supply chain Archives | FedScoop
https://fedscoop.com/tag/supply-chain/
FedScoop delivers up-to-the-minute breaking government tech news and is the government IT community's platform for education and collaboration through news, events, radio and TV. FedScoop engages top leaders from the White House, federal agencies, academia and the tech industry both online and in person to discuss ways technology can improve government, and to exchange best practices and identify how to achieve common goals.

Congress presses VA on modernization overhaul, supply chain system upgrade
https://fedscoop.com/congress-presses-va-on-modernization-overhaul-supply-chain-system-upgrade/ (Wed, 10 Apr 2024)
House lawmakers questioned VA officials about transparency and costs tied to the modernization of the agency’s supply chain management system.

The post Congress presses VA on modernization overhaul, supply chain system upgrade appeared first on FedScoop.

The Department of Veterans Affairs provided Congress with a “long overdue” update Tuesday on efforts to modernize its supply chain, fielding questions from lawmakers about the department’s transparency regarding the plan. 

The VA is inching toward awarding contracts for its upcoming modernization of a supply chain management system, officials shared during a House Veterans’ Affairs Subcommittee hearing. The Supply Chain Modernization (SCM) acquisition will be an “indefinite delivery, indefinite quantity” services contract and the validation phase has been approved through the Federal Information Technology Acquisition Reform Act (FITARA) review, led by the agency’s chief information officer. 

Lawmakers across the aisle agreed that the VA is not meeting the reporting requirements requested by the subcommittee’s chairman, Rep. Matt Rosendale, R-Mont., as laid out in the House-passed IT Reform Act of 2021, which requires the agency to submit information for “any major technology project” to Congress, including cost, schedule and performance metrics, before the VA expends funds.

“I do believe VA can be successful in this effort if they communicate requirements and resources related to programs, effectively,” ranking member Sheila Cherfilus-McCormick, D-Fla., said during the hearing. “As of now, we haven’t seen that effective communication.”

Michael Parrish, the VA’s chief acquisition officer and principal executive director, said during the hearing that the agency does not view the SCM as a “major” IT project because the VA has not established a “firm budget” or a “firm schedule.”

Parrish described the project as taking a modular approach and said that the VA is addressing subcomponents with separate technology solutions as a service instead of purchasing hardware “that otherwise would be obsolete over time.”

In the current bill text for the IT Reform Act, the threshold for a “major information technology project” is met if the dollar value of the project is estimated to exceed $1 billion for the lifecycle cost of the project, $200 million annually or if the project is designated as such by the department’s secretary or CIO, or the director of the Office of Management and Budget. 

“Without a doubt, the VA and the veterans it serves would benefit from a functional inventory management system, and the department could make better use of taxpayers’ dollars if the system used to order medical supplies were connected to the systems that pay for and track them,” Rosendale said in his opening remarks. “However, what is described in the VA’s request for proposals seems to be a bureaucratic, empire building, mega-project.”

During the hearing, Rosendale cited information the VA had given the committee putting the lifecycle cost of the SCM system between $9 billion and $15 billion and indicating that it would require congressional funding into 2043. Parrish reiterated that the agency is not yet committed to any dollar amount for the project.

“The [SCM] project is a gigantic effort, the likes of which we have only seen in the [Electronic Health Record] and we know how that has turned out,” Rosendale said. “It would try to knit together all-encompassing systems to manage every aspect of a unified VA supply chain, from tongue depressors to X-ray machines to printer paper to headstones.”

The VA’s Oracle Cerner-run electronic health record has seen a litany of challenges, including patient safety issues with EHR pharmacy software and a veteran’s death tied to a scheduling error. The system was originally launched in 2020 in an effort to create interoperability of records between the VA and Department of Defense health care systems. The EHR rollout was suspended in 2023 as part of a reset, and the department said it was working toward holding Oracle Cerner accountable for delivering high-quality services.

CMS subcontractor breach potentially exposes data of 254,000 Medicaid beneficiaries
https://fedscoop.com/cms-subcontractor-data-breach/ (Fri, 16 Dec 2022)
Healthcare Management Solutions, LLC suffered a ransomware attack on its corporate network on Oct. 8, which CMS has been investigating since.

A Centers for Medicare and Medicaid Services subcontractor experienced a breach that may have exposed Medicare beneficiaries’ banking information, Social Security Numbers and other sensitive data, the agency announced Wednesday.

Healthcare Management Solutions, LLC (HMS), a subcontractor of ASRC Federal Data Solutions, LLC (ASRC Federal), violated its obligations to CMS and potentially 254,000 of its 64 million Medicare beneficiaries whose personally identifiable and protected health information may have been exfiltrated, according to the agency.

President Biden issued an executive order in February 2021 in an effort to shore up agencies’ supply chains, after Russia-linked hackers breached federal contractor SolarWinds’ software supply chain — compromising nine agencies. Supply chain attacks continue to increase, prompting multiple reviews by the Department of Homeland Security’s Cyber Safety Review Board.

“The safeguarding and security of beneficiary information is of the utmost importance to this agency,” said CMS Administrator Chiquita Brooks-LaSure in a statement. “We continue to assess the impact of the breach involving the subcontractor, facilitate support to individuals potentially affected by the incident and will take all necessary actions needed to safeguard the information entrusted to CMS.”

ASRC Federal resolves system errors related to Medicare beneficiary entitlement and premium payment records and supports premium collection from direct payers for CMS. Its subcontractor HMS suffered a ransomware attack on its corporate network on Oct. 8 and reported it to CMS the next day.

After an initial investigation, CMS concluded on Oct. 18 that the data HMS handled on its behalf was potentially compromised for some Medicare beneficiaries.

CMS continues to notify beneficiaries whose information may have been exfiltrated by letter that they’ll receive an updated Medicare card with a new Medicare Beneficiary Identifier, which also may have been compromised; free credit monitoring services; and incident updates.

No CMS systems were breached or Medicare claims data involved. But names, addresses, dates of birth, phone numbers, Social Security Numbers, Medicare Beneficiary Identifiers, banking information including routing and account numbers, and Medicare entitlement, enrollment and premium information were potentially compromised, according to the agency.

Affected beneficiaries are advised to destroy their old Medicare card upon receipt of the new one, contact their financial institutions and enroll in Equifax Complete Premier credit monitoring for free using the letter’s instructions.

“At this time, we’re not aware of any reports of identity fraud or improper use of your information as a direct result of this incident,” reads the letter sent to affected beneficiaries.

Healthcare Management Solutions was contacted for comment.

OMB to hold listening session with industry on software security self-attestation
https://fedscoop.com/omb-to-hold-listening-session-with-industry-on-software-security-self-attestation/ (Wed, 14 Dec 2022)
National Security Council official Steve Kelly says the White House is targeting a January launch for new self-attestation requirements.

The Office of Management and Budget will shortly take feedback from industry on some of the language it plans to use in new cybersecurity self-attestation requirements for software vendors, according to a senior official.

Speaking at the Fortinet Federal Security Transformation Summit hosted by FedScoop, Senior Director for Cybersecurity and Emerging Technology on the National Security Council Steve Kelly said the White House is focused on working collaboratively with software providers as it introduces the new standards.

He said: “OMB is working closely with agencies to ensure a consistent approach to implementation, and [we] plan to soon host a listening session with software makers and other interested parties to continue to take their feedback on some of the language.”

Kelly added that OMB is in the process of completing details of minimum cybersecurity requirements for vendors and that these will likely be published around January next year.

It comes after the White House in September issued a memo requiring federal agencies to obtain self-attestation from software providers before deploying their software on government systems.

According to OMB’s September memo, federal departments must ensure that all third-party IT software deployed adheres to National Institute of Standards and Technology supply chain security requirements and get proof of conformance from vendors.

Kelly stressed also that OMB wants to work closely with industry to ensure that the process for adopting the new standards runs smoothly.

He said: “For software makers unable to attest to one or more of the required security practices, they can submit a plan of action and let us know how they are working to meet the requirements.”

VA drops supply chain management IT system, hunts for new solution
https://fedscoop.com/va-drops-supply-chain-management-it-system-hunts-for-new-solution/ (Wed, 14 Dec 2022)
The Department of Veterans Affairs (VA) said Tuesday that it will stop using its supply chain management system after Congress and the VA’s Office of Inspector General questioned the system’s effectiveness and cost.

The Department of Veterans Affairs said Tuesday that it will stop using a supply chain management IT system after Congress and the VA’s Office of Inspector General questioned the system’s effectiveness and cost.

The agency will end use of the Defense Medical Logistics Standard Support (DMLSS) system, which is a local server-based application that supports internal medical logistics at military hospitals or clinics, including in war zones.

In procurement documents on SAM.gov, the department said that it will now seek a new supply chain solution that must operate in the VA’s technical production environment, either in the VA cloud or in another FedRAMP-authorized cloud.

“As the largest integrated healthcare system in the country, our supply chain logistics solution must meet the needs of the 1,298 medical facilities in our network and the millions of veterans that we serve—and this transition will help us do exactly that,” said Michael D. Parrish, VA’s chief acquisition officer.

In February, under pressure from lawmakers, the VA said it would take a second look at the DMLSS contract to determine whether it was the right fit for the agency, and said it was considering other options.

Pressure to drop the DMLSS contract has been building since the VA’s Office of Inspector General (OIG) released a report in November 2021 that found failures in VA’s pilot project to deploy the DMLSS system at the Captain James A. Lovell Federal Health Care Center in North Chicago, Illinois.

The OIG report found the DMLSS system did not meet 44% of the high-priority business requirements identified by Lovell hospital staff as essential to their operations.

To create a supply chain infrastructure that improves the veteran experience, VA told reporters Tuesday that it will cancel future DMLSS deployments. The agency said it will work with the Defense Health Agency (DHA) to modify the current agreement and allow the VA to continue to fund joint operations at Lovell hospital.

The VA said it will establish the new Office of Enterprise Supply Chain Modernization in the coming months to oversee its supply chain transformation effort. The agency expects a new supply chain logistics solution contract by 2023. 

ONCD senior leader says FBI and operational cyber agencies have improved incident info sharing
https://fedscoop.com/agencies-improving-cyber-information-sharing/ (Wed, 21 Sep 2022)
Kemba Walden says governmentwide agencies are now being looped in faster when cyber breach details are reported.

The sharing of cybersecurity information across government has improved, especially when private sector companies report attacks directly to the FBI, said Principal Deputy National Cyber Director Kemba Walden on Wednesday.

The FBI is looped in more quickly when cyber incidents are reported, Walden said during CrowdStrike’s Fal.Con 2022 cybersecurity conference in Las Vegas. And while the information may be used in investigations, it’s also shared among operational agencies, including the Cybersecurity and Infrastructure Security Agency, to identify and attribute the criminal actor responsible and, where possible, help the victim rebuild critical infrastructure and recover assets.

Information sharing really started to improve with the signing of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) in March and subsequent convening of the Cyber Incident Reporting Council in July, Walden said.

“My hope — and I think I’m seeing this happen in a better way — is that the victim company contacts the FBI right away, and if not the FBI, then CISA or the police,” Walden said. “But contacting the FBI, we’re seeing more federal cohesion on the back end.”

Funds for the Office of the National Cyber Director were only appropriated in November, but the policy and strategy entity is responsible for connecting all the operational cyber agencies governmentwide. That means improving agencies’ cohesion and working with the Office of Management and Budget to ensure they’re adequately funded to achieve cyber aspirations.

When the Biden administration was preparing to sanction Russia over its invasion of Ukraine, ONCD helped ensure classified cyber information was downgraded, so it could be provided to the financial sector so companies could protect their networks.

“We need to scale that,” Walden said.

“Ultimately we’re focused on shifting the burden of risk, providing more responsibility — both in the federal government and those enterprises in the private sector that can bear that risk — but also focused on future resilience,” she said.

Tech companies can assist ONCD in that regard by adopting a resilience-by-design approach with their products to protect against basic supply chain vulnerabilities, allowing agencies to focus on bigger challenges, Walden said. 

President Biden’s executive order on securing the supply chain issued in February 2021 further included a review of the federal procurement process and cyber incentives.

“Those are the types of concepts that we are trying to infect everyone with,” Walden said.

DHS board: No one used software inventories to find vulnerable Log4j deployments
https://fedscoop.com/cyber-safety-review-board-report-software-bill-of-materials-log4j/ (Thu, 14 Jul 2022)
Many in government and industry want software bills of materials to be the development compliance standard.

None of the nearly 80 organizations that the Cyber Safety Review Board canvassed for its first report, including many federal agencies, used software inventories to find vulnerable Log4j deployments.

CSRB found that not every organization even had software bills of materials (SBOMs), machine-readable inventories of a product’s components and how they relate to one another, in part because SBOM data formats haven’t been standardized.

The Department of Homeland Security tapped CSRB to review the U.S. response to the Log4j vulnerability, one of the most serious to date, which was publicly disclosed on Dec. 10, 2021. In its report released Thursday, CSRB recommended that SBOM tooling and adoptability be improved to support faster software supply chain vulnerability response.

“Generally our observation is that the entities who are using open source software really should be looking to help support that community directly in getting them access to training programs, developing the tools that will make things like SBOMs adoptable and being able to measure the efficacy of the security of objects,” said Heather Adkins, CSRB deputy chair, on a press call. “And we think that’s a whole-of-community approach that’s going to be needed.”

In the meantime developers should generate and ship SBOMs with their software with plans for tooling and process upgrades upon availability, according to the report. The recommendation aligns with the Cybersecurity and Infrastructure Security Agency issuing a solicitation in May for open-source software libraries and other tools foundational to SBOMs, which many federal contractors hope become the standard for proving government-mandated compliance with the Secure Software Development Framework.

CSRB recommended agencies prepare to “champion and adopt” SBOMs as the technology matures and the Office of Management and Budget, Office of the National Cyber Director, and CISA consider issuing guidance on using software inventories and metadata to improve vulnerability detection and response.

The report further recommends government require software transparency from vendors, spearheaded by OMB and the Federal Acquisition Regulatory Council discouraging the use of products without provenance or dependence information. OMB and the FAR Council should make procurement requirements, guidance, and automation and tooling investments that set expectations for baseline SBOM information and an implementation timeframe, according to CSRB.

Board officials maintained the Log4j event is not over with vulnerable versions of the free, Java-based logging framework likely to remain in compromised systems for a decade — offering even unsophisticated attackers access. Many companies can’t quickly identify where their vulnerable code is, said Robert Silvers, CSRB chair. 
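The check the board found nobody had performed, as an added example that is not code from the CSRB report or from any organization it surveyed: walk a CycloneDX SBOM, flag every log4j-core component below the fixed versions, and use the SBOM's dependency graph (the "how they relate" part of the inventory) to trace each hit back to the top-level package that pulled it in, which is what an operator needs in order to know where the vulnerable code actually lives. The SBOM, the package names (ticketing-web, audit-lib, reporting-svc) and their versions are constructed for this example; only the log4j-core thresholds are real facts (CVE-2021-44228 was closed in 2.15.0, and follow-on fixes made 2.17.1 the recommended floor for Java 8 and later).

```python
import json
import re
from typing import Dict, List, Tuple

# log4j-core 2.15.0 closed CVE-2021-44228 (Log4Shell); the follow-on fixes in
# 2.16.0, 2.17.0 and 2.17.1 make 2.17.1 the recommended floor on Java 8+.
# (Java 7 and Java 6 deployments have separate backport lines, not handled here.)
LOG4SHELL_FIXED = (2, 15, 0)
RECOMMENDED_FLOOR = (2, 17, 1)
LOG4J_GROUP = "org.apache.logging.log4j"

# Constructed CycloneDX 1.4 SBOM for this example; the application and library
# names are hypothetical. The vulnerable log4j-core is reached only through
# audit-lib, the transitive case a flat list of installed packages misses.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"bom-ref": "pkg:maven/example/ticketing-web@3.2.0",
         "group": "example", "name": "ticketing-web", "version": "3.2.0"},
        {"bom-ref": "pkg:maven/example/audit-lib@1.1.0",
         "group": "example", "name": "audit-lib", "version": "1.1.0"},
        {"bom-ref": f"pkg:maven/{LOG4J_GROUP}/log4j-core@2.14.1",
         "group": LOG4J_GROUP, "name": "log4j-core", "version": "2.14.1"},
        {"bom-ref": f"pkg:maven/{LOG4J_GROUP}/log4j-api@2.14.1",
         "group": LOG4J_GROUP, "name": "log4j-api", "version": "2.14.1"},
        {"bom-ref": "pkg:maven/example/reporting-svc@5.0.0",
         "group": "example", "name": "reporting-svc", "version": "5.0.0"},
        {"bom-ref": f"pkg:maven/{LOG4J_GROUP}/log4j-core@2.17.1",
         "group": LOG4J_GROUP, "name": "log4j-core", "version": "2.17.1"},
    ],
    "dependencies": [
        {"ref": "pkg:maven/example/ticketing-web@3.2.0",
         "dependsOn": ["pkg:maven/example/audit-lib@1.1.0"]},
        {"ref": "pkg:maven/example/audit-lib@1.1.0",
         "dependsOn": [f"pkg:maven/{LOG4J_GROUP}/log4j-core@2.14.1"]},
        {"ref": f"pkg:maven/{LOG4J_GROUP}/log4j-core@2.14.1",
         "dependsOn": [f"pkg:maven/{LOG4J_GROUP}/log4j-api@2.14.1"]},
        {"ref": "pkg:maven/example/reporting-svc@5.0.0",
         "dependsOn": [f"pkg:maven/{LOG4J_GROUP}/log4j-core@2.17.1"]},
    ],
})


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH]'; any pre-release suffix is ignored, so
    '2.0-beta9' becomes (2, 0, 0), which errs on the side of flagging."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def dependency_paths(deps: Dict[str, List[str]], target: str) -> List[List[str]]:
    """Every path from a root component (one nothing depends on) to target."""
    depended_on = {child for children in deps.values() for child in children}
    roots = [ref for ref in deps if ref not in depended_on]
    paths: List[List[str]] = []

    def walk(ref: str, trail: List[str]) -> None:
        if ref in trail:  # guard against cyclic dependency graphs
            return
        trail = trail + [ref]
        if ref == target:
            paths.append(trail)
            return
        for child in deps.get(ref, []):
            walk(child, trail)

    for root in roots:
        walk(root, [])
    return paths


def find_vulnerable_log4j(sbom_json: str) -> List[dict]:
    """Return one finding per log4j-core component below RECOMMENDED_FLOOR,
    with the dependency chains (by component name) that lead to it."""
    sbom = json.loads(sbom_json)
    components = {c["bom-ref"]: c for c in sbom.get("components", [])}
    deps = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    findings = []
    for ref, comp in components.items():
        if comp.get("group") != LOG4J_GROUP or comp.get("name") != "log4j-core":
            continue
        ver = parse_version(comp["version"])
        if ver >= RECOMMENDED_FLOOR:
            continue
        findings.append({
            "ref": ref,
            "version": comp["version"],
            "log4shell": ver < LOG4SHELL_FIXED,  # CVE-2021-44228 itself
            "paths": [[components.get(r, {}).get("name", r) for r in path]
                      for path in dependency_paths(deps, ref)],
        })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_log4j(SAMPLE_SBOM):
        tag = "CVE-2021-44228" if f["log4shell"] else "below 2.17.1"
        for path in f["paths"]:
            print(f"{tag}: {' -> '.join(path)} ({f['version']})")
```

The output names the application (ticketing-web) that needs rebuilding, not just the library, and a log4j-core at 2.17.1 elsewhere in the same SBOM is correctly left alone. The version comparison is deliberately simple; a production check would use the purl and a vulnerability feed rather than hard-coded thresholds, but the graph walk is the part that an installed-package list cannot give you.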

“The rate at which cyber incidents occur is rapidly increasing,” said Homeland Security Secretary Alejandro Mayorkas. “And we’re at a pivotal moment for the department and our public and private sector partners to achieve a more secure cyber ecosystem.”

DHS seeks automated SBOM tools for enhanced supply chain visibility
https://fedscoop.com/dhs-seeks-sbom-tools/ (Mon, 11 Jul 2022)
Contractors have called for the software bill of materials to become a universal standard for secure development compliance.

The Department of Homeland Security Science & Technology Directorate wants to encourage tech companies to develop automated software bill of materials tools offering more visibility into supply chains.

DHS S&T‘s Silicon Valley Innovation Program issued a five-year other transaction solicitation call for foundational open-source software libraries and other tools increasing the availability of trustworthy software bills of materials (SBOMs), machine-readable inventories of components and how they relate.

Many federal contractors hope SBOMs become the standard for proving government-mandated compliance with the Secure Software Development Framework. But multiple data formats exist, prompting the Cybersecurity and Infrastructure Security Agency to seek translation tools and automated SBOM generators that plug into build systems.

“Vulnerabilities in software are a key risk in cybersecurity, with known exploits being a primary path for bad actors to inflict a range of harms,” said Allan Friedman, senior advisor and strategist at CISA, in a statement. “By leveraging SBOMs as key elements of software security, we can mitigate the risk to the software supply chain and respond to new risks faster and more efficiently.”

SVIP issued the call on behalf of CISA for tools that will help secure essential communications, finance, transportation and energy services.

Other capabilities CISA is interested in are those that:

  • visualize SBOM data on provenance and risk;
  • plug into integrated development environment tools to highlight software dependencies, warn of vulnerabilities and provide mitigations; and
  • use software identifiers to help system administrators using security information and event management (SIEM) tools pinpoint and prioritize threats to the operational environment.

SVIP runs four phases with an optional fifth for further testing around new operational environments and use cases. Applicants will be submitting Phase 1 applications for $50,000 to $200,000 in funding to produce a minimum viable product (MVP) within three to nine months.

MVPs may be chosen to move to Phase 2: prototype development.

The deadline for Phase 1 applications is 3 p.m. ET, Oct. 3.

A virtual industry day will be held starting at 12:30 p.m. ET, July 14 for developers and vendors to ask questions about the solicitation and operational needs.

“DHS is committed to working with industry to develop tools and technologies that provide visibility into the software supply chain,” said Melissa Oh, managing director of SVIP, in a statement. “This topic call highlights core capabilities that will help bring transparency into the digital building blocks used by organizations in both their business operations and in their cyber defenses.”

DHS’ request for automated tools to help manage supply chain risk comes after the Department of Justice’s Office of Inspector General last week published details of a study in which it found that just two sub-agencies adhered to supply chain risk guidelines over the last six years.

Supply chain risk within federal agencies’ IT procurement processes has received enhanced scrutiny since the SolarWinds attack in 2020 during which software supply chains were used to breach cybersecurity defenses and steal information across government and the private sector.

GSA eyes early Alliant 3 release
https://fedscoop.com/gsa-eyes-early-alliant-3-release/ (Thu, 16 Jun 2022)
The success of the $50 billion Alliant 2 has the agency considering increasing the ceiling.

The General Services Administration plans to release an Alliant 3 draft request for proposals in the coming months potentially increasing the ceiling of the premier governmentwide acquisition contract for IT.

Alliant 3 remains in the market research phase as GSA considers the ceiling increase, as well as incorporating supply chain risk management requirements and Section 876 authority for agencies to award contracts at an hourly rate without considering price in their evaluations.

The predecessor, Alliant 2, has a $50 billion ceiling and estimated value of $36 billion, and agencies used the best-in-class (BIC) contract to procure innovative IT solutions including artificial intelligence, big data, biometrics, health IT, and virtual networking products and services in fiscal 2021.

“Because the Alliant 2 program has been so successful, we’re looking at moving forward on Alliant 3 much, much faster and earlier than we ever anticipated,” said Laura Stanton, assistant commissioner of IT Category at GSA, during the Coalition for Government Procurement Spring Training Conference on Thursday.

The Office of IT Category is trying to understand the impact supply chain risk management requirements will have on businesses, small ones in particular, so it put out two requests for information, Stanton added.

Most businesses were concerned with how to manage resource costs and remain competitive while becoming compliant, based on responses.

“They’re looking to the government to give well-defined guidance, when it comes to these cyber requirements,” Stanton said.

GSA officials also addressed Polaris — a small business set-aside, indefinite delivery, indefinite quantity contract for IT service-based solutions — which was paused for revisions following a series of protests.

Following discussions with the Small Business Administration, changes were made to several sections; the deadline for feedback on them was May 23.

“We’re sifting through the information right now,” said Tom Howder, deputy commissioner for the Federal Acquisition Service.

GSA is “very close” to awarding a third cohort on 8(a) STARS III, a $50 billion governmentwide acquisition contract (GWAC) emphasizing small businesses and with subareas for AI and blockchain. Awarded in June 2021, the BIC contract already has more than 1,000 contractors onboarded.

The agency plans to round out its portfolio of cloud solutions with the Ascend cloud marketplace blanket purchase agreement (BPA), which is being written. GSA found common cloud requirements exist across the federal government and is simplifying them within Ascend, which will allow for the procurement of Infrastructure-, Platform- and Software-as-a-Service solutions and cloud-related IT professional services off the Multiple Award Schedule (MAS). 

“We’re looking at multiple ways that agencies need to buy and manage cloud,” Stanton said.

OMB guidance presents chance to standardize software bill of materials
https://fedscoop.com/omb-guidance-software-bill-of-materials/ (Mon, 13 Jun 2022)
Practical deadlines for vendors and a concrete process for using the information SBOMs contain at agencies are needed, security experts say.

Forthcoming Office of Management and Budget guidance on secure development practices offers a chance to make the software bill of materials the standard for vendor self-attestation.

But security experts say standardizing the SBOM, an inventory of software components down the stack, requires practical deadlines for vendors and a concrete process for using the information it contains at agencies.

Federal contractors working to comply with new technology regulations typically seek as much certainty as possible from government agencies to allow them to budget for changes. The Biden administration’s cybersecurity EO in May last year was widely praised for introducing a standardized timeline for complying with the adoption of zero trust and other measures.

OMB required that agencies comply with the National Institute of Standards and Technology’s Secure Software Development Framework (SSDF) in March, as mandated by the Cybersecurity Executive Order issued in May 2021. Software vendors will eventually be expected to prove their compliance with the SSDF, and they’d prefer self-attestation rather than third-party verification — which derailed the Pentagon’s first attempt at Cybersecurity Maturity Model Certification (CMMC).

“I really hope they go the former route because we’re building enough momentum behind the different parts of the executive order, behind this issue,” Jim Richberg, chief information security officer (CISO) at Fortinet, told FedScoop. “If they decide we’re going to have to stand up this whole regime of third-party assessors, we’ve just kicked this can a couple of years down the road.”

Third-party evaluations necessitate infrastructure that will take time to establish, whereas vendors — particularly those that are Federal Risk and Authorization Management Program (FedRAMP) authorized — are used to simply sharing their software development life cycles with agencies for review during procurements.

Standardizing a process for software vendors to supply agencies with artifacts establishing chain of custody in a digital form is more easily achievable, costs less and can be automated and made more auditable over time, said Tim Brown, CISO at SolarWinds.

The SolarWinds breach in 2020 that compromised nine federal agencies, among other incidents, precipitated the SSDF’s creation and left the software company committed to the SBOM to reestablish trust with customers. Parts of all nine affected agencies either never abandoned SolarWinds or began buying its software again in the last year-and-a-half.

“We think we are eroding that trust deficit,” said Chip Daniels, head of government affairs at SolarWinds. “But the only way to continue to do that is to show how we’re complying with things like the NIST standards and the spirit of the executive order.”

SBOMs present their own challenges. For one, agencies don’t currently have the staff to evaluate them; teams would need to be stood up, Brown said.

OMB’s guidance needs to address that, as well as the process for cataloging the information SBOMs contain, for vendor self-attestation to work. 

“A few things would need to be in place: How does that information get provided? What information needs to be stored? What information needs to be dynamic versus static? Are we looking at point-in-time or continual attestation?” Brown said.

Allowing a year for self-attestation would give vendors the time needed to put checks in place, develop standard templates with questions and answers, and pave the way for eventual validation, according to one security expert.

OMB declined to comment on whether it was favoring vendor self-attestation and how that might work, ahead of the release of its guidance.

Other experts like Sean Frazier, chief security officer at Okta, worry that while SBOMs “should be a priority,” frequent federal guidance is leading to “cyber fatigue.” Security fundamentals like multi-factor authentication (adoption of which remains at a mere 22% among Microsoft customers), encryption and patching should be the short-term focus of agencies and vendors, Frazier said.

“If we don’t solve that low-hanging fruit problem, whatever we do for supply chain, they’re still attacking credentials, so they’re going to keep hitting that all day long and twice on Sunday because it still works for them,” Frazier said. “We’re not actually making it harder for attackers where they actually have to look at the supply chain and go, ‘I want to take advantage of this vulnerability and that vulnerability,’ because I can still get through the front door with a credential breach.” 

Okta’s SBOM, which it refers to as its list of software and services (LSS), is a “longer-term project,” he added.

As a cloud service provider, Okta would prefer to handle questions around its software development life cycle through the FedRAMP process, which is actually happening, Frazier said. Forthcoming NIST Special Publication 800-53 Revision 5 guidance includes a control family around supply chain that the FedRAMP Project Management Office plans to adopt and measure its vendors against.

CMMC is under revision because the original process was “cumbersome” and “subjective,” Richberg said. A vendor’s grade, pass or fail, depended on which third-party assessor it happened to get.

Richberg expects OMB’s guidance to require vendors to prove compliance through artifacts demonstrating specified functions, but not to be overly prescriptive, instead referring back to the SSDF.

Upon release, the guidance will be put into contractual terms by agencies, but the Cyber Executive Order wanted the SSDF implemented within a year. Depending on OMB’s release date, some proofs of concept may appear before the end of fiscal 2022.

“I think aiming for the end of this fiscal year is frankly a little ambitious with this just coming out now,” Richberg said.

The post OMB guidance presents chance to standardize software bill of materials appeared first on FedScoop.

GSA pilots supply chain monitoring for GSA Advantage! https://fedscoop.com/gsa-new-supply-chain-monitoring/ Tue, 07 Jun 2022 18:42:57 +0000 https://fedscoop.com/?p=53314 The agency used Verified Products Portal data to identify about 75,000 risky items for removal.

The General Services Administration has tested a new supply chain monitoring process to remove about 75,000 products and services offered by unauthorized suppliers from its online shopping system.

GSA used data from its Verified Products Portal (VPP) to identify the risky items on GSA Advantage! and, working with industry, removed them.

VPP launched in 2020 as a manufacturer- and wholesaler-facing website for authoritative product content such as standardized part numbers, product specifications and supplier authorization information. GSA is now making that data actionable as the government continues to implement the security measures in last year’s Supply Chain Executive Order.

“We’ve reduced the risk of customers purchasing counterfeit, fraudulent or otherwise illegitimate products,” said Sonny Hashmi, commissioner of GSA’s Federal Acquisition Service, in the announcement. “This promotes fair competition in the federal marketplace and improves our customers’ ability to purchase with confidence.”

GSA is also working with industry to improve how commercial off-the-shelf (COTS) products are represented in the federal marketplace with better images, descriptions, PDFs and other details.

The agency encourages manufacturers and wholesalers looking to better represent their COTS products to visit gsa.gov/VPP for more information.
