Announcements and news
The inability of the Pentagon to rapidly assimilate new technologies and cut bureaucratic red tape is increasingly being perceived not merely as a poor use of tax dollars, but as a strategic liability by both senior DoD officials and members of Congress (Freedberg, 2015). In a March address to the Center for Strategic and International Studies, Senate Armed Services Committee (SASC) Chairman John McCain compared the 18-month standard innovation cycle in the private sector to the Pentagon acquisition cycle, which can last for up to 18 years. McCain argued that the glacial pace of Pentagon acquisitions threatens to undermine the nation’s technological superiority, and that the inefficient allocation of taxpayer dollars during sequestration further exacerbates the acquisition process’s negative impact on national defense.
In an effort to address these concerns, Under Secretary of Defense for Acquisition, Technology and Logistics Frank Kendall ordered the implementation of the DoD’s new acquisition reform effort, “Better Buying Power (BBP) 3.0.” The BBP 3.0 memo, released Thursday, offers a series of initiatives to improve the efficiency of future acquisition programs, with the intent of cultivating the long-term technological superiority of the US military in the face of increasingly advanced systems fielded by both Russia and China. The BBP memo concentrates on 34 areas of focus, such as increasing the use of prototyping and experimentation, emphasizing technology insertion, modular system design and open system architectures, the ability to strengthen cybersecurity throughout a product’s lifecycle, increased access to small business research and development, etc. Many of the new measures are aimed at incentivizing nontraditional defense contractors, such as Silicon Valley technology companies, to engage with the Pentagon, and at increased collaboration with allied nations (Mehta, 2015).
Undersecretary Frank Kendall described the design of the Long Range Strike Bomber (LRSB) as an example of BBP 3.0 recommendations, including planned technology insertion that would enable competitions for bomber upgrade and sustainment contracts.
Overall, the document underscores the DoD’s renewed vigor to rapidly assimilate new technologies and manage excessive bureaucracy. BBP 3.0 will likely be accompanied by new legislation being drafted by House Armed Services Committee Chairman Mac Thornberry in consultation with SASC Chairman John McCain. Thornberry’s legislation will take an incremental, realist approach to acquisition reform, which starts by mitigating the unintended consequences of past reform efforts such as the Weapons Systems Acquisition Reform Act of 2009 (Freedberg, 2015). Thornberry’s bill would also consolidate program requirements and reduce redundant reporting standards:
“Many reports and requirements that are currently handled as separate, time-consuming processes would be consolidated into a single strategy document. Other reports and requirements would simply go away. ‘Probably one of the biggest things,’ the staffer said, is downgrading many ‘certifications’ to mere ‘determinations’: That’s not just a change in terminology. It marks a major reduction in the amount of time and lawyers involved. Milestone A decisions to start developing technologies no longer require any certifications at all, only determinations. Milestone B decisions to start actual engineering and manufacturing development (EMD) would still require certifications, but not as many.” - Sydney J. Freedberg, Jr., 2015
DoD officials, including Undersecretary Kendall, have been largely receptive to Thornberry’s proposals. In summary, the combination of BBP 3.0 and new acquisition reform legislation has the potential to mitigate the damage of prior acquisition reform efforts and improve the efficacy of new programs. BBP 3.0 will enable the DoD to make the required investments in its third offset strategy, such as robotics, big data, miniaturization, autonomous systems, etc.
- Work: Better Buying Power 3.0 Strives to Enhance U.S. Tech Edge, Jim Garamone, 2015
- Pentagon Begins Better Buying Power 3.0, Aaron Mehta, 2015
- Pentagon spotlights cyber in Better Buying Power 3.0, Amber Corrin, 2015
- Frank Kendall: Better Buying Power 3.0 Implementation Guide in The Works, Ross Wilkers, 2015
- Cut Red Tape: HASC Chair Thornberry Rolls Out 1st Major Acquisition Changes, Sydney J. Freedberg, Jr., 2015
- The Imperative of Defense Reform: Serious Challenges for a Serious SecDef, John G. McGinn, Stephen Rodriguez and Peter Lichtenbaum, 2015
- Kill Old Procurement Laws, Congress! Stackley, Punaro, Sydney J. Freedberg, Jr., 2015
The National Institutes of Health Information Technology Acquisition and Assessment Center (NITAAC) recently awarded its Chief Information Officer–Commodity Solutions (CIO-CS) Government-wide Acquisition Contract (GWAC), valued at $20 billion, to 65 companies. CIO-CS is an indefinite-delivery/indefinite-quantity information technology (IT) contract with a duration of ten years (Boyd, 2015). While the contract is primarily a health IT vehicle, it will also include a host of other services such as deployment and installation, engineering studies, web and video-conferencing, big data, virtualization and health and biomedical IT, maintenance and training, enterprise licenses and extended warranties, and cyber security (NIH, 2015). The NIH incorporated numerous changes into the CIO-CS as a result of the previous Electronic Commodities Store (ECS) III GWAC.
In contrast to the ECS III, the CIO-CS will place a premium on the adaptability of companies providing IT services:
“With CIO-CS we saw an evolving, enormous change in the IT marketplace when it comes to commoditized services and managed services and cloud services…We wanted to build a contract that had contract holders that were going to be able to meet those needs as they change. They are changing very, very quickly to be able to not only provide the straight laptops, desktops and hardware equipment; but to be able to buy those more sophisticated software licenses, being able to get the cloud services that they need. They will continue to evolve with mobility and infrastructure services that agencies are looking at…Contract holders really had to prove that they are going to be able to be relevant and meet those ever-changing needs that the government has over the next 10 years.” – NITAAC Program Director Robert Coen
The CIO-CS contract awardees include a wide range of firms, from multibillion-dollar companies such as AT&T and Hewlett Packard to 44 small businesses of varying types:
- 6 service-disabled veteran-owned small businesses
- 8 HUBZone small businesses
- 14 women-owned small businesses
- 6 8(a) small businesses
- 7 economically disadvantaged women-owned small businesses
A full listing of CIO-CS contract holders is available at the NITAAC website. The number of small businesses participating in CIO-CS is consistent with prior NITAAC commitments to award fifty percent of the total $8 billion awarded in previous GWACs over the past two and a half years (Coen, 2015).
In summary, NITAAC requirements reflect the growing interest within the NIH to modernize its IT services, transition towards a more cloud-based infrastructure, and address cyber security issues. Growing concerns over inadequate cyber security measures are likely to profoundly affect federal health IT contractors in the coming years. For example, the National Institute of Standards and Technology (NIST) released draft requirements relating to the management of controlled unclassified sensitive information; the new NIST requirements will supplement existing Federal Information Security Management Act (Ravindranath, 2015).
- NIH awards new government-wide IT contract, NIH, 2015.
- Chief Information Officer – Commodities and Solutions (CIO-CS), FBO, 2015.
- Coen dissects the CIO-CS GWAC, Aaron Boyd, 2015.
- NIH launches competition for $20B CIO-CS program, Steve Watkins, 2014.
- Robert Coen: NIH Seeks To Adapt IT Needs In ‘Evolving’ Marketplace Through New GWAC, Anna Forrester, 2015.
- NIH awards $20B CIO-CS acquisition contract for IT, Michael O'Connell, 2015.
- Contractors Could Get New Rules For Handling Sensitive Government Data, Mohana Ravindranath, 2015.
- NIH Awards New Government-Wide IT Contract, Covers Cybersecurity, Big Data Solutions, Homeland Security Today Staff, 2015
Fort Meade MD, place of performance for the contract
In late April, the Defense Information Technology Contracting Organization released a request for proposals (RFP) concerning US Cyber Command’s (USCYBERCOM) $475 million indefinite delivery, indefinite quantity omnibus contract.* The RFP outlines 20 services selected contractors will provide:
- Knowledge Management
- Records Management
- Cyber Operations
- Planning
- Science and Technology/Research and Development
- Cyber Focused Training
- Cyber Exercise
- Integrated Technology Support
- Cybersecurity
- Project Analysis
- Program Management
- All-source Intelligence
- Business Process Reengineering
- Security
- Strategy and Policy and Doctrine Development
- Administrative Support
USCYBERCOM is outsourcing work to the private sector, including sensitive cyber operations and offensive roles, in an effort to meet high operational demand (Sternstein, 2015). Under the new cybersecurity strategy, the Department of Defense will field 133 cyber mission force teams by 2018, including 13 national mission teams, 68 cyber protection teams, 27 combat mission teams, and 25 support teams. However, USCYBERCOM has only met half of its staffing requirements for its original goal of maintaining 6,000 personnel by 2016. USCYBERCOM’s difficulty in acquiring skilled cybersecurity employees is largely a result of intense competition with the private sector.
Similarly, the NSA has been under significant pressure to sustain its workforce despite Congressional exemptions in hiring authority regulations combined with comparatively high wages relative to other federal agencies. NSA human resources director John Yelnosky noted:
“We’re throwing the kitchen sink at them from our standpoint…And they’re writing in to us, as they leave NSA, in their exit interviews, ‘I’m leaving to double my salary’…The competition out there is really fierce and particularly for these folks that we make a big investment in, and we feel those losses very keenly.”
As the economy continues to improve, competition between the private sector and federal agencies is likely to both accelerate and favor the private sector; the private sector’s greater flexibility in managing its workforce in terms of wages, perks, opportunities for career advancement, etc., in conjunction with its ability to assimilate new technologies more quickly, grants it a decisive advantage over the public sector. Substantial cybersecurity contracts similar to the USCYBERCOM omnibus will continue, as federal agencies will be unable to meet demand for cybersecurity capabilities. One example is a $100 million cyber expertise contract designed to attract subject matter experts in intelligence, national security, counterterrorism, and technology (Konkel, 2015).
*CYBERCOM recently cancelled this contract, and is expected to relaunch the opportunity by October 1st. Competition for cybersecurity personnel will most likely continue, regardless of when the opportunity is released.
- CYBERCOM To Outsource $475 Million of Work To Stand Up Command, Aliya Sternstein, 2015.
- DOD’s new Internet strategy boosts role in defending “US interests”, 2015.
- United States Cyber Command (USCYBERCOM) Omnibus Contract, FBO, 2015.
- The Department of Defense Cyber Strategy, DoD, 2015.
- The NSA’s Fight To Keep Its Best Hackers, Jack Moore, 2015.
- US Cyber Command Has Just Half the Staff It Needs, Aliya Sternstein, 2015.
Draganflyer X6 small unmanned aerial system (sUAS)
The Department of Justice (DOJ) recently announced a series of guidelines for the use of unmanned aerial systems (UAS) by domestic law enforcement and federal agencies. While the DOJ report is fully cognizant of the significant potential for UAS within law enforcement, the document states that all UAS use must conform to existing privacy and civil liberty protections:
“UAS must be operated consistent with the U.S. Constitution. The Fourth Amendment protects individuals from unreasonable searches and seizures and generally requires law enforcement to seek a warrant in circumstances in which a person has a reasonable expectation of privacy. Moreover, Department personnel may never use UAS solely for the purpose of monitoring activities protected by the First Amendment or the lawful exercise of other rights secured by the Constitution and laws of the United States.” – DOJ, 2015
The restrictions outlined by the DOJ largely apply to existing manned surveillance platforms. In an effort to improve accountability and transparency, the Deputy Attorney General will review DOJ UAS issues on an annual basis and will require federal agencies to keep logs of every flight (Moon, 2015). Furthermore, all data retrieved by UAS is subject to existing data storage and protection laws.
The release of DOJ guidelines on the use of UAS by law enforcement indicates the growing momentum of the civilian UAS market. The DOJ guidelines follow the FAA’s notice of proposed rulemaking (NPRM) with respect to non-recreational sUAS operations, which was released in March of this year. The NPRM details daytime flight, altitude, operator certification, and line of sight restrictions under consideration by the FAA. Pending the implementation of domestic UAS regulations, the domestic UAS market will comprise an increasing share of the global civilian UAS market growth of nearly $100 billion over the next decade. The market for law enforcement UAS will provide significant opportunities for firms with experience providing sUAS systems to the US military, such as AeroVironment, which produces the “Wasp,” “Raven,” and “Puma” (Finnegan, 2013).
- Department of Justice Policy Guidance 1 Domestic Use of Unmanned Aircraft Systems (UAS), 2015
- DOJ lays down some privacy rules for feds flying drones, Mariella Moon, 2015.
- Game of drones: As U.S. dithers, rivals get a head start, Jeremy Wagstaff, 2015.
- Justice Department releases guidelines on domestic drone use, Dante D'Orazio, 2015.
- Public safety market offers growth for UAVs, Philip Finnegan, 2013.
Office of Personnel Management
The Office of Personnel Management (OPM) is the victim of a highly intrusive cyber espionage operation conducted by “Deep Panda”, a state-backed Chinese hacker group. The personal information of over 4 million current and former government employees dating back to 1985 has been compromised. The Chinese hackers managed to circumvent the much vaunted EINSTEIN 3 cyber intrusion monitoring and blocking system (Sternstein, 2015). Once OPM’s network was penetrated, the hackers were easily able to access government records, as OPM’s personnel data was unencrypted (Perera, 2015). The breach was initially discovered by CyTech Services, which ran diagnostic software on OPM’s network during a sales demonstration in April of 2015.
Several US intelligence officials stated that the collection of OPM personnel records represents a goldmine for Chinese counterintelligence activities. In tandem with the Anthem Inc. and Premera Blue Cross breaches conducted by Deep Panda, the Chinese government has the medical records, security clearance statuses, social security numbers, performance ratings, addresses, and other compromising personal data of millions of US government employees (Barrett, 2015). The data is useful in both the recruitment of Americans by Chinese intelligence services and identification of American spies within the Chinese government.
Cyber security experts have been widely critical of OPM’s failure to safeguard its networks given the sensitivity and volume of its personnel files. Adam Firestone, Senior Vice President and General Manager of Kaspersky’s Government Security Group, remarked that the government needs to reassess its approach to cyber security from “perimeter defense” to the internal defense of networks:
“The issue is how the network was prepared for the breach. And what were the internal security mechanisms inside the network to prevent the information inside the network from being used and useful for an adversary who got in. From our perspective we assume a breach, we assume that everything is porous, but we prepare. The idea is to prepare the network and your systems for the breach such that even though they do get in, what they retrieve is not useful.”
Navy Cyber Command has demonstrated the viability of this approach, as it has managed to fend off every cyber intrusion since the Navy-Marine Corps Intranet breach in 2013. Cyber Fleet Commander Vice Admiral Jan Tighe attributed the success of Navy Cyber Command to the prompt internal defense of its networks, noting that initial breaches were inevitable. It is unclear how the United States will respond to China given the Department of Defense’s newly released cyber strategy, which emphasizes that the US will retaliate against cyber-attacks (Stewart, 2015). The distinction in the OPM case is that the hacker group did not destroy OPM networks or hardware, but committed an act of espionage.
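Firestone’s point, and the note above that OPM’s personnel data sat unencrypted, come down to one design decision: the record store should never hold the key that makes its contents readable, so that a dump of the store yields nothing useful. The following is an added illustration written for this digest, not OPM’s, Kaspersky’s, or any vendor’s code. It assumes a personnel record with a constructed set of sensitive fields, a master key supplied from outside the store (in practice a KMS or HSM), and, so that it runs on the standard library alone, an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag as a stand-in for a standard AEAD such as AES-GCM; the architecture is the lesson, and a deployment would use the standard AEAD.

```python
"""Field-level encryption of personnel records with the key held outside the store.

Added example (not OPM's or any vendor's code). Sensitive fields are stored only
as ciphertext plus an integrity tag; identifiers stay in the clear for lookup.
"""
import hashlib
import hmac
import json
import secrets

# Assumption for this example: the fields the record store must never hold in plaintext.
SENSITIVE_FIELDS = ("ssn", "address", "clearance_status", "medical_notes")


def derive_key(master: bytes, purpose: bytes) -> bytes:
    """Derive an independent sub-key per purpose from the master key (HMAC used as a KDF)."""
    return hmac.new(master, purpose, hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF-based keystream.

    Stand-in for a standard AEAD (AES-GCM) so the example needs only the standard
    library; the nonce is fresh per field so keystreams never repeat under one key.
    """
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_field(master: bytes, plaintext: str) -> dict:
    """Encrypt-then-MAC one field; returns the blob the record store keeps."""
    data = plaintext.encode("utf-8")
    nonce = secrets.token_bytes(16)
    ks = keystream(derive_key(master, b"enc"), nonce, len(data))
    ct = bytes(p ^ k for p, k in zip(data, ks))
    tag = hmac.new(derive_key(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt_field(master: bytes, blob: dict) -> str:
    """Verify the tag before touching the ciphertext; a modified blob or wrong key is rejected."""
    nonce = bytes.fromhex(blob["nonce"])
    ct = bytes.fromhex(blob["ct"])
    tag = bytes.fromhex(blob["tag"])
    expected = hmac.new(derive_key(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    ks = keystream(derive_key(master, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks)).decode("utf-8")


def store_record(master: bytes, record: dict) -> dict:
    """What the database row looks like: identifiers in clear, sensitive fields as blobs."""
    return {k: (encrypt_field(master, v) if k in SENSITIVE_FIELDS else v)
            for k, v in record.items()}


def load_record(master: bytes, stored: dict) -> dict:
    """Reverse of store_record for a caller that holds the key."""
    return {k: (decrypt_field(master, v) if k in SENSITIVE_FIELDS else v)
            for k, v in stored.items()}


def dump_leaks(stored: dict, secrets_in_clear: list) -> list:
    """Simulate the attacker's view: which sensitive values appear verbatim in a raw dump?"""
    raw = json.dumps(stored)
    return [s for s in secrets_in_clear if s in raw]


if __name__ == "__main__":
    master = secrets.token_bytes(32)  # constructed; would come from a KMS/HSM, not the DB host
    record = {  # constructed sample record
        "employee_id": "E-0001", "ssn": "123-45-6789", "address": "1 Example St",
        "clearance_status": "TS/SCI", "medical_notes": "none",
    }
    stored = store_record(master, record)
    print(json.dumps(stored, indent=1))
    print("leaks in dump:", dump_leaks(stored, [record["ssn"], record["clearance_status"]]))
    print("with key:", load_record(master, stored))
```

Running the block prints the stored row (hex blobs only for the sensitive fields), an empty leak list for the raw dump, and the decrypted record for a holder of the key. The integrity tag is what turns “assume breach” into a property you can check: an intruder who can read the store can copy blobs but cannot alter a clearance status or substitute a record without the tag failing at the next read.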
- Chinese hackers may have breached the federal government’s personnel office, U.S. officials say, Fred Barbash and Ellen Nakashima, 2015.
- Navy, Marine Cyber Fought Off All Net Attackers Since 2013, Sydney J. Freedberg, Jr., 2015.
- Anthem Breach May Have Started in April 2014, Brian Krebs, 2015.
- The Chinese Have Your Numbers, 2015.
- U.S. Weighs Extent of Suspected Data Breach by Hackers in China, Devlin Barrett, 2015.
- U.S. Suspects Hackers in China Breached About 4 Million People’s Records, Officials Say, Devlin Barrett, Danny Yadron and Damian Paletta, 2015.
- OPM Hackers Skirted Cutting-Edge Intrusion Detection System, Official Says, Aliya Sternstein, 2015.
- China's Cyber Attack, Defense News, 2015.
- U.S. Spy Agencies Join Probe of Personnel-Records Theft, Damian Paletta, 2015.
- Pentagon's new cyber strategy cites U.S. ability to retaliate, Phil Stewart, 2015.
Motorola HC1 Headset Computer
Wearable technology, devices that are worn by users, is a rapidly expanding market which is set to exceed $32 billion by 2019 (IHS, 2014). Commercial wearable technology applications include biometric monitoring, camera and video functions, communication systems, and internet access. Many of these functions could be expanded upon to assist law enforcement by providing greater situational awareness to both officers and dispatchers. Furthermore, the use of body mounted cameras provides an additional means of ensuring accountability among law enforcement personnel, as per the Obama Administration initiative to field more than 50,000 police body cameras nationwide.
The most relevant capabilities of wearable technologies to law enforcement relate to increased situational awareness. For example, biometric sensors would be able to alert dispatchers to a potential emergency situation. Datalinks would enable officers to rapidly exchange information between networked officers and dispatchers, including video feeds from body cameras, maps, floor plans, and data from platforms such as unmanned aerial vehicles. Wolf Tombe, Chief Technology Officer of U.S. Customs and Border Protection, said CBP is examining fielding a wrist-mounted drone:
“[CBP] is considering small unmanned aircraft, including a drone mounted on the wrist. Such technology would meet CBP new technology requirements: enhancing officer safety, increasing mission effectiveness — and reducing costs, he said. If it does any or all of those things, ‘bring it in and we’ll look at it’” - John M. Doyle, 2015
Interest in wearable technologies extends across multiple DHS agencies, including the Science and Technology Directorate (S&T). S&T recently launched “Emerge Accelerating Wearable Tech for First Responders,” a $750,000 program to develop wearable technologies to improve the situational awareness of first responders.
The Obama Administration is seeking to acquire wearable body-mounted cameras for nonfederal law enforcement officers as a means of improving accountability between the police force and citizens. In response to the Ferguson, Missouri riots following the death of Michael Brown, the Obama Administration announced the planned acquisition of 50,000 body cameras for officers nationwide. A total of $20 million in grants has been allocated towards purchasing police body cameras, with a total of $75 million expected over the next three years pending Congressional approval (Edwards, 2015).
Despite the substantial capabilities and potential of wearable technologies for law enforcement, significant barriers remain towards the widespread proliferation of wearable technology in law enforcement. Alternative existing equipment, such as mobile devices, could provide some of the situational awareness and data sharing capabilities at greatly reduced cost over proposed wearable systems. Relatively simple body cameras and biometric sensors will likely see expanded use over the next few years. However, until the cost of wearable computers and wearable UAS drops substantially, wearable technologies will not meet their full potential given the limited deployment of more expensive high-end wearable systems.
- Improving Our View of the World: Police and Augmented Reality Technology, Thomas J. Cowper & Michael E. Buerger, 2003.
- A Guide to the $32b Wearables Market, IHS, 2014.
- RoboCop: Wearable Tech, Melanie Basich, 2015.
- FACT SHEET: Strengthening Community Policing, Office of the Press Secretary, 2014.
- 5 wearable tech trends for police, Mary Rose Roberts, 2014.
- The Future of Wearable Technologies in Law Enforcement, Sean Petty, 2014.
- HOMELAND SECURITY: Customs and Border Protection Exploring Small Drone Use, John M. Doyle, 2015.
DHS’ United States Computer Emergency Readiness Team (US-CERT), developer of the EINSTEIN 3A intrusion detection and prevention system
In the aftermath of the OPM hack, which compromised the personal information of over 22 million people, and the subsequent resignation of OPM Director Katherine Archuleta, the Federal Government undertook a 30-day initiative to shore up its cybersecurity. Federal Chief Information Officer (CIO) Tony Scott explained that federal-civilian agencies would increase their use of multistep verification, decrease the number of privileged users that have access to sensitive information, and patch known vulnerabilities (Boyd, 2015). After 30 days, all federal agencies will report their progress with respect to implementation of the added security features to OMB and DHS. Since the start of the sprint, CIO Scott announced, federal agencies have increased their use of two-factor verification by 20% overall, with select agencies implementing 100% two-factor verification for privileged users. With the assistance of DHS, federal agencies have patched more than 60% of known cyber vulnerabilities since May this year, according to DHS Secretary Jeh Johnson.
In an op-ed in Politico, Federal Cybersecurity Needs Improvement, Secretary Johnson revealed that many of the new cybersecurity procedures being enacted under the cyber sprint are part of a much larger government strategy to tackle cybersecurity. DHS’ National Cybersecurity and Communications Integration Center (NCCIC) will perform a critical information sharing and coordination role in future federal incident response. Johnson stated that NCCIC is also responsible for the management of EINSTEIN, an advanced intrusion detection and prevention system. The latest version, EINSTEIN 3A, is deployed by 15 federal agencies covering roughly 45% of all federal-civilian employees; DHS plans to assist in the deployment of EINSTEIN 3A across all federal agencies by the end of the fiscal year. The government has also permitted EINSTEIN’s providers, AT&T, CenturyLink, and Verizon, to market the software to private sector firms:
“The EINSTEIN technology is marketed under the brand name of Enhanced Cybersecurity Services, or ECS…More businesses are willing to accept the U.S. government’s help, after learning parts of their own workforces have been caught up in cyber espionage campaigns. Recent data breaches at health insurers, including Anthem, have been tied to the Chinese military, as has the OPM attack….After the OPM discoveries, there has ‘been an exponential increase’ in companies inking agreements with CenturyLink to roll out the commercial rendition of EINSTEIN” - Sternstein, 2015
As the federal government seeks to revamp its cybersecurity procedures, federal contractors will face greater scrutiny in terms of safeguarding sensitive information. Federal investigators determined that the credentials used to gain access to OPM’s network were from KeyPoint, a contractor providing background check services to OPM. Cybersecurity firms have previously voiced concern over the current lack of cybersecurity measures instituted by defense contractors.
- Contractor breach gave hackers keys to OPM data, Aaron Boyd, 2015.
- Home Depot Has Better Cyber Security Than 25 US Defense Contractors, Aliya Sternstein, 2015.
- Suddenly, Everyone Wants the NSA’s Cyber Defense Tech, Aliya Sternstein, 2015.
- Feds on '30-day sprint' to better cybersecurity, Aaron Boyd, 2015.
- Cyber sprint increases use of two-factor authentication, Aaron Boyd, 2015.
- White House touts 'cyber sprint' successes, Cory Bennett, 2015.
- White House sprints to patch security flaws, Cory Bennett, 2015.
- Federal Cybersecurity Needs Improvement, Jeh Johnson, 2015.
The DC Chapter of AFCEA held a moderated Defense Health Agency panel discussion on April 26, 2016 focusing on innovative solutions for the military health system.
The panelists were:
- James Craft, Chief Information Officer, Joint Improvised Explosive Device Defeat Organization, Department of Defense
- Steven Hernandez, Chief Information Security Officer, Office of Inspector General, Department of Health and Human Services
- Rose-Marie Nsahlai, Lead IT Security Specialist, Office of the National Coordinator for HIT, Department of Health and Human Services
- Dr. Joseph Lucky Ronzio, Deputy Chief Health Technology Officer, Veterans Health Administration, Department of Veterans Affairs
The main topics of discussion were in relation to Mobile Health Technology, Interoperability and Cybersecurity.
The discussion surrounding Mobile Health Technology focused on empowering the consumer / patient to be more active and collaborative with their providers when making health and wellness choices, and on embracing sensors and telehealth / telemedicine as alternatives to physician office visits. The Deputy CHTO of the VA, Dr. Ronzio, argued that both provide a better patient experience, while lowering costs for all parties. Moving forward, more emphasis will be placed on devices and mobility for both the patient and the provider. NSA, for example, is working on a "thin" encryption that is specifically for health and wellness devices, so the security layer is a lower overhead for the device.
All three agencies placed an emphasis on interoperability with respect to standardization of software and hardware technologies, in order to improve data exchange and communication between the agencies and reduce costs. Companies that provide 90 percent of the Electronic Health Records (EHR) used by hospitals nationwide, as well as the top five largest health care systems in the country, have agreed to implement three core commitments:
- Easy and secure consumer access to electronic health information;
- No blocking of electronic health information / to adopt transparency; and,
- To adhere to federally recognized standards and best practices.
Given tightening budgets, all agencies voiced support for innovative solutions, assuming that a new solution replaces antiquated processes and systems, and, most importantly, saves money.
EHR security is one of the top priorities for DOD, HHS and the VA, particularly after the recent high-visibility cybersecurity breaches that impacted numerous US hospitals, Anthem and OPM, to name a few. According to IBM X-Force Interactive Security Incidents data from Jan. 1, 2015 to Oct. 31, 2015, almost 100,000,000 health care records have been compromised due to malicious attacks. A patient’s EHR can contain sensitive information such as SSN, addresses, financial and employment information, in addition to medications, vaccination records, chronic conditions, etc. By gaining access to a patient’s EHR, a cyberterrorist can pinpoint and act on vulnerabilities, for example through directed bioterrorism or withholding medication from an individual, including US military personnel. DOD, HHS and the VA are continually looking to partner with organizations that can help mitigate these cybersecurity risks.