Tackling Corruption in Government

Government Business, Government Finance

Article | July 12, 2022

“Belonging to the essential nature of a thing; originating and included wholly within an organ or part.” That is the definition of “Intrinsic.” When we were developing the “IT Manhattan Project” framework, we were doing so in direct response to some of the most significant hacks in U.S. Federal history, which piled on to the already unprecedented push to expedite the modernizing of federal IT because of the COVID-19 response. The COVID-19 response shifted the way that the U.S. federal government operated, where our workforce worked from, the immediate need for mobile ‘available from anywhere’ workloads, and how to both secure and support that new way of doing federal business. A new, vigorous push towards rapidly modernizing federal IT environments was underway. Ultimately, it laid the groundwork for producing transformational federal memos and oversight by way of some of the following: Executive Order 14028: “Improving The Nation’s Cybersecurity” M-22-09: OMB’s Zero Trust Strategy M-22-09 NIST 800-53rev5: Fulfilling an expedited realization of the overall intent of NIST 800-53r5 through the emphasis on things like conditional access, TIC 3.0 frameworks, Secure Orchestration/Automation/Remediation, and modernized, agile approaches to secure micro-segmentation from Hybrid Environments up to Federal Cloud instances Overall mandates like these carry with them a consistent anthem driving at rapid IT modernization with rigorous proof of performance schedules attached. Piling on top of those Herculean efforts, the urgency was drastically increased by several of the highest profile cyber compromises in U.S. federal history. Rapid modernization had to happen right away. The time for IT transformation was here, backed by promises of significant funding and a high level of political visibility. The Shift to Zero Trust At their core intent, Zero Trust architectures are expected to provide a centralized policy structure that dictates how every individual flow in our IT environments are permitted to talk. No user, host, or flow is permitted without being subjected to rigorous authentication and authorization policy. This shifts our previous understanding of North-South, East-West traffic and how we police it. The foundational intent of Zero Trust architectures centers around applying unified policy to every transaction that occurs between enterprise resources, and doing so in ways that are agnostic to the IT Silo that they reside in. Zero Trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location.” NIST 800-207 aptly They go on to explain that the scope of this posture includes all assets, workflows, network accounts, and the like. In summary, police everything, abstract production traffic intent from the underlying infrastructure that supports it, and institute a unified security posture to execute the policing at every network entry point. Regardless of the domain. We all know that this is a tectonic but much-needed shift in our industry. I’d go so far as to say that the successful instantiation of this approach across Federal IT environments is critical to our national security going forward. Management Complexities Enterprise IT domains contain varied mixtures of OEM solutions, home-grown tools, and utilize a wide variety of protocols to intercommunicate that aren’t necessarily standardize. Each of these domains is normally managed by separate IT teams who specialize in maintaining those environments. In the federal landscape, each of these domains aren’t just managed by separate enterprise IT teams, but are commonly managed by different contractors. Therefore, IT security organizations have a difficult time achieving and maintaining the necessary operational awareness required to enforce centralized policy. These cultural complexities exacerbated by budgeting concerns have created a fatalistic mentality when it comes to far-reaching mandates. This is where the tectonic shift in architectural and administrative approach is so necessary. This is where multidomain architectures shine. Let’s define a common baseline of enterprise domains seen across traditional IT environments: Cloud Data Center Enterprise Networking Extended Enterprise (IoT, OT/ICS) Remote Access But to deliver a successful Zero Trust across the enterprise, it is first necessary to understand some foundational building blocks on which to construct our architectural approach: We can’t have MULTIDOMAIN POLICY without first achieving fuller We can’t deliver macro and micro-segmentation without first having robust MULTIDOMAIN We can’t have multi-vendor MULTIDOMAIN Zero Trust POLICY without sensical INTEGRATIONS to stitch each enterprise domain together. Let’s face it, enterprise IT environments don’t simply include infrastructure from a single manufacturer, or even a few key manufacturers. Rather, our Enterprise IT environments are represented by a plethora of IT manufacturers specializing in different niches of IT and the domains they are commonly found in. These environments are managed by different Federal IT organizations, different contractors who support these Federal IT organizations, and many different teams that support each common IT silo. Different teams that support oft-compartmentalized areas like Network Security Operations, Network Operations, Data Center Operations, Institutional Services, Wide Area Networking contracts, Operational Technologies, and dotted lines to different leadership oversight like CIO Programs, CTO Architecture, the Cyber Security Office, and the audit oversight bodies that they are subjected to. Each of these make up a complex support structure that isn’t necessarily streamlined for efficiency. Summary and Overarching Goals In articles to follow, you’ll see us referencing the IT Manhattan Project framework several times. Though many details of the framework can’t be discussed due to their sensitivity, the foundational principles are relevant across the board when pursuing intrinsic multidomain Zero Trust. Establish Visibility (Administration, Telemetry, Assurance) Define Straightforward Policy Structure and Hierarchy (Auth Chains) Perform Multidomain Integrations (API Integrations) Deploy Software-Defined Framework (Day-0, Programmable Fabrics, Multi-OEM Fabric Integrations) Establish Sensical Automation Runbooks (Day-2 Operations) We will also explore some areas that deliver unexpected value to the agency business in immediate ways. All of this will help create a cohesive story that helps CIOs, CISOs, and enterprise architects alike communicate the criticality of this multidomain Zero Trust approach to agency leaders across the federal spectrum.

Government Business

Article | March 11, 2022

The biggest IT challenge local governments faced during the COVID-19 pandemic has been scaling existing infrastructure to accommodate many more workers than they had planned for, IT leaders said during a June 17 panel discussion. “Our remote access solution was originally scaled for a major snow day, not for 3,000 to 4,000 remote users,” Charles Gore, IT security manager for Loudoun County, Va., said during a webinar presented by CompTIA’s Public Technology Institute. “We were looking at 500 users remote. We had to spread the scoping across multiple technologies, which we had, but we needed to very quickly adjust to accommodate the new users.”

Article | May 27, 2021

As the country battles to recover from COVID-19, transit leaders are calling for the next federal relief package to appropriate substantial funding to allow public transit to play its critical part in the economy’s recovery. In the interim, many of these transit and mobility authorities throughout the nation are moving forward with capital improvement projects already in the pipeline and in various phases of development. They will soon be announcing large projects, especially in quickly growing regions, and their planning documents list upcoming initiatives that range from mid-size construction projects to sprawling billion-dollar programs that focus on aging infrastructure. The following are just a few examples of upcoming projects from tollway and mobility authorities. California Just east of San Francisco, the Tri-Valley-San Joaquin Valley Regional Rail Authority in late June approved $46.8 million in funding for the next stage in Valley Link, a 42-mile light-rail line. This project will connect a planned train station in North Lathrop to an existing station in Pleasanton. Another $13 million previously dedicated to the project paid for conceptual design work that is near completion. Also, elsewhere in the state, the Transportation Corridor Agencies, in coordination with Caltrans, is proposing a $180 million project to add a direct 241/91 Express Connector linking the northbound 241 Toll Road to the eastbound 91 Express Lanes and the westbound 91 Express Lanes to the southbound 241 Toll Road. The connector will alleviate traffic and improve access to toll lanes in Orange and Riverside counties. Texas The Central Texas Regional Mobility Authority has several forthcoming procurements and will be soliciting bids in early August for the third phase of the 183A extension project. This $180 million project will create a 6.6-mile extension of the busy tollway north from Leander to east of Liberty Hill. Construction is expected to begin in early 2021. New Jersey The New Jersey Turnpike Authority has $24 billion in various road and infrastructure projects in its Proposed 2020 Capital Improvement Program released in March 2020. The authority has outlined 24 projects that provide system solutions and upgrades. One of the largest initiatives is a $2.9 billion project to replace approximately 200 bridge decks. Another large undertaking, projected to cost about $1.4 billion, is described as raising a section of Garden State Parkway above a revised 100-year floodplain. Florida Florida’s 2021 budget earmarks $90 million for an ambitious tollway project spanning hundreds of miles. The Multi-use Corridors of Regional Economic Significance, or M-CORES, plan calls for construction of 340 miles of new toll roads by 2030. M-CORES outlines new road infrastructure for three corridors: the Suncoast Connector from Citrus County to Jefferson County; the Northern Turnpike Connector from the northern terminus of Florida’s Turnpike northwest to the Suncoast Parkway; and the Southwest-Central Florida Connector from Collier County to Polk County. Initiated by a state Senate bill in 2019, this is a $10 billion project. Kansas The city of Overland Park and the Kansas Turnpike Authority are conducting a study that could lead to a $300 million project for U.S. 69. City leaders turned to the Turnpike Authority for help with widening the highway which has become the most congested in the state. The collaborative effort would include widening the highway to six lanes, with two of them being tolled. Illinois The Illinois Tollway Authority is closing its bid filing period for a more than $100 million project to reconstruct a section of Interstate 294, and numerous other projects are slated to occur in the next several years. A project to reconstruct the northbound C-D Road has a cost projection of between $25 and $50 million. Another planned project includes demolishing and rebuilding the Southbound Mile Long Bridge with a cost of more than $100 million. Another interesting project outlined involves building ongoing ramps from 75th Street to Interstate 55 which will also cost approximately$100 million. Pennsylvania The Pennsylvania Turnpike Commission (PTC) released a request for information to determine how best to structure procurements to replace and enhance the commission’s tolling Customer Service Center system and customer service operations. A number of contracting opportunities will result from this initiative. The commission is inviting responses from software application development companies with innovative products in the customer relationship management, customer account management, and customer experience spaces. System integrators and/or software developers with expertise in CRM, customer account management, call centers, customer contact systems and CX, and transactional/financial processing and billing systems also are also encouraged to respond. PTC is also interested in input from customer service firms specializing in the design and integration of innovative customer contact systems with new or existing applications. In addition to construction and engineering projects, numerous tollway authorities are moving toward all-electronic toll collections. The Pennsylvania Turnpike Commission moved from toll collectors to all-electronic this year, and the Bay Area Toll Authority suspended in-person toll collecting in March because of COVID-19. This trend will provide numerous opportunities for IT companies in the near future as transit and mobility authorities search for technology solutions to modernize the driving experience on toll roads. Mary Scott Nabers is president and CEO of Strategic Partnerships Inc., a business development company specializing in government contracting and procurement consulting throughout the U.S. Her recently released book, Inside the Infrastructure Revolution: A Roadmap for Building America, is a handbook for contractors, investors and the public at large seeking to explore how public-private partnerships or joint ventures can help finance their infrastructure projects.

Article | April 20, 2020

As discussed in my last blog post on North American Electric Reliability Corporation—Critical Infrastructure Protection (NERC CIP) Compliance in Azure, U.S. and Canadian utilities are now free to benefit from cloud computing in Azure for many NERC CIP workloads. Machine learning, multiple data replicas across fault domains, active failover, quick deployment and pay for use benefits are now available for these NERC CIP workloads.