Federal Times Blogs
Four companies have been awarded work under the Department of Homeland Security’s $6 billion cybersecurity contract.
Winners include Knowledge Consulting Group, Northrop Grumman, Technica and HP. The RFQ was for continuous monitoring tools, not services. The goal was to increase or extend software licenses that agencies already have in place, at a discounted price.
Read more here.
The Department of Homeland Security on Wednesday released the first request for quote under its $6 billion continuous monitoring contract, according to industry sources.
The RFQ is for cyber tools and equipment, not services. The goal is to increase or extend software licenses that agencies already have in place, at a discounted price, said James Yeager, director of federal civilian sales at McAfee. As of last month, 12 of the 17 vendors on the contract included McAfee products as part of their tool set available to agencies.
The RFQ will provide tools for 33 departments and agencies and range in value between $37.5 million and $60 million, Yeager said. One or multiple vendors will be selected based on lowest-price, technically acceptable bids.
Contractors have until Friday to submit questions about the RFQ. Responses are due Nov. 22, unless DHS is flooded with questions and opts to extend the deadline, Yeager said. An award is expected within 60 days.
“This task order is not where departments or agencies say ‘I have something, I don’t like it and I want to use something else,’” Yeager said. ”There’s not an option to say, ‘I don’t have anything that meets this requirement, let me tell you want I want.’”
All of the large civilian agencies have signed on to use the contract, which was awarded in August, John Streufert, director of DHS’ Federal Network Resilience division, said at a conference last month. The General Services Administration awarded the blanket purchase agreement on behalf of DHS.
“Our objective is to form up and choose those tools of best value and begin deploying them across some 120 of the largest dot-gov organizations,” Streufert said. He noted that the first proposals would be for commodities, but he expects task orders for services will follow soon after.
Subsequent task orders under the contract are expected in the first half of 2014, Yeager said.
While last month’s 16-day government shutdown delayed work, Streufert doesn’t expect it will impact the overall schedule of the five-year program. And it appears there isn’t too much concern about the program’s viability under the current continuing resolution.
DHS has already spent some of the program’s $185 million fiscal 2013 funds to develop the procurement, Streufert said in a separate interview.
Some agencies are looking to get a more competitive price for existing scanning tools, procure more software licenses or replace tools that didn’t function well in their IT environments, Streufert said.
A senior officer at McAfee, Inc., will be the newest deputy undersecretary for cybersecurity at the National Protection and Programs Directorate at DHS, according to an Aug. 19 blog post by secretary Janet Napolitano
Phillis Schneck, the vice president for the global public sector at McAfee, Inc., has also held positions at IBM, NASA, the University of Maryland, CygnaCom solutions, and other companies.
Phyllis has been a close partner in our cybersecurity mission for many years. She served for eight years as chairman of the FBI’s InfraGard National Board of Directors and founding president of InfraGard Atlanta, growing the InfraGard program to over 30,000 members nationwide in the past decade, and fostering a relationship between InfraGard and DHS. Equally impressive, Phyllis holds three patents in high-performance and adaptive information security, and has six research publications in the areas of information security, real-time systems, telecom and software engineering.
During my tenure as Secretary, we have strengthened partnerships with the private sector to secure cyber networks and protect physical assets while developing a world-class cybersecurity workforce. In fact, the position of Deputy Under Secretary for Cybersecurity was created in 2011 to act as the Department’s chief cybersecurity policy official, in recognition of the growing importance of cybersecurity to DHS’ mission of strengthening the security and resilience of our nation’s critical infrastructure. I am confident that Phyllis will continue these efforts, and build upon the foundations laid by her predecessors, to create a safe, secure and resilient cyber environment and promote cybersecurity knowledge and innovation.
In addition to the standard two forms of identification, offer letter and contact information, new hires at the U.S. Department of Education are required to bring along a certificate of completion for cybersecurity training course.
A recent internal investigation shows why that training is probably a pretty good idea.
In a previously undisclosed probe into a 2011 “spear phishing” campaign, hackers targeted senior staff and managed to break through the department’s security protections to steal data from the department.
Much about the incident, which was described in documents released through a Freedom of Information Act request by Federal Times, remains classified, including how much data and what sort of information hackers took.
One of the hackers used an email address — arne.duncan[at]ymail.com – to infiltrate the department’s security protections.
You can read for yourself the summary of the investigation by the technology crimes division of the department’s Inspector General, which passed along its findings to the FBI. That memo can be found here.
Federal Times recently reported on the incident, but the Education Department declined to comment. Still, there’s a lesson in all of this. Even if the name on an email address seems familiar, government employees ought to make sure the sender’s address is legitimate.
And call the IT department if you’re unsure.
The National Institutes of Standards and Technology is on track to develop a preliminary set of voluntary cybersecurity standards by October, according to the head of the agency.
Patrick Gallagher, NIST director, said at a Senate Commerce, Science and Transportation committee hearing Thursday that the agency is working closely with private industry as mandated by a Feb. 19 executive order.
“We have made significant progress but we still have a lot to do,” Gallagher said.
He said the agency has already held three workshops for industry feedback and will continue to work with the private sector to develop a flexible set of principles that will remain relevant for as long as possible.
President Obama directed NIST in the executive order to work with the private sector on standards that will help protect critical infrastructure – such as telecommunications and manufacturing – from cyber attack.
Sen. John Rockefeller, D-W.V., chairman of the committee, said it is critical that NIST and the private sector work together on any cybersecurity framework to make sure it is adopted by the private sector.
“Making progress against our cyber adversaries is going to require a sustained coordinated effort between the public and private sectors,” he said.
Nearing the end of a half hour talk on cybersecurity at a conference of contracting professionals in Alexandria, Va., Thursday, Booz Allen Hamilton vice president Mike McConnell had not uttered the name Edward Snowden.
And Snowden, after all, is someone who has people talking a lot about cybersecurity these days.
The now famous former Booz Allen employee stands charged with espionage and is still on the run from U.S. authorities after leaking details to the media on once secret government surveillance programs.
As McConnell, a former director of national intelligence, was wrapping up his presentation, he said he’d take a question or two. That’s when an audience member brought up Snowden.
While brief in his response, McConnell went beyond the carefully worded statement that Booz Allen’s public relations staff had issued in the days after Snowden’s leaks became public.
Dubbed a traitor by House Speaker John Boehner and yet hailed as a brave whistleblower by Daniel Ellsberg, Edward Snowden’s leaks about National Security Agency data collection techniques have ignited public debate about privacy, security and the scope of U.S. government surveillance activities.
But legally speaking, the 29-year old, self described high school dropout isn’t really a whistleblower: “Whistleblowers are individuals who have engaged in lawful disclosure,” said R. Scott Oswald, managing principal of The Employment Law Group, a DC-based law firm that represents whistleblowers, including some in the intelligence community.
Snowden, however, leaked classified information subject to a court order, which is hardly lawful, Oswald said.
“What Mr. Snowden did here was not protected and was illegal under our laws, so it’s not correct to say he’s a whistleblower in that sense,” Oswald said. “What he is, I think, is a conscientious objector.”
“He has information that he believes is important for the American public to know,” he said. “What he has decided to do is to commit an illegal act in order to have that information disseminated, so he is subject to criminal prosecution.”
The whistleblower distinction is getting closer attention in newsrooms, too. The Huffington Post, citing a memo it obtained, reported Monday that Associated Press standards editor Tom Kent told staff that “whether the actions exposed by Snowden and [WikiLeaks source Bradley] Manning constitute wrongdoing is hotly contested, so we should not call them whistle-blowers on our own at this point.”
Whether he’s a whistleblower or not, one thing is for sure. Snowden is now officially a former Booz Allen employee.
With its famous former employee’s precise whereabouts unknown, Booz Allen on Tuesday released a statement confirming that it fired Snowden over violations to the firm’s policy and code of ethics.
House lawmakers will consider a bill Wednesday that would allow companies and federal agencies to voluntarily share and receive cyber threat information with each other.
The Cyber Information Sharing and Protection Act (CISPA) passed the House Permanent Select Committee on Intelligence April 10 and will be introduced on the House floor Wednesday. A vote is expected by Thursday.
An earlier version of the bill passed the House last April but lacked additional privacy controls included in the revised bill. Still, that has not satisfied the White House and civil liberties groups who say the bill’s current provisions are insufficient.
CISPA requires the director of national intelligence to enable intelligence agencies to share threat data with the private sector in real time. This includes information about vulnerabilities of federal and industry systems and networks and efforts to destroy or disrupt these systems. Companies that share information under the bill’s provisions would be granted legal protections if they are subject to a cyber attack.
The White House threatened to veto an earlier version of the bill that passed the House last April. Critics of the bill warned that it did little to protect citizens’ personal information and said it would not hold companies accountable for responding to threat information provided by the government.
Despite several amendments to the original bill, CISPA has not met White House expectations.
“We continue to believe that information sharing improvements are essential to effective legislation, but they must include privacy and civil liberties protections, reinforce the roles of civilian and intelligence agencies, and include targeted liability protections,” Caitlin Hayden, spokeswoman for the White House’s National Security Council, said in a statement.
“Further we believe the adopted committee amendments reflect a good faith-effort to incorporate some of the administration’s important substantive concerns, but we do not believe these changes have addressed some outstanding fundamental priorities,” Hayden said. She said the administration will continue working with the bill’s co-authors, House Intelligence Committee Chairman Rep. Mike Rogers, R-Mich., and Dutch Ruppersberger, D-Md., the committee’s ranking member.
In an effort to appease privacy and civil liberties groups, several amendments were added to the bill, including one that restricts how the government can use cyber information it receives from the private sector. The bill requires that the government only use shared information for cybersecurity, investigation and prosecution of cybersecurity crimes and protection of individuals and minors. A provision that would have allowed the information to be used for national security purposes was removed.
Several companies and trade groups, including Facebook, the U.S. Chamber of Commerce and industry group TechAmerica, have expressed support for the bill. But groups such as the American Civil Liberties Union are not satisfied.
“The changes to the bill don’t address the major privacy problems we have been raising about CISPA for almost a year and a half,” Michelle Richardson, legislative counsel at the ACLU’s Washington Legislative Office, said in a statement. “CISPA still permits companies to share sensitive and personal customer information with the government and allows the National Security Agency to collect the internet records of everyday Americans.”
Thousands of rogue Apple, Android and Windows devices found operating on the Army’s network could pose major security risks to sensitive data and Army network operations, according to a recent report.
Army commands failed to report more than 14,000 commercial smartphones and tablet computers being used across the service for research activities, data collection, mobile device pilot programs and other tasks, according to the March 26 inspector general report. Army Corps of Engineers, Engineer Research and Development Center in Vicksburg, Miss., and the U.S. Military Academy at West Point, N.Y., were among the locations using unapproved devices.
Army officials at those sites did not ensure devices met security standards to protect data, and they failed to require all smartphones and tablets be wiped clean of data if reported lost or given to a new user. A lack of clear guidance from the Army chief information officer resulted in officials forgoing training and user agreements before handing out mobile devices.
“The Army did not implement an effective cybersecurity program for commercial mobiles devices,” the report said. “If devices remain unsecure, malicious activities could disrupt Army networks and compromise sensitive DoD information.”
“The Army CIO inappropriately concluded that [commercial mobile devices] were not connecting to Army networks and storing sensitive information; and, therefore, did not” require the same security standards used for other information systems, according to the report.
The IG review was conducted between April 2012 and February 2013 and did not include Blackberry devices.
The IG office set an April 25 deadline for the Army to comment on its recommendations, which include creating clear policy for tracking and reporting mobile device purchases and ensuring mobile devices follow the same security standards as other information systems. Earlier comments provided by the director for the Army CIO Cybersecurity Directorate were deemed nonresponsive.
As of February, DoD reported more than 600,000 commercial mobile devices in use and in a pilot test phase, including 470,000 Blackberrys, 41,000 Apple devices and 8,700 Android devices. The challenge, however, is managing those devices.
Army officials are eager for DoD’s mobile device contract to be awarded this month. The management software will eventually manage, monitor and enforce security for 8 million devices. The software will allow the Army to remotely wipe data from devices and monitor what applications users download, websites they visit and data viewed or modified on their devices.
The General Services Administration has launched a full review of its key online procurement system, after discovering a security vulnerability that may have exposed users’ sensitive data.
The security flaw was reported to GSA on March 8, and the agency has since issued a software patch on the system and is investigating potential impacts to vendors registered in GSA’s System for Award Management (SAM).
“When we got the word that this might be the case, we got right on it,” GSA Acting Administrator Dan Tangherlini told reporters Tuesday following a congressional hearing. “And there is nothing that we won’t do, there’s no step we’re not going to take to ensure the safety and the security of people’s data within that system.”
Tangherlini said GSA is testing changes to the system and will continue to keep users informed. “I am incredibly concerned about it, and the good news is that everyone in the organization is incredibly concerned,” he said of the system’s known security flaw.
The vulnerability could have compromised sensitive information, including Social Security numbers, of individuals registered in the system, according to GSA.gov. Contractors that use Social Security numbers instead of taxpayer identification numbers could be at greater risk, and those individuals will receive credit monitoring.
The vision for the SAM system is to serve as a single access point for nine procurement systems, but GSA has yet to accomplish that goal. To date, the SAM system includes four of the nine systems and provides access to contractors’ business information, their certifications required to receive federal contractors and grants and which contractors have been suspended and debarred.
In 2008, GSA began consolidating its systems in a effort to reduce costs, eliminate redundancies and improve efficiency.
A March 2012 Government Accountability Office report found that “while GSA has taken some steps to reduce costs, it has not reevaluated the business case for SAM or determined whether it is the most cost-effective alternative.”
The Federal Acquisition Service and Office of the Chief Information Officer are now providing program oversight, following an internal review of all GSA operations last year. Tangherlini has also called for the development, reporting and monitoring of key metrics for the SAM project.