Reporter’s Notebook

“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.


Six years of waiting, cyber bills abound

It would be nice to think that Congress finally got off its “you know what” to pass five cybersecurity bills over the last week because they finally realized their importance and necessity. Or maybe lawmakers finally moved on cyber because the White House signaled over the summer its acceptance that smaller may be better.

But in the end, the passage of five bills has as much to do with the changes coming to Congress, in terms of rewarding long-time committee chairmen, as with really grasping the desperate need for these bills.

All five of these bills, however, signal a long-coming and much-needed change to how agencies defend their computer networks and hire the people to do that critical work, so why complain about how Congress got there? Let’s celebrate the fact that after six years, they finally did.

“Our nation faces serious cybersecurity threats, including foreign nations and other adversaries that continue to compromise our networks and steal the American people’s sensitive information,” said Sen. Tom Coburn (R-Okla.), ranking member of the Homeland Security and Governmental Affairs Committee, in a statement. “These bills will help the nation address these threats. Updating the law for federal information security will ensure that agencies are accountable to Congress and the public for data breaches. Codifying the NCCIC will require DHS to improve its programs for assisting the private sector and sets the stage for future legislation to provide liability protection for sharing cyber threat information.”

Let’s start with the granddaddy of cyber: the Federal Information Security Modernization Act (FISMA). It’s been 10 years in the making and the lack of action by Congress forced the Office of Management and Budget and the Homeland Security Department to find workarounds — most prominently the move to continuous diagnostics and mitigation (CDM) and changes to the FISMA guidance.

“The original Federal Information Security Management Act passed by Congress in 2002 was transformational at the time as it was the first effort to establish accountability for information security and privacy across federal departments and agencies,” said Bob Dix, vice president of government affairs and critical infrastructure protection for Juniper Networks, and a staff member on the Hill in 2002. “The updated FISMA recognizes the need and opportunity to achieve near real time insight into the cybersecurity risk posture of federal civilian networks and systems on a 24×7 basis, which will improve the ability to manage that risk and reduce the impact of an ever evolving threat.”

Alma Cole, the former head of DHS’s security operations center and now vice president of cybersecurity at Robbins Gioia, said the two major changes in FISMA are the operational authorities given to DHS and the strict requirements for incident reporting to Congress.

“The term ‘binding operational directive’ is a new one which is designed to give DHS the ability to issue compulsory direction to an agency to take action on specific cybersecurity vulnerabilities or threats,” Cole said. “From its foundation FISMA was designed to implement a risk management framework which included minimum baseline guidance but ultimately assigned the agency head with the responsibility of assuring that systems were adequately secured. The concept there which still exists in language here is that the security program and risk management overall can be properly aligned with the agency mission.

“DHS now has operational authority to supersede that somewhat by laying down specific requirements or actions to address critical cybersecurity needs. Although some may not like that position I believe that it is a good thing overall for the security of the federal government. The prominence of security professionals and their authority to adequately manage risk can vary greatly from one organization to the next.”

Another key area of the new FISMA law is the requirement for agencies to report security breaches to Congress within seven days.

Cole said the seven-day requirement is more reasonable than the one-hour rule OMB put in place to report cyber incidents to DHS’s U.S. Computer Emergency Readiness Team (U.S. CERT).

“This single reporting requirement may have more effect at getting agencies serious about information security than any other because of the scrutiny that could be placed on any particular incident by Congress,” he said. “This requirement could also necessitate much more time and resources being given to the incident response and reporting process and will likely also involve much more of the senior agency official’s time to be on the Hill explaining what may have gone wrong which could have led to particular incidents. Expect focusing on cyber issues to improve from the agency head all the way down.”

Dix said the legislative update is an important step, but there are several other things agencies need to do day in and day out that also would make a huge difference starting with workforce training and development.

And that’s where the next set of bills in terms of importance comes in. Lawmakers included a major provision in the Border Patrol Agency Pay Reform Act for cybersecurity workers at the Homeland Security Department. Members of Congress also passed the Cybersecurity Workforce Assessment Act.

There are several key provisions in the Border Patrol Agency Pay Reform Act, but none more important than Congress giving DHS the ability to pay cybersecurity experts more money.

This is similar to an authority the Defense Department has and something DHS has been asking for over the last four years.

The bill “requires the secretary to fix the rates of basic pay for any qualified position in relation to the rates of pay provided for comparable positions in the Department of Defense (DoD) and allows the secretary to provide such employees with additional compensation, incentives, and allowances.”

At the same time, DHS also will identify all of its cyber workforce positions, determine the primary work category and specialty area and standardize how those positions are tracked and filled with the proper employment code.

The workforce assessment bill requires DHS to assess its cyber workforce by position and whether they are federal or contract employees.

DHS also must develop a strategy to address readiness, capacity, training, recruitment and retention of cyber workers.

The plan must include a five-year implementation strategy and a 10-year projection of DHS’s cyber workforce needs.

“Accompanying the legislative update provided by the Federal Information Security Modernization Act of 2014 will require a consistent and sustained attention to workforce development and training; internal accountability; and an update to federal acquisition practices,” Dix said. “Continuing to make procurement decisions for information technology products and services based solely on lowest price is an invitation for those with criminal and nefarious intent to compromise the federal government’s information systems with counterfeit, tainted, or malicious products.

“Moving toward a practice of purchasing IT products and services from trusted and authorized sources will be another important step in addressing supply chain assurance and product integrity, thereby further improving the security and resilience of federal networks and systems.”

DHS also receives recognition for how far it has matured with the passage of the National Cybersecurity and Communications Integration Act.

Sen. Tom Carper (D-Del.) authored the bill to codify the NCCIC’s role in sharing threat data with government and private sector entities, and providing technical assistance to those organizations too.

Finally, the Cybersecurity Enhancement Act focuses on workforce and the cyber research and development community. The bill would improve coordination in government by requiring a strategic plan to assess cyber risk and guide direction of federal cyber research and development.

The bill also codifies the National Institute of Standards and Technology’s (NIST) current activities to help lead the development of voluntary cyber standards for critical infrastructure providers.

This post is part of Jason Miller’s Inside the Reporter’s Notebook feature. Read more from this edition of Jason’s Notebook.


IT Job of the Week

Barry West joined the Federal Deposit Insurance Corporation (FDIC) and now he’s hiring a senior security expert. The FDIC is looking for a senior IT security specialist for a term appointment of 13 months with a possibility of a three-year extension for a total of four years. The FDIC wants someone to establish security program priorities, provide management support for IT security programs and make decisions and develop recommendations in the security program area that influence important agency or division Information Technology (IT) policies and interrelated programs.

Applications are due Dec. 24.



DLA gives out gold stars to suppliers

Forty vendors now have a leg up in bidding on contracts with the Defense Logistics Agency.

DLA became the second major Defense Department agency or service to publicly announce its superior supplier list.

DoD officially launched the program in June when the Navy announced the results of its pilot program highlighting nine vendors. The idea of a superior supplier program first came from the Better Buying Power version 2.0.

The Navy plans to reward the nine companies by inviting them to examine their existing Navy contracts and propose how best to eliminate bureaucratic processes that add cost and reduce profit.

DLA’s list is much larger, 40 total companies, who were given ratings of gold, silver and bronze.

“Given DLA’s mission to support our warfighters around the world, it’s important to recognize those companies with proven track records for superior performance in government contracting,” said Matthew Beebe, head of DLA’s acquisition directorate, in a release. “At the same time, we hope it stimulates a conversation within companies that didn’t make the list on how to do better.”

DLA stated it considered 153 of its parts and commodity suppliers with the largest contracts with the agency in fiscal 2013 and 2014.

The agency says it selected 40 companies based on federal Contractor Performance Assessment Reporting System (CPARS) ratings, along with several companies that have partnered with DLA on recent significant cost savings initiatives.

DLA says the selected companies represent eight of its major supply chains and include 13 small businesses.

Among those who received a gold rating are:

  • The Boeing Company
  • United Technologies Aircraft Systems
  • Lockheed Martin Corporation
  • U.S. Foodservice Inc.
  • American Apparel Military Uniform Company

Alan Chvotkin, senior vice president and general counsel for the Professional Services Council, said DoD needs to explain several things about how the superior supplier program works.

“There is still some lack of transparency on what CPARS ratings were ‘good enough’ to get to gold, silver or bronze status and, more importantly, what tangible benefits inure to the designated companies beyond bragging rights,” he said. “We have had previous concerns about how the selection process is made and how the benefits would be obtained — and those concerns remain even under the Navy’s and DLA’s program.”

The Army and Air Force continue to work on superior supplier programs and are expected to announce their lists in the coming months.

Chvotkin said DoD has targeted the superior supplier program only at commodities or products so far and not services so it’s not affecting their membership to a great degree. But PSC continues to work with the military departments and agencies on the Better Buying Power initiative.



Justice’s API release signals bigger win for open source

The Justice Department’s first foray into the open data world with the launch of two APIs is noteworthy. But the underlying reason why DoJ could release the software code is really the story here.

First, the APIs, or application programming interfaces, that Justice released are code that lets Web developers more easily build mobile apps and other software to find press releases and job openings.

Nothing groundbreaking in terms of APIs.

Skip Bailey, a former chief information officer at the DoJ’s Bureau of Alcohol, Tobacco, Firearms and Explosives, said the APIs are part of how Justice is moving to the open source platform Drupal. And that, he said, is the big accomplishment.

“Creating APIs is not a big effort and it takes a reasonable effort to convert the data, but a lot of the reason Justice could even release the APIs is because they moved to Drupal from HTML. So the APIs almost are the frosting on the cake,” said Bailey, now the director of Deloitte Digital, in an interview with Federal News Radio. “There’s a big push across the government to modernize and move from unstructured to structured data. Justice did this to better manage their data.”

Bailey said open source platforms such as Drupal are gaining ground throughout government at a much more rapid pace than at any time over the last decade.

“I think the technology has maturity because even 12 years ago when I came into government, there was an underlying policy of having no foreign code in your software. But I think people realized this was a ridiculous requirement because no system is without foreign code,” he said. “That has always been a problem with open source because the code comes from anywhere. But there is now a belief that there are ways to protect the code so you are not putting yourself in jeopardy. Also Justice is using open source for low risk, publicly available data. It’s a good place to start. I think it will snowball and you’ll see more and more of it. It’s a great move for the federal government.”

DoJ’s move to Drupal and other modernization efforts have been going on for several years.

Starting under former chief information officer Luke McCormack and continuing under new CIO Joe Klimavicz, Justice moved its website to a cloud, open source infrastructure and added search, sort and filter capabilities to thousands of Supreme Court briefs, legal opinions, Freedom of Information Act (FOIA) court decisions, Congressional testimony and more.

All of DoJ’s components will migrate their public websites to the Drupal platform in the coming years.

“Website content that has been migrated to the new platform automatically adjusts to fit any device, including mobile devices and tablets, as well as desktops, making the Department’s information assets more accessible than ever before,” Klimavicz said in a release. “The open source platform also enables the department to refresh content rapidly, providing better access to information to the American public.”

Justice said it collaborated with GSA’s 18F organization to develop the APIs.

Bailey said the move to open source platforms has the potential to reduce agency costs because while labor rates may stay the same for operations and maintenance, there are no or small licensing fees.



Time for OFPP to weigh in on use of reverse auctions

An interesting bid protest decision flew under the radar that signals yet another challenge to FedBid, the reverse auction contractor.

By the way, it’s growing ever more doubtful that FedBid will receive any “punishment” for its role in the Veterans Affairs contracting scandal involving Susan Taylor.

An expert source on how suspension and debarment works says vendors, generally speaking, can’t be punished for alleged crimes of the past if they have made changes in the present. So the government tends not to go after companies with S&D if there is no evidence of an existing threat to agencies’ procurement actions.

A recent search on the System for Award Management (SAM) doesn’t list FedBid in the excluded parties list.

But still the company remains under the microscope. The latest challenge to FedBid comes from a bid protest sustained by the Government Accountability Office on Nov. 26. In that decision, GAO found that the Interior Department, in using the FedBid reverse auction platform to buy $14 million worth of gym equipment under a small business set-aside, didn’t follow the procurement regulations because it didn’t refer a finding of non-responsibility of one of the bidders to the Small Business Administration.

But where FedBid comes under fire is that GAO found that when FedBid suspended the protester’s account, it was making a de facto non-responsibility determination for the agency.

A procurement expert, who requested anonymity, said FedBid was acting in the agency’s stead.

Now Interior’s contracting officer told GAO that FedBid’s finding didn’t impact the award decision. While that may be true, it’s hard to imagine that the contracting officer could make a fair determination when FedBid is basically running the procurement and tells its customer that one of the bidders has a low past performance rating because of “late delivery” and was “unresponsive to [a] buyer[’s] request.”

Raul Espinosa, an attorney for FitNet, the protester, and commissioner of Fairness in Procurement (FPA), a self-described think tank, said in a release this was the second time GAO found FedBid acting in a role that should only be reserved for the contracting officer.

Espinosa also highlighted GAO’s sustainment of a July 2014 bid protest by AeroSage for automobile fuel where FedBid also was acting as an agent of the government.

“The legal implications of both GAO decisions are huge,” said Scott Amey, the general counsel of the Project on Government Oversight (POGO), in the FPA release. “The FedBid and AeroSage GAO decisions will encourage IGs to investigate the FedBid rules and practices.”

In both cases, however, there is no evidence that FedBid did anything improper or illegal, but the issue is how much control the government is giving up to the vendor.

Both of these cases highlight the struggles agencies are having in using reverse auctions in government, and the need for the Office of Federal Procurement Policy to issue guidance is growing.

Espinosa wrote in the release that FPA Think Tank told Congress earlier this year, “Reverse-auctions are the future of government contracting as far as commodities are concerned,” however, “the FedBid rules allow government buyers to allegedly rig solicitations; discriminate against sellers; circumvent the regulations; restrict competition; offer preferential treatment and control trade.”

While GAO didn’t come to the same conclusions as FPA or POGO, the fact remains that as more agencies use reverse auctions — whether FedBid or the General Services Administration’s or other vendor offerings — the lack of standards will continue to cause heartburn in the acquisition community.



IT Job of the Week

Defending against another cyber attack on the White House is just one part of the job that will keep quite busy whoever takes on the advertised position of Information Technology Specialist (INFOSEC), the branch chief within the cybersecurity division of the Executive Office of the President. The EOP is using its direct hiring authority to bring in someone at the GS-14 level to oversee the IT security operations, including the operations center, policy, procedures and management, of White House unclassified network cybersecurity.

Applications are due Dec. 5 — so hurry.



Cherry-picking OSTP experts for new jobs

Harvard, the Commerce Department and the Office of Management and Budget are stealing away three senior executives from the White House’s Office of Science and Technology Policy.

Nick Sinai, the deputy chief technology officer, is heading to Harvard’s Kennedy School of Government to join former federal CTO Aneesh Chopra as the inaugural recipients of the Walter Shorenstein Media and Democracy Fellowship.

Sinai, whose last day was Nov. 21, was at OSTP for three years after working at the Federal Communications Commission and as a venture capitalist at Polaris Partners and Lehman Brothers Venture Partners, which is now Tenaya Capital.

Lynn Overman left the White House after spending the last 2 1/2 years working in adviser positions. She served for the last year as the senior adviser to the CTO. She joined Commerce as its deputy chief data officer in November.

Charles Worthington is the third in the trifecta, leaving OSTP after spending the last six months as a senior adviser and the previous 10 months as a Presidential Innovation Fellow after working on open data initiatives at the Department of Energy.

Worthington joins OMB’s U.S. Digital Services office, where he will work on high-profile or deeply troubled IT projects across the government.

Sinai may be the biggest loss of all three because he’s leaving government service. At Harvard, he will work on a six-month residency where Sinai and Chopra will speak and lecture on “data as public infrastructure and speak widely, write, and investigate the media, policy and economic implications of providing greater public access to government data,” according to a press release from Harvard.

Overman’s role at Commerce will depend on who eventually is named the chief data officer. But her focus will be on making Commerce’s treasure trove of data easier to find and use.



Wishful FISMA thinking

What could be the last set of the mostly dreaded annual Federal Information Security Management Act (FISMA) reports are arriving from agency inspectors general.

The White House’s recent acceptance that smaller cyber bills may just be better than one big one has buoyed the hope that Congress may actually pass a cyber bill in the next year. And an update to FISMA surely would be included in that smaller bill approach — right?

The long-held criticism of FISMA has been it’s a compliance or checklist exercise, and the audits of agency compliance are too much pass or fail instead of taking into account agency risk-based decisions.

The State Department’s recent report highlights what many see as a problem with FISMA. First off, a good portion of the State IG’s report is redacted for national security reasons. But one fact that is in the open is State doubled the cybersecurity budget of the chief information security officer in the Bureau of Information Resource Management, Office of Information Assurance to $14 million in 2013, in part to hire contractors to better comply with FISMA.

Therein lies the biggest problem with FISMA. Not to play semantics but “improve FISMA compliance efforts” is the key phrase.

Not to improve its cybersecurity or better protect its data, but to comply with the law. Now, maybe within that phrase, State’s IG means to say the agency is using the additional funding to address the 29 recommendations in the fiscal 2013 report, or the 33 recommendations in this year’s audit. But that’s not what the IG wrote so it’s hard to say exactly what auditors meant.

So do the IG’s findings mean State’s systems are insecure or full of holes? Traditionally, State has been a leader in cybersecurity, implementing continuous monitoring and risk-based scoring before nearly every other agency, which leads one to believe they are in better shape than other agencies in terms of understanding their risks and protecting the most important systems or data.

The IG community also recognizes the problem with following the FISMA mandate and understands the changing nature of cybersecurity practices where decisions are made based on risk rather than the blanket protection approach.

Last February, I wrote about the Council of IGs’ effort to develop a new maturity model for agency cybersecurity as a way to get away from the typical FISMA assessment that many believe has little value.

And it seems that maturity model is almost ready for a test run.

During the September Federal Audit Executive Council conference, Andy Patchan, the associate IG for IT at the Federal Reserve Board and Consumer Financial Protection Bureau, and Louis King, the assistant IG for financial and IT audits at the Department of Transportation, presented the proposed maturity model for the information security and continuous monitoring (ISCM).

The draft model includes four levels starting with policies and procedures and ending with continuously improving ISCM practices.

IGs would assess agencies across five areas: ISCM policies and procedures, strategy, implementation for IT assets, security controls assessments, and security status reporting.

As of September, Patchan and King wrote that the plan is to pilot the maturity model in late 2014 and early 2015, and then improve upon it so it can be included in the Homeland Security Department’s fiscal 2015 FISMA metrics for IGs. Eventually, the goal is for the IGs and DHS to develop a FISMA maturity model reporting framework for all 11 information security areas.

But it’s not just the IGs that need to change. DHS has to write risk-based metrics and, most of all, Congress must update the 10-year-old law.



DoD trying to remove the haze around its use of commercial clouds

The Defense Department is taking a second bite at the cloud security apple. The Pentagon, without a doubt, understands how to protect government-only clouds, but with the growing acceptance and use of commercial clouds, achieving the proper balance of security, cost and accessibility has proved to be more challenging than expected.

To that end, DoD recently released the results of a 45-day study, called The DoD Cloud Way Forward, detailing three new approaches to help military services and agencies ensure the security of the commercial clouds they use.

“A key aspect of the report is clear guidance to both cloud service providers and DoD Cloud Customers describing the cradle-to-grave process they must follow in order to move DoD computing into commercial cloud infrastructure,” wrote DoD acting Chief Information Officer Terry Halvorsen, in the memo attached to the report. “Finally, this study identifies key additional work items which the Department must complete to implement report recommendations and remove current barriers to the usage of commercial cloud. These items include additional technical refinement of security requirements, an update to the department’s policies that currently hinder the use of commercial cloud, and continued focus on the resolution of legal issues that constrain the use of commercial cloud.”

The report basically is a precursor to the upcoming and long-awaited commercial cloud policy update from DoD.

Government Executive first reported the release of the study.

A former federal CIO, who requested anonymity because they still do business with DoD, said the study outlines a lot of good things and a lot of challenges, but the reality of the ability of a commercial cloud environment to protect information appropriately hasn’t been demonstrated yet.

“The department is running toward savings potentially at the expense of information security,” the source said. “Either the Federal Information Security Management Act standards need to be lowered or enforced, but the government can’t embrace the cloud until that is faced. Commercial cloud has yet to be proven as a cost savings to the government. It provides agility and flexibility, but when security is baked in the costs are not well known and especially since the security aspects are not sorted out.”

Still, the report gives a lot of insight into where DoD is heading over the next few years. Halvorsen said in September the new approach will be less centralized around the Defense Information Systems Agency and more by individual service.

At the same time, DoD is trying to clarify how commercial cloud vendors can meet the military’s security requirements for cloud without driving the cost through the roof.

The study lays out a new cloud security model that differentiates between national security and non-national security systems, while at the same time introduces the concept of mission-critical systems.

The cloud security model still breaks down the impact levels into six categories, but DoD now will reduce the requirements under Levels 1-2. The goal in doing that is to align the military much more closely with the rest of the government, including the security controls under the Federal Risk and Authorization Management Program (FedRAMP).

DoD modified Levels 3-4 to separate the requirements for non-national security systems. The Pentagon proposes two impact levels for non-NSS systems that contain controlled unclassified information (CUI) that better recognize the risks of losing or having the data exposed.

For impact levels 5-6, DoD said the requirements under current version 2.1 are too strict and “exceeds the requirements of the vast majority of fielded DoD systems.” Therefore, the department is changing the baseline to better align with mission needs, and “significantly lowers the number of security requirements cloud service providers (CSPs) would have to meet. DoD cloud customers will still have the option to negotiate additional security controls directly with CSPs if required.”

Finally, DoD introduced the concept of mission impact where military services and agencies must also consider what would happen to the warfighter if a system went down or if bad actors stole data. DoD wants the services to consider mission impact as part of its designation within the levels 1-6.

“DoD cloud customers are expected to use the impact level that best guards against the highest impact concern for their mission, data, and application,” the paper stated. “DoD cloud customers should use these levels as the basis for their requirements, and tailor them as necessary for the data and importance of their mission. For example, if a mission has high confidentiality and/or high integrity impact, additional controls will have to be added over the CSM impact levels. The work performed during this effort lays the groundwork for collapsing some of the levels.”

In the end, the changes have one overarching goal: “to accelerate deployments of missions at all impact levels to cloud services in the near term.”

The source said lowering the security bar for levels 1-4 for non-national security systems makes sense, but until FedRAMP is doing more than using a FISMA checklist to ensure compliance and requires penetration testing, then the compliance mentality is still a problem.

“The good news is the honoring of reciprocity between agency ATOs and that is a first,” the source said.

Another major change is for vendors serving DoD. The study recommended creating an Enterprise Cloud Service Broker (ECSB) cloud service catalog that would be available for all DoD to use. It also establishes a new process for CSPs. While the approval to operate authority (ATO) resides solely with the mission owner, DoD will assess vendors — first to make sure they meet FedRAMP requirements and then, if necessary, to ensure they meet any additional DoD requirements.

From the study, DoD detailed 20 new policy and regulatory changes needed to meet their commercial cloud goals. The expected actions include:

  • Update the DoD CIO core data center memorandum to recognize approved cloud services as an appropriate destination in addition to core data centers.
  • The DoD CIO will issue a policy allowing low-impact PII (i.e., business card information) to be maintained in level 2 cloud services (currently, even low-impact personally identifiable information is classified as CUI and would require Level 3 cloud services).
  • Draft DoD CIO memo will reflect the change of level 3 data and new hosting options.
  • The DoD CIO will develop a policy recommending that systems perform a risk assessment on their development and test systems to see if approved cloud services would be appropriate to support their dev/test activities. Dev/Test environments are typically 5-15 times larger than production environments, so migrating these to CSP may result in significant savings.
  • The DoD CIO will develop additional guidance on the acquisition of commercial cloud services for DoD contract officers and acquisition professionals.
  • The DoD CIO and the Defense Information Systems Agency will develop an acquisition plan for military services and agencies to obtain cloud service from a CSP that is not in the Enterprise Cloud Service Broker cloud service catalog.



IT Job of the Week

The U.S. Agency for International Development wants an IT manager with two skills — run the day-to-day operations and be the chief technology officer.

USAID is looking for a deputy chief information officer and CTO to ensure standardization of IT systems and technologies, oversee the risk management and cybersecurity frameworks, and lead the governance process.

Applications are due Dec. 1.
