News

FISA Court proposes new rules; DHS restructures the IT workforce;

David Perera — Thu, 02 Sep 2010 11:15:43 -0400

> New Orleans wasted $1 million on IT staff outsourcing, says IG. Article
> "In Google (NASDAQ: GOOG), we are at once the surveilled and the individual retinal cells of the surveillant, however many millions of us, constantly if unconsciously participatory." Article
> FISA Court proposes new rules. Article
> DHS restructures the IT workforce. Article
> Sweden reopens rape investigation of Wikileaks founder Julian Assange. Article

And Finally... First, fried beer. Now, the beer popsicle.

FDA touts online performance metric dashboards

David Perera — Thu, 02 Sep 2010 10:52:10 -0400

The Food and Drug Administration received 5,066 Freedom of Information Requests in the first half of this calendar year, according to a recently unveiled online dashboard that's part of the Health and Human Services Department open government effort.

The dashboard belongs to an initiative dubbed FDA-TRACK that will publically monitor more than 100 FDA program offices with quarterly online updates. FDA Commissioner Margaret Hamburg said the online dashboards will counteract a history of opaqueness at the agency, bringing it "into the daylight."

As for the FDA's FOIA requests, available data on the dashboard shows that they remain relatively stable on a month-to-month basis, averaging around 5,000 a month with a maximum range of 309 requests. The dashboard provides FOIA request numbers from October 2009 through June 2010. The agency routed the greatest percentage of the requests--24 percent in all--to the FDA's commissioner's office.

For more:
- go to the FDA-TRACK website
- download the most-recently revised HHS open government plan (.pdf)

Q&A: Randy Hite on the new GAO EA maturity framework

David Perera — Thu, 02 Sep 2010 10:19:28 -0400

When the Government Accountability Office released August 5 a major revision to its framework for assessing the maturity of agency enterprise architectures, it was the first change to the framework since 2003. Three years in the making, the new framework could also be the EA swan song of the person whose signature is on the preface, Randy Hite, GAO director for information technology architecture and systems issues.

Hite recently talked with FierceGovernmentIT about the framework, about how enterprise architecture has evolved in recent years and the need for a new round of agency EA implementation evaluations. But, much as a new round of evaluations may be needed, Hite said he won't be able to lead it himself--he leaves government service this December after 33 years.

FGIT: So, why a new enterprise architecture maturity framework now and so long after the last update?

HITE: Frankly, it's late in coming. It's overdue. It's needed, so better late than never. The original one served a purpose, it had been overcome by events. The EA discipline has evolved, the manner in which EA, from a practical standpoint, is being implement has evolved.

And, we've learned a lot from looking at EA across the government, we've learned a lot from interacting with the private sector on the subject, so there was more information and knowledge and context to be brought to this whole question of "How do you manage such a complex endeavor?"

I've been wanting to do this literally for three years now, and because the vast majority of the work we do, and in my case, 100 percent of it, is requested by Congress, this is something I was just able to do in my spare time with others, with their spare time in getting it done. It took longer than we would have liked, but I think it's well worth the wait. I'm really happy with how it turned out.

FGIT: How would you contrast EA as it's practiced today as opposed to in 2003, when the last framework was released?

HITE: Back in the early days of EA, it was sometimes viewed as an all or nothing proposition--a boil the ocean kind of endeavor. You needed to have an enterprisewide, top to bottom, A to Z, fully fleshed out architecture before you could do anything.

In reality, it's not done that way. It's really done on an incremental basis, within the context of establishing some thin layer of policies, principals, standards for your entire enterprise. You can then architecture slivers of your organization in more detail and provide the specifics necessary to drive specific programs implementation and systems implementation.

One of the major changes in this framework is that it recognizes that fact. You don't have to have a 100 percent complete architecture in order to implement and derive the benefits from architecture.

FGIT: How's that reflected in the new framework?

HITE: The way the stages were constructed in the past was really directed toward developing the entire architecture, implementing the entire architecture. Now there's provision in the framework for getting an initial version of the architecture, and building out parts of the architecutre and targeting parts of your organization for transformation and modernization. There's stages that recognize that, as well the continuous evolution and improvement of it.

Another thing that this version does that the other one didn't do--this is something we learned from applying the framework--is that consistently across government agencies, there were several major obstacles to making architecture a reality. Those dealt with basically a resistance to change, parochialism, lack of understanding in senior executivs in the organization about what architecture is, and a lack of resources and people with the knowledge and skills to develop and implement architecture.

And so, one of the things this version does is recognize right up front in the initial stage, past the stage of becoming just aware of what an architecture is, is that crating institutional commitment to architecture really provides the foundation for making architecture successful. The basic premise is that if your organizational leadership doesn't recognize the value and its role in making architecture a reality, then you're in for an uphill battle. We saw instances in looking at architecture across the government where program offices trying to get this done were literally the tail trying to wag the dog. They just weren't in a position to make it happen. For architecture to work, ownership has to be vested in the leadership of the organization. They have to own it, and they have to be behind it.

FGIT: EA's reputation often precedes itself as difficult to understand and even as just a bureaucratic device.

HITE: I would agree that there's probably that perception out there. What do people as a rule gravitate to? They gravitate and embrace things they understand. That's kind of the irony of the whole thing, because architecture is designed to simplify and streamline what the organization does, and how it does it, where it does it, why it does it.

On the one hand, it's viewed as a bureaucratic check-the-list, must-do-this kind of thing that really provides no decision making value to senior executives. But, in reality, it's intended to provide just that decision-making value. That's the great irony here - the purpose of the architecture is to help the organization have a better understanding of how it operates so that it can react to changes in its environment quickly, so that it can identify opportunities to consolidate and cut costs and improve efficiencies, improve mission performance and better share information.

I think I was asked one time "Where do you see enterprise architecture 25 years from now?" Frankly, I see it as a tool that sits in the boardroom. And, that when a board of directors is trying to make decisions about the strategic direction of the organization, directors consult the enterprise architecture with "what if" kind of questions to understand how would it impact the organization, and what would have to be done to make a strategic shift?

FGIT: In terms of getting from here to there, though, isn't there that constant problem that taking time to understand how a program is best optimized by fitting into EA helps the enterprise, but there's nothing in it for a program in the short run?

HITE: If you view programs as independent, isolated, individual endeavors, yes, there's nothing in it for that one program.

FGIT: Isn't that pretty much how they're funded and managed?

HITE: Not really, no. I think they are managed--and it's not consistent across all organizations--as an inter-related set of investments. There's a recognition that no program, no system, is an island.

FGIT: There's a GAO report that's barely a few months old, if that, that talks about how FAA doesn't have management tools to manage its NextGen portfolio in a multi-program manner.

HITE: There may be an absence of the tools they need to make that happen. That doesn't mean that there wouldn't be a recognition that there are those interdependencies and relationships. One of the tools to make that happen would be the architecture.

If a program is being defined and designed within the constructs of an architecture, there would be ample opportunity to identity where other services or applications already exist within the organization that will fulfill the need of my program. To the extent that I don't have to develop that myself within my own program, and I can access that service that already exists, I've got an opportunity to save money on my program, and to invest those funds in maybe expanding the kind of functionality that my program can deliver. Or, frankly, just saving money as a cost-cutting measure.

A lot of this is going to be driven by what you're responsible for and accountable for and judged on. If I'm a program, and get I rewarded and evaluated on the basis of the extent to which I act in a manner that is in the best interests of my enterprise as a whole, then I don't pursue [other efforts]. You've got to hold program managers accountable for marching in step with the architecture context of that organization.

FGIT: The new framework now has more gradations--59 core elements now?

HITE: Fifty-nine core elements now, 31 before. The comments that we received from departments on agencies on the prior version was that they were looking for more granularity and specificity in the core elements, to help them implement it.

We're always trying to strike this balance between providing the principles we wanted to have implemented, and not being prescriptive in terms of how that gets done. For example, in the prior framework, we had the need for an architecture framework, an architecture repository tool and a development methodology all rolled into the same core element. In this one, it breaks them out separately.

The reason we did that is because rarely did any organization have all three, but they may have had one of those. We wanted to break them out separately to provide emphasis and attention to all three and to spend more time explaining what we want by all three, because there was some confusion. For example, what's an architecture methodology? Agencies we would go to would describe their framework as being a methodology. They're two completely different things, so we wanted to clarify that.

Some of the other things that account for the increase in core elements is that this version recognizes the concept of architecture federation and segmentation, service orientation, and having an extended architecture across organizations. There are more processes, procedures, structured that we wanted to have in place to cover those kinds of things. Now it deals not only with the corporate architecture that the prior version dealt with--the end all, the be all, the boil the ocean type, one-of-a-kind monolithic architecture. This version recognizes that there is a hierarchy of architectures that make up the family of architectures in an organization, whether you do it on a segmented or a federated basis.

FGIT: Is ITIL influencing enterprise architecture much?

HITE: Frankly, I haven't done current work in the last three to four years on what agencies are doing, architecturally. The last time we've really looked at architecture across the government was probably about five years ago.

FGIT: Any plans for a new evaluation?

HITE: I really think there should be one. We don't have anything planned, and as I said, 100 percent of my work is congressionally requested. We don't have an outstanding request to look at this across the government. I think it should be done. Whether or not we do get a request, or whether or not GAO itself will launch something, is going to be out of my hands. I'm retiring this year. I'll have over 33 years of service, in December.

FGIT: You mentioned that one of the important parts of getting an EA operational is getting executive support. But that's been said, far as I can tell, forever as long as there's been such a thing as EA.

HITE: I have a couple thoughts on that.

In the federal government, for the most part, senior leaders are only here for a short stay. They're looking to make something happen in the near term. Architecture is a strategic asset. The return on investment in architecture is not going to be so much this year or next year, it's going to be downstream. It's a long term investment. And I would dare say that individuals that are coming into the government in leadership positions are looking to demonstrate an impact right away. They don't tend to be here for the long term.

The other thing I would suggest is a lack of understanding and awareness--education around what EA is and what it can do for you.

FGIT: Architects hardly help in this matter--there's a lot of very specialized jargon that goes along with EA.

HITE: I got to believe that there is a translation that goes on between the CIO and those leaders to remove the jargon from it and to put it in concrete business terms. One of the things we did in this framework--we not only talked about the fact that in stage one you have to have a committee made up of the business leaders of the organization and the CXOs of the organization that are the vested owners of the architecture, but that these people actually need to have been given some type of understanding of the principles and concepts associated with architecture. So that they don't come into it with a gross unawareness of what architecture is, what it can do for you. We emphasize that's something that needs to be done. In the absence of that, you do run the risk of someone in the discipline making their eyes glaze over with the kind of terminology that they've been suing to describe things.

I also believe--it's something I've never said before--that when organizations develop their enterprise architectures--and this is something John Zachman always talked about--there are differing views of the organization that one can have, depending on where you sit in the organization. I've always felt that there needs to be the most senior executive view of the architecture. If an architecture is a document, and that document is literally a thousand pages, there needs to be the executive summary, so the senior executives have a better understanding of what it is and how it represents the organization.

When Charles Rossotti was at the IRS, and they first went through putting their enterprise architecture together, he did that. Not only for himself, although he literally read the thousand pages, but for his executive team. He also wanted that to help him for those outside of the organization that were in oversight roles.

FGIT: As far as short term senior leaders, isn't that a permanent, systematic thing?

HITE: Yeah, that's a reality. What can be done? That's a tough one, I don't know what the answer to that one is. There's probably just as many cases where that's not true, that you have very experienced business leaders coming into senior positions in the government, and they realize that there's things we want to do to position this organization for long term transformation, and there those things we want to do in order to provide near term benefits and gains. I've never really queried the most senior people in government to ask them, ‘Do you understand, do you endorse it, if not, why?'

That probably would be a valuable thing to do.

NIEM expansion could require contractor support

David Perera — Thu, 02 Sep 2010 10:04:00 -0400

As the National Information Exchange Model becomes more embedded within agencies as the technical basis for cross-organizational information exchange, its program management office is contemplating hiring a small business to support the model's expansion.

The fiscal 2011 budget passback from the Office of Management and Budget requires agencies to at least evaluate NIEM as a means for sharing information. In all, twelve agencies, including DHS and the Justice Department, currently make use of it; another seven are actively contemplating its adoption, according to government sources.

NIEM uses XML schemas to standardize core data components for exchange and allows other communities of interest to create mutually-intelligible data components specific to their communities. The Recovery Accountability and Transparency Board utilized it for the creation of Recovery.gov and its proponents include the Health and Human Services Department.

In a request for information released Sept. 1, the NIEM program office says it might require a small business to support its activities going forward. Among the potential duties of the small business would be to create domain models and perform gap analysis and document extensions to the NIEM model.

Responses to the RFI are due by Sept. 7.

For more:
- go to the FBO page for the NIEM PMO RFI
- go to the NIEM PMO webpage

DARPA in pursuit of insider threats

David Perera — Thu, 02 Sep 2010 09:13:31 -0400

Just as constantly looking over your shoulder might betray nefarious intent, the Defense Advanced Research Projects Agency says certain system and network activities could indicate the presence of an insider threat.

Insiders granted legitimate access to sensitive networks are notoriously difficult to catch--witness the saga of Bradley Manning, the Army intelligence analyst who allegedly sent a large cache of documents to Wikileaks after downloading them onto a CD labeled "Lady Gaga." As a DARPA broad agency announcement for a new program to detect insiders through their behavior notes, insider threats to date have largely been identified only through perpetrators' incompetence or by accident.

The DARPA program is Cyber Insider Threat, which the agency, through the miracle of selective acronym selection, dubs CINDER. At its head is Peiter Zatko, aka Mudge, a former hacker hired by DARPA earlier this year. CINDER will fund insider detection capabilities in three phases, starting with identifying the types of "missions" an insider might undertake and techniques to identify them.

For example, a malicious insider might take an unusual interest in log files, make frequent queries of who is logged into a particular system, or might repeat non-standard queries to databases, the announcement states. But the goal of CINDER isn't to identify inside actors per se, since a system that would examine isolated activities would run the risk being inundated with false positives. What's needed is a context--hence, identification of insider threat missions that might be performed by an individual or a group of people, the announcement states.

One such mission could "remain persistent within an environment and continuously identify and exfiltrate actionable intelligence as it is discovered."

Previous attempts to model the behavior of legitimate users have been problematic, the announcement says.

Later phases will develop a system utilizing information from Phase I to create a system capable of identifying multiple insider threat missions and demonstrate that system "at scale on real world environments," the announcement states.

For more:
- see the FBO webpage for the DARPA CINDER broad agency announcement or directly download the BAA (.docx)

Auditors: CBP unable to detect excessive custom refunds in fiscal 2009

David Perera — Wed, 01 Sep 2010 22:40:23 -0400

Customs and Border Patrol was unable to prevent itself from issuing excessive custom duty refunds during the last fiscal year due to inherent limitations and lack of controls in certain information technology systems.

Auditing firm KPMG found the material weakness--which also includes in an inability to prevent and correct excessive refunds--during a review of CBP internal controls over financial reporting during fiscal 2009. The Homeland Security Department inspector general released the audit to the public Sept. 1 in redacted form.

U.S. firms are entitled to a customs duty refund, known as "drawback claim," under some circumstances, such as when they export products made with imported merchandise. The customs duty paid when that imported merchandise entered the United States can be the subject of a drawback claim. The penalty for submitting a false drawback claim ranges from a written notice to a fine constituting the amount of the entire false claim, plus restitution.

The amount of redaction done to the KPMG audit makes it impossible to state which information technology system is responsible for the material weakness.

However, the key systems subject to review by KPMG auditors for the report include the Automated Commercial System and the Automated Commercial Environment.

The latter, a web-based portal, is replacing the former, a mainframe-based system. A 2009 review of ACE by the DHS chief information officer found the program has encountered challenges since its initiation in 2001. Among them has been a shifting baseline and significant delays; the review states that as planned, ACE cannot be completed within budget.

The KPMG audit also reviewed the Seized Assets and Cases Tracking System (SEACATS) and CBP's financial management system, which is SAP R/3.

In CBP's official response to the audit, Charles Armstrong, CBP CIO, said he agrees with KPMG's findings.

For more:
- download the redacted audit, OIG-10-109 (.pdf)
- read the November 2009 DHS CIO assessment of ACE (.pdf)

OMB plummets in agency satisfaction rankings

David Perera — Wed, 01 Sep 2010 09:35:16 -0400

The Office of Management and Budget is seen by its employees as among the worst small agencies to work for in the federal government, according to a study of federal personnel perceptions.

The study, based largely on data collected by the Office of Personnel Management and analyzed with a statistical model at the behest of the Partnership for Public Service and American University, ranks OMB as the 25^th among 36 small agencies.

That's a sharp contrast from the 2009 results, when OMB was ranked third among small agencies.

In a prepared statement, OMB spokeswoman Meg Reilly said that agency takes the results seriously.

"We are preparing new workplace initiatives to address the concerns we have heard that can be implemented right away. We are also creating longer-term operational and strategic recommendations for Jack Lew's consideration after he is confirmed as OMB Director. We're confident that this process will yield immediate results for OMB employees and improve overall workplace satisfaction," she said.

Other low ranking agencies include the Federal Communications Commission, which is ranked 21^st.

Among large agencies, the National Archives and Records Administration ties with the Department of Housing and Urban Development for last place at number 31.

The General Services Administration--despite a social media policy evocative of Russian repression, according to some employees there--ranks 8^th among large agencies.

Overall government satisfaction can be ranked as a score of 65 out of 100, the study states. That number represents an all-time high score since the Partnership for Public Service and AU began the study in 2003. This year's is the fifth study. The number is a 2.7 percent increase from 2009 and a 7.4 percent jump from 2003.

"A high level of satisfaction and employee commitment translates into better organizational performance and government effectiveness," state study authors.

For more:
- go to the Partnership for Public Service website

NASA posts historic photos on Flickr; DHS goes to email as a service;

David Perera — Wed, 01 Sep 2010 08:34:44 -0400

> Federal agencies gird themselves for Earl with technology old and new. Article and Article
> Hurricane Earl could imperil teleworkers, too. Article
> CNN "sidestepped company channels" (YouTube), apparently more than Craigslist's CEO can mentally accommodate. Article
> NASA posts historic photos on Flickr, including this snap of the Apollo 11 rocket launching and the first launch of the Bumper 2 rocket in 1950. Website
> California preschoolers tracked with RFID chips. Article and EFF reaction
> DHS goes to email as a service. Article

And Finally... Video of all asteroids discovered since 1980.

Electronic signatures now preferred in the Navy

David Perera — Tue, 31 Aug 2010 23:25:46 -0400

Electronic signatures are now the preferred way of conducting business at the Department of the Navy.

DON Chief Information Officer Rob Carey signed on August 27 a memo--meant for electronic distribution only, naturally--stating that while hand-written signatures are still permissible, they're not preferred.

Decreasing reliance on paper transaction will improve information sharing and security and allow quicker access to documents, Carey states. The memo applies to all DON military, civilian and contractor personnel.

Affixing an electronic signature requires a Defense Department-approved Public Key Infrastructure certificate such as already issued with a Common Access Card. When a person affixes an electronic signature to a document, that person's identity is verified via the PKI certificate.

The Defense Department has required since 2006 PKI-based digital signature applications to undergo testing at the Joint Interoperability Test Command to ensure interoperability across the department.

Carey is due to soon leave his position as DON CIO in favor of a policy and strategy position with the Navy 10th Fleet/Cyber Command.

For more:
- download Carey's August 27 memo, SECNAVIST INSTRUCTION 5239.21
- read a May 5, 2006 memo from the DoD CIO regarding DoD-wide digital signature interoperability (.pdf)

Simplified acquisition and other thresholds going up

David Perera — Tue, 31 Aug 2010 22:41:51 -0400

Contracting officers, rejoice! The quincennial adjustment of various federal acquisition thresholds arrived August 30 in a final ruling that becomes applicable starting Oct 1.

Among the changes is a rise in the simplified acquisition threshold from $100,000 to $150,000. That means that procurements worth up to 50 percent more than the old threshold will now be eligible for the simplified acquisition process, under which agencies need not bother with formal evaluation plans, nor establishing a competitive range, nor conducting discussions, nor scoring offers. Also, a contracting officer, not necessarily a source selection team, can choose the contract winner under simplified acquisition procedures.

The final rule also raises the threshold level of a simplified acquisition "pilot program" (it's been in place since 1997) that allows the government to apply simplified acquisition procedures in procurements now worth up to $6.5 million, provided that a contracting officer "reasonably expects" based on market research that offers will include only commercial items not worth more than that. The old limit on the "pilot program" was $5.5 million.

The distinction between procurements made through simplified acquisition procedure versus procurements under the threshold is slight, at least for a commercial items vendor. Mainly it matters because procurements above the threshold done with the procedure might be subject to scrutiny that acquisitions made under the threshold aren't. For example, contracting officers have to check a database called the Federal Awardee Performance and Integrity Information System (FAPIIS) for any procurement worth more than the threshold, but not for procurements worth less.

In addition, the final rule rises the contract value threshold after which prime contracts must submit a subcontracting plan. The old threshold for negotiated procurements, plus sealed bidding was $550,000. It now becomes $650,000.

The Truth In Negotiations Act's cost-or-pricing data threshold also gets elevated. Starting Oct. 1, contracting officers have an opportunity ask for cost-or-pricing data in order to determine price reasonableness starting with contracts worth $700,000. Until then, the threshold remains $650,000.

The Federal Acquisition Regulation discourages contracting officers from requesting cost-or-pricing data, even going so far as to mostly prohibit its use for price reasonableness determinations in the acquisition of commercial items.

Companies consider cost-or-pricing data a generally invasive tool, since if the government requests it, it's calling for all facts that affect price negotiations significantly.

Unchanged by the rule is the micro-purchase threshold, which holds fast generally at $3,000. Purchases made below the micro-purchase threshold don't require a contracting officer for completion. Above the threshold, however, only contracting officers in possession of a signed warrant from the agency's senior procurement executive can bind the government into a new contract.

For more:
- download the final quincennial thresholds adjustment rule (.pdf)
- download a matrix tracking all the changes (.pdf)

Why congressional websites suck

David Perera — Tue, 31 Aug 2010 21:39:01 -0400

Congressional websites are generally mediocre even if they tend to perk up in quality during an election year, states a new paper printed in a Brookings Institution newsletter.

Based on the presence and absence of about 100 criteria such as timeliness of updates present during 2006 and 2007, three political science academics conclude that congressional websites are stuck in a suboptimal equilibrium.

Perhaps that's not surprising, given the true-life anecdote the authors relate, that of one member of Congress asking a staffer which television channel would display the member's homepage.

Nonetheless, during election years, the quality of incumbents' websites scored higher, state the authors - Kevin Esterling of the University of California-Riverside, David Lazer of Northeastern University and Michael Neblo of Ohio State University.

But, high quality is apparently just a fleeting phase since in years when an incumbent isn't up for re-election, quality regresses to the generally low average, the article authors state.

Congress as an institution doesn't promote website quality, the authors state, as evidenced by the fact that the websites of incoming congressional freshmen follow the same quality distribution curve as that of incumbents.

"You could imagine Congress having mechanisms that would help members of Congress continuously improve their websites and get them to meet best practices," said Esterling during a telephone interview August 31. "We couldn't find evidence of institutionalization of such a process," he added.

Based on interviews the academics conducted with congressional staff, the authors say that metrics of what portions of a member's website constituents find the most interesting generally have no impact on content.

"Given this, it is perhaps no surprise that we found that the qualities of websites are virtually unrelated to the characteristics of members' districts," they state.

Neither do offices consult with each other to learn best practices. Political parties do take an interest in members' websites, but mostly to make sure they're on message, Esterling said while on the phone.

The paper also criticizes the office of House Information Resources, which provides limited website support, such as templates and webhosting.

"Perhaps it's changed, although I doubt it," Esterling said. Staffers told the authors that the templates are limited and constraining, and that working with House Information Resources can be a time-consuming affair.

Article authors hold out little hope for change, but do state that awards given out by the Congressional Management Foundation for the best congressional websites have at least fired up the competitive ardor of members who seek to out-do their peers in all matters, whether geeky as a website or not.

For more:
- download the article, "Improving Congressional Websites" (.pdf)
- see some of the ugliest and worst business websites of 2009
- go to perhaps the worst political website, ever (made with Microsoft FrontPage 5.0!)

Agencies stay watchful amid social-media fervor

Molly Bernhart Walker — Tue, 31 Aug 2010 15:55:20 -0400

Hyper-vigilance on the inside and the outside seems to continue as the watchword for government attitudes toward social media.

For example, should you happen to say anything about the Food and Drug Administration in a social media context, the agency wants to know about it.

According to a solicitation recently posted on FedBizOpps.gov, FDA is looking to acquire "a social media monitoring service to provide metrics and in-depth tracking of mentions of the FDA in any website/blog/micro-blog or online publication." It explains that the data will help assess the reach of FDA messaging and its effectiveness, in order "to get a pulse on how FDA is faring online."

FDA is looking for a hosted solution, for a minimum one-year contract that will provide comprehensive coverage, social media metrics, data filtering and segmentation, workflow management, social media web analytics, social CRM and engagement, automated sentiment analysis, historical data, and enterprise-level scalability.

But a recent post on the Air Force website should serve a reminder that agencies also wants their workers to police themselves. Airmen should consider "the risks and vulnerabilities" associated with revealing personally identifiable information on Web 2.0 platforms, the post states.

"We're starting to see a loss of sensitive information occurring at an alarming rate," said Ryan McCausland, of the service's information protection directorate, in the Air Force article. "We must all continually safeguard our personal information as well as the information we handle in the workplace."

Among the restricted items mentioned in the Air Force post are biographies, rosters, telephone directories and organizational lists. The message of the Air Force post echoes a recent informal announcement by the National Guard Bureau.

For more:
- see the FedBizOpps.gov solicitation
- see the Air Force public affairs post

Audio: Air Force Space and Missile Systems Center on AEHF stall - UPDATED

Mon, 30 Aug 2010 14:17:12 -0400

Air Force officials said August 30 that an on-board thruster meant to send the first Advanced Extremely High Frequency satellite into geosynchronous orbit shut down prematurely following the bird's August 14 launch on an Atlas V rocket.

The Air Force first acknowledged the problem in an August 20 statement, but David Madden, director for the Military Satellite Communications Wing at the Air Force Space and Missile Systems Center in Los Angeles, elaborated on the problem in an approximately 40 minute phone call with reporters on August 30. Click below to hear the full audio of the press call.

The Lockheed Martin [NYSE:LMT]-built satellite, the first of a constellation meant to replace the aging Milstar system, is currently being nudged into a "parking orbit" of 950 kilometers, outside the effects of the Earth's atmosphere, Madden said. From there, the Air Force says it will husband on-board fuel and raise the first AEHF into the originally planned geosynchronous orbit, albeit four to five months later than anticipated.

UPDATE: For more:
- read Dave Madden's opening statement

VA's Baker: No wholesale dumping of MUMPS

David Perera — Mon, 30 Aug 2010 08:52:39 -0400

As the Veterans Affairs Department sorts through responses to a request for information on the viability of open source software as a component of the VistA electronic health record architecture, it's also making clear that the MUMPS programing language will continue to underpin VistA in the near term.

VA chief information officer Roger Baker released an August 30 statement noting that the VA's current health information technology system, the VA Health Information Systems and Technology Architecture, known as VistA, contains more than 15 million lines of code written in MUMPS.

"I just don't see us deciding to re-code all of that in another language right away," Baker said. "One question I had was how well modules written in other languages will interface with MUMPS code, but lots of folks have weighed in to assure me that it is not a significant issue," he added.

"So, I would expect an Open Source VistA system to evolve over time as people chose the language they prefer to write new functionality," Baker concluded.

Army looks to research for tips on tech-centric leadership

Molly Bernhart Walker — Mon, 30 Aug 2010 08:31:56 -0400

In the future, Army commanders will text orders to a dispersed and decentralized force who rarely see their superior officers, says the Army Research Institute for the Behavioral and Social Sciences.

Units will be isolated, command posts will be mobile, the planning process will be collaborative, but communicating intent will rely on electronic means, the institute states in a recently listed a notice on FedBizOpps.gov soliciting whitepapers. Leading via information technology represents a "fundamental change in the mode of communication between soldiers and their immediate leader," the notice adds. The deadline for responses is September 7.

A shift to remote command and control has structural implications for Army leadership, leading the institute to acknowledge that it needs more research about the implications.

"The primary goal of this research is to provide guidance to leaders on how to best manage emerging relationships, build trust and identification, clarify expectations, and motivate and inspire followers through electronic media," the announcement states.

"Leaders must understand how information technology is being used effectively (and ineffectively) in a military context, how to forestall potential problems associated with new technology, how technology can be used to facilitate leader influence, and what knowledge, skills, and abilities are needed to lead in a technology-mediated environment," it adds.

ARI's objectives for the research include:

An assessment of current frequency and function of technology-mediated communication among Army leaders and their subordinates;
identification of characteristics that are embodied by an effective technology-enabled leader;
development of best practices for e-leadership in a military context, and a description of the ease of implementation of said practices; and
development of recommendations for training military leaders who are attempting to influence from a distance via electronic communication.

For more:
- see this FedBizOpps.Gov post

InfoWeek finds disconnect between OMB and agencies; Mars rovers still going;

David Perera — Mon, 30 Aug 2010 08:13:57 -0400

> Colonel sent home from Afghanistan for criticizing PowerPoint use. Article
> Well duh--InfoWeek survey finds "significant disconnect between OMB's centralized IT policies and what's actually happening within agencies." Article
> DoD social media guru leaves department. Article
> Mars rovers still going. Article
> Old adults embracing social media. Survey overview and report (.pdf)

And Finally... More signs of the impending apocalypse: Deep fried beer. Article

DON EA version 2.0.000 now available

David Perera — Sun, 29 Aug 2010 22:26:19 -0400

The Department of Navy Enterprise Architecture version 2.0.000 is out! The new EA includes rules regarding open architecture, conditioned-based maintenance and emerging country code standards, according to the DON CIO. Unfortunately, a detailed description of applicability and usage of DON EA v2.0.000 content won't be available until "prior to Sept. 30, 2010." Enforcement of the new EA starts on Oct. 1, 2010.

Lynn: Cyber deterrence rests mostly on denial, not retaliation

David Perera — Sun, 29 Aug 2010 21:19:38 -0400

Deterrence in the cyber world will depend far less on retaliation than on denying enemies access to U.S. networks in the first place, says Defense Secretary William Lynn.

Lynn wrote a much-noted article that appeared online August 25 in Foreign Affairs discussing efforts the Defense Department is undertaking to counter increasingly sophisticated cyber attacks. While attention has generally focused on Lynn's account of an foreign intelligence network attack made through an infected USB drive, the deputy secretary also makes several policy points in the article.

The extent to which a cyber attack should provoke a retaliatory response has been a recent matter of debate within the strategic community. But given the difficulty of assigning attribution to cyber penetrations, and given the fact that what constitutes a cyber attack, as opposed to espionage, "deterrence will necessarily be based more on denying any benefit to attackers than on imposing costs through retaliation," Lynn wrote.

In a phone call with reporters, Lynn didn't exclude retaliation, but emphasized that "the mix in the cyber world is more heavily weighted to denial of benefit than retaliation."

Deterrence founded mostly of retaliation isn't the only Cold War concept that fails to make the cyber cut in Lynn's article. Because attribution difficulties make verification of compliance almost impossible, traditional arms control regimes would also likely fail to deter cyber attacks, Lynn wrote.

"If there are to be international norms of behavior in cyberspace, they may have to follow a different model, such as that of public health or law enforcement," he added.

However, the Cold War construct of shared warning among allies does apply to cyberspace, Lynn wrote. During his press availability, Lynn said he's recently traveled officially to the United Kingdom, Canada and Australia and will travel to NATO headquarters in the next month to foster cybersecurity cooperation.

Lynn's Foreign Affairs article also tackles the problem of acquiring information technology capabilities for the Defense Department. Few disagree that the current acquisition process as generally administered results in the department lagging in acquiring cutting edge private sector technology.

But the Pentagon is developing a new, specific acquisition track for IT, Lynn wrote. It will allow acquisition cycles of 12 to 36 months rather than seven to eight years, as often occurs now, he said.

In addition, the new acquisition track will allow for incremental development and for different levels of oversight, depending on the mission criticality of the technology in question. For it to work, however, the military "must be willing to sacrifice or defer some customization in order to achieve speedy incremental improvements," Lynn wrote.

For more:
- read Lynn's Foreign Affairs article (reg. req.)
- listen to Lynn's phone call press availability (.mp3)

Rand: Rate network dependability according to how humans, and not hardware, see it

David Perera — Sun, 29 Aug 2010 16:35:56 -0400

Incorporating user perceptions into a network dependability measurement framework results in a more accurate picture than when data comes only from traditional sources, says a new Rand research paper.

Rand produced the paper at the behest of the Navy's Program Executive Office for Command, Control, Communications, Computers and Intelligence (PEO C4I). As the military grows increasingly dependent on networks, their dependability is vital, the paper notes.

The study criticizes a measurement of network operational availability arrived at through dividing uptime by the amount of time a network is both working and not working. A simple binary concept of network availability misses times of partial functionality, such as when a network is congested or partially degraded.

What's more, human failures--as opposed in particular to hardware failures, which is a traditional source of data in network dependability measurement frameworks--count for more than half of failures in networked environments, the Rand study states, citing other studies.

Availability isn't, therefore, dependent just on whether the hardware or other network components are fully functional. Rather, it can be measured as percentage of successfully executed service requests made during a certain time period, the study states.

Directly modeling the availability of a service is easier said than done, it adds. It would require diagramming all the hardware and software, as well as human interaction.

As for measuring sailor perception, Rand recommends that the Navy come up with a standardized way for sailors to report availability or reliability-related issues, since otherwise that perception-based information is not easily accessible nor comparable across systems.

For More:
- download the Rand report, "Navy Network Dependability: Models, Metrics and Tools." (.pdf)

DOT pays out unjustified award fees on cost plus contracts, says IG

David Perera — Sun, 29 Aug 2010 14:26:54 -0400

The Transportation Department pays incentive fees to contractors without demonstrating that they deserve them, says an inspector general report.

The report, dated August 25 and based on an investigation conducted between June 2007 and May 2010, examines 24 cost plus award fee contracts from seven Transportation administrations, including the Federal Aviation Administration and the Federal Highway Administration. The contracts have a potential maximum value of more than $3 billion and about $170 million in available award fees. Under cost plus award contracts, vendors receive a percentage of a pre-determined incentive fee based on performance--a "fee" in this case being what the private sector calls "profit."

Cost plus award fees are slightly different than cost plus incentive fee contracts--in the latter, vendor profit can go up or down, in large measure based on an inverse relation to how close the final cost is to the estimated total cost.

While Transportation officials generally give contractors high ratings, paving the way for them to receive award fees dependent on performance, they generally do not demonstrate how contractors meet or exceed evaluation criteria, the report states. During one rating period, civil servants extended to contractors 91 percent of the $16.5 million available award fees, but didn't adequately justify why they had done so in cases amounting to $14 million of paid out award fees, the report states.

Extrapolating to all 41 cost plus award fee contracts Transportation officials had going as of Dec. 31, 2006, auditors assert that the department has paid approximately $140.6 million in award fees without proper justification. That assertion comes with a large caveat, however--auditors assign their number a confidence rating of 90 percent, meaning that the range of statistically possible values range from $75.5 million to $216.1 million.

Proper justification has been lacking in large measure because none of the examined contracts have clear and measurable criteria to evaluate contractor performance, auditors state. For example, the Federal Highway Administration's Adaptive Control Software contract calls for adjectival ratings such as "above standard," but performance monitors have differing individual interpretations on what that ratings language means.

Contract language in 13 of the 24 reviewed contracts also allows for vendors to be paid award fees even if they return below-average results, auditors state.

Because some Transportation administrations allow award fee payment for mere satisfactory payment, and some contracts also allow for a "base fee" contingent only on satisfactory performance, in many cases vendors are rewarded twice for the same satisfactory performance, the report asserts.

The audit also finds that duties in the award-fee process aren't properly separated, with some performance monitors also serving on the performance evaluation board. "In other words, performance monitors are reviewing their own rating," the report states.

In the department's official response to the audit, Linda Washington, assistant secretary for administration, says the report "overstates the issues," adding that Transportation disagrees with the report's assertion of $14 million in unjustified award fees and thus also auditor's extrapolation to $140.6 million. Had the department instead used cost plus fixed fee contracts in those cases, she adds, Transportation could have spent another $1.4 million more.

For more:
- download the audit report, ZA-2010-092
- download a Dec. 4, 2007 OMB memo on the "Appropriate Use of Incentive Contracts"

William Lynn wrote an article on cybersecurity; Navy lost control of drone that violated D.C. airspace;

David Perera — Thu, 26 Aug 2010 11:45:58 -0400

> One year at FCC: Where things stand. Special Report from FierceWireless
> Bedbugs infest Queens, N.Y. Social Security Administration. Article
> Sen. Carper predicts cybersecurity will become rider to defense authorization bill. Article
> German government proposes banning employees from checking Facebook when hiring. Article
> William Lynn wrote an article on cybersecurity, but nobody is talking about it.
> Navy lost control of drone that violated D.C. airspace, blames software. Article

And Finally... If "The Empire Strikes Back" were a silent movie. Video

State attorneys call for shut down of Craigslist adult services ads

David Perera — Thu, 26 Aug 2010 10:56:14 -0400

State attorneys are once again pressuring Craigslist over prostitution, requesting that the San Francisco-based company immediately take down the adult services section of its websites.

Spurred in part by a CNN report (YouTube) in which a child advocate dubbed the ubiquitous classified ad website "the Wal-Mart of child sex trafficking," the attorney generals of 17 states sent Craigslist an August 24 letter asking for "immediate action to end the misery for the women and children who may be exploited and victimized by these ads."

The letter also cites the case of two girls, who identified themselves only as MC and AK, who say they were trafficked for sex through Craigslist; the girls' open letter appeared earlier this month in ads taken out in The Washington Post and the San Francisco Chronicle.

Self-policing efforts by Craigslist have failed to reduce obvious ads for prostitution in the adult services section, the state attorneys state.

The online classified ad company wrote a blog post August 18 touting its manual review process of adult services ads, stating that more than 700,000 such ads have been rejected from May 2009 to May 2010. The company also wrote an earlier response to MC and AK, asking that "you or the advocacy groups who placed the ads please let us know where the police reports were filed?" and requesting that responses be sent to legal [at]craigslist.org.

"Craigslist is one of the few bright spots and success stories in the critical fight against trafficking and child exploitation," the blog post states.

State attorney pressure against Craigslist is nothing new. Connecticut Attorney General Richard Blumenthal, at the head of a 39-state coalition, subpoenaed the company in May for documents relating to "the craigslist brothel business " (as he put it).

At the time, Craigslist CEO Jim Buckmaster accused Blumenthal of "once again indulging in self-serving publicity at the expense of the truth and his constituents."

Political pressure had in 2009 succeeded in compelling Craigslist to take down its "erotic services" section and institute the manual review process of ads in the new adult services section. Nonetheless, a cursory look at Craigslist shows that pictures of scantily-clad women offering various types of relaxing massages are prevalent on the site.

The site also entered into an agreement in 2008 with the National Center for Missing and Exploited Children (NCMEC) and the attorneys general of 40 states to clamp down on illegal activity on the site.

The 17 attorneys general who signed the letter are from Arkansas, Connecticut, Idaho, Illinois, Iowa, Kansas, Maryland, Michigan, Missouri, Montana, New Hampshire, Ohio, Rhode Island, South Carolina, Tennessee, Texas, and Virginia.

For more:
- download the letter from 17 state attorneys (.pdf)
- watch the CNN report on prostitution on Craigslist

Spotlight: A look at Telecoms participating in Networx

Molly Bernhart Walker — Thu, 26 Aug 2010 10:34:17 -0400

The General Service Administration's massive Networx telecom contract offers considerably more services than FTS 2001, the current telecom contract offering which expires in June 2011. But while Networx might not immediately lead to a revolution in federal telecom, it has caused significant changes in the telecom industry.

"Under Networx Universal, participating service providers AT&T (NYSE: T), Qwest (NYSE: Q) and Verizon (NYSE: VZ) have to provide both legacy TDM and next-gen IP services that are currently on the FTS 2001 and Crossover contracts, while Networx Enterprise, which includes Level 3 (NASDAQ: LVLT), Sprint (NYSE: S), AT&T, Qwest and Verizon, is primarily focused on next-gen IP services," explains a recent special report from sister-publication, FierceTelecom. Read FierceTelecom's rising government communications stars

Fast, cheap and at the communications edge: The new Army software model

Molly Bernhart Walker — Thu, 26 Aug 2010 09:41:19 -0400

Mobile applications and devices will become increasingly critical to meeting the needs of warfighters who are producing and consuming information in combat zones, said an official from the Army Communications-Electronics Research, Development and Engineering Center (CERDEC).

A first step toward realizing an apps model is making situational awarenes systems used at the edge of connectivity, such as Command Post of the Future (CPOF) and Battle Command, more customizable, said Michael Anthony, chief of Advanced Applications Branch at CERDEC, during a blogger roundtable on August 25.

CPOF now allows third parties to create enhancements through a software developer's kit, Anthony said. Any developer can follow Project Management Battle Command's process to add new capabilities into CPOF much more quickly than with traditional acquisition, he added.

"Today's warfighters are facing an ever-changing, ever-adapting, ever-evolving enemy. And we need to be able to adapt if not as fast, or faster than the enemy. And to put it bluntly, our traditional process, the DOD 5000 process, does not necessarily enable this, at least for software," said Anthony.

"So we believe by allowing or decentralizing some of this ability to create solutions to meet the immediate needs of warfighters, and then creating an environment to share that across the organization, we'll realize a greater return on taxpayer dollar. So not only will we be able to meet our servicemen and women's immediate needs, we'll also be able to achieve this in a total cost of ownership--at a lower total cost of ownership," said Anthony.

When the Defense Advanced Research Projects Agency developed and deployed the Tactical Ground Reporting system (TIGR), an edge-enabled system, it did not follow the traditional DoD 5000 model, explained Anthony. It was "put in front of soldiers in a very fast, iterative process in theater, enhanced based on direct warfighter feedback."

"The DoD 5000, you know, is an incredible model when you're building a major system, a plane, a tank, a battleship" said Anthony. He said that, although the process takes time, it also covers important bases in security and accreditation.

"I'm not sure if it warrants a significant change to the policy or some sort of additional guidance," said Anthony. "Some of the PMs are leaning forward to, you know, not only enhance this but see how this type of process can work within their own system or program of record."

This focus on providing access to edge-enabled systems builds upon Army CIO and G6, Lt. Gen. Jeffrey Sorenson's interest in creating an app-enabled Army. On August 10, Sorenson said an acquisition decision memorandum that would define mobile application specs for operating environment, standardize configuration and cybersecurity architecture would be released by the end of August.

Anthony said an ADM along those lines has not been released yet, but the Army is actively pursuing that model and putting together the accreditation process. "I think the programs of record are all working aggressively to ensure that they can leverage, exploit and harvest some of the innovation that we believe the Army's going to--or at least this technology will--enable the Army to spread across the enterprise," said Anthony.

For more:
- listen to the DoDLive roundtable

Lack of technical data hampers competition at DoD, says GAO

David Perera — Thu, 26 Aug 2010 09:34:49 -0400

Lack of access to technical data is a major barrier to competition at the Defense Department, concludes a Government Accountability Office report.

In nearly 60 percent of 47 noncompetitive Defense contracts examined by the GAO, the department was essentially stuck with a certain contractor since it lacked technical data behind the goods and services it has been purchasing.

It's a situation that contractors haven't been entirely loathe to part with. In one case, a contractor informed an Air Force missile program that it would cost $30,000 merely to put together a cost estimate for its technical data package, the GAO report states. The contractor later said it would part with the technical data for $31 million, but wouldn't sell the rights to critical software, which was proprietary to the contractor.

In another case, a contractor with a $4.8 billion sustainment and support contract told the Air Force that purchasing the data rights would cost the service more than $1.3 billion.

The situation the government finds itself in is a result of decisions made years, if not decades ago, when cost pressures pushed the military not to buy the technical data packages at the onset of a weapons system acquisition. Some of the procurement officials interviewed by GAO auditors also blame a lack of access to technical data to acquisition procedures for commercial items. Procurement officials told the GAO the government "lacks leverage" in commercial acquisitions.

The Defense Department and other government agencies use commercial item acquisition in an attempt to avoid the many other problems that come with procuring custom-made goods, such as high costs and lack of innovation.

In any case, even when technical data is not an issue, the military may have little choice but to rely on the contractors that were the original equipment manufacturers of a weapons system, the GAO report states.

For example, the Army awarded a noncompetitive engineering contract for its Hellfire missile program despite the fact that a technical data package has been developed. But, the vendor in question has worked on the program since 1994, and so has unique expertise with the missile.

For more:
- download the report, GAO-10-833 (.pdf)

NASA past performance ratings higher for cost plus contracts than fixed price

David Perera — Wed, 25 Aug 2010 23:00:31 -0400

The more a company has a contractually risky relationship with NASA, the more likely it is that the agency will rate that contractor well during past performance evaluations, according to new research from INPUT, a Reston, Va.-based intelligence and analysis firm.

INPUT obtained information on NASA past performance evaluations through Freedom of Information Act requests, releasing a proprietary August 16 report supplied by the firm to FierceGovernmentIT.

Two months following every anniversary of a contract worth more than $100,000, NASA must evaluate its contractors on a 5-point scale based on attributes including quality, timeliness, price or control of costs, and other considerations.

Cost plus award fee contracts--the most common type of NASA contract, accounting for nearly 67 percent of all contractor spending, according to INPUT--earn on average a rating of 4.64, the report states.

Cost plus incentive fee contracts--the second most common contract at NASA, accounting for about 9 percent of contractual spending--earn on average a rating of 4.59, INPUT states.

Firm fixed price contracts--nearly 8 percent of contractor spending--merit on average a 4.32, a rating that's almost 7 percent lower than the cost plus award fee average.

The vast majority of contractors--94 percent, in all--receive a score of 3 or above in past performance evaluations, according to INPUT. Most NASA centers tend to rate their contractors similarly, with average scores ranging from 4.55 to 3.91. That low score comes from the Glenn Research Center in Cleveland, Ohio, the top score from the Dryden Flight Research Center located inside Edward Air Force Base, northwest of Los Angeles.

The Obama administration has criticized agency use of cost reimbursement contracts--calling them, in a memo issued March 4, 2009, potentially "wasteful, inefficient, subject to misuse, or otherwise not well designed to serve the needs of the Federal Government or the interests of the American taxpayer."

The memo, signed by President Obama, directs agencies to utilize cost-reimbursement contracts only when circumstances don't allow the agency to define its requirements sufficiently to allow for a fixed-price type contract.

Despite top-down pressure on agencies not to use cost reimbursement contracts, they nonetheless remain popular in no small part because they allow agencies to skirt around funding uncertainties caused when Congress fails to approve annual spending bills by the start of the federal fiscal year. Under those conditions, it's far easier to start work with a cost reimbursement contract to which money can be added incrementally, than with a fixed price contract

Most CBP agents not trained in how to conduct border laptop searches

David Perera — Wed, 25 Aug 2010 21:45:03 -0400

Most Customs and Border Patrol agents at ports of entry receive training on their legal authority to search border crossers' laptops, but not in how to actually conduct an electronic search, according to an August 20 Homeland Security Department assessment.

DHS has claimed the authority to search electronic devices carried in and out of the country since the Bush administration. In August 2009, DHS issued revised directives on the search power of CBP and Immigration and Customs Enforcement agents. Both CBP and ICE still retain the ability to search electronic devices "with or without individualized suspicion" and to copy the data that resides on them.

A department privacy impact assessment prepared at the time cites the 1977 Supreme Court ruling of U.S. v. Flores-Montano, which holds that "presenting one's self at the U.S. border seeking to enter has been equated with consent to be searched," the impact statement says.

Since the release of new computer-based course in November 2009, approximately 95 percent of CBP field agents have gone through training on border crossing searches of electronic devices, the new assessment states.

However, "the course does not directly address how an electronic device should be searched," it adds.

Rather, CBP officials are told of the legal authorities that support the border searches, the time frames for holding on to an electronic device (five days unless "extenuating circumstances" exist), when CBP can seek assistance from other agencies and also in the handling and review of business confidential information, attorney-client information, medical information, and work-related information (claims of privileged material require CBP to consult with a federal attorney, according to the privacy impact assessment). The training also informs agents of their reporting requirements.

Missing from the course is the "operational step that occurs before information is discovered--the actual search of the device," the assessment adds.

CBP has developed another course on "triage of electronic devices at the border," made mostly available to senior agents, the assessment says. That course does train officials in the "requisite knowledge to adequately search" an electronic device, and the fact of the triage course's limited availability should not necessarily be taken as proof that the CBP is underprepared, according to the assessment.

Nonetheless, the assessment recommends that CBP plan within a year to have an implementation plan for wider distribution of the triage course.

For more:
- download the DHS assessment on CBP training for the search of electronic devices (.pdf)
- see an August 27, 2009 announcement of new directives for CBP and ICE on border searches, or go directly to the current CBP directive (.pdf) or the ICE directive (.pdf)
- download the DHS privacy impact assessment on border searches of electronic devices (.pdf)

Wikileaks says it will release CIA document; GSA finalizing FedRamp requirements;

David Perera — Wed, 25 Aug 2010 11:00:40 -0400

> Judge issues injunction against federally financed stem cell research. Article
> Laptop containing unencrypted health information stolen from Yale Medical School. Article
> Wikileaks says it will release CIA document. Article
> GSA finalizing FedRamp requirements. Article
> Court of Appeals strikes down two FCC spectrum auctions. Article

And Finally... Video shot from the perspective of a Space Shuttle solid rocket booster during ascent and descent. Wow!

Obama excuses state governors from background checks to see classified info

David Perera — Wed, 25 Aug 2010 10:44:59 -0400

State governors no longer have to undergo a background investigation to receive classified intelligence information under an executive order signed August 18 by President Obama.

Instead, they're required now to only sign a non-disclosure agreement and stay away from "disqualifying conduct," states executive order number 13549.

In addition, the order establishes a program for sharing intelligence information up to a classified level of "secret" with state and local governments, as well as private sector entities. Involvement in the program requires federal agency sponsorship, and participants may see more highly classified material on only a case by case basis, the order states.

In any case, state, local and tribal officials can only physically possess information up to a secret level so long as they are outside of a location fully managed by the Homeland Security Department or other federal agency, the executive order says.

Information sharing among federal and more local levels of government--and the private sector--has long been viewed as a weakness of national security efforts.

A recent survey by the Government Accountability Office of private sector cybersecurity officials found that 87 percent of surveyed private-sector representatives greatly or moderately expected access to classified or sensitive information, but only 16 percent say they received it.

DHS's efforts to share even just sensitive but unclassified information haven't gained much traction, according to some reports. A June 21 GAO report on the security of intermodal transportation facilities found that 11 of 17 mass transit and passenger rail systems officials who discussed the DHS portal for such information, the Homeland Security Information Network, did not use it for guidance on available security technologies when considering security technology investments.

An October 2008 DHS inspector general report found that the department "has not defined and communicated its homeland security information sharing process to HSIN stakeholders."

For more:
- read executive order 13549
- download the GAO survey of private sector cybersecurity officials' expectations, GAO-10-628 (.pdf)
- download the June 21 GAO report on intermodal transportation security, 10-435R (.pdf)
- go to the October 2008 DHS OIG report on HISN, OIG-09-07 (.pdf)

OMB targets 26 IT projects for critical assessment

Molly Bernhart Walker — Wed, 25 Aug 2010 10:20:02 -0400

The Office of Management and Budget released a list August 23 of 26 "high-priority" IT projects across federal agencies that are at-risk for termination or serious modification if significant changes are not made to turn the projects around. Many of the targeted projects are either over-budget or running behind schedule, OMB says.

The list of projects was formulated after 16 days of meetings between Federal Chief Information Office Vivek Kundra and agency CIOs, Kundra said while speaking to reporters the day OMB released the list. Fifteen departments are affected by the project crackdown. The projects are an average of five years old and range from a low life-cycle cost of $64 million to a high life-cycle cost of $7.5 billion.

"The focus here is to make sure that these projects are turned around and if these projects can't be turned around, if they don't add value, we will take the appropriate actions. They may be discontinued," said Kundra.

Kundra announced that one project at the Office of Personnel Management has already being "essentially halted."

"It slowed down in terms of spending as we go out there and make sure that it's properly scoped through fiscal year 2012," Kundra said. It is unclear from Kundra's remarks whether or not other projects have been temporarily suspended as further assessment is conducted.

Matthew Perry, the OPM CIO, said during the press call that the project has been underway for 23 years and is at a life-cycle cost of $136 million. He said the agency is putting together it's implementation plan and will be taking action to improve the project because it is important for federal employees that the project continues.

As for the private entities supporting some of these projects, "companies also need more information about how and why these projects were selected--they can only help correct problems they understand," said Phil Bond, president and CEO of TechAmerica, a technology industry group. "There certainly are concerns in many quarters about what data went into the development of this list, how that data was analyzed and how it was presented."

During the press call on at-risk programs, Kundra explained that the decisions on which programs to target were based partially on the IT dashboard--a tool that several groups, including Government Accountability Office have criticized for its accuracy.

"I've talked about it and we've said multiple times that there are challenges in terms of the data sometimes that's presented on the IT dashboard. And agencies over the last one year have been working very, very hard to fundamentally reengineer their back-end processes to make sure that the data on the IT dashboard is accurate as possible," said Kundra.

"The IT dashboard is an evolutionary process. And we're going to iterate and improve data quality over time," he added.

Kundra said the decisions were also based on conversations in meetings held from August 2 to August 18 with 27 CIO-council agencies. Meeting attendees included agency CIOs, program managers, others working on specific projects. The data discussed in the meetings included past GAO reports and IG reports, in addition to Dashboard data.

"These projects were not selected just based on the IT dashboard. That was one of the data points," he said.

"What we want to make sure is that we're being surgical in our approach to make sure that these projects deliver faster and that this project actually creates value for the American people as we focus on execution," he added.

For more:
- see the list of 26 at-risk IT projects
- listen to the press call and read the transcript
- see the TechAmerica statement