Commerce Department Looks to Modernize IT by Sharing

The Commerce Department’s CIO, Steve Cooper, has called out three focus areas for technology priorities: shared services, infrastructure, and modernizing the department’s technology strategy. Implementation of shared services will have a palpable impact on contracting, since the federal agency is considering a broker model to deliver services and achieve cost savings. 

The Department of Commerce has established four working groups targeting opportunities to implement shared services within technology, finance, human resources, and acquisition. The aim of these groups is to identify capabilities within those lanes to be delivered by a set of shared service providers. The department will likely stand up a shared service broker, an internal organization that will be responsible for selecting and managing providers, service agreements, and performance. By focusing shared services on commodity technologies and capabilities, bureaus will be able to free up resources to deliver greater value to mission activities.

According to a recent interview with Commerce's CIO, the acquisition approach has yet to be determined. One potential option will be to pursue shared services as a joint effort along with other functional areas. The other option would treat these services independently. While bureau leadership is in favor of more broadly adopting a shared service model, none of the bureau CIOs have volunteered to take on the responsibilities of being the provider. This presents an opportunity for vendors to fill the role. A request for information (RFI) is expected out by the end of the year, which will then lead to a request for proposals (RFP) for the selected services. Since the leadership consensus across Commerce’s CIOs is inclined toward testing out shared service models sooner rather than later, service providers should watch for upcoming opportunities. In the short term, an RFI and RFP are expected for video teleconferencing and audio conferencing. 

Additional direction for efforts related to shared services and cloud services implementation is covered in the department’s enterprise transformation roadmap. Other areas to monitor for opportunities at Commerce include technology infrastructure modernization, like secure wireless.


Originally published for Federal Industry Analysis: Analysts Perspectives Blog. Stay ahead of the competition by discovering more about GovWinIQ. Follow me on twitter @FIAGovWin.


DISA Contract Consolidation: How Will DISN/DoDIN Support Contracts Be Affected?

Last week I posted a brief analysis of contracts supporting the Defense Information Systems Agency’s Defense Enterprise Computing Centers that might be vulnerable to consolidation in the next 2-4 years.  At its recent Forecast to Industry event, DISA officials stated repeatedly that contracts will be consolidated in the years to come as a cost savings measure.  The plain fact is that when sequestration returns in fiscal 2016, it will reduce DISA’s budget by a considerable percentage.  The agency has no choice but to reduce the amount it spends on contractor-provided goods and services.  What the percentage reduction in DISA’s budget will be remains to be seen, but vendors should be prepared to see it drop significantly compared to agency budgets in years past.

Another area of discussion at the DISA Forecast revolved around contracts that support the Defense Information Systems Network, otherwise known as the Department of Defense Information Network, or DoDIN.  Here the impetus to consolidate contracts was less pronounced.  In his comments, Jesse Showers, the Vice Director of Network Services at DISA, outlined basic requirements for 10 project areas with anticipated budgets over $10 million that will be satisfied using a small number of large contract vehicles.  These vehicles and requirements worked out as follows:

Work on the Operations, Sustainment, Maintenance, and Net Assurance of the DoDIN will be performed by vendors holding GIG Services Management (GSM) – Operations, Engineering, Transition and Implementation, and Projects and Support contracts.

Transport and Bandwidth Services will be provided by vendors holding DISN Access Transport Services (DATS) until these requirements transition to other, undetermined contracts in fiscal years 2015-2016.  Meanwhile, the forthcoming Global Network Services contract(s) will absorb work currently being performed under the JHITS contracts and various task orders awarded to GSA Networx vendors.  Finally, based on what Mr. Showers stated, work being performed under DISN Transmission Services Pacific II (DTS-PII) will fall under the recompete of this contract DISA will conduct in FY 2017.

SATCOM support will continue under the Future Commercial Satellite (FCSA) contract until fiscal 2019.

So, where will future opportunities be found?  Curiously, Mr. Showers’ comments did not focus on contract consolidation, suggesting that work supporting the DISN/DoDIN will be more stable over the next several years.  If this is the case then the information in the following table will prove useful.    

Order/Contract # / Contract Vehicle # / Vendor / Exp. Date / Contract Name
  • VC01 HC102808D2009 CGI Federal 4/30/2018 Encore II Task Order
  • VC08 HC102808D2023 Northrop Grumman  4/30/2018 Encore II Task Order
  • HC102813F0062 GS06F0621Z ECS Federal 2/3/2018 No Data
  • HC102813F0094 GS06F0621Z ECS Federal  1/23/2018 Info Assurance Support
  • HC102813F0089 GS06F0599Z Alliant Enterprise JV 1/16/2018 No Data
  • HC102813F0027 SBD Alliant 11/1/2017 Creech AFB Labor
  • HC102812F0619 ECS Federal 9/16/2017 No Data
  • HC102812F0677 GS06F0603Z AOC Alliant Tech 9/16/2016 No Data
  • TKCT006T76IRU HC101306H0502 TKC Technology 1/30/2016 No Data
  • GS06F0616Z Data Networks 1/15/2016 No Data
  • HC101311C0100 AT&T 11/30/2015 DISN Video Services Global
  • SNVC006H2QIRU HC101305H0669 Communication Decisions-SNVC 11/15/2015 No Data
  • MCIT006GX6IRU DCA20092H0104 Verizon 8/15/2015 Telecom Services IDIQ Task Order
  • MCIT006GX7IRU DCA20092H0104 Verizon 8/15/2015 Telecom Services IDIQ Task Order
  • SPCC40007 HC101304H0530 Sprint 2/27/2015 No Data
  • SPCC40009 HC101304H0530 Sprint 2/27/2015 No Data
  • SPCC40011 HC101304H0530 Sprint 2/27/2015 No Data
  • SPCC40012 HC101304H0530 Sprint 2/27/2015 No Data
  • MCIT40008 DCA20092H0104 Verizon 2/27/2015 Telecom Services IDIQ Task Order
  • MCIT40010 DCA20092H0104 Verizon 2/27/2015 Telecom Services IDIQ Task Order
  • VYVX40002 HC101304H0570 Level 3 1/28/2015 Data Migration
  • VYVX40003 HC101304H0570 Level 3 1/28/2015 Data Migration
  • VYVX40004 HC101304H0570 Level 3 1/28/2015 Data Migration
  • VYVX40005 HC101304H0570 Level 3 1/28/2015 Data Migration
  • VYVX40006 HC101304H0570 Level 3 1/28/2015 Data Migration
  • TWTH40084 HC101304H0528 Time Warner 12/19/2014 No Data
  • TWTH40085 HC101304H0528 Time Warner 12/19/2014 No Data
  • TWTH40086 HC101304H0528 Time Warner 12/19/2014 No Data
  • TWTH40087 HC101304H0528 Time Warner 12/19/2014 No Data
  • TWTH40088 HC101304H0528 Time Warner 12/19/2014 No Data
  • TWTH40089 HC101304H0528 Time Warner 12/19/2014 No Data


I’ve listed here all of the support contracts that will be expiring from FY 2014 on.  Unfortunately, the data for many of these efforts is lacking detail, so in some cases I cannot point readers to specific types of work.  What I can do is put on everyone’s radar the contracts, expiration dates, and incumbents so that those seeking to compete for work on the DISN/DoDIN will understand what and who they’re up against.  I suspect a lot of the requirements currently being fulfilled by these vendors will be consolidated into either Global Network Services or the GIG Services Management Contracts, but in case they aren’t this list will help you zero in on potential opportunities in the next few years.


GSA Reports Agency Buying Trends through Networx

In early June, the General Services Administration (GSA) reported on government telecommunications buying habits from the first half of fiscal 2014. Using data collected through their Networx program, GSA analysis found $332 million in agency savings amid increased acquisition.

GSA’s “big data” from Networx acquisition details stems from over 136 federal agencies buying through the program. These agencies purchased over $762 million in services through Networx during the first half of fiscal 2014. This amounts to a 12.8% year-over-year increase in purchases from FY 2013, and it means that agencies are spending more through the Networx contracts.

Several services have been purchased more during the first half of this year than last. These include Network-Based Internet Protocol Virtual Private Network Service, Managed Network Services, and call center services. GSA also observed an increase in storage services, such as Network Attached Storage and Storage Area Networks. Their analysis also noted a decrease in several services, particularly Frame Relay Service and Asynchronous Transfer Mode. Since GSA uses percentages to report its findings about changes from FY 2013 to FY 2014, it’s difficult to tell exactly how much growth (or contraction) was seen in the various services it highlights.

According to GSA, these trends are indicative of trends in the broader market. As an analyst covering communications and network services in the federal space, I couldn’t help but wonder how patterns through Networx weigh against other major vehicles like Transformation Twenty One Total Technology Program (T4) and Schedule 70. Leveraging the Federal Industry Analysis team’s market segmentation and reported IT obligations for FY 2013, the communications and network services (CNS) market saw over $2 billion in spending. Across the government, the top ten vehicles for CNS FY 2013 obligations are as follows:

  1. GSA Schedule 70
  2. Networx Enterprise
  3. Operations Maintenance and Defense of Army Communications (Southwest and Central Asia)
  4. Transformation Twenty One Total Technology Program (T4)
  5. Networx Universal
  6. DISN Satellite Transmission Services – Global
  7. Total Engineering and Integration Services (TEIS III)
  8. Department of Navy Wireless Services
  9. End-to-End Solutions for the Future Commercial SatCom Acquisition
  10. Information Technology Enterprise Solutions 2 Services (ITES 2S)

In total, these ten vehicles comprise 41.5% of reported spending for that fiscal year. Both Networx vehicles (Enterprise and Universal) fall in the top five contract vehicles. Combined, these two vehicles represent 11.9% of the spending in this segment of the IT market for FY 2013. While those contracts represent a growing portion of the CNS market, it still leaves room for wondering how trends through roughly 12% of the market align with the other 88%.


Originally published in the GovWin FIA Analysts Perspectives Blog. Follow me on Twitter @FIAGovWin.


Cloud Trends: Feds Buy Communications and Collaboration Solutions

Having blogged extensively about Defense cloud computing and the Defense Information Systems Agency over the last month or so, I thought I’d change tack this week and examine the use of cloud based communications and collaboration tools across the federal government.  Communications and collaboration solutions, what I like to call C2S, are today the most common cloud-based capabilities bought by federal customers.  This may change in the future, of course.  For now, however, C2S procurements rule the cloud roost, making it worth diving into the composition of the market to derive insight on the solutions being used.

Everyone has heard by now that replacing email systems is usually the first foray most federal agencies make into the cloud.  Large contract awards to Microsoft and Google receive a lot of media attention.  C2S, however, involve a lot more than just email systems.  The chart below shows the distribution of 52 C2S procurements over the last four and a half fiscal years by solution type.  As we can see, email procurements make up the majority of solutions procured.  So far so good, right?


Appearances can be deceptive.  Readers will notice that email solutions are part of a larger category described as “Bundled Comms.”  The reason I’ve used this term is to denote that agencies rarely buy cloud-based email upgrades alone.  Instead, they tend to buy integrated solutions that include email as the primary capability.  Often these bundled solutions also include chat, presence, and even telephony; capabilities that are typically part of unified communications solutions.  The only reason I haven’t referred to them as UC is that some of the solutions in this category are purely email.  Splitting hairs aside, the point is that agencies are buying cloud-based bundled communications solutions within which email is but one of many capabilities.

Other cloud-based solutions agencies are buying include SharePoint, video teleconferencing, communications infrastructure, and telephony.  The communications infrastructure category includes Wide Area Networks (WANs) at the Department of Health and Human Services and scalable capacity communications infrastructure for DISA headquarters and remote locations.  The balance of procurements center on automated information and data sharing solutions utilized for a variety of purposes.

What’s making all of this possible is the gradual transition of agency communications infrastructures to Internet Protocol-based transport networks.  At some agencies this process is mature, at others not so much.  The takeaway is that as Everything-over-IP becomes more common so will the use of cloud solutions.  Migrating to the cloud is not only a matter of developing the business case and identifying the capability to be used, it is also laying the transport infrastructure enabling the use of cloud solutions.  Therefore, the evolution of IP-based transport infrastructure should promote increased use of the cloud across the federal government, meaning it’s only a matter of time before capabilities delivered via the cloud become dominant in federal IT. 



DISA’s FY 2014-2019 Strategic Plan: Observations & Implications

Basing business decisions on an agency strategic plan can be tricky.  All too often the goals and objectives stated by an agency in the plans are either never met or they take years to manifest as business opportunities.  Those observations are probably valid in regard to the Defense Information Systems Agency’s latest Strategic Plan for the next five fiscal years.  However, given the increasingly central role that DISA is playing in Defense IT, I feel compelled to point out some of the plan’s implications for IT vendors in case they translate into acquisitio

It’s All About the JIE

Not surprisingly, DISA’s strategic plan focuses heavily on development of the Joint Information Environment.  For the uninitiated (believe it or not there are still a few of them kicking around!), the JIE is a multi-year effort directed at creating a common operating environment across the Department of Defense.  The effort centers on engineering a secure transport environment that leverages Internet Protocol technology for the delivery of capabilities and services.  This environment also unifies identity management and network monitoring capabilities into Joint Regional Security Stacks, providing a Single Security Architecture that the DoD argues is more defensible than the multiple, stovepiped network environment that currently exists.  The final piece of the puzzle is enterprise services, which DISA will deliver on a cloud-basis via both government and industry hosted clouds.  The industry part of that latter JIE element has been slow to develop, but DISA promises this will change in coming years.

In summary, there are three major areas of investment related to the JIE – transport infrastructure, cyber security, and cloud services.  Today’s post focuses on the first of these - modernization of the DoD’s transport infrastructure.

Transport Infrastructure

The Plan – “Normalize Networks with common standards … to eliminate excess redundancy and legacy non-IP services; Standardize and consolidate computing infrastructure to maximize utilization of fiscal resources.”

My Take – “Common standards” and “maximize utilization of fiscal resources” are best interpreted as commoditization of IT hardware purchased through contract vehicles already in place at the lowest possible cost.  By necessity this strategy limits competitively available opportunities to vendors already doing the work.  At DISA this would include those holding contracts for O&M of the Defense Information System Network (DISN), as well as Global Information Grid Services Management Engineering, Transition, and Implementation (GSM-ETI) and GSM-Operations contracts.  In the Army, the main beneficiaries are those providing network engineering support in the areas of European Command/Africa Command and at Camp Humphreys in South Korea.  Included among these would also be those holding Infrastructure Modernization (IMOD) contracts.

DISA, along with other federal agencies, has realized that IT transport hardware has become so inexpensive that by utilizing a targeted strategy which installs the new hardware at critical points in the network, it is able to boost bandwidth and “normalize” networks at relatively low cost.  This is a trend I would expect to see spread to more federal agencies.

The Plan – “Establish an Airborne – Intelligence, Surveillance, and Reconnaissance (A-ISR) Transport Service.”

The Plan – “Ensure DoD’s access to [electromagnetic] spectrum [that will] lead the development of … an architecture to transform Spectrum Management (SM) to support future cloud based operations and warfare. Implement, integrate, and improve cloud-based SM services/capabilities and influence/facilitate the implementation of emerging spectrum technologies.”

My Take – Demands for more spectrum bandwidth to deliver enterprise services have increased exponentially in recent years despite the withdrawal of U.S. military forces from Iraq and Afghanistan.  In line with the Anti-Access/Area Denial (A2/AD) tenets of the Air Sea Battle operational concept, a rising percentage of this demand has centered on satellite communications and, recently, on aerial platforms.  These objectives in DISA’s strategic plan suggest the agency will be investing in aerial ISR platforms and in cloud-based capabilities to better manage electromagnetic spectrum.  If DISA also requires architecture to enable these cloud-based capabilities, it suggests that commercial engineering support will be procured as well.

In short, these few lines from DISA’s strategic plan indicate that opportunity at the agency will be available for vendors across the range of IT goods and services.  Transport hardware investments will move to Air Force and Navy providers as the next regional phase of the JIE shifts into gear in the Pacific.  Transport hardware will also be required for the A-ISR investment and, presumably, for cloud-based spectrum management as well.  Software vendors providing cloud-based spectrum management capabilities (this is a rapidly evolving technology area!) will also find interest at DISA and those experienced in engineering services for the cloud will also find opportunities to compete.

Sources Sought for Satellite Data Processing

The National Oceanic and Atmospheric Administration (NOAA) recently issued a sources sought notice for data center processing to support satellite constellations expected to be launched in the next five years.

The National Environmental Satellite, Data, and Information Service (NESDIS) notice outlined a potential requirement to support and provide the Constellation Observing System for Meteorology, Ionosphere, and Climate (COSMIC-2 (C2)) processing system. The follow-on contract to the current COSMIC constellation includes two constellations, each comprised of six satellites. Launches for the two constellations are planned for 2016 and 2018.  The first constellation, to be launched in 2016, will be in an equatorial orbit, providing increased observation over the tropics. The second constellation, to be launched in 2018, will be in a polar orbit, similar to the predecessor COSMIC constellation, providing data with global coverage. The performance period for the effort could stretch from FY 2014 to FY 2022. Development efforts would stretch over the first two years of that span, followed by operations and maintenance as well as post-processing and archiving work beginning in FY 2016.

The sources sought notice calls for a contractor to provide a mature, fully automated Global Navigation Satellite System Radio Occultation (GNSS RO) data processing, distribution, and archival system by May 2016. Like other weather satellites, these systems collect data that enable longer lead times on severe weather warnings and more accurate forecasts. As government agencies work to make information machine readable and publicly available, the data generated and disseminated by weather satellites is often highlighted as a potential source of economic fuel. Yet even these programs do not escape budget pressure.

The FY2015 budget requested some $6.8 million for COSMIC-2. Down the line, additional funding for the program is expected to come from an international partnership with Taiwan, which has pledged around $100 million towards construction costs for the second satellite constellation. Recent debate around NOAA’s various satellite systems has raised questions about prioritizing funding. At the same time, the full cost and operation of the 12-satellite COSMIC-2 is expected to be a fraction of other satellite programs, like the Joint Polar Satellite System (JPSS). Recently, the Senate subcommittee approved $51 billion for Commerce, Justice, and Science. The bill is expected to go before the full Senate Appropriations Committee on June 5, 2014, removing the current guesswork about competing programs and potential spending caps for the satellite programs.

Responses to the notice are due by June 30, 2014. Updates and additional information are available through the GovWin opportunity database (opportunity ID: 114905).




DoD Cloud Innovation: Research on Cloudlets

The Department of Defense’s efforts to utilize commercial cloud solutions over the last few years have received a decent amount of attention in the trade press and on the conference circuit.  The reporting tends to evaluate the DoD’s use (or non-use, as the case may be) of the cloud from the perspective of a standard commercial business use-case, meaning DoD customers are expected to either identify applications to migrate, solicit the work, and migrate the app to a commercial hosting solution, or to purchase a capability as a service from a commercial provider.  It is against these standard approaches to cloud computing that the DoD’s efforts have been judged.  Cloud innovation at the DoD, however, is often more diverse and exploratory than industry is led to believe.  This and next week’s posts will examine two examples of innovative cloud use in the DoD in an effort to show that there can be business opportunities for vendors beyond the threshold of “ordinary” use-case expectations.

Mobile Cloudlets

The first area of innovation is in mobile cloudlets.  What’s a mobile cloudlet?  Good question.  Cloudlets are an approach to cloud computing in connection-challenged environments that is being pioneered by researchers at the Carnegie Mellon University’s Software Engineering Institute.  As explained by Grace Lewis, a Senior Member of the Technical Staff at the SEI, “cloudlets … are lightweight servers running one or more virtual machines [that] allow soldiers in the field to offload resource-consumptive and battery-draining computations from their handheld devices to nearby cloudlets. This architecture decreases latency by using a single-hop network and potentially lowers battery consumption by using WiFi instead of broadband wireless.”  This approach, which takes advantage of both cloud computing and mobile technology, provides mission capabilities more effectively to military personnel, and, potentially, law enforcement and first responders, in difficult environments where connectivity may be lacking.

Research on cloudlets in the DoD is currently focused in a couple of different areas.  The first of these is funding for work at the SEI, which I won’t go into here because of the limited addressability of these dollars.  The second area is research being performed at the Army Research Laboratory (ARL) related to Mobile Ad-Hoc Networks, or MANETs.  Specifically, in FY 2015, the ARL has requested $6.1 million for the Information Protection for Mobile Ad-Hoc Networks project.  The goal of this project as it relates to cloudlets is to “develop security protocols and processes for using tactical cloudlets as a shared resource among Warfighters and coalition forces.”  In addition, the ARL has also requested $1 million for the Mobile Network Modeling Institute to examine the “impact of clouds and local tactical cloudlets on network behaviors.”  The final effort worth noting is the Heterogeneous Computing and Computational Sciences project.  For this work, the ARL has requested $1.67 million to “create new models to describe offered load and computational capacity within cloudlet-based services in Army-centric mobile and ad hoc networked technologies.”

There is of course no guarantee that any of this money ever materializes into a contract.  What’s important to remember in this context is the direction of the DoD’s efforts and the potential impact this could have on future business opportunities.  As the DoD’s use of cloudlet-based approaches evolves, it can translate into benefits for those who have positioned themselves to offer solutions that can operate in a cloudlet.  This means potential opportunity down the road for software development and mobile application vendors.  The winds are blowing toward cloudlets in connectivity-challenged environments, suggesting that those who tack into this wind will find interested customers in the DoD.


Balancing Security and Capability Remains Challenge for Mobile Adoption

The Mobile Work Exchange held its fall 2013 town hall meeting on September 12, 2013. The conference explored strategies for deploying a more mobile workforce, offering insight from over 20 speakers from both government and industry leadership.

In his opening address, the Bureau of Alcohol, Tobacco, Firearms, and Explosives’ Rick Holgate noted shifts in technology adoption over the last five to ten years. Holgate, the Assistant Director for Science & Technology and Chief Information Officer, cited findings from two surveys, saying, “One thing I think we would all agree on is that the federal workforce is extremely optimistic about the productivity that mobility represents and the potential productivity gains.” Indeed, the impact of mobility spans various areas like productivity, transportation, and real estate. Potential savings estimates range from $12 to $14 billion per year in efficiencies. These untapped efficiencies mainly fall into two areas: increasing workforce productivity and consolidating real estate.

Along with increased mobile capabilities over the past 5 to 10 years, the work environment has evolved. These advances in mobility have introduced new challenges, particularly related to security and privacy. Referencing the Mobile Security Framework, Holgate applauded “agencies that have somewhat different security perspectives and baselines and ways of thinking about security” collaborating to establish a government-wide baseline for mobile security. Traditionally, guidance documents from the National Institute of Standards and Technology (NIST) have identified security controls but left it up to individual agencies to determine how to apply them. This baseline guidance allows agencies to make progress with mobile adoption efforts, particularly around shared mobile device management solutions.

The theme of security challenges continued throughout the day. In his luncheon keynote, the Air Force’s Major Linus Barloon described various issues he’s encountered related to information security. Challenges persist around identifying ways to improve prevention of security incidents, spill containment, and re-establishing security. Current technology has evolved to where previous approaches, like wiping machines and reintroducing them to computing environments, are no longer considered as effective.

Based on his experience, Barloon suggested that getting devices in the hands of users is only a quarter of the problem around mobility. Noting the numerous contract vehicles and acquisition mechanisms, Barloon observed, “It’s very easy to get that device into your users’ hands.” Once that’s achieved, however, questions arise about governance, extending to legal, ethical, and acceptable uses for devices. With the shift to mobile environments, issues emerge around translating and applying risk management frameworks to mobile devices, determining how to apply risk principles to these devices, and also defining how these devices will factor into continuous monitoring. It’s a balancing act, as Barloon described it. On the one hand, agencies aim to limit risk. On the other, they’re looking to increase operational capability.

In his closing, Holgate suggested the development of the next generation of the Digital Government Strategy is likely to assess agencies in terms of maturity of mobile adoption. This next step would also look to determine how to bring lagging organizations up to speed. Another area for development, Holgate noted, is in establishing metrics for program impact, especially in areas like workforce productivity and quality of citizen services.

The next Mobile Work Exchange session is scheduled for April 10, 2014. More information is available through the event site.

NIST Guidance Tackles Mobile Authentication

The Commerce Department’s National Institute of Standards and Technology (NIST) recently updated its guidance to government agencies for electronic authentication (e-authentication) for federal IT systems and services providers.
NIST’s Electronic Authentication Guidance (Special Publication 800-63-2) covers remote authentication of users (e.g. employees, contractors, and private individuals) leveraging open networks to interact with government information systems. As a supplement to the Office of Management and Budget’s (OMB) guidance, E-Authentication Guidance for Federal Agencies, the NIST work builds on levels of assurance that are defined by the consequences of authentication errors and credential misuse. The OMB guidance from 2003 provides federal agencies with criteria for determining the level of assurance needed for applications and transactions. These four levels of assurance address identity proofing, registration, tokens, management processes, authentication protocols and related issues.
The guidance from OMB also provides a five-step process for agencies to fulfill their e-authentication requirements. The guidelines from NIST target the third step in this process, which involves selecting “technology based on e-authentication technical guidance.” Outlining specific technical requirements for each of the assurance levels, the NIST document addresses:
· Registration and identity proofing;
· Token (e.g. cryptographic key, password) for authentication;
· Token and credential management mechanisms;
· Protocols to support authentication mechanisms;
· Assertion mechanisms used in communicating remote authentication.
The lowest level achieved in any of the technical areas listed above determines the overall authentication assurance level. Agencies may use additional risk management measures to adjust the level of assurance. In particular, privacy requirements and legal concerns may contribute to a context in which an agency may deem additional authentication measures appropriate.

Previously, NIST released updated guidance that reflected authentication token technologies and restructured the e-authentication architectural model for increased clarity. Among other changes, that revision also added technical requirements for credential service providers, protocols used in transporting authentication data, and assertions related to implementation within the e-authentication model.
The most recent edition provides a more limited update with most of the changes focused on processes for registration and issuance of professional credentials. Two general categories of threats for the registration process are impersonation and compromise of the infrastructure. Since infrastructure threats are addressed by normal security controls, the NIST guidance emphasizes mitigating the threat of impersonation. Two approaches are presented for deterring impersonation: either make it more difficult to accomplish or increase the likelihood of detection. The technical guidance provides several strategies for making impersonation more difficult and describes general requirements for each of the four assurance levels.
Despite budget limitations, agencies continue to look for ways to make information more accessible and empower an increasingly mobile workforce. System risk assessments and technical requirements associated with specific assurance levels will shape the solutions they implement in their mobile strategies. While assurance requirements will vary across the government, this technical guidance provides a structure for describing agency security requirements and provides vendors with a framework for articulating how solutions will fulfill those needs.

DoD Targets Rapid Mobile Technology Review and Approval Process

The Defense Department (DoD) supports approximately 600,000 smartphone users and is pursuing a strategy to support a broader range of devices. Recently, at the annual Forecast to Industry from the Defense Information Systems Agency (DISA), mobility played a dominant role in the discussion. In particular, goals stressed streamlining the review process for commercial products.
DISA presentations depicted a comprehensive mobility concept including capabilities for Voice/VoIP, email, texting, calendar, automation capabilities, unified communications, telecom expense management, mission partner applications, secure access to the Department of Defense Information Network (DODIN, formerly the Defense Information Systems Network, or DISN), and device security. The vision also includes a mobile app store and enterprise Mobile Device Management.
[Figure: DISA mobility concept. Source: DISA]
Historically, it has taken anywhere from nine months to a year for new mobile devices, mobile applications and operating systems to complete the DoD review process. Often, those technologies are outdated by the time they achieve approval. Jennifer Carter, the component acquisition executive at DISA, described one of the process challenges, saying, “The traditional DoD cycle times do not meet what is needed to get these capabilities out to the warfighter, and we don’t want to be where by the time we issue the device it’s obsolete and … you have to buy it on eBay.” To address this lag, DoD is partnering with industry to achieve more rapid deployment of commercial technologies by streamlining review and approval cycles. These goals will include 30-day turnaround cycles for new hardware, new applications, and new operating systems.

Of the 600,000 smartphone users in the DoD, 470,000 use BlackBerry handsets and 130,000 are piloting iPhone and Android devices for security trials. Back in May, DoD approved the use of Samsung’s hardened version of Android (Knox) in smartphones and BlackBerry 10 devices. Knox took a noteworthy approach to the Security Technical Implementation Guides (STIG) by proactively considering the DoD’s security requirements.
The discussion also called out support needed from industry to close a number of gaps. Moving forward, DISA will be looking for:
· security built into products,
· alignment with NSA protection profiles,
· enterprise license agreements for commercial applications,
· enterprise based cost models, and
· continued advancement of enabled secure mobile applications.
Mobility contract opportunities on the horizon include gateway procurement and enterprise solutions for mobile applications. The gateway request for proposals (RFP) is anticipated during the first quarter of FY 2014. This will be a single award for a firm-fixed-price contract. The request for information (RFI) for mobile applications solutions is also expected during the first quarter of FY 2014.