Government IT News

Spotlight: Gov.uk opens APIs

Molly Bernhart Walker — Wed, 08 Feb 2012 13:09:29 -0500

The application programming interfaces, or APIs, that form the "bedrock on which Gov.uk is built," are now available to the public, according to a Feb. 7 blog post from the U.K. Government Digital Service. The United Kingdom's consolidated government website, which went live Jan. 31, is built on APIs that pull information from back-end content management tools into the applications that populate the pages on the site.

"As with everything we've made, our APIs are subject to iteration and very much in beta," wrote James Stewart, technical architect at GDS. He added that APIs provide a "reasonable way to get at the content," but that API content and formats could still change, which would impact developers who plan to use the APIs immediately. Blog post

Interior rebids cloud email contract; Crypto crack makes satellite phones vulnerable;

David Perera — Wed, 08 Feb 2012 13:05:36 -0500

> Interior rebids cloud email contract. Article (Nextgov)
> Agencies piloting IT fraud prevention tool. Article (FCW)
> Volunteers of the Internet: ICANN wants you. Article (National Journal)
> DoD OIG takes over classification oversight. Article (Secrecy News)
> Crypto crack makes satellite phones vulnerable. Article (ars technica)

And Finally... BBC tracks down a Facebook troll. Embedded video

NIST instructs agencies on cyber-incident response

Molly Bernhart Walker — Wed, 08 Feb 2012 12:39:33 -0500

New cybersecurity guidance urges federal agencies to have formal incident response plans in place in preparation for the inevitable network or application intrusion. The guidance comes from a draft second revision of the National Institute of Standards and Technology "Computer Security Incident Handling Guide," or SP 800-61 (.pdf). NIST published the first version in March 2008.

Of course, prevention through the use of continuous monitoring is important--especially because threats grew stealthier since the last SP 800-61 revision, write authors.

"Continually monitoring threats through intrusion detection and prevention systems (IDPSs) and other mechanisms is essential," says NIST.

However, incidents will and do happen, and when they do a rapid response will minimize damage.

In the publication, NIST reminds agencies that the Federal Information Security Management Act requires they designate primary and secondary points of contact with the Homeland Security Department's computer emergency readiness team, or US-CERT.

Agencies should have a policy and plan for reporting to US-CERT; procedures for incident handling and reporting; guidelines for communicating with outside parties on incidents; a reporting staff model with clearly designated internal and external relationships; specific services the incident response team is prepared to provide; and appropriate training in place.

All guidelines for interacting with US-CERT or other organizations following an incident should also be thoroughly documented, recommends NIST--this includes guidance for prioritizing incidents and lessons learned on past incidents. And agencies should be prepared for a broad array of incidents, as well as the most common incidents, such as attacks executed through attachments in email messages or thumb drive-based viruses.

NIST will accept comments on the latest revision via email through March 16, 2012.

For more:
- download NIST SP 800-61 Revision 2 (Draft) (.pdf)

SEC lacks in configuration management, says OIG

David Perera — Wed, 08 Feb 2012 12:35:25 -0500

The Securities and Exchange Commission hasn't kept its cybersecurity documentation up to date, resulting in it not conducting baseline control configuration scans and not meeting other requirements of the Federal Information Security Management Act, says the SEC office of inspector general.

In a redacted report dated Feb. 2, the SEC OIG, basing its findings on an assessment conducted by Phoenix, Ariz.-based Networking Institute of Technology, says the agency does have a continuous monitoring program that assesses the security state of information system, including vulnerability scanning, patch management, and ongoing assessment of security controls.

But it lacks an updated specification for the controls that should be placed on its systems in the first place and hasn't scanned to see that even the outdated specifications have been configured correctly, the OIG report says.

The agency's standard baseline configuration of absolute minimum controls is at least 3 years old, the report adds, meaning it hasn't incorporated revisions in the governmentwide control catalog, a special publication published by the National Institute of Standards and Technology known as SP 800-53. (NIST is also preparing to release yet another revision to SP 800-53 later this month.)

Auditors also chastise the agency for mistakenly believing that it need not tailor baseline controls set for low- moderate- and high- risk systems as set in SP 800-53. While agencies typically do align actual controls closely to low-, moderate- and high-risk control buckets as articulated in SP 800-53, under FISMA agencies are also supposed to review those generic sets of controls for effectiveness within their own information technology environments.

SEC's "use of a generic controls set based only on security categorization without additional tailoring may result in its understating or overstating the security requirements for systems," the report notes.

For more:
- download the report, no. 501 (.pdf)

Kendall: Cyber acquisition is unique

Molly Bernhart Walker — Wed, 08 Feb 2012 11:20:37 -0500

The Defense Department is drafting a plan it will soon present to Congress to more effectively acquire cyber defense capabilities, according to Frank Kendall, acting under secretary of defense for acquisition, technology and logistics.

"What we're going to try to put in place is a way to respect the fact that cyber has to move at a much faster pace than anything else we do," said Kendall Feb. 6, during a Center for Strategic and International Studies event in Washington, D.C.

"We have to react instantaneously to many of the threats, we can't sit around and wait for a [Defense Acquisition Board] or a [Joint Requirements Oversight Council] for these things," he added. "We have to take it outside the conventional system for the major, long term weapons systems."

By "cyber," Kendall said he means information technology used specifically for defending the networks, some IT used for intelligence gathering and "the things that we might buy to attack other people."

In crafting an acquisition strategy that deviates from traditional DoD procurement, it's important that cyber programs are still reviewed within the bigger picture, he said. Cyber programs would typically not be so expensive that they reach same level of review as a major defense acquisition program, said Kendall, "but they're terribly important."

These smaller, but critical cyber programs should be reviewed thoroughly, just as long-term, large-scale defense expenses would be, he said. The department is well aware of the threats and while much is being done to address cyber on a granular level, Kendall said the department level needs "to get a better handle on exactly what we're getting for our money and exactly what our posture is."

"We really want to understand where we are," said Kendall. "We want to know what our defense levels are, what our abilities are to attack,...what kind of gaps we have...and what our investments are giving us."

For more:
- see archived video from the event

NIST calls for two-tier NSTIC governance body

David Perera — Wed, 08 Feb 2012 10:46:33 -0500

A government effort to establish a national online identity ecosystem should be led by a new, self-sustaining and privately-led steering group, says a new set of governance recommendations (.pdf) released Feb. 7 by the National Strategy for Trusted Identities in Cyberspace program office.

NSTIC seeks to create a new web-based identity and attribute authentication methodology through the private sector, which would offer services such as identity certificates or attribute verification. The program office, a part of the National Institute of Standards and Technology, released Feb. 1 a solicitation for pilot projects.

In the new governance recommendations, the NSTIC program office calls for a two-tier steering group governance structure: A plenary containing working groups and committees, and a management council to provide strategic guidance.

The steering group should be self-sustaining after an initial period of government support, the recommendations state, without specifying a method for doing so. Possibilities to be considered include transaction fees assessed on identity ecosystem transactions, fees assessed on organizations participating in the ecosystem (e.g., identity providers, relying partners, etc.), or a steering group membership fee, the recommendations add. There should be no correlation between the amount any organization pays in fees and its standing in the steering group, the recommendations state.

Membership of the steering group would be open to organizations and individuals with an interest in development of the identity ecosystem, the recommendation says, including international participants. NSTIC "has to be interoperable worldwide," said White House cyber czar Howard Schmidt speaking Jan. 31 at an event put on by the Center for Strategic and International Studies in Washington, D.C.

For more:
- download the NSTIC governance recommendations (.pdf)

FedRAMP CONOPS calls for big DHS role

David Perera — Wed, 08 Feb 2012 07:17:24 -0500

A concept of operations for the FedRAMP governmentwide assessment and authorization of low- and moderate-impact cloud services released Feb. 7 by the program office shows that the Homeland Security Department will have an active role in continuous monitoring and incident response.

The document (.pdf) assigns DHS multiple responsibilities, including real-time monitoring of security posture reports from cloud service providers. Federal officials say any provider of multi-tenant cloud computing at the low and moderate risk level must go through the FedRAMP process, which grants providers a provisional authorization valid at any federal agency. Provisional authorization doesn't substitute the need for a local agency official to sign an authorization to operate on the local network, but it should significantly speed up the process since agencies won't have to reassess provider compliance with baseline security controls, federal officials say.

To ensure ongoing compliance with the baseline, cloud service providers will have to provide agencies with automated security posture data feeds, which must share them with DHS, the concept of operations states.

In addition, DHS, in the form of US-CERT, will have an active role in incident response, the document adds, working with the FedRAMP program office on matters including root cause analysis and recommending remedial actions.

The concept of operations also explains somewhat more what constitutes a "significant change" that could potentially affect a cloud service provider's provisional authorization. Significant changes don't include routine changes covered by a configuration management plan, but rather changes that affect "the scope of an approved provisional authorization or impact the authorization boundary."

Examples include changes to applications that reside on the cloud system, changes to cloud infrastructure, to the risk posture, or in the point of contact to the FedRAMP program office.

For more:
- download the FedRAMP CONOPS, v 1.0 (.pdf)

Air Force shopping for 18,000 iPads; Agencies still struggle with telework;

Molly Bernhart Walker — Mon, 06 Feb 2012 13:16:37 -0500

> Air Force shopping for 18,000 iPads. Article (NextGov)
> Former CIO at ICE moves to DOJ. Article (FCW)
> NSA pilots smartphones. Article (InfoWeek)
> Agencies still struggle with telework. Article (FedNewsRadio)
> FDA lawsuit raises questions about federal employee email monitoring. Article (Federal Times)
> Aneesh Chopra on his innovation agenda. Article (TheAtlantic)

And Finally... The Best and Worst Super Bowl Ads. Article (Slate)

U.K. website consolidation, open gov efforts move forward

Molly Bernhart Walker — Mon, 06 Feb 2012 12:33:16 -0500

The United Kingdom launched Jan. 31 a new site called Gov.uk, which serves as the single, citizen-facing government website for all British-government information, according to an announcement from Tom Loosemore, project director of BBC 2.0. The site is still considered "beta," as further expansion and functionality is expected in the next two months. Gov.uk's development drew from comments and testing in the now-shuttered website protoype, known as alpha.gov.uk.

In the next few weeks, Loosemore expects a private beta test of a shared Gov.uk "corporate" publishing platform, which will replace much of agencies' activities in siloed content management systems. And by the end of March, the Government Digital Service will release the first draft of a "global experience language"--a guide for keeping a consistent design and user-experience as agencies develop sites within the Gov.uk domain, says the blog post.

The American federal web reform effort is watching developments in the United Kingdom closely, said Federal Chief Information Officer Steven VanRoekel earlier this year. Business.USA.gov, a new website now under development, aims to consolidate business-centric information from across government in a single place. VanRoekel said the U.K. government's move to consolidate all federal websites down to two domains--a business interface and a consumer interface--is "actually a pretty good model on the whole...I want to learn from and see how it works out and we're talking to the British government about analytics."

Gov.uk was built around 667 actions, or "needs people have of Government," but the blog post notes there are more needs to be addressed. The site is optimized for search, rather than browsing, notes Loosemore, who says browsing by section also still needs work. In creating the site, the Government Digital Service built a scalable, modular open source platform to support needs across many government departments.

Helping citizens find information more easily through Gov.uk is just one piece of the United Kingdom's broader open government efforts. The government is opening more data around health outcomes, education, transportation, criminal justice, and central and local government spending, said Francis Maude, the U.K. minister for the Cabinet Office, while speaking Jan. 30 at a World Bank event in Washington, D.C.

"There's nothing soft, or fluffy, or cozy about transparency. It's hard and it's difficult. And it makes life difficult for those who govern, but it makes life better for those who are governed," said Maude.

One major initiative underway is a program called Midata, which aims to give British consumers access to the personal data companies collect on them in an electronic format. Personal information empowers the individual, said Maude.

"Our ambition is to transform high-tech consumer information markets, through the provision of online citizen access to personal data including medical records online," he said.

Opening data does present challenges, however, in that some data is not accurate or easy to use. Maude said its important to keep in mind that speed trumps accuracy.

"Get the data out there, let people and organizations scrutinize it, examine it, interrogate it, and if it isn't high quality to being with--and a lot of it isn't--it will pretty soon improve," said Maude.

In April, the United Kingdom will take over as co-chair of the Open Government Partnership and Maude said he hopes his government can share important lessons learned from its experience with open government.

For more:
- see the Government Digital Service blog post
- download archived video from the World Bank event

NASA looks for small satellite swarming technology

David Perera — Mon, 06 Feb 2012 11:53:18 -0500

As small satellites that weigh less than 400 pounds proliferate, NASA says it sees potential and challenges in operating them together as a coordinated constellation.

To that end, NASA says it's willing to fund "Edison SmallSat" projects worth up to $15 million that demonstrate key technologies such as command and control communications between small satellites. Also of interest are propulsion technologies--specifically utilizing high performance, low-toxicity propellants such as electrical propulsion, solar sail or tethers--and a combination of control systems, sensors and software permitting small satellites to work in close proximity, even physically joining other spacecraft.

The propulsion technology demonstration is restricted to CubeSats, the one liter square-shaped nanosatellites developed for research.

NASA announced the funding opportunity in a broad agency announcement dated Feb. 2, with initial proposal summaries due by March 4.

The demonstration satellites will launch as secondary or hosted payloads with other spacecraft missions, but the BAA says they could be launched as primary payloads on very small launch vehicles, "if and when these launch vehicles come into existence."

The notion of small satellites flung into space with small rockets has been a long-standing dream of the space community, particularly the military, which hopes to develop a tactical response capability it dubs "operationally responsive space."

For more:
- go to a NASA webpage with links to the BAA
- download the BAA directly (.pdf)

FEMA focuses on speed, not perfection in using social media

Molly Bernhart Walker — Mon, 06 Feb 2012 09:46:13 -0500

The Federal Emergency Management Agency is using information gathered from social media monitoring when deciding how to respond to a disaster. While official assessments are more thorough, speed is more important than precision, said FEMA Administrator Craig Fugate at a Feb. 3 event hosted by the State Department called Tech@State.

"Disasters are like horseshoes, hand grenades and thermo nuclear devices; you just have to be close," said Fugate. "You won't get that time back...speed in response is the most perishable commodity in a disaster."

Recovery following Hurricane Katrina failed because FEMA spent the first 12 to 24 hours of the disaster getting teams into the area to make an assessment and send information back to headquarters, said Fugate. That means within 12 to 24 hours people with survivable injuries were worsening and nothing was actually accomplished.

When tornadoes ripped through Joplin, Mo. in May 2011, FEMA had enough information--although imperfect--from Twitter and Facebook to suggest that the situation was dire, said Fugate.

"The 'official' part is overplayed," said Fugate. "If you want to make social media real you have to see [the public] as a resource rather than a liability."

Despite FEMA's increasing reliance on social media in disaster response, Fugate said he is not "a big advocate of technology." Rather, technology is "just another tool," he said.

"I'm in the business of trying to changed outcomes. Disasters happen, I can't stop them," said Fugate. "No tweet stops bleeding...unless something has actually changed, it's just information."

OMB Shared First should include open source, says group

David Perera — Mon, 06 Feb 2012 06:25:31 -0500

Open source advocates urge the Office of Management and Budget to expand its Shared First strategy to include open source software development in a Feb. 2 comment posted online.

OMB released Dec. 8 a draft strategy calling on agencies to develop a plan to shift at minimum two commodity IT areas "to a shared environment" by Dec. 31, 2012. The agency says it will have a final strategy developed by April to guide agencies toward the common utilization of commodity and support IT at the intra- and inter- agency level, "culminating with improvement in mission IT."

"There is no explicit mention of open source in the plan at this time, we believe that there should be," says the comment form Open Source For America, a group consisting of open source companies and supporters promoting open source adoption within the federal government.

Were the shared first mandate to extend toward the sharing of development resources as federal agencies work toward sharing mission software, the degree of application customization necessary from one agency to the next could be reduced were agencies to develop software under open source licenses, the comment asserts. Open source also has a solution for the discoverability of potential shared services through online websites like sourceforge.net and github.net, the comment states.

"Open source excels at the Shared First design goals, including visibility, commoditization, reusability, extensibility, and standardization," the comment says.

For more:
- go to the OSFA shared first comment

Trojan masquerading as Windows updater targets defense contractors

David Perera — Sun, 05 Feb 2012 23:19:34 -0500

Security researchers say they've uncovered a remote access Trojan masquerading as a Microsoft (NASDAQ: MSFT) operating system updater targeting U.S. and foreign defense, aero- and geo- space contractors.

In a joint paper published Jan. 31, security firms Zscaler and Seculert say they both observed in 2010 Internet traffic to a malicious command and control servers trying to appear as though it were related to Microsoft's Windows Update.

In the paper, they dub the Trojan the "MSUpdater," adding that its spread has been aided by phishing emails with infected .pdf attachment that take advantage of zero day exploits in Adobe Reader. Infected emails have been sent since at least spring 2009, according to data in the paper.

Its operators have favored conference-related subjects as phishing lure. For example, one message used an attachment related to the International Conference on Intelligence Sensors, Sensors Networks and Information Processing. Other malicious attachments reference the IEEE Aerospace Conference and the International Conference and Communications System Software and Middleware.

The Trojan is virtual machine aware, meaning that it is coded to detect whether it is running in a virtualized environment. That makes its detection difficult, since malware analysis is typically done on virtual machines. Once downloaded onto a machine, using the file name msupdater.exe, the Trojan will run in the computer's memory as a common process, often svchost.exe, the paper says.

In a blog post, Zscaler researchers say the combination of the Trojan file name and the HTTP paths used to reach the command and control server (often something like /microsoftupdate/getupdate/default.aspx) combine to keep the infection under the radar.

For more:
- download the paper, "The'MSUpdater' Trojan and Ongoing Targeted Attacks" (.pdf)
- go to the Zscaler blog post
- go to a Seculert blog post about the Trojan

FAA reauthorization would create NextGen czar UPDATED

David Perera — Thu, 02 Feb 2012 13:06:54 -0500

A four year, $63.6 billion Federal Aviation Administration authorization bill agreed to by a conference committee of House and Senate lawmakers would require creation of a Chief NextGen Officer. The bill would also authorize the agency to spend nearly $16 billion annually on the air traffic control modernization effort.

Already being dubbed the "NextGen czar," the officer will report to the FAA administrator, should Congress approve the bill and the president sign it. The bill is likely to gain approval on both fronts and could pass Congress as early as Feb. 3. The bill would end a series of short-term authorizations the agency has operated under since 2008. During a month-long period in mid-2011, the agency underwent a partial shutdown after Congress failed to approve another temporary extension.

The authorization bill also affirms the agency's decision to require ADS-B Out avionics on board most airplanes by 2020, and doesn't make the deadline 2015 as previous authorization had required. Language from an earlier version of the authorization bill making ADS-B In mandatory also is not included in the final, conference version. ADS-B is the backbone of NextGen, which seeks to largely replace radars with Global Positioning System-derived data for tracking aircraft positions.

The bill also requires the Transportation secretary to accelerate the integrating of unmanned aerial vehicles into national airspace by producing a plan within 270 days of the bill's passage into law. The plan would be incorporated into the NextGen implementation plan.

UPDATED Feb. 2, 3:00 p.m.: NextGen authorization figures added to story.

For more:
- download the FAA authorization conference bill (.pdf)
- download the conference committee's joint explanatory statement (.pdf)

FBI calls cyber attacks a top terror threat; HASC Chairman: Kill BRAC;

Molly Bernhart Walker — Thu, 02 Feb 2012 12:34:45 -0500

> HASC Chairman: Kill BRAC. Article (DoD Buzz)
> $638M contract to deliver Navy ships with common computing network. Article (NextGov)
> White House pushes Congress to fast track reorganization authority. Article (Federal Times)
> FBI calls cyber attacks a top terror threat. Article (InfoWeek)
> MyTSA mobile app expanding. Article (FedScoop)

And Finally... Inside the offices of LEGO. Article (Dezeen)