
DOD IG Audits Next-Gen OPIR Software Assurance Activities

The Office of Inspector General within the Department of Defense found that the Next-Generation Overhead Persistent Infrared program management office failed to ensure a program protection plan was consistently updated to reflect the Next-Gen OPIR contractor’s progress in implementing software assurance.

An IG audit report on the space architecture development also revealed that program management officials have not provided such a plan for milestone decision authority approval since October 2020, the DOD OIG said Tuesday.

The U.S. Space Force is developing Next-Gen OPIR to replace the Space-Based Infrared System missile-warning constellation.

According to a Breaking Defense report, the first of four Next-Gen OPIR satellites is expected to be deployed into geosynchronous orbit in 2026, a year later than the initial launch schedule.

DOD Inspector General Robert Storch said software assurance is critical for the agency to ensure its systems’ integrity, security and reliability, noting that software vulnerabilities “can pose significant risks to mission success and national security.”

“By implementing thorough software assurance practices, the DoD can reduce the likelihood of cyberattacks, system failures, and compromised data, ultimately protecting critical assets, enhancing operational effectiveness, and safeguarding military missions,” he explained.

To resolve the identified issues, the IG recommended that the Next-Gen OPIR program manager ensure regular updates to the program protection plan to accurately reflect the program management office and contractor’s progress in implementing software assurance activities. 

It also recommended that the under secretary of defense for research and engineering revise DOD guidance to include a process for identifying risks associated with software assurance activities and tracking the acceptance of any risk left unmitigated.


NASA Requests Proposals for Lunar Logistics, Mobility Enhancement

NASA has issued a request for proposal for technologies meant to help with future Artemis missions’ lunar logistics and mobility.

The agency said Tuesday the RFP, published in September, intends to address the possible issues in landing and moving cargo on the lunar surface identified in two white papers the agency previously published as part of its Moon to Mars objectives.

The Lunar Logistics Drivers, Needs white paper focused on the accurate prediction of logistics resupply needs involving items such as food, water, air and spare parts. The design of future lunar missions will depend on these logistics items since they will take up a large part of the cargo.

The Lunar Mobility Drivers, Needs white paper, meanwhile, tackles the transportation of cargo and exploration assets from the landing site to other locations on the surface of the moon.

NASA’s planned lunar terrain vehicle and pressurized rover can theoretically carry around 1,760 pounds of cargo and will be mainly used by astronauts to move around the moon’s surface. The agency is seeking proposals that will enable the transportation of 4,400 to 13,000 pounds of cargo.

According to the Lunar Surface Cargo white paper, existing cargo delivery capabilities like the commercial lunar payload services and human-class delivery landers will meet near-term needs. However, they are not designed for future missions with larger cargo.

NASA is soliciting proposals providing a comprehensive assessment of logistics with the possible inclusion of different transportation systems.

Nujoud Merancy, deputy associate administrator for strategy and architecture, stressed that the agency collaborates with various partners to develop its exploration architecture.

“Studies like this allow the agency to leverage the incredible expertise in the commercial aerospace community,” Merancy said.


DHS Taps Startups to Develop Synthetic Data Generation Systems

The Department of Homeland Security’s Science and Technology Directorate has selected four startups to develop synthetic data generation capabilities for protecting privacy and mitigating security threats.

Betterdata, DataCebo, MOSTLY AI and Rockfish Data are expected to deliver synthetic data capabilities that replicate real data’s shape and patterns, DHS said Tuesday.

According to Melissa Oh, managing director of S&T’s Silicon Valley Innovation Program, the selected startups can provide agile and creative approaches to help the government address complex challenges like data privacy and security.

DHS awarded the contracts following the release of SVIP’s solicitation in collaboration with the Cybersecurity and Infrastructure Security Agency and the DHS Privacy Office.

The request for proposals seeks to acquire synthetic data generation capabilities that would enable DHS to train machine learning models in scenarios where real data is either unavailable or poses security risks.

Commenting on the effort’s progress, CISA Associate Chief of Strategic Technology Garfield Jones said investing in privacy-enhancing technologies and collaborating with industry partners will advance the overall privacy ecosystem and its stakeholders.

The selected awardees could potentially access up to $1.7 million in funding across the four stages of the SVIP project.



NIST Issues RFI for USG NSSCET Implementation

The National Institute of Standards and Technology, under the Department of Commerce, is seeking information to support the implementation of the U.S. Government National Standards Strategy for Critical and Emerging Technology, an initiative launched in May 2023 to enhance existing private sector-led activities and plans focused on critical and emerging technology—or CET—by adhering to standards of transparency, impartiality, consensus and coherence.

According to a request for information issued on Tuesday, NIST is calling for feedback to enhance the education and empowerment of the standards workforce and decision-makers within the business and technology sectors.

NIST is also gathering information regarding existing awards and recognition programs that can help encourage standards participation and leadership in CET areas.

In addition, the notice seeks to maintain open communication within the U.S. CET and standards communities about the USG NSSCET Implementation Roadmap.

Interested parties have until Dec. 9 to send in their comments.


HBCUs & MIs Receive $50M in DOD Grants for Research Equipment

The Department of Defense has selected 98 historically black colleges and universities and minority-serving institutions to receive a total of $50.1 million in grants for the purchase of research and scientific equipment.

The DOD said Monday researchers from 21 HBCUs and 49 MIs, including one tribal college, across 26 states and the District of Columbia will benefit from grants worth up to $800,000 each.

The initiative is part of the DOD HBCU/MI Research and Education Program, which aims to boost transformative research in crucial defense technology areas.

The competition, managed by the Army Research Office with input from the Office of the Under Secretary of Defense for Research and Engineering, received 152 proposals totaling $82 million. The ARO, alongside the Office of Naval Research and the Air Force Office of Scientific Research, evaluated the proposals and selected the 98 awardees.

Evelyn Kent, director of the DOD HBCU/MI Program and Outreach, said, “Equipping universities with relevant instrumentation and other equipment is imperative for advancing novel research aligned with defense science and technology priorities while fostering innovation at the institutions. These awards help enrich the curricula offered to scholars pursuing science, technology, engineering and mathematics degrees and support the training of the next-generation workforce.”


DOD Cloud Financial Operations Strategy Made Publicly Available

The Department of Defense has made its Cloud Financial Operations Strategy publicly available.

The purpose of the DOD Cloud FinOps strategy is to provide the agency a framework to better manage and optimize cloud costs to, in turn, improve architectural, budgetary and investment decision-making, Leslie Beavers, acting DOD chief information officer and 2024 Wash100 Award winner, said in a memorandum.

“It establishes a way ahead that will allow the Department to be a better user and buyer of cloud services,” Beavers added.

The strategy says that the DOD needs to improve its acquisition of cloud services, because cloud adoption is a fundamental component of modernization, and modernization is made necessary by the increasing digitalization of warfare.

Improving acquisition is also necessary because of rising cloud costs and tightening military budgets.

To help with this effort, the strategy “describes a desired outcome, provides a DoD-tailored FinOps framework, and identifies strategic imperatives and associated actions to enable an enterprise understanding of cloud cost and impact.”

Its implementation will be overseen by the Enterprise Cloud Management Board.


Login.gov facial recognition option gets GSA approval

An online hub for Americans to access benefits and services across the federal government is giving its users a new option to sign on.

The General Services Administration will begin offering facial recognition technology as an option for users of Login.gov, a one-stop for government-provided public services, to verify their identities.

GSA’s Technology Transformation Services announced Wednesday it will allow Login.gov users to verify their identity online through facial technology that meets standards set by the National Institute of Standards and Technology’s 800-63-3 Identity Assurance Level 2 (IAL2) guidelines.

Login.gov will allow its users to match a “selfie” with the photo on a government ID, such as a driver’s license.

GSA said the facial recognition technology used by Login.gov does not rely on “one-to-many facial identification,” and does not use these images for any purpose other than verifying a user’s identity.

The facial recognition option builds on Login.gov’s existing identity verification process, which requires validation of a government-issued ID and a phone number or address.

GSA Administrator Robin Carnahan said in a statement that the facial recognition option is “another milestone in ensuring agencies have a wide variety of strong identity verification options.”

“Proving your identity is a critical step in receiving many government benefits and services, and we want to ensure we are making that as easy and secure as possible for members of the public, while protecting against identity theft and fraud,” Carnahan said.

GSA began testing a facial recognition option for Login.gov in May.

The agency previewed the rollout of IAL2-compliant facial recognition tools in a blog post last October.

GSA said it’s been working with other agencies to “evaluate the effectiveness of the Login.gov product across demographic groups, monitor for algorithmic bias in identity verification, and to evaluate additional pathways to verify identities at the IAL2 level, such as compensating controls.”

Login.gov Director Hanna Kim said in a statement that GSA will “continue to uphold our values of equity, privacy, and transparency by incorporating best-in-class technology and learning from academic and user research.”

“Login.gov heard from our agency partners with higher-risk use cases that it was important that we offer a version of our strong identity verification service that is IAL2 certified,” Kim said. “We’re glad that we’ve been able to do this while ensuring that users continue to have multiple secure pathways to verify their identity, whether that is in-person or remote.”

Login.gov users are also able to verify their identity in person at over 18,000 post offices across the country, if they are unable to do so online.

More than 99% of the U.S. population lives within 10 miles of a post office.

Since its launch in 2017, Login.gov now serves more than 50 federal and state agencies, and supports 300 million annual sign-ins.

GSA’s rollout of facial recognition technology on Login.gov comes a year after its inspector general’s office found it misled agency customers and the Technology Modernization Fund board about meeting NIST’s IAL2 standard for remote identity proofing.

The IG report found that, rather than conducting physical or biometric comparisons, such as through facial recognition or fingerprints, as required by NIST, Login.gov was instead using a third party to compare identification cards to information contained in LexisNexis.

“Login.gov has never met the technical requirements for identity proofing and authentication of NIST Special Publication 800-63-3 for Identity Assurance Level 2 (IAL2). At multiple points starting in 2019, Login.gov officials should have notified customer agencies that Login.gov did not comply with IAL2 requirements in SP 800-63-3. However, Login.gov did not notify their customer agencies until Feb. 3, 2022, after a Wired article reported that Login.gov used selfies for verification,” the March 2023 report states. “Before then, Login.gov not only portrayed publicly that it was compliant with IAL2 requirements, but also misinformed customer agencies through interagency agreements stating that they met and/or were consistent with the IAL2 requirements.”

GSA said it notified its inspector general’s office in February 2022 of the misrepresentations and initiated the audit.

Former Federal Acquisition Service Commissioner Sonny Hashmi told reporters last year that the “misrepresentations about Login.gov’s compliance with the NIST IAL2 standard, starting in 2018, were completely unacceptable.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.


Lawmaker questions FEMA on advanced forecasting models

  • In the wake of Hurricane Helene’s devastation, a top Republican on the House Homeland Security Committee is asking questions about the Federal Emergency Management Agency’s advanced forecasting models. New York Congressman Anthony D’Esposito, chairman of the emergency management subcommittee, said many communities caught in the path of Hurricane Helene weren’t aware of the potential for destructive flooding. D’Esposito is asking FEMA to provide data on its advanced forecasting models and prepositioning of resources. He’s also asking FEMA whether the agency has adjusted its rainfall modeling after Hurricane Helene.
  • The largest federal employee union is endorsing a bill to prevent suicide among federal corrections officers. The Officer Blake Schwarz Suicide Prevention Act would expand access to mental health care services for law enforcement officers working at the Bureau of Prisons. The American Federation of Government Employees supports the bill. AFGE said many federal correctional officers are veterans who are already at a higher suicide risk than the general population.
  • As Hurricane Milton is approaching the Florida coastline, there are military bases securing equipment, relocating personnel and preparing for possible disaster response efforts. Officials at MacDill Air Force Base in Tampa ordered widespread evacuations on Monday. The Navy is also relocating its assets ahead of the storm. Maj. Gen. Pat Ryder, the Pentagon’s top spokesperson, said the Defense Department is tracking the storm’s path and thinking through the potential contingencies. On Tuesday, the National Guard Bureau mobilized about 500 Guardsmen to support the Federal Emergency Management Agency later in the week.
  • The Office of Personnel Management retirement backlog saw a decline in claims received and processed in September. OPM received more than 5,600 claims and processed just over 6,300 claims last month. That is over 1,400 fewer than in August. The inventory backlog dropped to just under 15,000 cases, but that’s not enough to meet the steady state goal of 13,000 cases. OPM says September cases completed in less than 60 days on average took 41 days to process, while cases that took more than 60 days on average took 115 days to fully process.
  • House lawmakers want to know how the National Institute of Standards and Technology is approaching the thorny issue of facial recognition. Leaders on the House Science, Space and Technology Committee want to know how NIST’s updated digital identity guidelines address longstanding concerns about facial recognition. In a letter to NIST Director Laurie Locascio this week, lawmakers asked NIST to share the findings of its digital identity and face recognition technology work. NIST published the updated digital identity guidelines last month. They serve as standards for how federal agencies use digital identity technologies, including facial recognition.
  • Cyber operators across the federal government can take a range of new courses from DC3 Cyber Training Academy. In its schedule for November, DC3 is offering classes around cryptocurrency activities, cybersecurity analyst, log analysis and Linux essentials. The academy has also released its 2025 course catalog — it will offer courses for entry-level, intermediate and advanced-level professionals. Courses are taught on-site at the DC3 Cyber Training Academy in Maryland, in residence at off-site locations and online. Students interested in enrolling can request additional information through the cyber training academy registrar.
  • The Biden administration is giving agencies more capacity to oversee more infrastructure projects. The Federal Permitting Council is investing $15 million in a new contracting tool to help agencies deal with a surge in environmental reviews and other permitting work under the Bipartisan Infrastructure Law and the Inflation Reduction Act. Permitting Council Executive Director Eric Beightel said, “We are developing a contract solution to enable agencies to quickly leverage surge support to enable reviews and other permitting work to be completed effectively and on schedule.”
  • The Partnership for Public Service is urging both Vice President Kamala Harris and former President Donald Trump to use resources from the General Services Administration and kickstart presidential transition planning. Getting transition plans underway now is critical, Partnership officials said, regardless of who wins the November election. But so far, both presidential campaigns are still behind on their transition planning efforts. The Harris campaign signed an initial agreement with GSA to access transition resources, like office space and connections with agencies. But less than a month out from Election Day, the Trump campaign has yet to do the same.
  • The Social Security Administration is turning the ship around on employee engagement. For the first time in years, SSA is seeing positive trends in employees’ feedback on engagement, satisfaction and agency leadership. That’s according to SSA’s results in the 2024 Federal Employee Viewpoint Survey. The positive trends in the 2024 FEVS come after years of declining scores for the agency. But SSA leaders said there’s still more work ahead to continue the upward trajectory — most notably by addressing what many employees say are unreasonable workloads.



Effective EDR: Balancing testing rigor and velocity

Various industries are still dealing with the consequences of the July 2024 technology outage which led to a “blue screen of death (BSOD)” and extreme disruptions. A defective update from CrowdStrike caused this issue, knocking critical systems offline, bringing the airline industry, medical practices and financial institutions to a grinding halt. It also forced those impacted to lean on call tree procedures, ensuring that communications were maintained using out-of-band methods.

This outage even impacted the government. The Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency worked with federal, state, local and critical infrastructure partners to assess and address all essential outages. The outage not only sparked conversations about patch management practices and system update testing approaches but also highlighted the potential cybersecurity ramifications of pervasive outages.

To prevent future outages, it’s crucial to prioritize strategies for driver testing and patch management systems planning. Emphasizing rigorous testing, particularly for kernel mode applications, is essential. Patch management processes must evolve, focusing on iterative rollouts with finer-grained controls within products to minimize the impact of kernel-mode application updates. By enhancing the testing, deployment and overall management of updates, these strategies will support the continuity of operations.

Despite the initial chaos, comprehensive response, communication and mitigation plans helped some organizations to address what appeared to be a massive, unknown cyber event of unparalleled magnitude. There are numerous opportunities for technical and organizational improvement that will help stop, mitigate or recover from similar events. If followed appropriately, these precautions can also prevent cyberattacks that target software.

Balancing proper testing with frequency of updates

Programs that support driver testing, like Microsoft’s Windows Hardware Quality Labs (WHQL) certification process, ensure the compatibility and reliability of products that operate with kernel-level privileges. Hardware drivers and some software applications operating in kernel mode require a higher degree of testing to reduce the likelihood of system disruptions.

Regular software that runs without administrative or elevated privileges is less likely to cause severe system disruptions — but an application or driver running at the kernel level can cause major problems if not tested.

In the CrowdStrike incident, the core kernel-level application is WHQL certified and stable, but the regular detection and response content updates to that product are not individually certified due to the frequency of release. These content updates are needed frequently, as the endpoint detection platform requires rapid change in response to emerging threats.

Given that these content updates are released too frequently for each update to be WHQL certified, a certain level of trust is placed on vendors to conduct thorough testing. This tension between rigorous testing and the velocity of deploying updates to address the rapidly changing threat landscape is core to the recent incident. Current vendor practices and testing tactics need to be reevaluated to mitigate future issues.

Software checks to avoid outages

Modifications to software testing and deployment procedures will be essential to reduce the impact and likelihood of another massive outage. Pre-deployment extended compatibility testing, performed by a software vendor and customers, would reduce the risk of incidents.

The only expense is a delay before security updates are in effect — a small price to pay for a safer approach.

Some endpoint defense systems allow customers to set rolling deployments, allowing for monitoring and quick rollback if issues arise. Utilizing pilot groups to deploy initial updates to a small, controlled group of users or systems, and then monitoring the performance and stability before wider deployment, is another strategy to prevent severe outages.

These approaches are bolstered when deployed during low-traffic periods, such as after work hours or over weekends, because they minimize disruption and allow for immediate intervention if issues occur.

Automation and enhanced patch management practices

Stronger patch management practices are another tactic to defend against outages. These include extended compatibility testing and checks, and the use of artificial intelligence and machine learning for monitoring and rollback.

Increasing the scope of testing across a wider range of hardware and software configurations will identify potential issues before release. This can be used within the pilot groups — a smaller number of users across various configurations. Also, testing patches against a replicated lab or simulated production environment will ensure that updates are compatible with supported hardware and software configurations. This includes testing on different versions of the operating system and with various third-party applications.

AI/ML can play a major role via heartbeat monitoring. Since a BSOD-causing error may not allow a system to operate enough to send an error alert, using heartbeats and related up/down monitoring techniques can identify inoperable hosts. Using indirect techniques, like AI/ML, to detect a problem state (BSOD loops) and link it to a recent patch deployment activity would rapidly identify the problem.

Furthermore, when a group of hosts is in this loop state, they are unable to send normal heartbeat messages, but an automated, AI-driven monitoring solution can both identify the anomaly and link it to patch deployment logs. If a customer’s environment is designed to stagger updates, and multiple hosts stop communicating with a heartbeat server, there is likely either a network issue blocking communications or a host-based problem commonality.

When combined with a staggered or phased rollout approach, early AI-driven detection could reduce the impact of a future BSOD event caused by updates. These automated monitoring tools can quickly identify issues post-deployment and enable rapid rollback if necessary.
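The correlation described above, sketched as an added example (not code from the article or from any EDR vendor): it flags hosts that stopped sending heartbeats, compares the silence rate of recently updated hosts with the rest of the fleet, and separates a likely update fault from a likely network fault. It uses fixed thresholds in place of the AI/ML the article proposes; the thresholds, field names, host names and sample fleets are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Thresholds are illustrative assumptions, not vendor defaults.
HEARTBEAT_TIMEOUT = 180   # seconds of silence before a host counts as down
PATCH_WINDOW = 1800       # an update applied this recently counts as "recent"
MIN_SILENT = 3            # ignore isolated single-host failures
RATE_GAP = 0.5            # patched-vs-unpatched silence gap that halts a rollout


@dataclass
class Host:
    name: str
    subnet: str
    last_heartbeat: int                 # epoch seconds
    patched_at: Optional[int] = None    # epoch seconds, None if not yet updated


def is_silent(host, now):
    return now - host.last_heartbeat > HEARTBEAT_TIMEOUT


def recently_patched(host, now):
    return host.patched_at is not None and 0 <= now - host.patched_at <= PATCH_WINDOW


def silence_rate(hosts, now):
    return sum(is_silent(h, now) for h in hosts) / len(hosts) if hosts else 0.0


def assess(fleet, now):
    """Classify an outage as update-related, network-related, or unclear."""
    silent = [h for h in fleet if is_silent(h, now)]
    patched = [h for h in fleet if recently_patched(h, now)]
    others = [h for h in fleet if not recently_patched(h, now)]
    p_rate, o_rate = silence_rate(patched, now), silence_rate(others, now)
    result = {"silent": sorted(h.name for h in silent),
              "patched_rate": p_rate, "unpatched_rate": o_rate}

    if len(silent) < MIN_SILENT:
        return {**result, "verdict": "ok"}

    # Hosts whose last heartbeat came after the update was applied: they were
    # alive when patched and went quiet afterwards (consistent with a crash loop).
    quiet_after_patch = [h for h in silent
                         if recently_patched(h, now) and h.last_heartbeat >= h.patched_at]
    if len(quiet_after_patch) >= MIN_SILENT and p_rate - o_rate >= RATE_GAP:
        return {**result, "verdict": "halt_rollout"}

    # All silent hosts share one subnet and that whole subnet is dark regardless
    # of patch state: more likely a network fault than a host-based commonality.
    subnets = {h.subnet for h in silent}
    if len(subnets) == 1:
        on_subnet = [h for h in fleet if h.subnet in subnets]
        if all(is_silent(h, now) for h in on_subnet):
            return {**result, "verdict": "network_suspected"}

    return {**result, "verdict": "investigate"}


def _subnet(i):
    return "10.0.1.0/24" if i % 2 == 0 else "10.0.2.0/24"


def pilot_failure_fleet(now):
    """Constructed sample: 4 pilot hosts updated 10 minutes ago, 3 now silent."""
    fleet = []
    for i in range(10):
        if i < 4:
            patched_at = now - 600
            last = now - 540 if i < 3 else now - 20   # host03 survived the update
        else:
            patched_at, last = None, now - 20
        fleet.append(Host(f"host{i:02d}", _subnet(i), last, patched_at))
    return fleet


def subnet_outage_fleet(now):
    """Constructed sample: nothing updated, one subnet entirely unreachable."""
    return [Host(f"host{i:02d}", _subnet(i),
                 now - 400 if _subnet(i) == "10.0.2.0/24" else now - 20)
            for i in range(10)]


if __name__ == "__main__":
    now = 1_720_000_600   # constructed timestamp
    for label, fleet in (("pilot failure", pilot_failure_fleet(now)),
                         ("subnet outage", subnet_outage_fleet(now))):
        print(label, assess(fleet, now))
```

Because the pilot ring spans both subnets, the silent hosts in the first sample cannot be explained by a single network segment, which is why staggering updates across varied configurations makes the correlation sharper.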

AI provides predictive analytics too, reviewing historical data and usage patterns to identify potential issues. This enables adaptive testing and phased rollouts, where updates are deployed gradually and monitored closely for any signs of trouble. This approach will reduce the impact of an event by many orders of magnitude.

Integrating AI as a means to augment the testing regimen into the WHQL certification process or adopting AI/ML-driven monitoring solutions can significantly enhance the reliability, efficiency, and speed of testing, identification, and remediation — ultimately preventing or reducing the impact of BSOD problems.

Enhancing the WHQL testing program, optimizing patch deployment timing and settings, and adopting robust patch management practices can significantly reduce the risk of issues like the CrowdStrike BSOD problem. IT operations and security operations teams have also taken onboard their own lessons learned during the recent outage regarding how to operate when their own devices are inoperable, and are adding resilience to their collaboration processes during the incident troubleshooting activities.

Industry stands to improve its support of the government mission by taking these collective measures regarding readiness, resilience and ensuring that updates are thoroughly tested, carefully deployed, and effectively managed.

Peter O’Donoghue is chief technology officer for Tyto Athene.



Over 5,000 National Guard members mobilized ahead of Milton

Over 5,000 Florida National Guard members have been mobilized ahead of Hurricane Milton’s imminent landfall on Florida’s west coast, as thousands of Guardsmen are supporting recovery operations in communities impacted by Hurricane Helene.

Florida Gov. Ron DeSantis said Tuesday evening the number of National Guard personnel activated to respond to the hurricane will soon increase to 8,000.

The response includes 450 tactical vehicles, including 140 high water vehicles and aerial, water, and ground National Guard search and rescue teams.

“This is probably the largest National Guard mobilization in advance of a storm in Florida history,” said DeSantis.

The Florida State Guard’s response will also include three high water UTVs, four drone teams, ten maritime crews, two amphibious rescue crews, 15 cut and toss crews, and two UH-60 Black Hawks. 

Additionally, the U.S. Army North has moved its personnel and equipment from its contingency command post to Fort Moore in Georgia to assist with requests from the Federal Emergency Management Agency and state leadership, including high-water vehicles and helicopters for search and rescue operations and medium-lift helicopters to move personnel and equipment.

“There are personnel to help with logistics support and additional search and rescue operations. The National Guard is doing things to be in place and to be ready to support almost immediately,” Deputy Pentagon Press Secretary Sabrina Singh told reporters Tuesday.

State authorities have helped evacuate 300 healthcare facilities located in the potential path of the storm.

And state veteran nursing homes that are in areas at risk of being impacted by Milton are allowing family members of their residents to shelter with them, as these nursing homes are built to endure Category 5 hurricane winds.

Officials at MacDill Air Force Base, a major military installation in Tampa, Fla., ordered a widespread evacuation on Monday — just two weeks after Hurricane Helene, one of the deadliest storms in recent history, flooded parts of the base.

Navy officials said Monday the service is moving its assets ahead of the storm.

Hurricane Milton, which is currently a Category 4 storm, is expected to make landfall Wednesday night or early Thursday, according to the National Hurricane Center. The storm is predicted to be the most destructive hurricane to hit the Tampa Bay area since 1921. DeSantis declared a state of emergency for 51 out of 67 state counties.

“The No. 1 message, as it has been for several days now, is that you need to prepare, do whatever you need to do, and then get out of the evacuation zones,” Tampa Mayor Jane Castor said Monday.

“Helene was a wake-up call. This is literally catastrophic, and I can say without any dramatization whatsoever — If you choose to stay in one of those evacuation areas, you’re going to die.”

Hurricane Helene hit Florida less than two weeks ago and moved into several southeast states — more than 6,700 Army and Air National Guard members from 16 states have already been deployed to assist emergency workers with recovery operations in communities impacted by the devastating storm. The Defense Department has deployed over 1,500 active-duty soldiers to help with debris clearing, search and rescue operations and delivery of food and water supplies to communities in North Carolina.
