legs to go with its buzz

It had been years since the White House created the kind of buzz in the federal community over a technology initiative that we’ve seen over the last few months. But that’s what happened when the Obama administration announced it wanted $3.1 billion from Congress to modernize, and therefore better secure, federal IT.

There have been many doubters about the initiative, saying “It’s dead on arrival.” Or, “Why did the administration wait until now to propose something that has been needed for so long?”

Well, the concept just got some more legs late on April 8 when the White House submitted its legislative proposal for the IT Modernization Fund to Congress and a powerful House member said he plans to introduce legislation to make the fund a reality this week.

“This bill will rapidly upgrade our federal IT systems that are most in need of upgrading, either from being cybersecurity risks, inefficient, or costly to maintain,” said Rep. Steny Hoyer (D-Md.), the minority whip. “It will implement the upgrades using the latest best practices from our innovation economy in Silicon Valley and all across our country. The new upgrades will enable agencies to create new user-friendly apps and services, and will allow agencies to share data to root out fraud and abuse. The ITMF model has a proven track record in the private sector of reducing long-term costs, and I hope Democrats and Republicans can work together to advance this legislation in the weeks ahead.”

Sources say the Office of Management and Budget also is sending its troops to Capitol Hill to discuss the fund with lawmakers and their staffs and convince them why it is important and needed.

Federal cyber executives debate their future leader

Without a doubt, the breach suffered by the Office of Personnel Management last year thrust federal chief information security officers into a new kind of spotlight. Similar to the emergence of chief information officers in the late 1990s and early 2000s, when IT started to take over how agencies deliver services and meet mission, executives are looking to CISOs to provide answers to the never-ending cyber threat.

“We received a lot of attention in the cyber world and I think that’s good,” said Rod Turk, the CISO at the Commerce Department, during the April 5 breakfast sponsored by the AFCEA chapter in Bethesda, Maryland. “It’s mind-boggling the number of reports we have to send to the Office of Management and Budget, the Homeland Security Department and Congress, but what that does in addition to just being reports is those results are briefed at a higher level. The President’s Management Council and the White House have used those reports, and we have immediate interest at the deputy secretary and secretary levels into what’s being reported out of our office.”

Turk said he had a recent meeting with senior executives at Commerce and one made a point to the secretary about how important it is to have visibility into the agency’s cyber health.

Turk’s experience is becoming more common for CISOs.

Time to retire ‘E-Government’

The end of e-government is near. Well, at least the term “e-government.”

Rep. Derek Kilmer (D-Wash.) is expected to introduce a new bill as soon as this week that would change in law any mention of the Office of E-Government and IT at the Office of Management and Budget.

In the 33-page draft bill obtained by Federal News Radio, Kilmer spends seven pages striking out references to the administrator of E-Government and IT and replacing them with Federal CIO.

The real purpose of the bill, called the “OPEN Government Data Act,” is to push for agencies to do several things around data such as codifying OMB’s requirement for information to be released in an open and machine-readable format, requiring agency CIOs to develop and manage an enterprise data inventory, and make it public, and codifying Data.gov as the central portal for these data sets.

If you want to learn more about the bill, the Center for Data Innovation and the Data Coalition are hosting an event April 14 in Washington, where Kilmer and others will discuss the bill and why it’s needed.

While these provisions in the bill are worthwhile and continue to focus on the power and importance of data, let me spend a few minutes reminiscing about the last 15 years of e-government and how it set us up for today.

DHS, EPA fill key cyber, IT executive roles

The Homeland Security Department has filled another key cybersecurity position that had been in an acting status for about a year.

Robert Silvers takes over as the permanent assistant secretary for cyber policy, where he oversees the development of department-wide cyber policies and strategies.

Silvers replaces Rosemary Wenchel, who came to DHS in 2012 as the deputy assistant secretary for cybersecurity coordination, where she coordinated joint cybersecurity efforts between DHS and the Department of Defense.

Wenchel is retiring after more than 25 years in government. Wenchel served as acting assistant secretary since May 2015 and before that served as the principal deputy assistant secretary in the same office since December 2014.

Silvers has been with DHS since 2012, rising to become deputy chief of staff, overseeing all policy development, operational implementation and budget issues across the entire department.

Two agencies stumped by how best to reform IT

Agencies have until April 30 to send the Office of Management and Budget their update on how they are implementing the Federal IT Acquisition Reform Act (FITARA) and making progress against their initial self-assessment.

Well, all agencies but the departments of Energy and Labor. These two still must get OMB’s approval for their initial plans.

Yes, 22 of 24 CFO Act agencies met OMB’s mandate of getting their FITARA plans in and approved by December 2015. Here we are in April, and Energy and Labor are struggling to finalize how they will reform the way they manage technology and give more authorities to their chief information officers.

It came as a surprise that Labor is struggling with FITARA, but Energy, not so much.

It was clear almost from the time FITARA became law that Energy would face obstacles as its national labs lobbied heavily to be exempted from the requirements.

NASA loosens leash on potential cybersecurity breakthrough

Last week, I asked whether NASA was “slow rolling” a cybersecurity breakthrough called Gryphon X. It’s a proposal from Ames Research Center that many in the cybersecurity community believe could help secure critical infrastructure in a more active and proactive way, and also push the space agency back toward the front of the innovation pack.

This week, we are learning more about NASA’s plans to move forward with Gryphon X after all.

NASA Ames Chief Information Officer Jerry Davis sent an email response to questions detailing the current status of the proposal:

“Currently, Gryphon X is in the proposal and formulation stage. Newly proposed programs such as Gryphon X that involve expenditure of public funding must undergo a rigorous process to ensure that we are using those funds to clearly and efficiently meet the needs of the agency,” Davis wrote. “We intend to hold a stakeholders’ workshop this spring to further articulate Gryphon X’s goals and objectives, solicit feedback and further scope the program to meet NASA’s needs. After that, we’ll do a cost analysis to determine the life cycle cost of the program to meet requirements. Right now this is basically what we consider a very good and well thought-through idea, but there are many steps to flesh-out that idea and prove that it’s the best way to meet NASA’s needs, and that it deserves funding.”

Davis added that like any good idea in the private sector, NASA must look at all aspects of the proposal to determine if moving from concept to operational capability makes sense.

DHS’ privacy officer gives the ‘carwash’ its seal of approval

The Homeland Security Department first invented the “carwash” process for mobile apps in 2013 with the simple concept of making it easier to ensure software used on smartphones and tablet computers met all of the federal security, accessibility and other regulatory and legislative requirements.

Back in 2013, no standard way existed to vet mobile apps, opening the door for a host of potential problems. By May 2015, the CIO Council approved one standard approach to mobile app vetting and the carwash meets those requirements. Still, having a written approach is much different than actually having a proved process.

This is why a recent decision by DHS’ chief privacy officer to mandate the use of the carwash process is a huge win. The carwash process provides continuous integration build, testing, source code management and issue tracking for building applications. In addition, it has matured over the last few years into a governmentwide shared service.
