Fwd: | 10.17.12 | VA encryption licenses lay dormant


John Scott III

Oct 17, 2012, 3:53:06 PM10/17/12
to mil...@googlegroups.com


Begin forwarded message:

From: FierceGovIT <edi...@fiercegovernmentit.com>
Date: October 17, 2012 12:12:14 PM EDT
Subject: | 10.17.12 | VA encryption licenses lay dormant


October 17, 2012

Today's Top Stories
1. OIG finds 85 percent of VA encryption licenses lay dormant
2. IC runs apps acquisition pilot
3. Wheeler: ITAR typically no barrier to releasing government open source code
4. Web content management diminishing in importance, says GSA official
5. IOM: No more DoD-VA integrated medical centers until iEHR

Also Noted: Computer viruses "rampant" on medical devices; VA looks for appointment scheduling tools through contest and much more...


More News From the FierceGovernment Network:
1. DoD setting up national spectrum research facility
2. FBI issues Android malware warning
3. Report: Some government mobile apps are a waste


Today's Top News

1. OIG finds 85 percent of VA encryption licenses lay dormant

By Geoff Whiting

The Veterans Affairs Department has failed to make good on a hard drive encryption policy, finds the VA office of inspector general.

In a report (.pdf) dated Oct. 11, the OIG says the department has installed and activated only 65,000 of the Guardian Edge encryption licenses it bought since a massive data breach in 2006 involving records of 26.5 million active duty troops, veterans, and their family members.

That amounts to just 16.25 percent of licenses procured, auditors say. The VA initially purchased 300,000 encryption licenses in 2006 and bought another 100,000 licenses in 2011, spending about $5.9 million total in license fees and maintenance agreements, according to the report.

The remaining 335,000 licenses have generated "about $5.1 million in questioned costs" and their inactive status means "veterans' personally identifiable information remains at risk of inadvertent or fraudulent access," says the report.

The VA office of information technology "could not provide us reasonable assurance that it would install and activate the remaining encryption software licenses," it adds.

The 65,000 figure represents how many computers had logged in to the Guardian Edge/Symantec server over a three-month period earlier this year, but the OIG says this number may include duplicate counts from some computers.

This large-scale failure is "due to inadequate planning and management," specifically OIT's failure to include time to test the software for compatibility with VA computers, to maintain a sufficient workforce to install the encryption, and to adequately monitor its systems to verify that encryption was present on VA laptops and desktops.

OIT officials told auditors the main reason for the lack of protection is incompatibility issues between different VA computers and the encryption software. "OIT discontinued installation of the encryption software until OIT could upgrade and standardize VA's computer equipment," says the OIG.

As of Aug. 2012, the OIT was still assessing whether the software is compatible with existing operating systems.

The VA's requirement for full disk laptop encryption stems from the 2006 theft of an unencrypted laptop hard drive from a VA employee's home in suburban Maryland. The theft put at risk the personal information of 26.5 million individuals; the department ended up settling a class action suit filed as a result for $20 million in 2009. 

The OIG recommends the VA chief information officer perform an assessment of the encryption software project to see if the software is still compatible with VA systems and meets its needs. The OIT should then develop a plan to install and activate the remaining licenses, accounting for workforce needs and monitoring procedures.

For more:
- download the OIG report (.pdf)

Related articles:
Auditors find ongoing FISMA weaknesses at VA




2. IC runs apps acquisition pilot

By David Perera

The intelligence community is running an acquisition pilot under which qualified apps or widget developers can submit their code to a marketplace and be paid a nominal fee--but if the application's uptake is significant, be paid what it would have cost the federal government to otherwise purchase it, said Dawn Meyerriecks, assistant director of national intelligence for acquisition, technology and facilities.

She spoke Oct. 15 at the Mil-OSS WG4 conference in Arlington, Va.

"If we would be spending a million bucks to buy the application and you satisfy that and you got 100 percent uptake, we'll give you the million bucks," she said.

One area that Meyerriecks might welcome development in is collaboration tools. "I sample lots of collaboration software--I think it universally sucks. Sorry, 'suck' is a technical term," she said.

Meyerriecks also said that the government is getting better in recruiting software development talent.

The bad news is "you now have people who are O5s and O6s that we've trained [to believe] that an engineer is an engineer, and that one from Boeing is probably better than the ones sitting at the desks with GS-13 on their sleeves."

It's rare for an intelligence community official to speak at a conference in a public setting, Meyerriecks noted, just as it is for one to have a LinkedIn profile.

"The official policy of the IC is that you do not have social media accounts," she said. But when Meyerriecks returned to government after 6 years in the private sector, she said, it would have been more conspicuous to take down all those accounts than to leave them up. Meyerriecks' LinkedIn profile lists her employer as the "US Government." (A Washington, D.C. truism is that the only federal employees who ever say they work for "the government" work for the intelligence community.)

For more:
- watch Meyerriecks's keynote at the Mil-OSS WG4 conference (embedded video)
- go to the Mil-OSS homepage

Related Articles:
Wheeler: ITAR typically no barrier to releasing government open source code
DoD official: Open source memo doesn't mandate a support vendor
SASC Accumulo language pro-open source, say proponents




3. Wheeler: ITAR typically no barrier to releasing government open source code

By David Perera

Export control regulations shouldn't necessarily be an obstacle to the release of unclassified government open source code, said David Wheeler, a research staff member of the Institute for Defense Analyses. He spoke Oct. 15 during the Mil-OSS WG4 conference in Arlington, Va.

"If software is intended to be released to the public, you can ask the U.S. government department or agency to approve its public release," he said.

As a result, programmers wanting to release code back into open source communities need not necessarily get bogged down by applying for a license under the State Department-run International Traffic in Arms Regulations.

"If you determine that it's okay to release to the public, there is no more ITAR control," he added.

However, the review process to determine whether the code is releasable to the public isn't well defined, Wheeler acknowledged. "The law doesn't actually say. It just dumps the problem off onto the--the phrase they use is 'cognizant government official.'"

However, even that imprecise language still creates parameters, Wheeler said, since the official making the public release decision must be "cognizant" of the code--meaning that the decision of whether to release shouldn't be in the hands of officials too high within government hierarchy.

Reviewers can also look to the military control technologies list for export controls categories--and typically, the software that people release to the public as open source "is pretty obviously not a category."

When it comes to government utilization of open source, an objection brought up that the Antideficiency Act prohibits it is inaccurate, Wheeler also said.

The act, which first became law in 1884, prohibits the government from accepting "voluntary services," which on its face could seem to exclude open source code. But, the law distinguishes between "voluntary" services and "gratis" services and bans only the former. The law's prohibition on voluntary services comes from a 19th century practice whereby individuals would volunteer their services to the federal government, and then present a bill for them. But, if the government gains agreement ahead of time that a service won't be invoiced--i.e., is gratis--the Antideficiency Act exclusion no longer applies, Wheeler said.

As for what constitutes agreement ahead of time that code is gratis, Wheeler said it's a reasonable supposition that if people normally download code from a source and don't get charged for it, "it would be bizarre to think that the government couldn't do the same thing." Wheeler, who hastened to add he isn't an attorney, noted that misinterpretation, rather than disagreement over what constitutes agreement ahead of time, is the typical Antideficiency Act-related obstacle.

Voluntary "has this weird technical meaning, dating from the 1800s," he added.

For more:
- download Wheeler's presentation from the Mil-OSS WG4 conference--filled with many useful references (.pdf)

Related Articles:
DISA strategic plan calls for expanding Forge.mil capabilities
Baker: VistA refactoring will be done in the open
Forge.mil investigates integration with GitHub
SASC Accumulo language pro-open source, say proponents




4. Web content management diminishing in importance, says GSA official

By Molly Bernhart Walker

The White House's digital government strategy directs agencies to streamline their backend web content management systems and create application programming interfaces, or APIs, for their content. But crafting APIs is far more important than focusing on web platforms, said Gray Brooks, API strategist at the General Services Administration's digital services innovation center.

"The philosophies are going to soon be competing," said Brooks, while speaking Oct. 11 at the World Government Summit on Open Source in Washington, D.C.

"At some point the question's going to come, if you achieve that goal--for the public at least--why does the website matter if you can achieve it through API?" he said.

Agency websites are going to "sublimate" and become less relevant, said Brooks. With APIs, the experience can then serve the user where they're already looking for information. Any presentation layer can simply query an API to call up data, rather than loading content into a more rigid CMS, he said.

"When you think about what's going to be the face of the agency in 2015 or 2016, nobody knows what that is," said Brooks. "But the fact is, it's not going to be about us. It's going to be everywhere else."

Brooks said his conversations with agencies are shifting to focus less and less on web CMSes and more on APIs. He said the change in philosophy is similar to his personal experience: He cares less about the operating system on his computer than he does about the browser he uses, because most of his activities are web-based.   

"At some point, be willing to let the CMS become abstracted, and actually focus on making sure that the content, the data, the services are handled by the APIs," said Brooks.

Related Articles:
Agency API maturity varies significantly
GSA offers agencies a hand with APIs
Governmentwide API requirements coming in November




5. IOM: No more DoD-VA integrated medical centers until iEHR

By David Perera

Additional integrated health centers along the lines of the James A. Lovell Federal Health Care Center in North Chicago, Ill., shouldn't be undertaken by the departments of Defense and Veterans Affairs until they stand up an interoperable electronic health records system, says the Institute of Medicine.

In a report commissioned by the DoD that was released Oct. 16, institute researchers say lack of EHR interoperability at the health care center costs at least $700,000 annually. The money is spent on five registered pharmacists who conduct manual checks on prescriptions to ensure that doctors without complete access to each other's systems don't accidentally prescribe medicine with negative interactions.

The two departments have spent more than $100 million to develop interoperable information technology capabilities, but order portability between the VA system (known as VistA) and the DoD system (known as AHLTA) resisted efforts. The main stumbling block, report authors say, is that VistA and AHLTA required changes to their systems in order to have the same sequential prescription numbers. However, the departments had agreed that interoperability at the center would have to be achieved without changes to the systems, which "left a gap."

As a result of experiences such as those the center has afforded, the DoD and VA announced in March 2011 creation of a new, common health record system known as the iEHR (i stands for "integrated"), with high-need modules such as one for pharmacy set for completion first. The Government Accountability Office has recently cast doubt on program managers' ability to meet projected time frames, calling them "optimistic and uncertain."

The level of interoperability required for an integrated DoD-VA medical center is of the highest order possible, report authors say. It's not enough that data from both systems can be simultaneously read, as is currently the case at the Lovell center. Rather, each system must be able to compute structured data from the other, they say.

There have been attempts to transport data across systems, report authors note, but medical officials haven't considered one known as the Clinical Data Repository/Health Data Repository reliable enough to ensure patient safety, while another, the Bidirectional Health Information Exchange, has a reputation for being "too awkward and slow to use in patient encounters."

The report also chronicles difficulties the two departments had in working together, including creating a single-sign-on system. Report authors say their field tests of the single-sign-on system for VistA and AHLTA showed difficulties. Each department selected a different vendor to provide that capability, and DoD's firewall and server weren't always cooperative; the interagency program office has since decided to just utilize one of the two vendors' solutions, the report notes.

DoD officials also insisted for a period that individuals accessing AHLTA have a secret clearance, despite the fact that there's no classified information within it. The VA operates on a public trust model. DoD officials, report authors say, were reluctant to compromise, but eventually in October 2010 agreed to settle for an Access National Agency Check with Inquiries investigation of staff and interim access while the investigations were conducted.

For more:
- go to a webpage to download the report (reg. req.)

Related Articles:
iEHR time frame 'optimistic and uncertain'
iEHR GUI will be based on Janus
iEHR testing environment to launch by Sept. 30, reveals VA-DoD timeline




Also Noted

> EU officials call on Google to change privacy policy. Article (NattyJo)
> Computer viruses "rampant" on medical devices. Article (MIT Technology Review)
> VA looks for appointment scheduling tools through contest. Article (GHIT)
> FCC commissioner says old regs slow down new technologies. Article (GovExec)
> Fact checking the second presidential debate. Article (WaPo)

And Finally… Do you know your state's official rock? (Nope.) Article (NattyGeo)



©2012 FierceMarkets This email was sent to jms...@gmail.com as part of the FierceGovernmentIT email list which is administered by FierceMarkets, 1900 L Street NW, Suite 400, Washington, DC 20036, (202) 628-8778.

Contact Us

Editor: David Perera
VP Sales & Business Development: Jack Fordi
Publisher: Ron Lichtinger


-----------------------------------------------------------
John Scott
@johnmscott
