On June 13, CISA issued a binding operational directive ordering civilian agencies to remove from the internet any “networked management devices,” making them accessible only from an internal network, or to deploy zero-trust capabilities into their network architecture so an agency administrator can enforce access controls separate from the interface. Agencies were required to do so within two weeks of notification of such devices being connected to the internet.

Censys — a cybersecurity firm that specializes in threat-hunting across devices connected to the internet — used its platform to analyze more than 50 federal civilian branch agencies’ publicly exposed devices that they use to manage networks from the internet. It found ” hundreds of publicly exposed devices within the scope outlined in the [CISA] directive.”

“In the course of our research, we discovered nearly 250 instances of web interfaces for hosts exposing network appliances, many of which were running remote protocols such as SSH and TELNET. Among these were various Cisco network devices with exposed Adaptive Security Device Manager interfaces, enterprise Cradlepoint router interfaces exposing wireless network details, and many popular firewall solutions such as Fortinet Fortiguard and SonicWall appliances,” Censys wrote in a blog post sharing its findings.

In the post, the company explained: “These internet-exposed devices have long been the low-hanging fruit for threat actors to gain unauthorized access to important assets, and it’s encouraging that the federal government is taking this step to proactively improve their overall security posture and those of their adjacent systems.”

Censys also found more than “15 instances of exposed remote access protocols such as FTP, SMB, NetBIOS, and SNMP” — protocols that the firm says “have a history of security vulnerabilities, and exposing them to the internet raises the risk of being targeted by threat actors trying to gain remote unauthorized access to government infrastructure” — and “[m]ultiple out-of-band remote server management devices such as Lantronix SLC console servers,” which CISA said in its directive “should never be directly accessible via the public internet.”

To help civilian agencies meet the requirements of the directive, CISA issued accompanying implementation guidance with additional background and commonly asked questions.

The post ‘Hundreds’ of agency internet-connected devices found running in violation of recent CISA directive, cyber firm reports appeared first on FedScoop.

CISA is looking to modernize parts of EINSTEIN — the program also known as the National Cybersecurity Protection System, which provides a frontline capability to monitor network traffic in and out of federal civilian branch agencies and situational awareness of malicious activity across the federal government — as “evolutions of technologies and threat landscapes have highlighted limitations in the EINSTEIN capabilities and the benefits it provides,” the agency said in a request for information published this week.

This means replacing sensors on agency networks that have been in place, in some cases, for a decade or longer. Specifically, CISA is considering changes to EINSTEIN 1 and EINSTEIN 2, which monitor traffic routed in and out of physical networks and systems.

“The visibility provided by existing EINSTEIN sensors remains a crucial enabler of CISA’s mission to protect [federal civilian executive branch] agencies,” reads the RFI, posted by the General Services Administration on behalf of CISA. “It is one component that CISA uses to gain operational visibility, protect FCEB agencies, and respond to threats. With the limitations of EINSTEIN capabilities, CISA stands to lose that needed visibility. Consequently, a new solution may be necessary to compensate for this loss of visibility to protect FCEB agencies adequately.”

Federal agencies’ enterprise IT architectures have been modernized and have evolved, largely by migrating to the cloud, since EINSTEIN was first introduced in 2003 and subsequently added to. This means CISA and agencies will need to also “consider other broader strategies beyond replacing the existing footprint of EINSTIEN capabilities (e.g., optimal placements in federal agencies, new technologies/techniques to maximize visibility, etc.).”

“For future CISA needs, the augmentation or replacement of this visibility must be considered within the current networking environment and how it may be combined and used with other data sources acquired by CISA analysts,” the RFI reads.

Industry responses are due by July 14.

The contract motion comes after CISA, in the fiscal 2024 president’s budget proposal, requested $425 million to restructure parts of EINSTEIN into a new Cyber Analytics and Data System. That system is meant to provide “tools and capabilities to facilitate the ingestion and integration of data as well as orchestrate and automate the analysis of data that supports the rapid identification, detection, mitigation, and prevention of malicious cyber activity.”

The 2024 budget request also called for $67 million for EINSTEIN and another $408 million for the agency’s Continuous Diagnostics and Mitigation (CDM) program, which provides agencies with a “window into the security posture of agency computers, servers, and other Internet-connected devices.”

CISA recently released a separate RFI for deploying new CDM capabilities across the federal government.

The post CISA considering the future state of EINSTEIN as agencies modernize appeared first on FedScoop.

Under the single-award contract, called T-Cloud, SAIC will support Treasury’s adoption of a multi-cloud environment as a cloud broker, centralizing management of services from major cloud providers like Amazon, Google, IBM, Microsoft and Oracle, with the opportunity to onboard others.

“T-Cloud will enable the Treasury Department to rapidly and securely adopt a modern, flexible and cost-effective approach to utilizing and consuming data in the cloud,” said Bob Genter, SAIC’s president of defense and civilian sector. “SAIC is honored to be the Treasury Department’s cloud services digital transformation partner.”

SAIC will also provide services for business operations, technical, security, network, service desk, subject matter expert support, and transition services, according to a news release.

Treasury has been planning out T-Cloud since as far back as 2019, when it introduced a cloud roadmap developed by its Office of the Chief Information Officer in collaboration with the IRS, procurement offices and other stakeholders.

“At present, Treasury bureaus are individually moving forward with cloud solutions, and have implemented a number of cloud solutions to address unique mission priorities requiring agile and elastic approaches, often through duplicative contract actions,” that roadmap explained. “This scattered approach, while offering varying degrees of agility for individual customers, ignores opportunities for cost reduction through service deduplication and consolidated procurement actions.”

The contract has a seven-year period of performance.

Treasury isn’t the only large department to award a major cloud contract recently. The Department of the Interior last week awarded Peraton a $1 billion cloud contract. And, the Department of Agriculture is plotting a similar departmentwide contract for cloud adoption.

The post SAIC wins $1.3B Treasury cloud contract appeared first on FedScoop.

The House Appropriations Committee on Wednesday said in a summary of the Financial Services and General Government appropriations bill that it wants to eliminate funding for the TMF in fiscal 2024 as part of its efforts to “cut wasteful spending” across the federal government.

The Subcommittee on Financial Services and General Government conducted its markup of the bill Thursday morning. The bill also seeks to ensure “agencies return to pre-COVID telework policies and levels.”

The Biden administration requested $200 million for the TMF in its 2024 budget request earlier this year, compared to the $300 it requested for fiscal 2023 — which resulted in just $50 million of additional funding, despite the urging of some top lawmakers to fund the program at the requested levels.

It’s been common since the creation of the TMF for fiscally conservative lawmakers to try to zero it out.

Speaking with FedScoop earlier this year on the fifth anniversary of the TMF, Federal CIO Clare Martorana told FedScoop the fund has proven itself as an alternative model to drive modernization that delivers near-term impact in the federal government outside of the otherwise snaillike two-year budget cycle.

“There’s some data out in the marketplace done by large consulting companies that talk about the failure rate of IT projects. And it’s pretty significant — projects over $6 million with a significant failure rate. And that’s not acceptable to us. And as technologists, we know how to do this differently. And the way that you do it differently is the way that we’ve designed TMF,” Martorana explained during an interview on the Daily Scoop podcast.

Despite the potential absence of funding for fiscal 2024, the General Services Administration-managed TMF still has money to spend from the $1 billion injection it received as part of the American Rescue Plan in 2021.

So far, the fund has invested more than $700 million across 38 IT modernization projects at 22 federal agencies since it was launched five years ago. It has more than $786 million remaining to spend, according to federal spending data.

The post Technology Modernization Fund faces uphill battle after House committee zeroes out 2024 funding appeared first on FedScoop.

Though GSA has been in the process of conducting market research for a forthcoming Alliant 3 contract, the agency wants to give federal agencies an additional five years to contract for wide-ranging IT solutions available on the existing Alliant 2 contract, such as cloud, cybersecurity, and artificial intelligence services.

This brings the total length of the contract to 10 years.

“GSA remains committed to driving efficiency, cost savings, and innovation through our acquisition solutions,” GSA Federal Acquisition Service Commissioner Sonny Hashmi said in a statement. “Exercising the Alliant 2 option provides agencies with a flexible, streamlined, and agile procurement vehicle that keeps pace with rapidly evolving technology trends and has a proven track record of delivering results.”

The extension comes after GSA last August decided also to raise the ceiling on the contract to $75 billion, up from the previous $50 billion, citing huge demand that “surpassed our expectations at every turn,” per Hashmi.

GSA has touted the success of Alliant 2 in giving small businesses more opportunities to subcontract with other providers to deliver IT services to federal agencies.

Exodie C. Roe III, GSA’s associate administrator for the Office of Small and Disadvantaged Business Utilization, said the extension “demonstrates GSA’s dedication to promoting small business participation and economic growth, creating a win-win scenario for both federal agencies and small business owners alike.”

GSA says on its website that the request for proposals under the eventual Alliant 3 contract will come no sooner than the first quarter of fiscal 2024 to allow the market research process to move forward. The agency issued a draft solicitation for the contract last fall.

While the extension of Alliant 2 technically gives GSA more time to hash out Alliant 3, Laura Stanton, assistant commissioner of IT Category at GSA, said last year that “we’re looking at moving forward on Alliant 3 much, much faster and earlier than we ever anticipated” because of the success of its predecessor.

The post GSA extends Alliant 2 contract by five years appeared first on FedScoop.

Brian Merrick, deputy director of solutions delivery staff for Justice, said during a webinar event the department’s Office of the Chief Information Officer is working through a draft policy involving privacy and the department’s application of AI technologies and “the considerations around using it.”

Privacy — as well as things like diversity, equity and inclusion — is “an active ongoing conversation that we make sure we circulate into any of the new emerging tech efforts so we’ve got the right controls in place, we’ve got the right equity holders involved and engaged fully, so that we make sure that we’re meeting all those requirements going forward, because obviously, being Department of Justice, we are highly focused on making sure that we follow those requirements,” Merrick said during the Federal News Network event.

While he couldn’t comment on when or if the draft policy might be made public, Merrick did say the AI privacy policy would be focused “in general [on] governing how we use the technology. But there will be certainly some intersections, I think, with the public interest, and when appropriate, we’ll make sure that the public interest is satisfied and all of our notification requirements.”

Interest in AI has exploded in recent months with the widespread introduction new capabilities like generative AI, and many federal agencies have begun exploring how they can take advantage of the emerging technology.

FedScoop recently spoke with Melinda Rogers, DOJ chief information officer, in an exclusive interview, during which she shared the department’s plans to use generative AI to improve customer experience for its IT service desk program.

In December 2020, the department issued an artificial intelligence strategy focused on
“cultivating an AI-ready workforce, aligning activities with the DOJ Data Strategy, building a governance structure, and supporting Department-wide AI adoption—with implementation designed to adapt to the evolving technology landscape.”

Merrick said the DOJ has “several AI efforts that are in play right now” including in the law enforcement community and for the legal community, particularly around “enhanced search options … [and] managing documents.”

“It’s a huge requirement for us as we’re one of the largest law firms, I guess, you would say,” he said.

Internally, Justice’s IT division is also using AI tools “with our own datasets that we manage to be able to glean those insights and help us expedite some of our processing,” Merrick said.

On the generative AI front, Merrick said “everyone is grappling with a completely different animal.”

“And so that’s gonna require a much more concerted effort as we really review policy with the rest of the world, frankly, and make sure that we’ve got our policy aligned with use cases and fully understand how that technology works,” he said. “So we’re still a bit off on that. But we’re starting to explore the possibilities and see what that looks like in the future.”

The post Justice Department developing privacy policy for AI appeared first on FedScoop.

The IRS is currently accepting comments from industry on its proposed plan to enlist a managed service provider to update its Integrated Enterprise Portals (IEP) platform through an acquisition, called IEP 2.0.

The IRS refers to these portals as the “front door” to its most vital IT systems, calling them in draft solicitation documents the “primary gateway for external users – including taxpayers, third-party tax preparers, and other business partners – and internal users – IRS employees and contractors with staff-like access – to access IRS business services.”

In essence, it’s a hybrid cloud platform that IRS manages privately to support its most mission-critical services, particularly those that involve peak tax season activities like the agency’s Modernized eFile and Integrated Customer Communications Environment applications.

The volume of traffic to the more than 90 websites and services connected to the portals is staggering: “In 2021, IRS IEP websites served over 11.4 billion page views to 660 million site visitors globally (during 2 billion sessions),” the agency said.

With the IEP 2.0 contract, the IRS wants to partner with a managed service provider to “deliver, operate, and manage the IEP services and to evolve IEP services as needed to support the changing dynamics of the many requirements due to Congressional mandates placed on the IRS.”

Accenture is the incumbent on the preceding IEP contract, which has a total value of $692 million and was awarded in 2017.

The new contract, with a proposed $1.7 billion ceiling, will likely be a single-award contract with a five-year base period of performance, and three one-year options to extend.

Interested vendors have until June 30 to submit comments on the proposed acquisition.

The IEP modernization comes as the IRS, fresh off of an $80 billion injection of funding from the Inflation Reduction Act, has leaned into becoming a more digital and modern organization. Earlier this year, it awarded spots on its $2.6 billion Enterprise Development, Operations Services, which will bring more than 400 legacy IRS systems under one contract to modernize existing systems, build out analytics and improve cybersecurity.

Meanwhile, the tax agency is also exploring a direct file option for taxpayers in forthcoming tax seasons. The IRS in May tested a prototype of a free tax filing system that could allow Americans to file tax returns digitally and free of charge.

The post IRS plans $1.7B update to its IT enterprise’s ‘front door’ appeared first on FedScoop.

In a request for information published Wednesday, State announced that a trio of its bureaus wants industry feedback about possibly using generative AI and machine learning capabilities to help with basic contract writing.

On top of this, State wants to glean “insight into the current hurdles and security considerations to introducing generative and natural language processing AI onto the Department’s network” through the RFI process.

Generative AI has exploded in popularity recently with the emergence of ChatGPT and other similar products that can generate new content, such as text or images, based on their training, which can include the use of large language models.

State’s bureaus of Information Resource Management — its CIO’s office — Consular Affairs, and International Narcotics and Law Enforcement are leading the effort.

“DOS business operations rely on outdated technology and manually intensive processes that result in unexploited data resources, wasted labor hours, and gross inefficiencies,” the RFI states. “The goal of embedding AI technology into an existing and recurring process is to reduce inefficiencies from manual laborious tasks, simplifying workflows, and improving the accuracy of repetitive tasks in the market research and acquisition planning phases while also addressing the nuances of IT-acquisitions.”

Currently, contracting officers typically copy and paste information from previous contracts to save time, State says in the document. But this can lead to errors or introduce risks, like “creating opportunities to exclude mandatory cybersecurity requirements while incorporating outdated provisions and clauses.”

The ideal solution would prompt a user to write a problem statement for the acquisition at hand and the generative AI solution would “generate a complete, draft PR package for any type of IT purchase, for a government procurement professional to review for potential edits, prior to submission in the contracting writing system,” the RFI explains.

The goal is this would not only reduce costs, manual labor and the chance of errors but also improve decision-making and deliver better contract outcomes, the department believes.

State admits there are some constraining factors that could limit moving forward with generative AI, including that the technology hasn’t been approved for use by the department, and the department doesn’t have a published AI policy yet. And as is the case with any federal RFI, the department is cl

Interested parties have until July 17 to respond to State’s RFI.

Secretary of State Antony Blinken is a major advocate for the U.S. being on the cutting edge of adopting emerging technologies like AI for global diplomacy. In January, Blinken kicked off operations of a new Office of the Special Envoy for Critical and Emerging Technology dedicated to the intersection of technology and diplomacy. And the department already has an extensive inventory of AI applications.

“We want the internet to remain a transformative force for learning, for connection, for economic growth, not a tool of repression,” Blinken said then. “We want to shape the standards that govern new technology, so they ensure quality, protect consumer health and safety, facilitate trade, respect people’s rights. We want to make sure the technology works for democracy, fighting back against disinformation, standing up for internet freedom, reducing the misuse of surveillance technology. And we want to promote cooperation, advancing this agenda tech by tech, issue by issue, with democratic partners by our side.”

The post State Department considers generative AI for contract writing appeared first on FedScoop.

Jeff King had been serving as acting IRS CIO since earlier this year on a 90-day loan from the Treasury Department, where he serves as deputy CIO. King will return to that role at the end of June, and Kaschit Pandya will step in to fill that vacant IRS role on an interim basis.

Pandya currently serves as deputy CIO for IT operations at IRS. He spoke to FedScoop in 2022 about how cloud has been a “game-changer” for the IRS.

This marks the third CIO to lead IRS’s IT operations in recent months. Nancy Sieger was the longtime CIO of the agency but, as FedScoop first reported, left to become chief technology officer of Treasury in March and King stepped in temporarily.

All of this comes as the IRS is in the midst of driving a massive tech transformation supported by billions of dollars of funding under the Inflation Reduction Act, which gave the tax agency and $80 billion injection to bolster its enforcement, operations support, business system modernization, and taxpayer services.

NextGov first reported the change at IRS.

The post IRS faces change-up at CIO appeared first on FedScoop.

Awarded by the Interior’s U.S. Geological Survey, the $1 billion indefinite-delivery, indefinite-quantity contract will enlist Peraton to “manage a portfolio of cloud computing, storage and application services across multiple vendor offerings, supplying DOI with a flexible solution for the delivery of those cloud services,” per the solicitation’s request for quotes issued last November.

“Cloud services provide a wealth of benefits that DOI can leverage to provide the right services, at the right place, at the right time in service to our country needs,” contracting documents read. “Cloud services will enable the Bureaus to improve efficiency, align with administration goals and provide a sound technical platform for our future. DOI needs a consistent approach to reviewing, securing, managing and procuring cloud services to ensure optimized coordination and integration between vendors, which provides the best value for the taxpayer. A partnership between portfolio managers with DOI processes, will rapidly provide the benefits DOI needs for success.”

It added: “The Cloud Hosting Solutions (CHS) III acquisition puts DOI bureaus in control of how, when, and where they wish to receive service.” 

Specifically, Interior called out in acquisition documents that it wanted a partner to build a “Virtual Private Cloud” environment. Overseeing that, the cloud broker will “procure ‘third-party’ services from vendors that provide services on a rental or ‘pay as you go’ nature that are designed to enhance or complement the CSP environment associated with the award.”

The contract has a five-year base period of performance with three two-year options to extend.

This award comes as Interior’s Foundation Cloud Hosting Services contract, awarded to a group of 10 contractors in 2013 with a total ceiling of $10 billion, will expire this year. That contract saw a lengthy bid protest process led by losing bidder Centurylink.

Peraton’s win follows a similar large cloud contract it was awarded by the Department of Homeland Security in the fall of 2021 to shift the department’s data center operations to the cloud.

The company also won a place on the U.S. Postal Service’s $2.7 billion Information Technology Solutions (ITS) contract vehicle with 10 other vendors this year.

The post Interior awards $1B cloud contract to Peraton appeared first on FedScoop.