Cyber Archives | FedScoop
https://fedscoop.com/category/cyber/

FedScoop delivers up-to-the-minute breaking government tech news and is the government IT community's platform for education and collaboration through news, events, radio and TV. FedScoop engages top leaders from the White House, federal agencies, academia and the tech industry both online and in person to discuss ways technology can improve government, and to exchange best practices and identify how to achieve common goals.

Feed last updated: Mon, 10 Jun 2024 20:34:04 +0000

VA software license assessments called out in GAO recommendations
https://fedscoop.com/va-software-license-assessments-called-out-in-gao-recommendations/
Mon, 10 Jun 2024 20:34:04 +0000

The agency should compare software inventories with known purchases to reduce costs, per a watchdog report that also highlighted issues with EHR modernization.

The post VA software license assessments called out in GAO recommendations appeared first on FedScoop.

The Department of Veterans Affairs has work to do in assessing its software licenses, the Government Accountability Office said in a report that included four other new priority recommendations to the VA.

The congressional watchdog noted in its release that the VA has implemented six of its 29 open priority recommendations, including the deployment of an automated data tool used to improve acquisition workforce records and taking steps to modernize the agency’s performance management system across the Veterans Health Administration. 

Assessing software licenses, however, is something that the VA needs to address, per the watchdog. In January, the GAO issued a report on software licenses throughout the federal government, noting that the VA had neglected to regularly compare software license inventories that are currently used with purchase records.

In the new priority recommendations, GAO noted that the federal government spends more than $100 billion yearly on cyber and IT-related investments. 

“Until VA implements this priority recommendation and consistently tracks and compares its inventories of software licenses with known purchases, it is likely to miss opportunities to reduce costs on duplicative or unnecessary licenses,” the report states.

Other high-risk governmentwide areas that could impact the VA, according to the GAO, are “improving the management of IT acquisitions and operations” and “ensuring the cybersecurity of the nation.”

Charles Worthington, the VA’s chief AI and technology officer, said in a recent interview with FedScoop that he believes the VA’s technical infrastructure “is actually on pretty good footing,” pointing to the agency’s migration to the cloud and using commercial products in the software-as-a-service model, “where it makes sense.”

Other priority recommendations from the GAO cover the VA’s electronic health records (EHR) modernization program, including one that directs the agency to implement “leading practices for change management.” The other nine involve evaluating whether the system is “operationally suitable and effective” to ensure that the system satisfies customer needs, establishing “user satisfaction targets” to protect patients’ health and safety from unnecessary risks, and validating that future systems are not deployed too early. 

“Implementing these … recommendations would also help solve existing problems with the system,” the GAO stated.

AI fuels rise in attacks from ‘unsophisticated threat actors,’ federal cyber leaders say
https://fedscoop.com/ai-cyberattacks-federal-agencies-fbi-treasury-state-department/
Wed, 05 Jun 2024 15:07:46 +0000

Officials from Treasury, State and the FBI say information-sharing is increasingly important as AI enables so-so hackers to level up.

The post AI fuels rise in attacks from ‘unsophisticated threat actors,’ federal cyber leaders say appeared first on FedScoop.

A day in the life of the Treasury Department’s top cybersecurity official is an unrelenting game of Whac-a-Mole that has only grown more intense in the age of artificial intelligence and the corresponding rise of inexperienced-yet-prolific attackers. 

For Sarah Nur, Treasury’s chief information security officer and associate CIO for cyber, that arcade-style battle to protect federal networks from adversarial threats is “nonstop.”

AI has made it “a lot easier” for “unsophisticated threat actors … to create these attack scenarios,” Nur said, “so that they can go ahead and launch and play around in our current infrastructure.”

Speaking Tuesday at a Scoop News Group-produced GDIT event in Washington, Nur and other federal cyber officials spoke of the proliferation of AI-fueled cyberattacks and how much more critical coordination and information-sharing have become as use of the technology among amateur hackers has surged.

Cynthia Kaiser, deputy assistant director of the FBI’s cyber division, said she’s seen “a crop of adversaries who are becoming at least mildly better” at their craft due to AI. The technology eases hackers’ ability to perform basic scripting tasks and identify coding errors, Kaiser said, while deepfakes are leveraged in social engineering campaigns and increasingly refined spearphishing messages.

“A beginner hacker can go to the intermediate level,” she said, “and even the most sophisticated adversaries can be more efficient.”

Gharun Lacy has also observed a leveling up among threat actors in his role as deputy assistant secretary for cyber and technology security in the State Department’s Bureau of Diplomatic Security. Those adversaries are “using AI as an amplifier,” bettering their best skills as a result. 

“Do you have a threat actor that is extremely proficient in human engineering? Then they’re going to get better at human engineering,” Lacy said. “That phishing email will now call you by a nickname that you had in high school.” 

The Treasury Department is especially susceptible to this onslaught of new-age threats given its role as the federal government’s sanctions arm, Nur said, not to mention the fact that the financial industry is one of the most targeted critical infrastructure sectors. Hackers today can simply look up a CVE, plug it into an AI system and ask it to provide “an undetected attack scenario that I can utilize,” Nur said, noting that packages of this kind on the dark web are “ready to go.”

“I heard someone say ‘fight AI with AI.’ I get what that means,” Nur said, “and I think that’s a very key concept. We really have to look at leveraging AI to quickly detect these anomalies and any kind of fraud or unusual suspicious activity.”

The silver lining for federal security officials is that AI still provides defenders with a decided advantage over attackers in cyberspace. The key to maintaining that advantage, they say, is doubling down on coordination with public and private-sector partners.

Kaiser said the use of large language models to “more rapidly draft text” for interagency memos and private-sector alerts represents “a huge win for everybody” in the battle against threat actors. 

At the State Department, the chief AI officer, chief data officer and members of the agency’s Center for Analytics have successfully leveraged AI in “reducing the noise in terms of threat intelligence,” Lacy said, sifting through “massive amounts of data” to make it “more actionable directly for us.” Streamlining data and threat intel leads to more valuable insights that State can provide to its partners, he added. 

“If I know this piece of information is not useful for me, but it may very well be useful to one of my private industry partners, I need to know how to get that information to them quickly,” Lacy said, noting that the White House has provided a quality blueprint for sharing intelligence and has encouraged agencies to be “very forthcoming now in terms of naming, blaming [and] shaming when incidents happen — and doing it quickly.”

Lacy pointed to a State Department collaboration with foreign ministries from the United Kingdom, Australia, Canada and New Zealand that brings together those countries’ cyber defenders in a quarterly meeting to “share a lot of information.” 

“I think we’re past the sharing; we’re on to collaborating,” Lacy said. “I think that’s … the phase we’re in right now. But the collaboration has to yield collective action.”

Treasury’s in a similarly collaborative mode at the moment, fresh off its launch last month of Project Fortress, a public-private partnership aimed at protecting the financial sector from cyber threats. Nur said the agency has been active in onboarding companies and organizations to the group, ensuring that participating financial institutions have access to top tools and are practicing good cyber hygiene before truly “aggressive AI attacks” become the norm.

Whether it’s meeting regularly with other CISOs, coordinating with international partners or establishing communication channels with industry, agency cyber officials across the board agree that mitigating AI-fueled threats will only be possible with more collaboration and better sharing of information.

“In the past, what really prevented us from sharing that information is that embarrassment, that reputational impact,” Nur said. “We can no longer think in those ways. We need to shift our mindset to say, ‘hey, look, we’re going to expect at least two to three a year, maybe even more, and that’s OK.’” 

EPA says it’s ‘on target’ to complete process for cybersecurity risk assessment
https://fedscoop.com/epa-cybersecurity-risk-assessment-timeline-gao/
Thu, 30 May 2024 15:07:55 +0000

Five years after a GAO recommendation, the agency commits to finishing its work by Nov. 22.

The post EPA says it’s ‘on target’ to complete process for cybersecurity risk assessment appeared first on FedScoop.

The Environmental Protection Agency said it is “on target” to establish a process to conduct organization-wide cybersecurity risk assessments within the next six months, putting a hard timeline on its long-awaited response to a watchdog report critical of the agency’s cyber posture.

An agency spokesperson said in an email to FedScoop that the cyber risk assessment process — recommended to the EPA in a July 2019 Government Accountability Office report — is on track to be finished “by November 22.” The EPA had previously told the GAO that it was committed to a “late summer to early fall” timeline.

In its original recommendation, the GAO made the case for the administrator of the EPA to establish a process to conduct an agency-wide cybersecurity risk assessment as a means to protect against “a growing number of threats to their information technology systems and data” — a recommendation applicable to all federal agencies. Adopting a “risk-based approach to cybersecurity by effectively identifying, prioritizing, and managing cyber risks,” the GAO said at the time, would help the EPA “better manage” its cyber risks.

While the EPA has updated its cybersecurity risk management strategy, the agency told the GAO last month that it “was continuing to plan” for the assessment and was “in the process of updating an internal procedure to address ongoing risk assessment activities.” 

The EPA spokesperson told FedScoop that updates to the agency’s enterprise risk assessment procedure would include a variety of additional performance metrics, citing logging maturity, strong authentication, critical vulnerability remediation and priority security control specifically.

The agency’s updated procedure for assessing cyber risks will also feature a modified risk-scoring system, the spokesperson added. That portion of the assessment will now include “enterprise and component-level risk scores, which will be added to the senior executive dashboard.”

“The procedures also include activities to consolidate the various cybersecurity dashboards into one overall dashboard that provides an executive level view of EPA’s risk posture,” the spokesperson said. 

In the priority open recommendations document released by the GAO this week, the watchdog warned that absent an established process for overseeing a cyber risk assessment, the EPA “may be missing opportunities to identify trends in cybersecurity risks, target systemic risks to the agency and its systems, and prioritize investments in risk mitigation activities.”

The EPA has been active recently on the cybersecurity front, stepping up its warnings to the country’s water utilities of increasingly serious cyber threats. This month, the agency issued an alert about rising threats to the water sector and said it will boost its inspections and enforcement efforts. 

That alert came two months after an EPA and White House warning to U.S. governors about cyberattacks capable of “disabling” water facilities. The EPA said it would establish a task force focused specifically on defending the water sector from cyber threats.

Federal cyber workforce needs telework flexibilities, OPM director says
https://fedscoop.com/federal-cyber-workforce-needs-telework-flexibilities-opm-director-says/
Fri, 24 May 2024 21:55:12 +0000

Rob Shriver said during a House Oversight and Accountability Committee hearing that barriers to telework would hinder the cybersecurity workforce.

The post Federal cyber workforce needs telework flexibilities, OPM director says appeared first on FedScoop.

Amid a concerted push on Capitol Hill to get federal workers back to their offices, the government’s personnel chief this week made the case for continued remote work for one group of agency staffers. 

During a House Oversight and Accountability Committee hearing Wednesday, Office of Personnel Management Director Rob Shriver responded to mostly Republican concerns about federal telework policies by citing the practice’s usefulness with the cybersecurity workforce in advancing agency missions. 

“If we were to require cybersecurity professionals to come into the office five days a week, I think we wouldn’t be able to recruit the kind of workforce that we need,” Shriver said. “I think agencies need to keep working here to make sure they’re getting it right, that those arrangements are driving good performance.”

Shriver’s comments come weeks after Sens. Mitt Romney, R-Utah, and Joe Manchin, D-W.Va., introduced legislation that would require federal workers to spend 60% of their time in their offices. And a bill introduced last month from Sens. Gary Peters, D-Mich., and Joni Ernst, R-Iowa, would call on agencies to collect telework data and boost monitoring of how the practice impacts performance metrics. 

In his witness statement, Shriver pointed to OPM’s efforts to assist and support agencies in retaining and attracting cyber talent within the federal government. He also shared that the agency supports the Tech to Gov initiative and “is helping to connect aspiring tech talent with federal employment opportunities to bolster agency cyber and emerging tech programs.”

Those efforts follow White House moves to relax education requirements for some cybersecurity contracting jobs, shift to skill-based hiring and diversify the cybersecurity workforce.

Matt Bracken contributed to this story.

Agency CISOs aren’t sweating a looming zero trust deadline
https://fedscoop.com/federal-agencies-zero-trust-deadline/
Fri, 17 May 2024 16:21:30 +0000

Security chiefs at OPM, Interior and USCIS reflect on budgetary and cultural challenges ahead of a Sept. 30 due date to implement zero trust architecture.

The post Agency CISOs aren’t sweating a looming zero trust deadline appeared first on FedScoop.

Federal agencies are up against a fast-approaching deadline on a slew of cybersecurity standards, but the security chiefs responsible for hitting those marks feel relatively optimistic about the Biden administration’s goal to implement a so-called “zero trust” model for IT systems. 

During panel discussions Wednesday at the Scoop News Group-produced Amazon Web Services Innovate Day, chief information security officers downplayed the Sept. 30 deadline on targets called out in the Office of Management and Budget’s zero trust architecture strategy, expressing both confidence that they will hit the goals and readiness to turn the page on the January 2022 memorandum. 

“The status of OPM zero trust is pretty darn good,” said Office of Personnel Management CISO James Saunders. While there’s work to be done at OPM on the data pillar of the Cybersecurity and Infrastructure Security Agency’s zero trust maturity model, Saunders said that “overall, I think we’re on track and on target to hit the end of this fiscal year goal.”

The Department of the Interior — and its 11 bureaus and eight offices — may not have had quite so smooth a path, but CISO Stan Lowe said the agency is in a good position with its adoption of “practical zero trust.”

“We’re always going to live in a hybrid environment where I’m going to have legacy applications,” Lowe said. “It’s an ongoing, continuous thing. It’s not a destination, it’s a journey, because technology is going to change.”

The “ongoing” nature of meeting the White House’s zero trust benchmarks was on display at Interior with its work on implementing phishing-resistant multifactor authentication — a callout under the identity pillar of the strategy. 

When Lowe, a Federal Trade Commission and Veterans Affairs alum, took over as Interior’s CISO in 2023 after several years in the private sector, he was greeted by “a lot of legacy stuff … floating around the department.” He quickly discovered that what worked for one bureau might not for another — at least in those early stages of MFA adoption.

“The requirement says ‘phishing-resistant MFA.’ Well, that wasn’t necessarily possible [for some offices], so my position on that in the beginning, until we got to the point, was any MFA is better than no MFA,” Lowe said. 

Tackling the zero trust architecture pillars has been filled with trade-offs and shifting strategies of that kind for agency CISOs. Saunders, for example, said funding was the “biggest challenge” for OPM early on, especially coming off an August 2021 OMB memo on logging that “did not come with extra money” for agencies.

A $9.9 million investment from the Technology Modernization Fund to OPM in September 2021 ultimately proved to be a game-changer in fueling the agency’s zero trust work.

Still, a lesson in budgeting and prioritization was learned. “For a lot of these new cybersecurity investments, we need to engage with our business [counterparts] because TMF is only going to support us for so long,” Saunders said. “And that’s a continuous conversation; continuous engagement was not something that was necessarily a strong suit of the cybersecurity organization at the time.”

Shane Barney, CISO at U.S. Citizenship & Immigration Services, described zero trust as “the world’s biggest unfunded mandate for a lot of organizations.” That changed for USCIS when “all of [the Department of Homeland Security’s] different director heads” got in a room and “actually prioritized it first — and it’s not a small amount of money,” Barney said.

“They recognized the connection between security and the business being successful,” he said, adding that zero trust essentially amounts to good “cyber hygiene.”

For any CISO given a mandate to implement agency-wide technical change, internal cultural resistance is a frequent roadblock. Lowe joked that the security organization within Interior has a reputation of putting “the ‘no’ in ‘innovation.’”

But Lowe is entering the zero-trust sprint to the end of fiscal 2024 feeling “pretty optimistic.” After Interior weathered the Ivanti VPN vulnerability earlier this year, the veteran CISO said he’s ready for whatever comes next in the federal government’s cybersecurity journey.  

“Having worked in organizations that are fully zero trust and having gone through that journey with those organizations, I know this is possible,” Lowe said. “It’s just gonna take some intestinal fortitude and some hard decisions along the way to be able to get this done.”

New TMF investments boost agency projects in generative AI, digital service delivery, accessibility
https://fedscoop.com/new-tmf-investments-boost-agency-projects-in-generative-ai-digital-service-delivery-accessibility/
Thu, 16 May 2024 18:49:43 +0000

Nearly $50 million in targeted investments awarded to the Departments of State, Education and Commerce.

The post New TMF investments boost agency projects in generative AI, digital service delivery, accessibility appeared first on FedScoop.

The latest targeted investments from the Technology Modernization Fund support agency efforts to leverage generative artificial intelligence, improve security and enhance digital services, according to a Thursday announcement from the General Services Administration.

TMF investments to the Departments of Education, Commerce and State total just under $50 million. 

The State Department received two investments: $18.2 million to increase diplomacy through generative AI and $13.1 million to transition its identity and access management systems to a zero-trust architecture model.

The AI investment is intended to “empower its widely dispersed team members to work more efficiently and improve access to enhanced information resources,” including diplomatic cables, media summaries and reports. On the zero trust investment, State said it is planning to expedite the creation of a comprehensive consolidated identity trust system, as well as centralizing workflows for the onboarding and offboarding process.

Clare Martorana, the federal CIO and TMF board chair, said in a statement that she’s “thrilled to see our catalytic funding stream powering the use of AI and improving security at the State Department.” 

State recently announced a chatbot for internal uses and revised its public AI use case inventory to remove nine items from the agency website. Additionally, the agency has started to encourage its workforce to use generative AI tools like ChatGPT. 

The Department of Education, meanwhile, is using a $5.9 million allocation to assist the Federal Student Aid office on a new StudentAid.gov feature called “My Activity” to centralize documents and data to track activities and status updates. The FSA is anticipating “a reduction in wait times and the need for customer care inquiries,” per the GSA release. 

Education also recently announced an RFI for cloud computing capabilities for the FSA office, a follow-on contract for its Next Generation Cloud. 

Finally, the Department of Commerce’s National Oceanic and Atmospheric Administration will put its $12 million TMF investment toward modernizing weather.gov through a redesign to “enhance information accessibility” and “establish a sustainable, mobile-first infrastructure.” NOAA reported plans to integrate translation capabilities for underserved communities’ benefit. 

The release noted that NOAA’s associated application programming interface “faces challenges, causing disruptions in accessing dependable weather information for the American public.”

Martorana said she was “equally excited about the TMF’s two other critical investments — with students getting more modern access to manage their education journeys and the public gaining access to life-saving weather information in an accessible manner for all.”

These investments come after a second appropriations package to fund the government for fiscal year 2024 threatened to claw back $100 million from the TMF. Both the GSA and the Office of Management and Budget have faced challenges in convincing lawmakers to meet funding levels proposed by the Biden administration.

Martorana recently called on Congress to fund the TMF, pointing to the funding vehicle as a way to improve service delivery for the public across the government.

Federal cyber leaders proceed with caution on AI as a defensive tool
https://fedscoop.com/federal-cybersecurity-ai-threat-protection/
Wed, 08 May 2024 16:46:23 +0000

Agency IT leaders warn of the technology’s tendency to bring in bad data, underscoring the need for “risk-based approaches” and human involvement.

The post Federal cyber leaders proceed with caution on AI as a defensive tool appeared first on FedScoop.

Three years ago, chief information security officers couldn’t go anywhere without hearing about zero trust. Today, artificial intelligence is the defensive measure du jour for those same government IT leaders. 

With a healthy dose of skepticism formed through years of protecting digital infrastructure from advanced threats, many federal cybersecurity practitioners have significant concerns about AI, viewing it as a technology that needs corralling. That’s especially true for large language models and other data sources, they say. 

“It’s garbage in, garbage out,” said Paul Blahusch, CISO for the Department of Labor. “If our adversary can poison that data, well, we’re going to start getting the wrong information back out from our artificial intelligence. It’s going to say, ‘Day is night, night is day. Black is white, white is black.’ And are we going to just take that and say, ‘Oh well, that must be what it says because the AI said so?’”

Speaking during an Advanced Technology Academic Research Center webinar last week, Blahusch and other government and industry cyber experts painted AI as a technology that’s not entirely new, having found itself in the cultural zeitgeist thanks to ChatGPT. But it’s one that can and will be put to better use.

“I’m sure that my … antivirus [software] has been using some form of AI and machine learning for a long time,” Blahusch said. “The whole idea of artificial intelligence within cyber tooling has been there for a while — all our threat intel types of analyses use some of that. But we can certainly take it to the next level.”

That next level should come in the form of reducing burdens on the federal cyber workforce, Blahusch said. When it comes to data analysis, those employees can focus on “higher-value work” if AI systems are positioned to handle the rest. 

“I don’t have all the resources to have 100 people looking at streams,” he said. “I need technology to help me with that and have my limited number of people do the things that human beings need to do.”

Jennifer R. Franks, director of the Government Accountability Office’s Center for Enhanced Cybersecurity, Information Technology & Cybersecurity Team, acknowledged during the panel that she’s “not really an AI enthusiast,” but as a cyber professional who also works in privacy and data protection, the technology is “here to stay.” 

New uses of automation in government work are necessary given staffing shortages, but humans will still play a critical role since emerging technologies like AI also bring on additional vulnerabilities, she said. 

“We can’t be naive to the risk-based approaches that we have to take, making sure that we still have human decision-making. You know that is going to help us in managing some of the complexities,” Franks said. “We have to make sure that … we’re managing some of the controls around the tools and technologies and the machine learning aspect of the codes that are going into the algorithms, [so they] are not compromised.”

As a former federal IT manager now on the industry side, Youssef Takhssaiti said government cyber officials need to embrace AI, leveraging the technology’s ability to analyze network traffic, detect anomalies, automate responses to standard attack scenarios and myriad other defensive techniques. 

But procurement officers also “have to be very careful when it comes to adopting or purchasing” AI products, according to Takhssaiti, a Treasury Department and Consumer Product Safety Commission alum who’s working on a PhD in artificial intelligence. 

“Everyone is focused on speed to market — how can I get my product and application out to the market and consumers,” said Takhssaiti, now global GRC director for Aqua Security. “Before adopting any [AI products], two key things to focus on: Are they a vulnerability for you or as vulnerability-free as they could be? And what do they do with my data? Is it being used to retrain these models?”

Whether it’s continuing to embrace zero-trust architectures, dabbling in AI or looking out for the next big defensive thing in cyber, federal security professionals agree that threat protection strategies need to take an “all of the above” approach while also leaning on tried-and-true mitigation methods.  

“We’re still actively deploying and implementing the initiatives as ZTA across our various environments. But now we have AI, right?” Franks said. “But we cannot still forget … the basic cyber hygiene strategies. … And then going forward, we have to redesign and strengthen where it is we need to go so that we can stay ahead of the vulnerability curve.”

Department of Education begins market research for cloud capabilities
https://fedscoop.com/department-of-education-begins-market-research-for-cloud-capabilities/
Mon, 06 May 2024 16:48:37 +0000

In a request for information, the Department of Education’s Federal Student Aid Office said it’s looking for a managed service provider for cloud capabilities.

The post Department of Education begins market research for cloud capabilities appeared first on FedScoop.

The Department of Education’s Federal Student Aid office is looking to advance cloud capabilities through its Next Generation Data Center, a follow-on contract for the office’s Next Generation Cloud. 

The agency said Friday in a request for information that it is conducting market research to identify a service provider to modernize and “continuously improve” the existing cloud environment provided by Amazon Web Services. 

The department said in the RFI that FSA “must evolve cloud capabilities” for general purpose business use, to meet federal requirements laid out in a 2021 executive order on improving national cybersecurity and to “keep pace with today’s dynamic and increasingly sophisticated cyber threat environment.”

The request states that within the first year of awarding a contract, all remaining on-premise applications and infrastructure will move to the cloud. In the second and third years of the contract, “the entire cloud environment must be optimized and modernized as a dedicated workstream” through cloud native design principles in order to take advantage of the commercial cloud’s full benefits.

“The preponderance of FSA’s applications will migrate into FSA [Next Generation Cloud], managed by the FSA chief information officer,” the request states.

This effort is unrelated to the recent updates to the Free Application for Federal Student Aid, which was recently overhauled to leverage cloud technologies for the transmission and delivery of FAFSA data, an agency spokesperson said in an email to FedScoop.

NASA balks on timeline to incorporate cyber into spacecraft acquisition policies
https://fedscoop.com/nasa-balks-on-timeline-to-incorporate-cyber-into-spacecraft-acquisition-policies/
Thu, 02 May 2024 18:57:17 +0000

The space agency pushed back on some GAO recommendations for NASA’s administrator to update acquisition requirements to better reflect cybersecurity threats.

The post NASA balks on timeline to incorporate cyber into spacecraft acquisition policies appeared first on FedScoop.
The Government Accountability Office is concerned that NASA still hasn’t incorporated cybersecurity practices into required agency policies, particularly for its major spacecraft projects. Without these requirements, NASA could end up with “inconsistent implementation of cybersecurity controls,” the auditing agency warned in a new report sent to Congress.

“NASA officials explained that one key reason they have not yet incorporated this guidance into required acquisition policies and standards is because of the length of time it takes to do so. GAO acknowledges that the standards-setting process can take time, but it is essential that NASA do so for practices that should be required,” the report stated. 

Spacecraft are heavily dependent on software and IT, the report concludes. Even though the space agency has included cybersecurity elements in some of its contracts, those elements need to be standardized. For this reason, the GAO is recommending that the chief engineer, the chief information officer, and the principal advisor for enterprise protection develop a specific timeline for actually updating “its spacecraft acquisition policies and standards” to address cybersecurity threats.

Yet NASA pushed back on some of the recommendations. Per the report, NASA’s CIO said it was “not feasible” for there to be one set of essential controls for all mission spacecraft. GAO pushed back on that response, writing that “NASA should leverage its space security guide to determine the controls that address the likely threats to its spacecraft.” 

NASA was also not interested in establishing a timeline, saying that it needed to carefully consider the requirements. The space agency said that it already had systems in place for dealing with the risks of space.

“While we do not dispute this, we note that NASA’s space security guide recognizes that NASA does not currently have a cybersecurity risk management framework for end-to-end integrated space mission systems,” the auditing agency said in response. “Without a plan with identified timeframes, it is unknown when the agency will actually perform an update to incorporate, if necessary, any additional cybersecurity controls.”

A major USAID contractor said it was hacked in 2021. It’s still not sharing details
https://fedscoop.com/a-major-usaid-contractor-said-it-was-hacked-in-2021-its-still-not-sharing-details/
Thu, 02 May 2024 16:19:11 +0000

A data breach disclosure filed by Chemonics in 2022 said that more than 6,000 people were impacted in the 2021 incident.

The post A major USAID contractor said it was hacked in 2021. It’s still not sharing details appeared first on FedScoop.
Chemonics, an international development firm that has received billions in government contracts and has described USAID as its “primary client,” suffered a hack that impacted its employees back in 2021. Three years later, neither the company nor the agency is commenting on what actually happened. 

According to a consumer data breach notice filed with the Maine attorney general’s office, the attack was described as an “external system breach” and “hacking” that impacted more than 6,000 people. The alert came after the company discovered “anomalous activity in its email environment” on July 12, 2021, according to a separate filing with New Hampshire’s attorney general.

That notice said that an “unauthorized” actor or actors obtained access to company email accounts between March 2 and July 13 of that year, though Chemonics said in the disclosure that it couldn’t identify the specific emails that were impacted. “The investigation also found no conclusive evidence of data exfiltration, and we have no evidence of actual or attempted misuse of personal information,” the notice stated.

The extent to which different types of information were exposed is unclear. The Maine notification said that driver’s license numbers and non-driver identification card numbers were exposed. The New Hampshire notice said that emails containing individuals’ names and Social Security numbers were revealed in the breach, and that “financial account information without corresponding access codes” was also included in some emails. The legal website JD Supra wrote that “access credential information” was also accessed, but the author did not respond to FedScoop’s request regarding the source of that information.

Chemonics isn’t answering questions about what steps it’s taken to address the potential impact of the event on USAID, which the company works with in myriad partner countries. Nor did the company address whether it reported the incident to the Cybersecurity and Infrastructure Security Agency, the type of information impacted, or whether it has suffered any other breaches. 

“We are continually adapting and updating our cybersecurity policies and procedures to ensure we are current with the ever-evolving cyber threat landscape that impacts us all,” a Chemonics spokesperson said in response to a series of questions from FedScoop. “While we cannot comment on any specific cybersecurity incident, we are committed to safeguarding all data entrusted to us.” 

The spokesperson continued: “It is our practice to work transparently and proactively with our staff, clients, and partner organizations who may be affected by any potential incident, including complying with applicable laws. Cybersecurity continues to be a priority focus for Chemonics as we seek to achieve meaningful development impact in complex contexts around the world.”

Turke & Strauss, a law firm specializing in data breaches, states on its website that it is investigating the company over the incident. The firm declined to discuss its work on the topic.

Notably, Chemonics appears to have had three chief information security officers in the past three years, though the company did not answer FedScoop’s question about whether anyone held the position before October 2021, when an individual on LinkedIn said that they started the position. The data breach notifications written in 2021 came from Pete Souza, who was described at the time as the director of cybersecurity, infrastructure, and system administration at Chemonics.

Those impacted were provided identity theft protection and active credit monitoring by the company, per the disclosures. Notices for residents of Vermont, Montana, Massachusetts, and other states are available online.

In regard to the incident, CISA referred FedScoop to Chemonics. So did a USAID spokesperson, who only added the following: “USAID takes the security and confidentiality of all our partners very seriously. Strong cybersecurity practices and policies are critical to the success of USAID and its partners.”

Back in May 2021, the Russian-backed group Midnight Blizzard, which was previously called Nobelium, orchestrated a cyberattack by impersonating USAID through its Constant Contact email marketing service to send “malicious links” to organizations that worked with the agency. Chemonics did not address whether this breach was related to Midnight Blizzard or that particular incident. 
