GovWin
 
 
FY 2015 President’s Budget Request – A First Take

The White House released its much-anticipated FY 2015 Budget request yesterday, a month past its legal and historical due date. Several of my fellow GovWin Federal Industry Analysis (FIA) colleagues and I dug right into reading the budget so that we could provide you with our first impressions of what we found noteworthy.

Like any presidential budget, the FY 2015 President’s Budget Request provides a blueprint for the administration’s policy and legislative agenda for the coming fiscal year and beyond. We reviewed the largest federal departments’ discretionary and information technology (IT) budgets to get a sense of direction and priorities for FY 2015, which begins October 1, 2014. Below is a summary table followed by key funding details and initiatives arranged by department.

 

Defense

DoD’s budget request is down this year as FY 2015 discretionary funding of $495.6B represents a 0.8% decrease from the FY 2014 enacted budget of $496B.

Funding highlights include:

  • $120.3B for the Army (a decrease of $1.3B from the FY 2014 enacted level)
  • $147.6B for the Navy (an increase of $300M from the FY 2014 enacted level)
  • $137.7B for the Air Force (an increase of $3B from the FY 2014 enacted level)
  • $89.8B for Defense-Wide operations (a decrease of $2.5B from the FY 2014 enacted level)
  • $199B for DoD operations and maintenance funding (an increase of $6B from the FY 2014 enacted level)
  • $90.3B for DoD procurement funding (a decrease of $2B from the FY 2014 enacted level)
  • $63.5B in DoD RDT&E funding (a decrease of $700M from the FY 2014 enacted level)

Provisions of Interest

  • $128M for military infrastructure in Guam, $51M of which is to establish facilities for Marine Air-Ground Task Forces throughout the region
  • $47.4B for the DoD Unified Medical Budget
  • $2.9B for the Defense Advanced Research Projects Agency
  • $11.5B for basic and applied research and advanced technology development

Agriculture

The USDA’s budget request is down this year as FY 2015 discretionary funding of $23B represents a 4% decrease from the FY 2014 enacted level of $24B.

Funding highlights include:

  • $7.2B for the Food and Nutrition Service (an increase of $124M from the FY 2014 enacted level)
  • $4.8B for the Forest Service (a decrease of $700M from the FY 2014 enacted level)
  • $2.4B for Rural Development (a decrease of $400M from the FY 2014 enacted level)
  • $1.8B for the Foreign Agricultural Service (same as the FY 2014 enacted level)
  • $1.5B for the Farm Service Agency (a decrease of $100M from the FY 2014 enacted level)
  • $1.1B for the Agricultural Research Service (same as the FY 2014 enacted level)
  • $1B for the Food Safety and Inspection Service (same as the FY 2014 enacted level)
  • $837M for the Animal and Plant Health Inspection Service (a decrease of $8M from the FY 2014 enacted level)
  • $815M for the Natural Resources Conservation Service (a decrease of $14M from the FY 2014 enacted level)

Provisions of Interest

  • The Opportunity, Growth, and Security Initiative provides funding to build a new biosafety research laboratory in Athens, GA
  • $45.2M for the USDA OCIO
  • $15M for IT investments for the Comprehensive Loan Program (CLP)
  • $44 million to address climate change’s risk to agriculture, including investments in cyber infrastructure for big data

Commerce

The president’s budget request provides $8.8B in base discretionary funding to Commerce, a 6% increase over FY 2014 enacted levels.  It requests $2B in IT funding, an increase of 5.3% over FY 2014 enacted levels. 

Funding highlights include:

  • Provides funding for NIST to accelerate advances in areas such as cybersecurity and advanced manufacturing
  • Supports key trade promotion activities to stimulate economic growth
  • Seeks to promote business investment in the US to create jobs and promote US competitiveness
  • Provides $753M for innovative design methods for achieving the lowest cost possible 2020 decennial census
  • Establishes up to 45 manufacturing innovation institutes across the US
  • Continues strong support of NOAA, including $2B to continue the development of polar-orbiting and geostationary weather satellite systems
  • Provides $1.6B for research and development
  • Funds a new investment line item for modernizing IT and business processes at PTO ($64.4M)

Energy

The DOE’s budget request is up this year as FY 2015 discretionary funding of $27.9B represents a 2.6% increase over the FY 2014 enacted level of $27.2B.

Funding highlights include:

  • $11.7B for the National Nuclear Security Administration (an increase of $M from the 2014 enacted level)
  • $6.0B for Department Management and Performance (a decrease of $200M from the FY 2014 enacted level)
  • $5.1B for Science Programs (an increase of $100M from the FY 2014 enacted level)
  • $4.0B for Energy Programs (an increase of $300M from the FY 2014 enacted level)

Provisions of Interest

  • $180M in R&D to facilitate the transition to a Smart Grid
  • $325M for Advanced Research Projects Agency–Energy programs
  • $141M ($91M in Science and $50M in NNSA) for R&D related to exascale computing
  • More than $300M for DOE cyber security initiatives

Health and Human Services

The president’s budget request provides $77.1B in base discretionary funding to HHS, a 1.7% decrease from FY 2014 enacted levels. It requests $8.6B in IT funding, a decrease of 10.4% from FY 2014 enacted levels.

Funding highlights include:

  • Supports the Affordable Care Act and operation of the Health Insurance Marketplace
  • Provides $30.2B to NIH for medical research
  • Improves mental health services for youth and families
  • Invests in payment innovations and other reforms for Medicare and Medicaid and other federal health programs to improve program integrity and delivery of high-quality, efficient health care
  • Invests in a new initiative to improve access to high-quality health care providers
  • Funds construction of two new Indian Health Service health care facilities
  • Increases the investment in CMS IT infrastructure by $58.6M, a 19.4% gain
  • Increases the investment in CMS Healthcare Fraud Prevention Partnership (HFPP) by $17M, a 354% increase
  • Decreases IT funding for the CMS  investment that developed the health insurance marketplace (-$297M) and transfers to states for CMS Medicaid Management Information System (-$618M) 

Homeland Security

DHS is slated to receive $38.2B in base discretionary funding in the president’s budget request, a 2.6% decrease from FY 2014 enacted levels. The budget also includes $6.8B for disaster relief. The budget requests $5.8B in IT funding, which includes a $3M reduction from the FY 2014 enacted levels, a 0.1% decrease year over year.

Funding highlights include:

  • $514M for research and development in homeland security technology and developing state-of-the-art solutions for first responders – target opportunities in cybersecurity, explosives detection, nuclear detection, and chemical and biological detection.
  • $300M to initiate construction in 2015 of the National Bio- and Agro-Defense Facility to study large animal zoonotic diseases and develop countermeasures
  • $124M to support, expand, and enhance E-Verify system to aid U.S. employers with employment legality verification
  • $112.5M for Secure Flight, under which DHS conducts passenger watch list
  • $3.8B for the Transportation Security Administration (TSA) screening operations. Supports risk-based security initiatives at the Transportation Security Administration that enhance the efficiency of passenger screening operations, while improving the customer experience for the traveling public.
  • $1.25B for cybersecurity activities including:
    • $377.7M for Network Security Deployment, including the EINSTEIN3 Accelerated (E3A) program
    • $143.5M for the Continuous Diagnostics and Mitigation (CDM) program
    • $173.5M to support ICE cyber and cyber-enabled investigations of cyber-crime, etc.
    • $28M for the classified Homeland Secure Data Network to security and info sharing
    • $67.5M for Cybersecurity/Information Analysis Research and Development
    • $8.5M to establish a voluntary program and an enhanced cybersecurity services capability to support Executive Order 13636, Improving Critical Infrastructure Cybersecurity
    • $3.9M for Secret Service Cybersecurity Presidential Protection Measures to support monitoring of protective sites which directly or indirectly support a Presidential visit

Justice

The president’s budget request provides $27.4B in discretionary funding for the Justice department, $122M above the 2014 enacted level – for DOJ core law enforcement needs, safe and secure prisons, and other Federal, State, and local programs. DoJ’s IT budget is just slightly better than flat (+0.4%) year-over-year at $27.4B.

Funding highlights include:

  • $722M for cybersecurity efforts to combat increasingly sophisticated and rapidly evolving cyber threats
  • $13M to the FBI for investment in the National Instant Criminal Background Check System as part of the DOJ’s overall $182M budget for Federal, State, and local gun violence reduction efforts
  • $8.4B for Federal prisons and detention facilities, to maintain secure prison facilities and to continue bringing newly completed or acquired prisons online
  • $15M under the Smart on Crime initiative for prisoner reentry programs and for Prevention and Reentry Coordinators
  • $15M to expand the Residential Drug Abuse Program at the Federal level and $14M to expand the Residential Substance Abuse Treatment program at the state level
  • $1.7M to develop new multidisciplinary program evaluation and policy analysis capability to improve budget, management, and policy decisions
  • $299M for the Department’s Juvenile Justice Programs
  • $423M (roughly half of which are grants) to combat violent crimes against women
  • $9M to establish a National Center for Building Community Trust and Justice to promote procedural fairness in policing, use deterrence strategies to reduce crime, and encourage police departments to track the quality of their interactions with the public

Transportation

DOT’s budget request is down this year as FY 2015 discretionary funding of $13.7B represents a 2.14% decrease from the FY 2014 enacted level of $14B.

Funding highlights include:

  • $48.6B for the Federal Highway Administration (an increase of $7.2B from the FY 2014 enacted level)
  • $15.3B for the Federal Aviation Administration (a decrease of $584M from the FY 2014 enacted level)
  • $4.9B for the Federal Railroad Administration (an increase of $3.3B from the FY 2014 enacted level)
  • $17.6B for the Federal Transit Administration (an increase of $6.9B from the FY 2014 enacted level)
  • $851M in mandatory and discretionary funding for the National Highway Traffic Safety Administration (an increase of $32M from the FY 2014 enacted level)
  • $669M for the Federal Motor Carrier Safety Administration (an increase of $97M from the FY 2014 enacted level)
  • $261M for the Pipeline and Hazardous Materials Safety Administration (an increase of $51M from the FY 2014 enacted level)

Provisions of Interest

  • $302B four-year surface transportation reauthorization proposal to support critical infrastructure projects
  • Funding for FAA NextGen investments is preserved
  • $370 million for National Airspace System Sustainment
  • $5M for cyber security initiatives, a decrease of $7M from the FY 2014 enacted level

Treasury

The president’s budget request provides $12.4B in base discretionary funding to Treasury, a 1.5% decrease from FY 2014 enacted levels. However, it provides total resources of $13.8B, which is a $1.2B increase partially funded by proposed program integrity caps. It requests $4B in IT funding, an increase of 13.4% over FY 2014 enacted levels.

Funding highlights include:

  • Continues implementation of the Affordable Care Act
  • Continues implementation of the Wall Street Reform and Consumer Protection Act to create a more stable  and responsible financial system
  • Invests $12.5B in the IRS, which includes a $480M program integrity cap adjustment.  Aimed at improving enforcement of current tax laws and reducing the current tax gap.  Includes more than a $100M increase to improve customer service, and an additional $165M is proposed to further enhance customer service through the Opportunity, Growth, and Security Initiative
  • $1.5B for a new round of State Small Business Credit Initiatives
  • Expands the level of detail and capabilities of sorting federal spending data to enable better use of the data
  • Calls for a $227M increase to the IRS Main Frames and Servers Services and Support investment over FY 2014 levels

Veterans Affairs

The president’s budget request provides $65.3B in base discretionary funding to VA, a 3% increase over FY 2014 enacted levels, giving VA total budget authority of $68.4B which includes $3.1B of estimated medical care collections.  The budget requests $4B in IT funding, an increase of 4.7% over FY 2014 enacted levels.

Funding highlights include:

  • $56B for VA medical care, and $58.7B in advanced funding for FY16 appropriations for medical care
  • Emphasis on ending veterans’ homelessness. ($1.6B) Working with HUD
  • Supports continued improvements in delivery of mental health care and telehealth technologies ($7B)
  • $1B in mandatory funding to help put veterans back to work protecting and rebuilding America
  • An additional $400M for high priority capital projects
  • Invests $138.7M in the Veterans Claims Intake Program and $173.3M for the Veterans Benefit Management System to address the claims backlog

Stay tuned to FIA as we will be publishing our complete analysis of the FY 2015 budget request later this month, where we will go into greater detail on the key initiatives, IT investments and contractor implications that will shape the federal IT marketplace for FY 2015.

Fellow GovWin Federal Industry Analysis (FIA) analysts Angela Petty and Alex Rossino contributed to this entry.

White House Cybersecurity Framework Takes a Cajoling Tone

Last week the White House unveiled its much-anticipated framework for cybersecurity aimed at persuading financial, energy, and other critical infrastructure companies to further bolster their network protections against cyber-attacks. The measured tone of the guidance and accompanying statements by officials is a stark contrast to the Obama Administration’s aggressive posture at the onset of the initiative.

The Framework for Improving Critical Infrastructure Cybersecurity is the product of a year-long effort led by the National Institute of Standards and Technology (NIST), initiated by President Barack Obama’s Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” on February 12, 2013. While the release came within Obama’s specified time frame, the initial news reaction was that the framework was much weaker than what he promised a year ago. The White House’s promotion of voluntary standards is a marked departure from the more regulatory approach it had pursued up to this point, and in his published statement on its release the President said that much more work needs to be done.

Framework Overview

The Framework describes itself as a risk-based approach to managing cybersecurity risk and seeks to reinforce the connection between business drivers and cybersecurity activities. Its core is composed of three parts:

  • The Framework Core – a set of five cybersecurity functions (Identify, Protect, Detect, Respond, Recover), desired outcomes, and applicable references that are common across critical infrastructure sectors. The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level.

  • Framework Implementation Tiers – describes the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework (e.g., risk and threat aware, repeatable, and adaptive) measured over a range, from Partial (Tier 1) to Adaptive (Tier 4), from informal to agile and risk-informed.

  • A Framework Profile – the alignment of current standards, guidelines, and practices to the Framework Core in a particular implementation scenario. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a “Current” Profile (the “as is” state) with a “Target” Profile (the “to be” state).

The remainder of the Framework defines cyber-risk management and further discusses the three Framework components, with examples of how the Framework can be used, and provides additional reference information relevant to implementation.

White House Event and DHS Program

The White House announced the Framework release with an event that featured speakers from several agencies and a panel of industry advocates that have worked closely with the administration on the issue. A key repeated theme throughout was the voluntary nature of the Framework, which may be a reaction to concerns that federal policy in this area would pursue a heavy-handed regulatory bent.

As part of the roll-out, Department of Homeland Security Secretary Jeh Johnson announced the launch of the department’s Critical Infrastructure Cyber Community C³ Voluntary Program, a public-private partnership aimed at aligning critical infrastructure owners and operators with existing resources that will help them adopt the Framework and manage their cyber risks. The stated primary goals of the C³ Voluntary Program are to support industry in increasing cyber resilience, to increase awareness and use of the Cybersecurity Framework, and to encourage organizations to manage cybersecurity as part of an all-hazards approach to enterprise risk management. In his remarks, Johnson said one aspect of the C-cubed program includes providing industry access to cyber-experts at DHS for consultation and advice at no cost.

Also at the event, Department of Commerce Secretary Penny Pritzker chaired a panel of supportive industry execs from AT&T, Lockheed Martin, and PEPCO to show their support for the White House’s efforts.  Among their comments, they emphasized the “good first step” aspect of the framework and that it is not a “cookie-cutter” approach. They also stressed the fact that “there are no truly private networks” as well as the need to understand exactly what actors and devices are connected to their networks.

White House Cyber Coordinator Michael Daniel closed out the event by highlighting the intent to continue to foster C-level engagement in order to keep the Framework a living document through NIST workshops, etc.; to address the regulatory aspects of the EO by streamlining and aligning existing regulations without issuing new ones; and to deal with the issue of incentives for industry to participate in the framework and related cyber-efforts.

Implications

In the industry panel discussion, AT&T’s Randall Stephenson commented that he sees huge opportunities within the cyber framework for big business. He and the others see the need for innovation in cybersecurity, including solutions that improve an organization’s situational awareness of its cyber-risk posture, training and education, policy development and enforcement, risk management, etc. It was unclear whether he meant up-side for cybersecurity vendors or potential for big firms to improve their cyber-risk posture, or both.

The potential cost of pursuing the government’s framework approach has been raised as an issue. In fact, an administration official noted that the federal government is going to “do its best to make the costs of using the framework lower, and the benefits of the framework higher…”

Cybersecurity opportunities that develop within the private critical infrastructure markets will complement the ongoing needs of federal agencies to secure their networks and improve their processes, especially in light of the continued challenges and failures of many agencies to lead by example.

---
Originally published for Federal Industry Analysis: Analysts Perspectives Blog. Discover more about GovWin FIA. Follow me on Twitter @GovWinSlye.

Will It Take a Real Zombie Attack to Improve Federal Cybersecurity?

It's been said that 80% of cyber-attacks could be prevented by implementing and maintaining the most basic cyber-measures like keeping software patched and using non-default passwords. Well, a recently released Senate study documents the dismal track record many federal agencies have at doing just that. The ramifications range from the now-infamous zombie attack warning that went out over a hacked emergency notification system to incidents of personally identifiable information (PII) theft.

As the White House releases updated critical infrastructure protection (CIP) guidance and Congress debates its latest cybersecurity and CIP bill, the Republican Ranking Member of the Senate Homeland Security and Governmental Affairs Committee, Tom Coburn, released a report detailing how federal agencies are poorly prepared to defend against even some of the most routine attacks.

The Federal Government’s Track Record on Cybersecurity and Critical Infrastructure was picked up by the Washington Post, which highlighted the February 2013 hack of the FCC’s Emergency Broadcast System that led to several TV stations broadcasting the zombie attack warning. The report cites previous work by the GAO and by agency IGs to emphasize the breadth and severity of the problem of not doing the basics when it comes to IT security.

Physician, Heal Thyself

The gist of the report is that while the White House has been very focused on improving the security of the computers and networks which run the nation’s commercially-owned critical infrastructure, through efforts like last year’s executive order, etc., for these efforts to be credible and taken seriously the federal government should address the dangerous insecurity of its own critical networks. This is especially true when the vulnerabilities are due to the failure to perform routine and basic measures.

The report cites the most recent FISMA report in noting that civilian agencies fail to detect about 4 in 10 intrusions and notes that many hacks often exploit mundane weaknesses that could be prevented with routine efforts, particularly out-of-date software patches. The report also cites a June 6, 2013 Congressional Research Service memo to the HSGAC Minority Staff on “FISMA Spending, Historical Trends,” in which CRS estimates that the federal government has spent at least $65 billion on IT security since 2006. (Assuming that covers from FY 2006 to FY 2012, that would average more than $9 billion per year.)

Select examples mentioned in the report include:

  • Homeland Security – In 2013 OMB found DHS rated below the government-wide average for using anti-virus software or other automated detection programs, encrypting email, and security awareness training for network users. DHS also came in at 72% of its internet traffic going through Trusted Internet Connections (TIC), missing its OMB-set goal of 95% and even the general government agency goal of 88%. Other widespread issues deal with unpatched software and poor password practices (using weak/default passwords, written/posted passwords, etc.)

  • Internal Revenue Service – Every year since 2008, GAO has identified about 100 cybersecurity weaknesses which compromise computers and data, often repeating weaknesses GAO cited the previous year. Issues include routine lack of encryption to protect sensitive data, lax password standards/administration, failure to fix known vulnerabilities that have been identified by their security monitoring, and lagging software patch installation.

  • Energy – In January 2013 hackers compromised 14 servers and 20 workstations, stealing personal information on hundreds of government and contract employees, and possibly other information. In another incident six months later, hackers took personal information for 104K past and present employees. Vulnerabilities include unprotected servers, unapplied software patches, weak access controls and passwords, and poorly-secured web applications.

Implications

Shining the spotlight on the ongoing deficiencies of federal agencies to effectively deploy rudimentary security measures may add fuel to the fire in the debate over the fed’s role in private CIP and cybersecurity. The lines have been drawn largely between those who favor a regulatory approach with rules and requirements versus those who advocate an incentives-based approach with liability protections. Whatever the merits of either side, the fact still remains that more must be done to secure federal networks, systems and devices.

The Post article notes that Coburn and others see as the underlying problem the fed’s failure to hire and maintain highly-skilled IT workers that have the proper authorities to enforce simple security protocols, combined with a lack of accountability at the agency senior level for security failures. The examples emphasize that the problem in this area is not technical, really. It’s more about policy, governance and administration. That comes back to strategy, training, and execution, for which agencies should turn to their cyber-industry partners for support and expertise.

Maybe a report like this will give federal IT managers and cybersecurity staff a little more clout to shake the current system out of “zombie mode” and into effective action. We’ll see what the next FISMA report reveals.

---
Originally published for Federal Industry Analysis: Analysts Perspectives Blog. Stay ahead of the competition by discovering more about GovWin FIA. Follow me on Twitter @GovWinSlye.

Federal Cloud Market Drivers: Security Compliance and Brokers

As federal agencies face meeting cloud security compliance this June, acquisition in the government cloud market continues to evolve.

The Office of Management and Budget launched the Cloud First Policy back in 2010, spurring agency adoption of cloud-based solutions whenever such secure, reliable options exist. Since then, a lot of progress has been made around clarifying the capabilities of cloud solutions by standardizing definitions, developing security controls, and exploring contracting practices. Over the past few years, the General Services Administration (GSA) has steadily rolled out the Federal Risk and Authorization Management Program (FedRAMP) through its initial operating phase. 

FedRAMP established a cloud security baseline, leveraging guidance documents from the National Institute of Standards and Technology (NIST).  Agencies can, however, require security beyond the level established by these controls. While agencies determine their individual cloud adoption needs, this combination ensures their ability to adjust controls around specific security needs while meeting government-wide standards. 

At the outset of 2013, some 70 cloud service providers were reported to be in the FedRAMP application queue. A year later, thirteen different cloud-based solutions have received provisional authority to operate (ATO), most of which are Infrastructure-as-a-Service (IaaS) offerings. Since the NIST guidance documents shaping the FedRAMP controls undergo updates, a lingering question surrounds how changes to the baseline will impact FedRAMP approved providers as well as applications under review. 

With the standard definitions and security baselines etched out for cloud services, the contracting landscape has proved to be another area of steady development. While many agencies have contracted services independently with commercial services providers, others have sought to use channels established by GSA and other organizations. According to a representative from GSA’s Federal Acquisition Service, several acquisition vehicles were established with the intention of providing agencies with a means to pursue cloud solutions. Adoption through GSA’s Infrastructure-as-a-Service and Email-as-a-Service blanket purchase agreements (BPAs) has been slower than expected, partly due to the lag in expiration dates for current contracts. As the demand for cloud capabilities continues to expand, GSA is looking to leverage existing channels rather than standing up separate “boutique” options. Currently, cloud offerings can be found through GSA’s IT Schedule 70 as well as Government-wide Acquisition Contracts (GWACs), such as Alliant and Alliant Small Business.

In a recent panel discussion, several government representatives described efforts to define the role of cloud brokers as the footprint of cloud implementation continues to grow across the government. The role of cloud brokers could build on strategic sourcing initiatives, curating the solutions that government organizations pursue. One of the challenges for these brokers is varying knowledge levels across the customer base: some organizations know exactly what they want, while others are still developing an understanding of cloud capabilities and their specific requirements.

One way the cloud broker model can operate is to take offerings from various commercial providers, integrate them, add layers of security, and present the combination as a service to the government. By reducing costs with pre-built services and improving the time to market, the broker model also stands to generate competition among providers to increase capabilities while keeping costs down. At the same time, this model carries risks for the brokers. Often there are significant gaps between the services sought by the government and what providers are willing to offer.

Some government officials describe their ideal cloud acquisition environment as a sort of buffet of services with endless possible combinations. Even under a broker, however, the reality is likely to be more of a fixed menu. Cloud services providers accept financial risk by undergoing the FedRAMP approval process without any assurance of future business from receiving an ATO. Brokers are also taking on risks, like closing gaps around service level agreements. As government looks to industry to carry more and more risks, the costs to businesses will create an ecosystem that supports certain businesses and creates barriers for others.

---
Originally published for Federal Industry Analysis: Analysts Perspectives Blog. Stay ahead of the competition by discovering more about GovWinIQ. Follow me on twitter @FIAGovWin.

 

Agencies Continue to Struggle with Gaps in Basic Mobile Security Practices

A recent report on practices and vulnerabilities finds room for improvement across the government’s mobile security practices.

In mid-January 2014, the Mobile Work Exchange published The 2014 Mobilemeter Tracker. The report highlights findings from the Secure Mobilemeter, a self-assessment tool for evaluating mobile practices and procedures. End-user and agency data collected through the Secure Mobilemeter during September, October, and November 2013 included responses from 155 individuals and 30 agencies, including the Department of Justice, Homeland Security, Navy, General Services Administration, and Department of Agriculture. 90% of individual government respondents indicated using at least one mobile device for work (e.g. tablet, smartphone, or laptop). Nearly 70% use a government-furnished device, 15% use a personal device, and 16% use both.

 

The report found that while most government employees leverage mobile computing in some capacity, best practices are not followed consistently. Based on the scale devised for the report, 41% of government employees need to improve mobile device security practices. For example, 25% of respondents indicated a failure to secure mobile devices with passwords and 31% accessed public Wi-Fi with a work-related device. Other gaps in basic security: 14% fail to lock their computers when away from their desk, and 22% of employees do not always store files in a secure location.

Although the Federal Digital Government Strategy has contributed to progress in a number of areas, over 25% of government employees have not received mobile security training. Further, 57% of agencies were found to have gaps in mobile policies and security systems. Agency level vulnerabilities include practices around registering mobile devices with the IT department, utilizing a remote wipe function, tracking phones, and leveraging multi-factor authentication or data encryption.

As government agencies increasingly rely on networked systems and mobile computing capabilities, lagging policies and organizational culture pose greater and greater risks to government systems and data. Agencies and vendors must keep pace with new security requirements that emerge from operational shifts driven by advancements in mobile technologies. The push for government organizations to achieve greater operational efficiencies through technology adoption raises the stakes for vendors competing for contracting opportunities, who are tasked with helping agencies close capability gaps and comply with evolving standards.


Congress Set to Pass FY 2014 Funding – Would Avert Shutdown, Mute Sequestration

The U.S. Congress is expected to pass an omnibus funding bill for the remainder of fiscal year (FY) 2014 that includes $1 trillion in discretionary federal funds.

The Hill reported that H.R. 3547 passed the House and is now moving on to the Senate. The bill is a compromise measure in keeping with the budget agreement the two parties reached late in 2013. As such, the bill is set to increase total discretionary spending to $1.102 trillion in FY 2014, an increase over the $986 billion that was originally planned.

If the final bill passes the Senate and is signed by the President, as is expected at the time of this writing, another looming government shutdown will have been averted. Further, departments and agencies that have been coping with the limitations imposed under the “same stuff, different day” scenario that accompanies continuing resolutions (CR) will have real appropriations with operating budgets and more program flexibility, even if their budgets don’t necessarily grow.

Year-over-Year Changes

The pending omnibus would, in one sweeping appropriation, address funding for each of the agencies covered under the twelve individual appropriations bills that traditionally make their way through Congress. Barring any unexpected changes in either chamber, a summary of the appropriation’s impact on departmental budgets is presented in the table below and following descriptions.

Department of Defense

Total FY 2014 funding is set at $572B and includes $487B in base budget and $85B for OCO.

  • Military Personnel (MILPERS) - $129B, up $1.3B from FY 2013. Includes 1% pay raise for armed forces and civilian workforce, the first civilian raise in 4 years.
  • O&M - $160B, down $13.6B from FY 2013. Priority on essential readiness programs, including $447M for CYBERCOM
  • Procurement - $92.9B, down $7.5B from FY 2013 enacted level.
  • RDT&E - $63B, $6.9B below FY 2013
  • Military Construction (MILCON) - $9.8B, a decrease of $817M from FY 2013
  • These budget categories (MILPERS, etc.) are split and aggregated across the four defense areas as follows:
    • Air Force - $133B, Army - $117B, Navy/Marine Corps - $144B, Defense-wide - $57B
  • Identifiable OCO spending breaks out as follows:
    • Air Force - $16.5B, Army - $40B, Navy/Marine Corps - $14B, Defense-wide - $7.4B
  • Includes a 1% pay raise to members of the Armed Forces and the Department of Defense civilian workforce. This is the first pay raise for Department of Defense civilians in four years.
  • Supports readiness with O&M funding that is $11B higher than under a full-year CR.
  • Provides $1B for the National Guard and Reserve Equipment Account to ensure Guard and Reserve units have the critical equipment necessary for both homeland security and overseas missions.
  • Includes $2.4B to continue operation and begin modernization of nine Navy ships which had been proposed for retirement due to budget constraints
  • Adds $175M for the Rapid Innovation Program and $75M for the Industrial Base Innovation Fund to promote the development of new technologies and timely fielding of critical equipment.
  • Instead of across-the-board sequestration cuts, the bill proposes 1,065 specific cuts to programs and redirects some of those funds to higher priorities.
  • Translates delays in acquisition programs into spending deferments and reductions, including:
    • $204M from the Army’s Warfighter Information Network-Tactical Increment II due to test issues
    • $85M from the Air Force’s Space Fence radar system due to acquisition delays
    • $45M from follow-on development of the Navy’s E-2D Advanced Hawkeye aircraft due to contract delays.

Health and Human Services

HHS funding is part of the broader Labor, Health and Human Services, and Education Appropriation, which totals $156.8 billion in discretionary funding, and the Agriculture Appropriation. We estimate the HHS portion of these appropriations to be $80B. HHS highlights of the omnibus bill include the following:

  • $2.6B for FDA, $217M above FY 2013
  • $3.7B for CMS management and operations, equal to the sequester level
  • $6.9B for the CDC, $567 million above FY 2013
  • $4.4B for the Indian Health Service, $304M above the post-sequestration level
  • $29.9B for NIH, $1B above FY 2013 post-sequester
  • $30.9B for ACF, $782M above FY 2013 enacted level
  • $3.6B for SAMHSA, $144M over FY 2013 enacted level
  • $8.6B for Head Start, $1B above the post-sequestration level
  • $2.36B for the Child Care and Development Block Grant, $154M above FY 2013
  • $3.6B for Community Health Centers (CHCs), a $700 million increase
  • $2.3B for HIV/AIDS Programs, a $70M increase
  • The bill provides no new funding for ObamaCare, and holds the line on ObamaCare funding in CMS.
  • $305 million for CMS to allow for the timely processing and payment of benefits, and the continuation of essential services for the increasing number of Americans who rely on traditional Medicare programs.

Education

  • $250M for Race to the Top—Preschool Development to be used for grants to States
  • $11.5B for IDEA/Special Education
  • $14.4B for Title I/Disadvantaged Schools, a $625M increase
  • $1.2B for 21st Century Community Learning Centers, an increase of $58M
  • $1.3B for Impact Aid, an increase of $65M
  • $22.8B for the Pell Grant program

Veterans Affairs

VA funding is part of the broader Military Construction/Veterans Affairs Appropriations. VA’s discretionary funding totals $63.2B for FY 2014. VA highlights of the omnibus bill include the following:

  • $55.6B in FY 2015 advance appropriations for veterans medical care
  • $20M above the budget request to upgrade computer hardware, such as servers, in VA Regional Offices to handle the advanced program requirements of the Veterans Benefits Management System
  • $250M for rural health care, including telehealth and mobile clinics
  • Mandates several requirements before the VA can obligate more than 25% of the funding for VistA electronic health record modernization
  • $4B in FY 2014 to meet the health care needs of veterans who have served in Iraq and Afghanistan
  • $4.9B to provide healthcare for women veterans in FY 2014
  • $7.6B for Long Term Care
  • $586M for Medical and Prosthetic Research
  • $3.7B for Information Technology, $20M over the request
  • $140M – an increase of $20 million above the President’s request and $26 million above the fiscal year 2013 enacted level – for information technology upgrades at regional offices to manage the improved paperless claims processing system
  • $250 million for rural health care, including telehealth and mobile clinics, for veterans in rural and highly rural areas, including Native American populations.
  • Minor Construction within the VA is funded at $715M – the same as the President’s request and $108 million above the fiscal year 2013 enacted level.

State and International Programs

  • $49B includes $6.5B for Overseas Contingency Operations (OCO) and $15.7B in base and contingency funding for operational costs of the State Department and related agencies
  • $1.3B for USAID operations, of which $91 million is for contingency funding

Homeland Security

Overall FY 2014 discretionary spending for DHS is $39.3B, a reduction of $336 million from the FY 2013 enacted level.

  • Coast Guard: $10.2B overall, of which $8.7B is discretionary spending. The bill also provides $425 million in targeted increases above the FY 2014 request to support front line personnel with resources, including $23 million and $2 million respectively for pre-acquisition design work of the Offshore Patrol Cutter and for initial acquisition planning and design of a new polar icebreaker.
  • Transportation Security Administration (TSA): $7.4B for TSA is reduced by $2.1B in offsetting collections and fees. The bill includes funding for investments in explosives detection systems, passenger screening technologies, and air cargo security. The bill includes $177 million for passenger screening technologies, $93 million for Secure Flight, which matches passenger data against records contained in portions of the Terrorist Screening Database, $83 million for expedited and other vetting programs, and $25 million for the Federal Flight Deck Officer and Flight Crew Training program.
  • U.S. Customs and Border Protection (CBP): $10.6B, which adds $111 million above the FY 2013 enacted level. Adds $91 million above the budget request for Air and Marine operations and procurement of critical assets, including enhanced radar for unmanned aircraft systems and restoring the 30% cut to flight hours proposed in the budget. Adds $10 million for trusted traveler programs, including additional Global Entry kiosks and mobile document readers, expanding preclearance activities, and for border transformation programs like the land border integration effort and the port runner/absconder program.
  • U.S. Immigration and Customs Enforcement (ICE): $5.6B for ICE, of which $2.8B is for detention and removal operations, including border patrol, special agents and immigration officials.
  • United States Citizenship and Immigration Services (USCIS): $116 million in direct appropriations for USCIS and, with $114 million, fully funds the E-Verify employment eligibility verification system.
  • United States Secret Service: $1.6B, expands cyber training provided by the Secret Service to state and local law enforcement officials, grows cooperation between the Secret Service and the FBI in cybersecurity, and maintains the Service’s primary role in protecting U.S. financial systems in cyberspace.
  • Domestic Nuclear Detection Office (DNDO): $285 million, including $14 million for handheld portable radiation detectors, $71 million for research and development of next-generation detection technologies, and $22 million for the Securing the Cities program.
  • National Protection and Programs Directorate (NPPD): $1.2B for the Infrastructure Protection and Information Security Program, including $792 million for cybersecurity protection of Federal networks and incident response, consisting in part of:
    • $382 million for intrusion detection on civilian Federal networks
    • $200 million to build on a new monitoring and diagnostics program begun in 2013 to better protect civilian Federal networks against threats through real time analysis of day-to-day activity
    • $15.8 million for cybersecurity education to train future cyber warriors
  • Science and Technology (S&T): $1.2B, sustains investment in high-priority research and development efforts, including $404 million in funding for the construction of the National Bio- and Agro-Defense Facility (NBAF).  
  • Office of Health Affairs (OHA): $127 million, including $85 million for the Bio-Watch Program and $2 million to complete demonstration projects through the Chemical Defense Program.

Housing and Urban Development

  • HUD’s operating budget declines this year as FY 2014 discretionary funding of $32.8B represents a 2% decrease from the FY 2013 enacted level of $33.5B.
  • Funding includes:
    • $26.3B for Public and Indian Housing (increase of $411M from FY 2013 enacted and $1.5B below FY 2014 request)
    • $10.5B for Housing Programs ($561M above FY 2013 enacted and $381M below FY 2014 request)
    • $6.6B for Community Planning and Development Programs ($145M less than FY 2013 enacted)
  • Provisions of Interest
    • $36M for the HUD OCIO.
    • $250M for development, modernization, enhancement and maintenance of Department-wide and program-specific IT programs.

Justice

  • Bolsters resources for DOJ capabilities to counter growing cyber threats. Within 120 days of enactment, DOJ is to provide a multiyear strategic plan that identifies resources, programs and coordination structures needed to enable prevention of and more rapid response to future cyber attacks.
  • Justice Information Sharing Technology (JIST):  $25.8 million in funding for JIST, as well as enabling the Attorney General to transfer funds to this account from funds available to DOJ for enterprise-wide IT initiatives.
  • National Security Division (NSD): $91.8 million for the NSD, including funds to support the Intelligence Community to combat cyber threats with resources that at least match FY 2013 levels.
  • Federal Bureau of Investigation (FBI): Receives $8.3 billion, an increase of $232 million over FY 2013 enacted levels.
    • $8.2 billion for salaries and expenses of the FBI.
    • $390.0 million in resources to continue support for its Next Generation Cyber Initiative and cyber task forces
    • The FBI is expected to increase resources for the National Instant Criminal Background Check System (NICS) by $60,000,000 to expand capacity of NICS to meet rising demand for system resources.
  • Drug Enforcement Administration (DEA): $2.4 billion, marking a rise of $21 million over FY 2013 levels.
    • Includes $361.0 million for regulatory and enforcement efforts to combat prescription drug abuse.
  • Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF): $1.18 billion, an increase of $47 million over FY 2013 enacted.
    • Includes resources for the updating and expanding of the National Integrated Ballistic Imaging Network (NIBIN).
  • U.S. Marshals Service: $2.7 billion, marking a decrease of $72 million from FY 13 due to reduced estimates for federal detention requirements.
  • Federal Prison System (BOP): $6.9 billion, an increase of $79 million above FY 2013 enacted.
    • Maintains staffing levels and continues activation of new prisons.
  • Grants Program: $2.2 billion for various state and local grant programs, $32 million above FY 2013 enacted level.
  • State and Local Law Enforcement Assistance: $1.17 billion for initiatives including victims of human trafficking, DNA grants, Byrne-Justice Assistance Grant (JAG) subgrantees, as well as National Instant Criminal Background Check System (NICS) Initiative grants.

Energy

  • National Nuclear Security Administration (NNSA): Receives $11.2 billion to maintain the safety, security, and readiness of the nation’s nuclear weapons stockpile.
    • Increases funding for Weapons Activities by $847 million over FY 2013, providing $7.845 billion in FY 2014.
    • Critical defense funding upholds national nuclear deterrence posture.
    • Includes $537 million to extend the life of the B61 nuclear bomb.
  • Energy Programs: Increases funding for energy programs to $10.2 billion, a $620 million rise over FY 13 enacted levels. Including:
    • $562 million for research and development to advance coal, natural gas, oil, and other fossil energy technologies. ($28 million above FY13 enacted level)
    • $889 million for nuclear energy research and development to further next generation of nuclear power. ($36 million over the FY13 enacted level.)
  • Science Research: Office of Science receives $5.071 billion ($450 million over FY 2013) for breakthroughs in energy applications and development of next-generation high performance computing systems.
  • Provides $280 million for Advanced Research Projects Agency-Energy (ARPA-E), an increase of $29 million over FY 2013, to develop promising/high-risk future energy technologies.
  • Energy Efficiency and Renewable Energy (EERE) programs receive $1.9 billion, an increase of $182 million over FY 2013, to advance biomass, electric vehicle, and energy efficient advanced manufacturing technologies.
  • Defense Environmental Cleanup receives $5.0 billion, an increase of $381 million above FY 2013.
  • Cuts funding for Nuclear Nonproliferation by $289 million from FY 2013, providing $1.954 billion for FY 2014.
  • Provides $147 million for Electricity Delivery and Energy Reliability, including $5 million within Cyber Security for Energy Delivery Systems to enhance full-scale electric grid testing capabilities associated with integration of wireless technologies, power generation, and communications and control systems.

Agriculture

  • USDA’s operating budget is a winner this year as FY 2014 discretionary funding of $20.9B represents a 2% increase over the FY 2013 enacted level of $20.5B.
  • Funding includes:
    • $5.5B for the Forest Service
    • $2.6B for Agriculture Research
    • $292.8M for the Forest Service
    • $828M for the Animal and Plant Health Inspection Service
    • $1.5B for the Farm Service Agency
    • $2.4B for Rural Development ($180M above FY 2013 enacted level)
    • $1B for the Food Safety and Inspection Service ($19M below FY 2013 enacted level)
    • $2.6B for the Food and Drug Administration (Restores $85M in fee revenue lost due to sequestration)
    • $215M for the Commodity Futures Trading Commission ($100M below President’s 2014 Request)
    • $826M for the Natural Resources Conservation Service
  • Provisions of Interest
    • Budget contains requirements for the Secretary of Agriculture to eliminate waste, fraud, and abuse in the Supplemental Nutrition Assistance Program.
    • Makes cuts to lower-priority programs.
    • Provides $44M for the USDA OCIO, no less than $27M of which is to be spent on USDA cybersecurity requirements.
    • Provides $4.2M for APHIS’ IT infrastructure.
    • Increases CIO governance over IT expenses, requiring the CIO to approve of any investment greater than $25K before the investment is made.
    • Stipulates no new IT system or upgrade of current systems may be acquired without OCIO and Executive IT Investment Review Board approval.

Transportation

  • DOT’s operating budget is flat this year as FY 2014 discretionary funding of $17.8B represents a 0.5% decrease from the FY 2013 enacted level of $17.9B.
  • Funding includes:
    • $41B for the Federal Highway program (same level authorized in the MAP-21 transportation authorization legislation that expires on September 30, 2014); an increase of $557M from FY 2013 enacted
    • $12.4B for the Federal Aviation Administration ($168M below FY 2013 enacted);
    • $1.6B for the Federal Railroad Administration (decrease of $34.6M from FY 2013 enacted)
    • $2.15B for the Federal Transit Administration (decrease of $100M from FY 2013 enacted)
    • $819M in mandatory and discretionary funding for the National Highway Traffic Safety Administration (increase of $8.9M over FY 2013 enacted)
    • $585M for the Federal Motor Carrier Safety Administration (increase of $24M above FY 2013 enacted)
    • $12.8M increase over the FY 2013 level for the Pipeline and Hazardous Materials Safety Administration
  • Provisions of Interest
    • Funding for FAA NextGen investments is preserved.
    • $15.7M for the DOT OCIO.
    • $7M for upgrading and enhancing the DOT’s financial systems and re-engineering business processes.
    • $4.45M for cybersecurity initiatives.

NASA

  • Preserves balance of NASA portfolio across science, aeronautics, technology and human space flight.
  • Asteroid Redirect Mission (ARM): Completion of significant preliminary activities is needed prior to NASA and Congress making long-term commitment to this mission concept.
  • Science: Funding totals $5.15B, including Education and Public Outreach, Earth Science, Planetary Science, Astrophysics, and Heliophysics.
    • Prior to expending any funds on the development of JPSS climate sensors, NASA is to prepare development plans with notional budget and schedule details for submission to the Appropriations Committee.
    • Under Planetary Science, Mars Exploration receives $288 million, including $65 million for the development of the Mars 2020 Rover.
  • Aeronautics: Funding amounts to $566 million.
  • Space Technology: Funding totals $576 million.
  • Exploration: $4.1 billion for Exploration mission directorate, including Multi-Purpose Crew Vehicle and Space Launch System programs.
    • $1.6 billion is provided for the Space Launch System (SLS) to sustain core development of mission components. Due to concerns regarding diversion of funds for activities with only tangential relevance to the SLS, NASA is expected to complete quarterly spending reports on additional potential for the investment along with tracking milestones and development schedules.
    • $1.2 billion is provided for the Orion Multi-Purpose Crew Vehicle, including $3 million for Construction and Environmental Compliance and Restoration.
  • Space Operations: $3.8 billion for Space Operations, including strong support for the International Space Station (ISS).
  • Cross Agency Support: $2.8 billion in Cross Agency Support funds security, infrastructure, and reports.
  • Office of Inspector General to receive $37.5 million.
  • Administrative Provisions include establishing terms and conditions for the transfer of funds.

Labor

  • $2.6B for Job Training through Workforce Investment Act Grants to States, an increase of $121M
  • $80M for Unemployment Insurance (UI) Program Integrity, an increase of $16M
  • $10.4B for the Employment Training Administration, a decrease of $562M from FY 2013 enacted level
  • $1.7B for the Office of Job Corps
  • $269.5M for Veterans Employment and Training Service (VETS)

Treasury

  • $112M for FinCEN (Financial Crimes Enforcement Network), $7M above a FY 2014 full-year CR level
  • $226M for the Community Development Financial Institutions Fund (CDFI), $17M above a FY 2014 full-year CR level
  • $11.3B for IRS
  • $35M for the Treasury Inspector General, a $7M increase
  • $156.4M for the Treasury Inspector General for Tax Administration, $12.6M above a FY 2014 full-year CR level
  • $92M to help address identity theft and refund fraud, combat offshore tax evasion, and improve delivery of services to taxpayers.
  • The bill includes no additional funding for ObamaCare
  • $3M available until 9/30/15 for IT modernization requirements
  • Up to $250M available until 9/30/15 for IT support
  • $313M available until 9/30/16 for capital asset acquisition of IT systems, including management and related contractual costs for business systems modernization.

Interior

  • $954 million for the Bureau of Reclamation’s Water and Related Resources, $106 million over FY 2013.
  • Bureau of Land Management (BLM): Funded at $1.1 billion, marking an increase of $7 million above FY 2013 enacted. Provides for effective stewardship of public lands.
  • National Park Service (NPS): $2.6 billion, an increase of $28.5 million over FY 2013 enacted. Allows every national park to remain open for the duration of FY 2014.
  • U.S. Forest Service: $5.5 billion, including increases for wildfire fighting and management.
  • United States Geological Survey (USGS): Provides $1.03 billion for Surveys, Investigations, and Research, including an increase of $400,000 for data preservation.
  • American Indian and Alaska Native Programs:  Provides funding for health care, law enforcement, and education.
    • Indian Health Services: Receives $4.3 billion in funding, an increase of $78 million over FY 2013 enacted levels.
    • Bureau of Indian Affairs and Education:  Provides $2.5 billion in funding, an $18 million increase over FY 2013 enacted levels.
  • U.S. Fish and Wildlife Service (FWS): $1.4 billion, a decrease of $32 million from the FY 2013 enacted levels. This funding provides for compensating ranchers for livestock loss, stopping spread of mussel and fish varieties, and species conservation.
  • Fully funds request for information technology management.

Commerce

  • National Oceanic and Atmospheric Administration (NOAA): $5.3 billion, marking an increase of $310 million over the FY 2013 enacted levels.
    • Including $953.6 million for the National Weather Service as well as $187.1 million for the National Environmental Satellite, Data and Information Service (NESDIS) operations, research, and facilities.
    • Fully funds NOAA’s weather satellite programs (GOES-R and JPSS). Although NOAA is expected to focus on the weather satellite program and to better address gaps in its FY 2015 budget, NOAA will continue to provide quarterly updates to the Committees on Appropriations regarding its weather satellite portfolio.
  • Bureau of Census: $945.0 million, including $693.0 million for periodic censuses and programs.
  • United States Patent and Trademark Office (USPTO): $3.0 billion, marking an increase of $91 million over FY13.
    • Maintains provision that USPTO makes available any fees collected in excess of estimates.
    • Adopts language from the House and Senate reports for Patents End-to-End. USPTO will submit a report to the Committees on Appropriations within 90 days of the Act’s enactment.
  • National Institute of Standards and Technology (NIST): $850 million for NIST, increase of $41 million over FY13 enacted, including $651.0 million for NIST’s scientific and technical core programs.
    • Increase of $5.0M for cyber security research. Increase of $1.0M for disaster resilience research.
    • $4.0M for the National Initiative for Cybersecurity (NICE) Program.
    • $15.0M for the National Cybersecurity Center of Excellence.
    • $16.5M to maintain the current operating level for the National Strategy for Trusted Identities in Cyberspace (NSTIC).
  • International Trade Administration (ITA): $470.0 million in total resources, offset by $9.4 million in estimated fee collection.
  • Bureau of Industry and Security (BIS): $101.5 million for operations and administration.
  • Economic Development Administration (EDA): $246.5 million for programs, including $209.5 million for Economic Development Assistance Programs.
  • Minority Business Development Agency: Receives $28.0 million in funding.
  • Economic and Statistical Analysis: Provides $99.0 million in funding.
  • Working Capital Fund: Rather than supporting the level requested for the WCF, the Commerce Department is expected to submit a list of transfers to and activities funded from the WCF along with its 2014 spending plan. The agreement supports the plan to establish the Enterprise Security Operations Center from the WCF.


Fellow GovWin Federal Industry Analysis (FIA) analysts Kyra Fussell, Angela Petty, and Alex Rossino contributed to this entry.

---
Originally published for Federal Industry Analysis: Analysts Perspectives Blog. Stay ahead of the competition by discovering more about GovWin FIA. Follow on Twitter @FIAGovWin.

Security Challenges in 2013 Will Continue Demand for IT Security

With the ink barely dry on a budget deal to fund the government for the remaining three fiscal quarters of FY 2014, all signs continue to point to fiscal constraint. But given the number, diversity, and high-profile nature of several cybersecurity events of the past year, one area of federal growth for the foreseeable future, especially in staffing, is cybersecurity.

Nextgov recently published a list of their ten worst security hacks of 2013, which ranged from government networks and media organizations to personal credit card information. The variety and international nature of many of these attacks underscore that the battlefield of today and the future continues to reside in cyberspace. And the Department of Defense’s U.S. Cyber Command and its branch components are working to staff up with uniformed personnel and others to meet the challenge.

The Army has around 500 cyber-staff and is building a new command center at Fort Meade, Md., to house 1,500, leading a worldwide cyber-corps of 21,000 soldiers and civilians. By 2017, the Air Force will add more than 1,000 uniformed cyber-forces to its 6,000 experts now working at Air Force Space Command.

The Navy had 800 cybersecurity staffers in 2013 and will reach nearly 1,000 by 2017, working toward a mix of 80% uniformed sailors and 20% civilian employees and contractors. The Marines currently have 300 uniformed personnel, civilians, and contractors at work and plan to increase that number to just under 1,000 by 2017.

By contrast, the Department of Homeland Security — which is charged with protecting the federal civilian .gov domain — can’t seem to hire quickly enough, as proven by some recent legislation. The latest proposed amendment to the Homeland Security Act of 2002 would require the DHS Secretary to regularly assess the readiness and capacity of the agency’s cyber workforce to meet its cybersecurity mission and develop a comprehensive workforce strategy to enhance readiness, capacity, training, recruitment and retention of the cyber workforce, including a five-year recruitment plan and 10-year projection of workforce needs.

Homeland Security’s challenges in recruiting and retaining cybersecurity personnel are not breaking news. Even with multiple agency efforts to improve recruitment and retention, the Government Accountability Office reported this year that over 20% of cybersecurity positions are vacant at the National Protection and Programs Directorate, the primary DHS cyber-division.

Agencies beyond Homeland Security have also continued to supplement their internal workforces with contracted personnel. Office of Management and Budget reports show that up to 90% of federal IT security spending is on personnel costs, so the focus on beefing up the cyber ranks does raise the issue of cost.

However, given that the lack of an experienced and skilled cybersecurity workforce continues to put agencies at risk -- as well as demand for an improved national cybersecurity posture -- cyber spending will likely continue to buck the budget belt-tightening trend.

---
Originally published for Federal Industry Analysis: Analysts Perspectives Blog. Stay ahead of the competition by discovering more about GovWin FIA. Follow me on Twitter @GovWinSlye.

Targeting Security Improvements through Supply Chain Risk Management

National Aeronautics and Space Administration (NASA) officials started market research over a year and a half ago for the follow-on to a government-wide acquisition contract (GWAC) that supplies federal agencies with information technology products and product-based services. One new aspect of this follow-on is the growing emphasis on IT supply chain risk management.

Since the release of the Request for Proposal (RFP) for the next iteration of the Solutions for Enterprise-Wide Procurement (SEWP) contract in August, NASA’s program office for SEWP has released 12 amendments and extended the submission due date into December. The security associated with IT supply chains has received increasing attention. On the vendor side, more detail around supply chains will be disclosed in SEWP V. Information about industry supply chains will help to clarify the various risks and costs as products move from manufacturers to government customers. Supply-chain risk management considers what technologies agencies are using and evaluates layers of risk from how a product moves from a manufacturer to a customer.

Aligned with the Executive Order released in February, efforts to improve critical infrastructure security have highlighted mitigating security risks introduced through the supply chain. Back in April 2013, the Cyber Security Research Alliance (CSRA) conducted a workshop in collaboration with the National Institute of Standards and Technology (NIST) targeting security for cyber-physical systems (CPS). Cyber-physical systems span applications in critical infrastructure including power and water, industrial systems, emergency management, security systems, and medical devices among others. Among other topics, the workshop participants explored the impact of supply chain on securing CPS. The global market for information and communication technology product manufacturing introduces numerous opportunities for products to be subject to tampering or sabotage. Both insufficient diligence around buyer practices and lack of visibility into the supply chain present challenges for reducing and managing risks.

Recommendations for moving forward included developing supplier reliability and monitoring methodologies. In particular, findings recommend advancing research and development for tools to identify vulnerabilities and corrective measures, reviewing existing practices to improve information sharing and collaboration between suppliers and buyers, building security technology refresh into life-cycle, and leveraging analytics to target potential future failures and counterfeits.

Moving forward, the practices of government contractors are likely to be subject to increasing scrutiny as agencies face growing reporting requirements, demand cost efficiencies, and strive to comply with security mandates.  Past iterations of the SEWP have been leveraged by organizations across the government. With the increased performance period and ceiling value of SEWP V, it’s clear that trend is expected to continue.  In order for vendors to maximize the opportunity, they need to meet the modernized requirements. Deadline for submission to the SEWP V RFP is set for December 16, 2013.

Further perspective on current and evolving government cyber security concerns is available in our latest report: Federal Information Security Market, FY 2013-2018.

-------

Originally published for Federal Industry Analysis: Analysts Perspectives Blog. Stay ahead of the competition by discovering more about GovWinIQ. Follow me on Twitter @FIAGovWin.

Defense and Security Mobility Landscape Reflects Changes and Challenges

Federal agencies in the defense and security mission areas are grappling with how to effectively harness the capabilities of mobile and wireless technologies in a secure and cost-effective way. The remarks and panel discussions at a recent industry event reveal that agencies are in different points in their development, but all are facing challenges.

At the recent Defense and Security Mobile Technologies Symposium held by AFCEA-DC, representatives from across the Department of Defense, Department of Homeland Security, the intelligence community and other federal agencies gave their individual perspectives on their mobility plans, activities, and challenges.

A few general take-aways from the event:

  • Changing technologies – Federal agencies, especially DoD, are still struggling with the rapid change of technology and the security challenges of mobility. This is especially true for BYOD. But agencies recognize that they can’t keep spending on specialized devices at the same rates as in the past.  

  • Declining budgets – Surprise! NO ONE said their budget would be up for mobility in the coming year(s). A few agency speakers said their budgets will be flat at best. Most said things like “we need to find efficiencies in our IT and shift the savings to other (non-IT) areas.”
      
  • Shifting view of MDM – The consensus among agencies is to move in the direction of device-agnosticism so that they can accommodate and secure whatever devices connect to their networks. This has direct implications for Mobile Device Management (MDM) policies and approaches, leading some to say that MDM that focuses on the device is the wrong approach. Similarly, there’s continued stress on implementing security at the data level, rather than primarily focusing on security at the network and device level. While these themes are consistent with what we’ve been hearing over the last several years, it is clear that agencies are still working to make them a reality. It’s going to take longer than most anticipate.
      
  • CAC’s the way – DoD mobility credentialing will be inextricably linked to CACs since they are effective and ubiquitous. The Pentagon is looking for ways to allow users to access a network via multiple concurrent devices through derived credentials via Common Access Card (CAC). There are a lot of policy and technical issues to work through inside the Department and with solutions-providers, as is noted in a recent news story on the topic. While technical issues exist, governance policy is also a major hurdle.
      
  • More choices, more challenges – The rapid growth of Android and Apple devices is driven by end-user demand for more functional capabilities, but it also continues to present management issues. iOS devices present some challenges within the DoD because Apple doesn’t change their products simply because the government wants them to. Their branding is based on careful attention to their individual customer experience and that is not something they are willing to risk lightly.

Clearly, the federal mobility landscape will be in a state of flux for the foreseeable future, presenting opportunities for creative solutions providers to offer policy and governance support as well as technical offerings.

---
Originally published for Federal Industry Analysis: Analysts Perspectives Blog. Stay ahead of the competition by discovering more about GovWin FIA. Follow me on Twitter @GovWinSlye.

Congress May Press DHS to Bolster Cybersecurity Workforce Development

When we hear the phrase “boots-on-the-ground” most of us think of uniformed military personnel being deployed in active combat situations. But a current bill in the U.S. House of Representatives uses the phrase in connection with boosting Department of Homeland Security (DHS) efforts to improve its domestic cybersecurity workforce development activities.

In October, the House Committee on Homeland Security marked up and passed the bill by voice vote, authorizing it to be reported to the full House for consideration. It joins several other cybersecurity-related bills that have been introduced and are at various stages of progression. It is as yet unclear which, if any, of these bills will progress to a vote in the House and be taken up in the Senate, given other priorities.

HR 3107 - Homeland Security Cybersecurity Boots-on-the-Ground Act

The bill in its current form would require DHS to develop:

  • Occupation classifications for individuals performing cybersecurity mission activities and ensure that they are used throughout DHS as well as other federal agencies
  • Workforce strategy that enhances the readiness, capacity, training, recruitment, and retention of the DHS cybersecurity workforce, including a multi-phased recruitment plan and a 10-year projection of federal workforce needs
  • Verification process so that contractor cybersecurity employees at DHS receive initial and recurrent information security and role-based security training

Other provisos

  • Defines "cybersecurity mission" as threat and vulnerability reduction, deterrence, incident response, resiliency, and recovery activities to foster the security and stability of cyberspace.
  • Directs the DHS Chief Human Capital Officer and Chief Information Officer to assess the readiness and capacity of DHS to meet its cybersecurity mission.
  • Requires the Secretary to provide Congress with annual updates regarding such strategies, assessments, and training.
  • Expands recruiting outreach through a tuition-for-work fellowship program and a program to identify military veterans and unemployed computer specialists for potential DHS cybersecurity employment

Implications

The challenge that DHS has faced with recruiting and retaining cybersecurity personnel is not breaking news. DHS has announced multiple efforts to improve recruitment and retention over the last 5+ years. Even with those efforts, the GAO reported earlier this year that more than 20% of cybersecurity positions at the National Protection and Programs Directorate (NPPD) are vacant (see p. 24). 

To cope with the shortfall agencies have continued to supplement their internal workforce with contracted personnel, but budget constraints from all sides add to the challenge. According to OMB, up to 90% of federal IT security spending is on personnel costs. The rest is a mix of training, testing, cyber tools and risk management policy implementation.

It seems to me that this is a tough cost model to sustain in an increasingly constrained fiscal environment, but the nature of current cybersecurity operations and existing needs present challenges to automating many functions that require experienced analysts’ eyes (or “boots,” to follow the theme) monitoring the networks. The nature of the work combined with the priority of improved overall cybersecurity continues to show growth prospects, bucking the budget belt-tightening trend.

Read more of our perspective in our latest report: Federal Information Security Market, FY 2013-2018.

---
Originally published for Federal Industry Analysis: Analysts Perspectives Blog. Stay ahead of the competition by discovering more about GovWin FIA. Follow me on Twitter @GovWinSlye.
