All posts by : admin-stone

Amid an “unprecedented” expansion of foreign intelligence risks, U.S. officials are likewise scaling their outreach across government and the private sector on counterintelligence concerns and insider threats.

The National Counterintelligence and Security Center has been focused on building up its public outreach and engagement, especially to private industry in critical technology areas. NCSC Director Michael Casey pointed to the importance of outreach and engagement in the recently issued national counterintelligence strategy.

“If it was just people trying to steal government secrets, we could write a classified strategy, and no one would have to know about it,” Casey said during an Oct. 10 appearance at the Center for Strategic and International Studies. “But because we have to do so much work with the private sector, we have to make it public to explain how we’re thinking about this, how we’re going about it, and provide direction.”

The new counterintelligence strategy, released in August, states the United States “is facing threats from foreign intelligence entities that are unprecedented in their breadth, volume, sophistication, and impact.”

“Adversaries are pursuing not only classified information but also vast troves of unclassified material that can support their political, economic, research and development (R&D), military, and influence goals, and their attempts to target U.S. persons, supply chains, and critical infrastructure,” the strategy states.

Many of the strategy’s goals, ranging from countering cyber threats to reducing supply chain risks, include an element of outreach and engagement.

Casey said the NCSC is increasingly organizing its outreach around public bulletins. In July, the center issued a joint bulletin aimed at protecting U.S. emerging technology startups from foreign investment threats.

But acknowledging the relatively small size of the center, Casey also said the NSCS is focused on coordinating its outreach efforts across federal agencies.

“We try to do a lot of coordination across the rest of the intelligence community and the United States government to make sure that we’re all having the same message and are each hitting our own niche audiences effectively,” Casey said during an Oct. 10 event hosted by the Center for Strategic and International Studies.

“Our focus in the short term is really about how do we improve our coordination across the government,” he added.

Focus on insider threats, OpSec

Meanwhile, the NCSC’s National Insider Threat Task Force is also aiming to strengthen its partnerships across the government and the private sector. James Blasingame, assistant director of the enterprise threat mitigation directorate at ODNI, said the task force has a new team focused exclusively on outreach and engagement.

For more than a decade, agencies have been required under a White House directive to establish insider threat programs to address risks ranging from sensitive data theft to violent workplace incidents.

But as with many unfunded mandates, agencies have had varying degrees of success in establishing effective insider threat programs.

But Blasingame said the task force’s new outreach team is meant to help support agencies and other entities more proactively.

“Our goal is never punitive. It’s encouragement and empowerment,” Blasingame said during an Oct. 15 webinar hosted by the Intelligence and National Security Alliance. “Because we want these programs to be out there, even if they are in an early development or redevelopment phase. It’s in our collective best interest to be as supportive as possible.”

Catherine Camilletti, deputy assistant director of the enterprise threat-mitigation directorate at NSCS, said a major priority this year is to “rejuvenate the task force with dedicated resources for insider threat.” She added that the NSCS is also looking to bolster a lesser-known working group on “operational security.”

“We want to advance and mature those missions, both in OpSec and insider threat,” Camilletti said.

While traditionally the NCSC’s insider threat activities have focused on the federal government, Camilletti said officials are increasingly helping private companies address security and counterintelligence risks.

“I think more and more we’re getting more engagement from the private sector, or at the very least, private sector is reaching out a little more,” she said. “I think there’s this acknowledgment that there are [counterintelligence] concerns that they have for their organization and wanting advice and guidance on, what can I do to protect ourselves and our assets?”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

A panel of experts mandated by Congress to modernize the State Department is about to gain some new members.

President Joe Biden announced Tuesday he intends to appoint four members to the State Department’s Commission on Reform and Modernization.

All of Biden’s intended picks are former State Department officials with decades of experience. One of the intended nominees previously led the State Department’s investigation of Havana Syndrome, which has impacted hundreds of U.S. personnel overseas.

“The commission’s recommendations will aim to improve the department’s structural organization, revamp training requirements for personnel, and improve facilities and embassies around the world,” the White House wrote in its press release.

Congress created the commission in the fiscal 2023 National Defense Authorization Act.

The FY 2023 NDAA gives the commission 18 months to examine the challenges of modern-day diplomacy and report its findings to Congress and the president.

Lawmakers gave the new commission $2 million in funding in the FY 2024 omnibus spending bill.

Secretary of State Antony Blinken and Deputy Secretary for Management and Resources Richard Verma have told lawmakers they support the commission’s work.

During his tenure, Blinken has led a diplomatic modernization agenda, focused on equipping the agency with experts in cybersecurity, public health and strategic competition with China.

“We’ve reorganized the department to make sure that it can be fit for purpose for the challenges of this time, whether that comes to dealing with new technologies, whether that comes to dealing with global health, climate, dealing with China,” Blinken told members of Senate Appropriations Committee in May.” We are making the necessary investments to try to attract and retain the most talented workforce possible. We’re investing in our people in Washington, at our post overseas with training, with technology for promoting more agility, innovation, efficiency in our processes.”

Blinken said he and other State Department have been in talks with lawmakers with recommendations for the commission.

“We very much want to make sure that we provide the support to do it,” Blinken said.

Among his picks, Biden plans to appoint Pamela Spratlen, the former member of a State Department task force investigating cases of “Havana Syndrome” — which the department calls anomalous health incidents.

Spratlen served as coordinator for the Health Incident Response Task Force. She started the job in March 2021, but stepped down six months later.

During her tenure, she told Federal News Network in an exclusive interview she was determined to “reinvigorate” the task force, after it had spent years investigating health incidents, but reached few conclusions about root causes.

“The question always is, what caused this? How is it that five years after initial reports of these kinds of incidents at our embassy in Havana, Cuba, could we still not know exactly what happened? That’s the big question that we all want to know,” Spratlen said in an April 2021 interview.

The National Academy of Sciences, in a report contracted by the department, concluded that “pulse radio frequency,” or high-frequency microwaves led to these health problems.

“The basic fact is that we’re still perplexed about what exactly happened. So, the pulse radio frequency seems to be the leading kind of idea about what might have caused this. But it’s not the only idea out there,” Spratlen said.

However, a 2019 FBI report first reported by the New York Times found these anomalous health incidents were mostly caused by an “episode of social contagion,” or mass hysteria.

Common Havana Syndrome symptoms include severe headaches, dizziness, blurred vision, tinnitus and vertigo.

The Government Accountability Office estimates more than 300 Americans have been treated for Havana Syndrome symptoms in the military health system.

State Department employees made up about 11% of those cases. Defense Department and intelligence community personnel each accounted for 35% of cases.

Spratlen now serves as a member and leader on non-profit organization boards that address foreign affairs issues, including the American Academy of Diplomacy and the Association of Black American Ambassadors.

Spratlen is also an advisor to programs focused on expanding diversity across foreign affairs agencies.

Biden also intends to appoint the following members to the commission:

• Michael Guest, a retired career member of the Foreign Service, who previously served as deputy executive secretary and principal deputy assistant secretary for legislative affairs.
• Caroline Tess, executive director of National Security Action, an organization dedicated to advancing American global leadership; and former member of the Biden-Harris transition team responsible for the confirmation of national security Cabinet secretaries.
• Ricardo Zuniga, partner of Dinámica Americas, a strategic advisory firm, and former principal deputy assistant secretary of state for Western Hemisphere Affairs

These appointees will join 12 other individuals appointed to the commission by Members of Congress.

Those include Rep. Max Miller (R-Ohio) and former Ambassador to Russia John Sullivan.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

It may not come as much of a surprise that federal workforce reforms can happen slowly — but that doesn’t mean things aren’t changing.

For Colleen Heller-Stein, executive director of the Chief Human Capital Officers (CHCO) Council, the Pathways Program is a prominent example where changes have finally arrived, but only after years of hard work.

“There are, frankly, times when we can’t see that return on investment for a number of years,” Heller-Stein said at an Oct. 9 event hosted by software company Cornerstone. “There was a CHCO Council working group five or so years ago that really dug into Pathways regulations and provided some suggestions and recommendations for how Pathways might be adjusted to be even more beneficial to agencies. We finally, this year, saw some updates to those regulations.”

From the very first conversation to the finish line, finalizing those Pathways changes took at least five years to see the light of day. Much of that long-term work, according to Heller-Stein, was informed directly by human capital leaders on the CHCO Council. The council, which regularly brings together HR leaders across agencies, organizes itself into working groups to target key challenges that are current facing the federal workforce. Then, the leaders collaborate to try to figure out how to move the needle on long-term federal workforce goals. CHCOs on the council can collectively choose when to stand up new working groups, or remove old ones.

“There is nothing that says there won’t be a new working group next year. It could be that midway through 2025, as a group is engaged in their work, they say, ‘We need to change a little bit, we need to adjust’ — and there’s a place for that,” Heller-Stein said. “We want to be flexible, to bend and go where the need is, and hopefully have the foresight to see where the need will be, so that we can get there ahead of time.”

Right now, the CHCO Council’s working groups focus on five key areas —human capital data, recruitment and outreach, employee engagement, elevating HR, and hybrid work — all of which are trying to address “evergreen” workforce challenges, while working in tandem with OPM.

“CHCOs have an opportunity to weigh in and be a part of the OPM strategic planning process,” she said. “Likewise, OPM regularly looks to the CHCO and deputy CHCO community for input to help shape OPM policy, make sure that we are being responsive to agencies’ needs and ideally getting ahead of agencies’ needs, so that we’re ready to respond when they need us.”

Employee engagement advice from CHCO Council

Employee engagement has been consistently top of mind for human capital leaders. The CHCO Council’s working group on employee engagement has been putting together — and plans to soon publish — more resources on how to foster better engagement in the workplace.

One of the council’s projects is a “toolkit” for the Federal Employee Viewpoint Survey (FEVS), focused on how agencies can implement changes based on employee feedback in OPM’s annual survey. The toolkit is expected to be published later this fall, with the hope that the recommendations will tie to the coming results of the 2024 FEVS. The toolkit will include not only engagement recommendations, but also strategies for action planning and better communication with employees.

“Agencies are bringing together and uplifting the practices that have been most useful in their agencies — proven ways to engage with employees,” Heller-Stein said. “We’re trying to enhance transparency, communication, accountability and action planning around this.”

Another resource CHCOs have been putting together is a forthcoming “blueprint” for agency leaders, focused on management strategies that can create positive impacts in the federal workplace.

“Senior leaders oftentimes may not be involved with frontline work every day, but they are really thinking about strategy and policy,” Heller-Stein told Federal News Network in an interview following the Oct. 9 event. “But it still really helps set the tone for the work that happens in an agency and the culture at an agency.”

CHCO Council aims to support HR workforce

Leaders on the CHCO Council have also been focused on the internal operations of human capital management, particularly on strategies for better training and developing the HR workforce governmentwide.

In September, for instance, an HR career pathing pilot at nine agencies wrapped up after months of work. The CHCO Council, which helped manage the pilot in partnership with OPM, is currently analyzing the results of that project, which focused on early and mid-career HR staff. Eventually, the goal is to use to pilot’s findings to refine career paths and opportunities for the federal HR workforce.

Additionally, there are plans in the works to launch an HR career growth portal this fall, as part of larger modernization efforts at OPM. The CHCO Council helped develop the portal by using survey feedback and input from more than 2,000 federal HR professionals in focus groups.

“It has been a really great project to understand what is happening in the community,” Heller-Stein said. “What we’re hearing from practitioners is [about] what kinds of tools they need, here they feel they need to develop [and] how OPM and senior HR leaders within their agencies can really support their growth and development to make sure that we have a strong cadre of HR professionals supporting us.”

Deepening the use of federal workforce data

Along with working groups focused on employee engagement and elevating HR, CHCOs over the last couple years have also worked with OPM to put together several data dashboards. The dashboards, which CHCOs in the human capital data working group helped to shape, are meant to help agency leadership, HR staff and the public understand various demographic trends in the federal workforce.

“The working group was really critical in providing agency insights regarding what OPM should include in those types of dashboards, what should be included in OPM’s final data strategy and important features and information to include in those products,” Heller-Stein said.

Several of OPM’s data dashboards now include, for example, detailed information and trends on hiring manager satisfaction, time-to-hire and the cyber workforce.

Heller-Stein said she hopes “agencies will use the dashboards to help shape the way they’re managing HR at their agency, trying to make it easier for them to understand where there might be roadblocks, and where things might be going.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

• In the aftermath of hurricanes Helene and Milton the Federal Emergency Management Agency has set a new record. FEMA took in more than 250,000 disaster assistance applications on Saturday alone. The most new registrations the agency has ever received in one day. The Biden administration has approved $825 million dollars in disaster relief assistance so far. More than 9,600 federal personnel are deployed across the southeast United States, including 4,100 FEMA staff.
• The Office of Personnel Management (OPM) is taking a more direct approach to fostering early-career federal talent. Over the past week, OPM Acting Director Rob Shriver has been making stops at colleges and universities across Michigan, Wisconsin and Pennsylvania. He’s engaging directly with current students and talking about career opportunities in the federal sector. Throughout the federal recruitment tour, Shriver has also been meeting with various Federal Executive Boards (FEBs) to discuss broader workforce trends and challenges.
• Soldiers who go on operational deployments for more than 60 days will now receive 240 dollars per month. Called operational deployment pay, the benefit is specifically for operational deployments and does not apply to soldiers participating in training exercises. The benefit amount is the same for all soldiers, regardless of their rank. Army Secretary Christine Wormuth said the benefit is meant to “recognize the hardship of being away from families but also the rigors of deployment.”
• The Pentagon’s Cybersecurity Maturity Model Certification (CMMC) program takes another step forward. Go to the Federal Register this morning and you’ll see it — the 470-page final CMMC program rule. It formally establishes the cyber certification program into federal regulation after more than five years of development. The Pentagon still has to finalize another rule that would establish a CMMC contracting requirement. DoD plans to start putting CMMC into contracts by the middle of next year. But defense officials expect it will take about three years to scale the certification requirements across all contracts.
• NATO plans to publish its first-ever commercial space strategy to better leverage commercial and improve resilience of its space operations. Maj. Gen. Devin Pepper, the deputy chief of staff for strategic plans and policy at NATO, said the document will be aligned with the recently-released Pentagon’s commercial space strategy. The plan, however, will reflect NATO’s different requirements for commercial space systems. Despite the differences, the document will focus on similar capabilities, including communications, domain awareness and intelligence, surveillance, and reconnaissance. The United States currently provides the bulk of NATO’s space capabilities.
• The Defense Counterintelligence and Security Agency is set to publish an implementation strategy for its National Background Investigation Services program. Once fully implemented, NBIS will serve as a “one-stop shop” background investigation system, The NBIS program, however, has faced cost and performance issues — the Defense Department indicated earlier this year NBIS was not on track to meet key milestones. The new implementation plan is a crucial step in getting the long-delayed initiative back on track. The system is also critical to implementing the federal government’s “Trusted Workforce 2.0” initiative. The implementation plan, along with all the milestones associated with the strategy, will be published on performance.gov.
• The White House and the Small Business Administration (SBA) are warning Congress that the SBA’s disaster loan program will run out of money after Hurricanes Helene and Milton all but exhausted its funding. In a letter to lawmakers, President Joe Biden said the need is more urgent today than when he requested new funding for the program several weeks ago. SBA Administrator Isabel Guzman said if funding lapses, all new offers will be held back and delayed until program funding is replenished. Through the disaster relief fund, SBA provides financial relief to small business owners, nonprofits, homeowners and renters with long-term, low-interest loans.
• The White House and the General Services Administration (GSA) are teaming up to help contractors meet federal sustainability requirements. Federal contractors have the chance to hear from agency experts on Biden administration climate and sustainability initiatives. Over the next two weeks in webinars, GSA, the White House Council on Environmental Quality and other agencies will provide details about federal resources and tools that vendors to take advantage of to meet federal climate and energy programs goals. The topics include tax credits for on-site renewable energy, efficient buildings and clean vehicles and on buying carbon pollution-free electricity more rapidly and effectively. Speakers at the webinars will also include experts from the departments of Energy and Treasury, the Environmental Protection Agency and supplier organizations.
• Delays in presidential transition planning could lead to “real risks” for government operations. Vice President Kamala Harris recently signed an agreement with the White House to access to personnel and documents and prepare for a possible presidential transition. But so far, former President Donald Trump has not reached the same agreement with the White House. The Biden administration said it’s “actively working” to reach an agreement with the Trump presidential campaign to offer transition planning resources. The Partnership for Public Service is urging the Trump team to sign an agreement to avoid risks of worsening government operations under a potential new administration in January.

—

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Tom Temin: So what is the real outlook there Loren?

Loren Duggan: Well, some agencies say they have money and others say they’re in need of it. Now FEMA, which you mentioned in your intro, is actually doing OK. They got a big influx of cash with the continuing resolution and they say at some point toward the end of the year, they may need some additional funding. But for right now, they’re OK. The agency that’s most in need, according to the president, is the Small Business Administration, which provides disaster loans to people in affected areas. And he said that might be an area where money is needed even sooner and call for Congress to come back.

Tom Temin: Alright, so what are the chances they’ll actually come back?

Loren Duggan: Well, Speaker Mike Johnson has so far not bitten on that last week. He said that, like I said, FEMA had the money it needed and that it would take time to add up all the costs in both the areas affected by Helene and the areas affected by Milton, the two different storms that have gone through. FEMA takes a while for some of that money to roll out there, have a Disaster Relief Fund, which is the main source of this and I think had billions of dollars left last week. So we’ll see going into a new week, and if pressure mounts, they could come back. And there’s a difference between maybe coming back a few people and coming back the whole chambers as we’ve seen in past disaster cycles.

Tom Temin: Right. And they can’t appropriate funds without everybody being there.

Loren Duggan: Right. I mean, they have, at times, had packages, especially disaster, where maybe the majority and the minority leader in the Senate can show up and maybe a few folks in the House. But if someone demands a vote and says they won’t let this money go out without some sort of arrangement, then they would potentially have to all come back if that was the urgent need and they had to go about that.

Tom Temin: And there might be a little bit of fatigue with the whole idea. I mean they just got through a whole big operation to get Veterans Affairs more money because it was running short because of the PACT Act claims and so forth.

Loren Duggan: That’s right. That was right before the end of the fiscal year. There was a supplemental for fiscal 2024, the year that just concluded, because there was a shortfall there. Disaster aid is something that has been requested by the administration and talked about, but the packages we’ve seen so far, whether it was the most recent continuing resolution or that larger supplemental bill this year that dealt with primarily Ukraine, Israel, Taiwan and some other things, didn’t address this disaster aid. And there are requests from the administration going back to the Maui fires to the collapse of the bridge near Baltimore and for some of the other disasters that had happened even before Helene and Milton. So there’s some like pent up need for disaster aid, plus this new and emerging need for disaster aid that could drive action.

Tom Temin: Yeah, it’s like the whole nation is a giant nest of baby birds with their beaks open, and Congress is trying to find the worms to drop into every beak.

Loren Duggan: Indeed. And one of the questions they have is do you give the money with an offset or without? Speaker Johnson, I believe, last week, said that maybe he would like offsets, though he acknowledged that would be difficult. That’s sometimes been a debate around disaster aid as well in recent years, do you just make an emergency money without an offset, or do you try to find cuts elsewhere in the budget that could be a fight that may, in fact, require people to come back to to have that discussion. But if nothing changes, the first day Congress would be in session is November 12th, about a week after the election.

Tom Temin: And to some degree, the hurricanes and the hurricane of the chatter stemming from the upcoming presidential election have pushed Ukraine off the front pages, so to speak, the homepages, and there’s no, at this point, effort or need or any kind of action forming to send more money over there that we know of.

Loren Duggan: No and the president, right before the end of the fiscal year, announced that he would send another package using the authority that he had up until that point. And so aid has flowed to Ukraine significant amounts over the last couple of years. I think the election and obviously the different stances taken by Vice President Harris and former President Trump may mean that Ukraine is watching the results of this election pretty closely as well and that might suggest what sort of aid could be done later this year or in future years, depending on the administration of the makeup of Congress.

Tom Temin: We’re speaking with Loren Duggan. He’s deputy news director at Bloomberg Government. And a related issue back to Florida is the insurance situation. The state officials talk about it like, ‘We’ll be fine, we’ll be fine.’ But the fact is that insurance is hard to come by or it’s prohibitive in Florida and that could happen maybe in North Carolina, around Asheville, for the same token, which means that there could be some consideration of federal intervention in that market?

Loren Duggan: Potentially or maybe a reexamination of the National Flood Insurance Program, which is the place where the federal government does have a role. It’s a program that has had obviously, a number of budgetary challenges, just given the number of claims over the years and the amount of flooding that goes on. If Congress needs to take action around that program as well to change some of the rules around it, that could be a discussion. The program is something that has to be reauthorized every so often, and has really been running on a series of extensions over time rather than really an evaluation of the program as a whole. We’ll see if, maybe coming out of this, and maybe this is more of a 2025, and beyond question. But do they have to re examine how those programs work and whether there needs to be a federal backstop for the states? That’s always one of those big questions. But it’s not like these incidents are stopping there if anything feels like it’s speeding up, right? There’s more of these storms. It feels like.

Tom Temin: Yeah, in fact, I was talking to someone who was in the brunt of the storm, but their house is 50 feet above sea level, so nothing bad happened. Trees fell and so forth. The door was literally bending in from the pressure of the wind like a horror movie. And this person said, ‘Well, their husband wants to keep everything bolted and all the storm shutters down.’ She said, ‘Well, there’s no more storms coming. He could open the storm shutters again.’ But people are a little bit shell shocked there, I guess, to use a bad analogy. And budget development, we’re in a CR that review for us how that runs, and any talk about appropriations at this point for 2025. that’s got to be job one when they return.

Loren Duggan: That might be job one or maybe job two, if the hurricane displaces that and there’s a need for emergency funding. The government’s funded through Dec. 20, which gives them about five weeks or so after the election to come back in talk about what they want to do, see if it’s a wrap it up this year, a plan, or maybe kick it into next year. You might recall the first House Republican continuing resolution went through March, which would have kicked it well into the next administration. So they have left it as a question open for the lame duck session when they come back. Haven’t heard much about what they want to do. Maybe some of these developments will factor in, but that will be a top priority for sure this fall and winter.

Tom Temin: All right. And then there’s the 2026 budget preparations, which are going on now. People that understand the crazy budgeting cycle of the U.S. government and that’s true of DoD and Bloomberg has done some work in that area. Some of your reporters.

Loren Duggan: That’s right, we focus a lot on the request when it arrives. But there’s a whole lot of action that goes on before that. My colleagues Tony Capaccio and Roxana Tiron had the chance to talk with Michael McCord, the comptroller at the Pentagon, who said this work is underway, and they expect it to be later than it normally is because it’s a new administration, even if it’s a Harris administration, Democratic, a lot of the same people, it will be a new administration. Might be slowed down if former President Trump wins, then we have a completely different administration and it’s anticipated that would take a while. So they’re about halfway done. From what he told my colleagues, there’s a lot of way to go. They have to figure it out. Figure out what the top line is going to be. But as you say, there’s a lot of work that goes on that people don’t pay attention to because it really is behind the scenes, but it’s very much top of mind for these top Pentagon officials what they’re going to do next year.

Tom Temin: Yeah, and earlier in this hour, I had an interview with David Grannis. He’s the executive director of the Commission on the National Defense Strategy, which issued what I thought was a blockbuster of a report a couple of months back on the kind of sorry state of the military and the budgeting system, and whether we could actually take on China and win. We could take them on, but we may not win. And I would think that would be alarm bells for Congress to start thinking seriously about defense budget priorities. But I think some members are interested. It did have bipartisan sponsorship that commission, but yet it doesn’t seem to have really dug that deeply that plow that they put out.

Loren Duggan: Yeah, I think reports like that get digested, maybe take time to work through. We did see Senate authorizers say they wanted more money for this current fiscal year in their authorization bill for DoD and other defense programs. So we’ll see if they win as they negotiate that bill, the NDAA plus appropriations letter this year. But those longer term questions about the U.S. strategy and what it means for our posture in the world, I think we will hear that in a new administration might kick things in a different direction with a new DoD secretary, or whatever it may be.

Tom Temin: And of course, part of the problem is not just the money, but also the process by which DoD grinds through what it does, which keeps it perpetually slow. But that’s a topic for another day. All right, so they’re gone again. They return when officially?

Loren Duggan: Barring emergency return, it would be November 12th, about a week after the election, right after the long weekend, and we’ll be digesting the election results and figuring out what it all means.

Tom Temin: And then, thinking about digesting Thanksgiving not too long after that.

Tom Temin: And you’ve been following this for, I believe, it’s seven years now.

David Berteau: Yeah, you’re right Tom. DoD has been building the CMMC program for seven years now. Started in 2018 and this latest iteration is a set of two proposed rules. This is the second of two proposed rules and comments are due today. We’re going to be submitting those comments from PSC just as we’ve been submitting comments on every iteration all the way back to CMMC 0.4 in 2018. But this is really the critical one because this is how the requirements of CMMC, which could change over time as the threat changes, will be incorporated into contracts themselves.

Tom Temin: Right. So the operational aspects of this are really still unknown, even though they have gelled it into parameters that they can express in rule making. Fair way to put it?

David Berteau: Yes, that’s a great way to put it. There are so many questions that remain unanswered here and they’re actually almost independent of what cybersecurity objectives you’re trying to achieve. It’s how do you actually operationalize and get those in. So there’s two separate rules being debated here. One was submitted last December. We commented on it in February and that rule is now released in this morning’s Federal Register. The preregistration notice was 470 pages long, but.

Tom Temin: No less.

David Berteau: Rule is with no less than, in fact, we’re incorporating that into our comments that we’re submitting later today.

Tom Temin: So you will have had some time to digest this. It’s going to take time to read through the 470 pages, or is most of that been gone over and it’s just simply incorporate some of the rule making comments they might have gotten?

David Berteau: We had an extensive set of comments that we submitted as did quite a number of others back in February and a number of those comments have resulted in changes, but we haven’t really yet finished tracking the comments to the changes.

Tom Temin: In other words, you have to read all 470 pages?

David Berteau: You do have to read the whole thing to know what it actually is. Now this is important because these are the standards which will be implemented by the contract language in the proposed rule, which we’re submitting comments today. They don’t affect how the contracting language goes. They affect how the contracts will go. That first rule was really on what are the requirements the National Institutes of Standards and Technology standards 800-171 which is the basis for that. This is the one that says, ‘OK, how does it get into a contract?’ But we’ve got some history here that’s worth looking at.

Tom Temin: Right. And one of the questions you are raising is when will it actually be implemented through the contracting officers as clauses, basically? And that’s really still an unknown. The other one is the capacity of the so-called C3PAOs. It sounds like a robot from Star Wars. These accrediting organizations that are supposed to objectively say this contractor is good to go. What’s going on there that you see as a challenge?

David Berteau: Well, there is an accreditation body. It’s been in place for a number of years now, and that accreditation body has been issuing the accreditation for C3PAOs. These are the CMMC third party assessment organizations. So they’re independent of the government, independent of the accreditation body, but essential to the certification of contractors to be able to bid and win contracts. The current capacity has been building, but it’s nowhere near the ability to get thousands and thousands of contractors certified and subcontractors certified at a time that would be a rapid implementation. So two things have to happen here. One is, we do need the final rule, not only for the standards, the requirements which I think that final rule. In fact, at our conference last week, a senior DoD official said release of that final rule was imminent. He also, though, said that the pace is glacial. So I don’t know whether imminent means the glacier is about to calve a large iceberg or whether we’re going to melt a little bit longer.

Tom Temin: I guess it depends on your timeline.

David Berteau: Do we work in geological era?

David Berteau: Or fiscal years? But I do think it’s about to come out. But the second rule will have to be finalized before it can go into contracts, and that’s the rule on which we’re commenting today. How fast can that rule be finalized? Well, that will depend in part on the complexity and magnitude of the comments that are coming in and adjudicating that and get it through. The earliest we could see that rule come out I think would probably be January, given that it’s mid-October right now, and that would be kind of about the time of the change of administrations. But then you get the question that you’ve raised, which you can’t put it in every contract right away because you’d have to phase in the implementation. There’s no way you have the magnitude of companies which contracts get picked first. How does DoD make sure that the companies that would bid on that contract are first in line to get the certifications required? In fact, there’s even a question of when do you need to be certified? Do you need to be certified at the time you submit the proposal? Do you need to be certified at the time the government evaluates those proposals? Or do you need to be certified at the time of award? And these are questions, as you well know Tom, sometimes it takes months or even years between a solicitation and the final award of the contract. So this stuff is very much up in the air.

Tom Temin: Right.

Tom Temin: We are speaking with David Berto, president and CEO of the Professional Services Council. And it seems like there’s a lot of discretion that will still be available to contracting officers. For example, what level of certification will they accept for a given deal? Self assessment is one which is the easiest on everybody, but that also has the most risk if something goes wrong with actual cybersecurity later on.

David Berteau: That’s right. In fact, one of the reasons that DoD has continued to push for this CMMC program is it wants to go beyond the self assessment that’s really in the current DFARS requirement and for contractors. I think that what would a contracting officer do? Well, self assessment is the easiest one. But in my experience, most contracting officers are not risk seeking, their risk averse, and so there’s less risk by requiring your contractor to be certified, as opposed to self certification or self assessment. But then the question is at what level do you need to be certified? The Level 2, which is the basic level, might be sufficient for protecting most data and most systems for the company, but will a contracting officer say, ‘Level 2 is not good enough. I want the highest possible level of protection here.’ Again, DoD’s calculations are only a relatively small number of contracts and contractors will be required to go to Level 3. I don’t know how they’re going to manage that. I don’t know what kind of guidance they’re going to put out to contracting officers. It says, take more risk, stick with Level 2.

Tom Temin: And then there’s the question of your subs, which is always a question. It seems procurement issue these days is, how do you deal with the subcontractors?

David Berteau: Right. So subcontractors, of course, are an essential element. The requirements will flow down to subcontractors. And there are many questions associated with that, which includes, what are the responsibilities of DoD and the response, what are the responsibilities of a prime contractor to ensure certification, as well as by when does that certification need to be there? You may not need a subcontractor until the second year of a contract. So do they need to be certified at the front end? Or you can include them in your bid? These are big questions that remain to be answered.

Tom Temin: Right. And I was also wondering this is more of the philosophical end of this, perhaps, but does this really make for better cybersecurity? Because it’s an enormous compliance and bureaucratic exercise, which DoD is really good at to its detriment. But will it make data and contracting and DoD systems ultimately more secure? I wonder if they have a mechanism for measuring that.

David Berteau: This has been a key question that PSC has been raising from the beginning. We’ve approached our engagement with the government on cybersecurity, not just in CMMC, but in the dozen other proposed rules and regulations that are floating out there still today. From the following perspective, No. 1, we know the threat is real. We know the threat is growing every day. There’s greater threat, right? And so you’ve got to be cognizant of that fact. The second is, clearly, what we’re doing now is not good enough because every day you read about another breach, right? Another cybersecurity, another hack, etc., even apparently relatively secure systems, right? And so the real question is, what do you do to make that better and how do you tell if it’s better? So the way I look at the CMMC proposed rules is they create a level of cyber hygiene that is the baseline, right? The standard below which you’re not supposed to go. It may not, in and of itself, create more cybersecurity, but failure to do so will certainly create more vulnerability. So that baseline is there. But then the question is, what do you need beyond that baseline? Many of our member companies are already well beyond NIST standard 800-171 even the newest revision, Rev 3, which you’ve covered on your show a number of times. But not every subcontractor is going to be that way. And how do you maintain that? How do you keep the competence, the competition levels, etc.? These are huge challenges that remain to be worked out.

Tom Temin: And before we get to some of the background and construction of the study, how would you characterize the top line findings? I would say the United States is a paper tiger, or am I overstating it?

David Grannis: Well, I think that the top line here is that the security environment facing the United States has gotten drastically worse over the past few years and that the United States is really not resourced or equipped to deal with all of the challenges we face. And so, as you said, there is a possibility of a war that could be in multiple theaters, or even a global war, and the United States is not positioned to prevail.

Tom Temin: And one of the striking facts I found in skimming through the report, and it’s a big one, is that the spending by China is around $700 billion in change, which puts it in the order of magnitude of spending little bit over $800 billion by the United States. And for years, everyone I’ve heard has been saying, ‘Well, China only spends 10% as much as the United States, and we spend 10 times more than the next 10 combined, and all of this.’ But in fact, China is outspending us, especially if you factor in how cheap their people work.

David Grannis: Right. Well, it’s very difficult to get good estimates of what China spends on its national security because they do not have an open system the way we do and don’t put all of this out into the public. But when you factor in the cost of buying, the cost of labor and all that China does in the national security realm, and not just buying missiles and ships. It really is a lot more comparable to the U.S. budget than people think. The other major difference here is that the United States, for decades, has had a global force capable of operating anywhere around the world where China really has had the luxury of focusing on its own backyard, and so it does not have a lot of the same expenses that we do.

Tom Temin: And let’s get back to the background a little bit here on this commission. Who in Congress was behind this and what was the charter that you were designed to do?

David Grannis: The charter comes from the National Defense Authorization bill. Every four years, Congress creates one of these commissions, or at least they have for the past 16 years or so, in order to take a look at the nation’s defense strategy that is put out by the Pentagon and give Congress and the executive branch an independent look. And so we are eight commissioners appointed by the bipartisan leaders of the House and the Senate, four appointed by Democrats, four appointed by Republicans, all of whom have national security careers. And they look at the strategy, they look at all the information and they provide an independent view.

Tom Temin: And what has been the reaction so far? Because I found it, personally, to be one of the more consequential statements this report in a city that produces reports by the dozen every single day.

David Grannis: Well, we’ve been quite pleased with the response. The commission has testified before the House and the Senate Armed Services Committees and got a very positive reception from both. We have been talking to the think tanks and reporters here around Washington and trying to spread the message further than that. It is a pretty dire message, but, but it is, it is gotten very positively reviewed. If I can just add one thing. What the commission has tried to do is really get beyond the inside crowd and really reach the American public because one of our major findings is that the American public does not understand, No. 1, the challenges we face, but also how it could affect their own lives. We believe that if there is a war with China or otherwise, you would be feeling the effects here at home. They have the ability to turn off the power, to turn off the water, to prevent us from running transportation systems in an effort to prevent us from being able to engage in whatever China or another country is doing.

Tom Temin: Right. Almost since World War II, when people did feel the effects of that through shortages and rationing and so forth. It seems like, from the public standpoint, the wars waged since then have been news, but not something people felt at the homefront.

David Grannis: Well, that’s right. I mean, the United States has been a sanctuary. Obviously, 9/11 demonstrated that we are not invincible. But in terms of the kind of wars that we have been fighting for the past couple of decades, they have been over there and not here. The other troubling fact is that an increasingly small percentage of Americans really feel and are part of the Armed Services, the public service that makes up part of our national security. And so it really is a small percentage of the public that we are drawing on and relying on, and that needs to be broadened as well.

Tom Temin: We are speaking with David Grannis. He’s executive director of the Commission on the National Defense Strategy, and what are some of your top recommendations that Congress could do and the Defense Department could do? You name acquisition and that whole PPBE and all that complex of process that kind of ensnares the Pentagon. But there are few other things that you’ve brought up also.

David Grannis: Well, you put your finger on one of the top ones, we’ve got a Department of Defense that is used to operating over the course of years and producing a relatively small number of extremely capable assist systems that are not well suited to the kind of wars that we could be facing. And so we need to change the defense acquisition. We need to much more closely integrate with the tech sector, the commercial, private industry that really drives innovation in this country in a way that was not the case through most of the Cold War. So that’s one. We also need to stop thinking of national security and defense as synonymous. There are many parts of our government: the state department, our International Investment and Development, our labor and education systems that are part of national security and the way our government is stovepiped and that we play appropriations from one against the other. That needs to change. It needs to be in all elements of national power kind of approach here because that’s exactly what Russia and China are doing.

Tom Temin: It’s almost like we need to go back to the 1950s, in some sense, in our approach. I think it was even more recently, wasn’t it Secretary of Defense (Bob) Gates, who said, I need a bigger and better State Department in effect?

David Grannis: Well, that’s right. And back when it was the United States and the Soviet Union, we had a strategic communications. We were speaking to the world and we were really advocating for our interests. We viewed our allies as a key part of how we would deter and prepare for war and hopefully never have to get there. And increasingly, there is an isolationist trend that people can solve their own problems, and the United States can focus here. Unfortunately, the world’s not going to let us do that.

Tom Temin: And maybe the other difference in your report is that the economic structure is different given the size of the national debt and what that debt costs the government to service is way different, even from 20 years ago, and it’s threatening to crowd out so many other things. It’s the economy that ultimately supports national security, and that’s kind of threatened by debt and other factors.

David Grannis: Well, that’s exactly right. We do say in this report that our investment in national security is going to have to grow. We spend roughly 3% of our GDP right now on defense and national security, and if you look back to the Cold War, it was at least 4 1/2-5% and up. And so we need to get back to that kind of level of spending. But as you say, we can’t just put all of this on the debt. Our commission again, four members appointed by Democrats, four members appointed by Republicans in Congress unanimously agreed that in order to pay for what we’re going to need to do, we are going to need to increase revenue measures. That means taxes, and we’re going to need to reform entitlement spending because we can’t continue to try to do all of this on the national debt and to do it without tackling some of the structural elements of our economic and financial picture.

Tom Temin: Is it frustrating to you and the commissioners and the members that neither candidate seems to be saying anything rational on any topic, let alone on this essential thing to the country?

David Grannis: Well, we recognize that the candidates are talking about what the American public is focused on. There’s recent polling that says that 1 or 2% of the public believes that national security is the biggest problem we face. Now, if all of a sudden, the lights start going out and the bombs start flying and U.S. is mobilizing that number is going to change pretty significantly. And so we are trying to get the word out before the next 9/11 or Pearl Harbor, rather than wait till afterwards, so that we are prepared as a nation.

Tom Temin: And by the way, you come to this as executive director from pretty good experience on the Hill yourself and in the national security apparatus.

David Grannis: Well, I spent more than my fair share of time in Congress, in both the House and the Senate, and working over in the executive branch. And my perspective is that there are a lot of dedicated, well-meaning and very capable people on both sides of the aisle working on these problems, but we increasingly have systems. Our report focuses on the Department of Defense, systems that are just suited for another time we need to start making some pretty significant change.

In the defense landscape, and especially at the tactical edge, communications are critical to the success of the mission. But often, our nation’s warfighters are in denied and degraded environments with barriers to connectivity and communications. The solution to this challenge is decentralized comms, according to SpiderOak CEO Dave Pearah.

GovCon Wire sat down with Pearah to discuss the urgency behind a new approach to communications, SpiderOak’s partnership with Intelligent Waves, data encryption and more. Read below for Pearah’s full Executive Spotlight interview. 

GovCon Wire: Tell me about the strategic partnership between Intelligent Waves and SpiderOak.

Dave Pearah: We want to provide resilient communications for the brave men and women who are serving in areas with really compromised and insecure communications. Now, let me illustrate those layers. We’re talking right now over a Zoom call, we’re both in areas with typically really good power on large-scale devices like computers and laptops, communicating over robust cellular and wifi networks. But a lot of where the mission takes place happens on what we call the tactical edge. 

The tactical edge is a critical part of the overall mission, and one where you have restrictions on size, weight and power of devices, and even more so, you are working over intermittent, unreliable and untrusted networks. Yet, just like you and I are talking right now, we need to have communication to do what we need to do, even more so for the men and women serving at the front on the tactical edge. 

In partnership, we’re delivering a complete solution that allows folks with a very simple interface to communicate resiliently over a network that Intelligent Waves is creating — a mesh network utilizing low-power comms, so not cellular phones, not wifi and not even satellite communication. We’re working in areas where comms are denied, disrupted and untrusted. So we’re setting up this ad hoc network, and we provide the application-level security running on top of it. 

I think a useful analogy is using Signal for secure messaging on your phone. You have texting on your phone, why would you use Signal? Well, for all the reasons people want to use Signal — it’s that end-to-end security and knowing that it doesn’t matter if you have an Android and your friend has an iPhone, or you’re on T-Mobile and they’re on Verizon. Nothing can compromise the privacy of that data. We provide that magic built into other people’s solutions and that’s what we’re doing with CEO Tony Crescenzo and the folks at Intelligent Waves.

With the rise in cybersecurity attacks on government networks, Tony led IW to successfully launch several innovative and disruptive cybersecurity technologies that serve the U.S Department of Defense and Intelligence Community, featuring GRAYPATH (GP), which allows traffic to be obfuscated by transmitting traffic from one source over multiple paths. What we are bringing is that zero trust overlay of data-level and application-level security on top of this ad hoc network and multi-path traffic that hides the signal. 

GCW: How does the new communication solution ensure secure and reliable DOD communications?

Pearah: We provide technology that’s built into other people’s hardware, applications or solutions. We are a small but important part of the overall stack. We provide the data-level and application-level security, and folks like Intelligent Waves and our other amazing partners provide the actual solution that gets developed and delivered to the mission folks. We provide a small piece of tech that sits inside of other people’s solutions. 

End-to-end encryption of data works when the keys for encryption are only held by the people with the need to know. For example, I have an electronic lock on my house, but if we use the same key for every person in the house and never change the key ever, and then we share it with people who want to have temporary access to the house, how useful is that key? If you don’t keep keys unique to individuals, you don’t limit when those keys are useful and you don’t change them, ultimately you might as well just have your door wide open and don’t even bother with a key. 

We want to make encryption easy for folks by allowing them to change the keys that they use for encryption. Now that’s an oversimplification of what we do, but at the end of the day, our software allows it so that devices and people can easily manage compartments for sharing information. 

It’s like using a messaging platform for your company. You’re all in the same company, but you don’t all scream at each other all the time and share all information. You do things like, create different channels for leadership or individual projects. You create smaller groupings that grow and shrink and get created and destroyed over time. That is what we make possible for very small devices in areas with really untrusted comms. 

All of our patents are around doing this in environments where you have such degraded comms and such small form factor devices that we basically do it without central server or central communication and coordination. The magic is allowing people to secure information in these kinds of environments where you can’t have central coordination and that magic gets embedded into other people’s hardware, software and solutions. 

GCW: Why is decentralized communication so important for the DOD in today’s security landscape?

Pearah: We are all about protecting the data, not the network or the infrastructure, because we feel it is the most resilient way to do it in the face of degraded comms. The first point I’m going to make about decentralization is that each endpoint itself is going to secure its own data and not rely on anything else other than itself. 

Just like your message will get to your friend on Signal, whether they’re connected to the internet or not, because you’ve taken the first step of encrypting the data and you’ve sent it out without any sort of central coordination. So that’s step one. The other thing that we noticed when we were serving the space industry is that one satellite is in contact with another satellite, which is then in contact with another satellite, but they’re not all in contact with each other all the time. So the question becomes: Where does security get coordinated? Each satellite is coming in and out of range and doesn’t always have contact with the ground. 

The reason why we created that market is because all the solutions on the ground assume a server with lots of power and constant connectivity, and that just doesn’t work in this domain where you have limited size and limited connectivity. The only reasonable answer is that each endpoint has to be responsible for its own security, and it can’t rely on constant connectivity. The decentralized answer kind of just pops out as the only rational approach to doing it. 

People will try to bring comms and data centers as close to the edge as possible, but there’s a last mile where you can’t just bring a data center in your backpack and the satellite is just out of reach. Those people just can’t be out of luck, they have to have a solution. Having a peer-to-peer, decentralized approach for security and the moving of data is the only reasonable answer for these kinds of austere environments. And that’s why we’ve really leaned into and embraced this decentralized approach. 

GCW: What benefits does this partnership bring to the DOD and its operations?

Pearah: I see a lot of applicability for this. This is multiple use cases in multiple environments, and Intelligent Waves is the perfect partner because they understand and are trying to do something cutting edge and innovative as opposed to the same old network-level security. They have embraced zero trust, they have embraced data-level, not network-level security, and they’re doing it in this really unique place. 

What I love about this partnership is we cut our teeth in space cyber, and this is a non-space environment. Not only is it on the ground, it’s designed for people serving in areas where space comms is either denied, unavailable or compromised. Yet our same technology born in space is solving this non-space environment challenge. I love the extension and expansion of the mandate and use case for us with an amazing partner that frankly has the customer intimacy and understanding of the mission. We’re a small company, and we’re just trying to provide our tech to folks that have intimacy and understanding of these mission sets.

Retired Lieutenant General Ken Tovo, who is a former commanding general of the U.S. Special Operations Command and is an advisory board member for SpiderOak, has expressed strong support for the partnership. Ken understands that in the absence of giving solutions that work in the field, people will use things unofficially. Especially for people serving the mission in these austere environments, all they want to do is go home safely and do the good work. If the government is not going to provide to them, they’re going to find another way of getting the job done. 

What Ken really likes is the flexibility of an instant-on solution that doesn’t require a lot of pre coordination. A lot of traditional solutions are: ‘We’re going to set up a secure network and then you’re going to have comms.’ That sounds good, but sometimes these things happen in an instant and you need to respond agilely. Whatever is creating and consuming information in this tactical edge environment — whether it be a warfighter or a sensor — needs a flexible solution that just works instantly. What Ken’s always thinking about is the people, the safety of the people, as well as the effectiveness of the mission. We are responding to an emerging set of requirements where people don’t want a secure network, more space comms, a new data center or heavy infrastructure. They want something that works in a peer-to-peer mesh immediately and instantly in the field.