White House Announces 7 TMF Awards with Big Focus on Zero Trust

traffic_analyzer/istockphoto.com

Half of the awards announced publicly went to zero trust cybersecurity projects, with no funding going directly to pandemic response tech. One project remains classified.

The Biden administration publicly announced six of seven federal technology projects to be awarded funding through the Technology Modernization Fund, which received a major injection of $1 billion as part of the American Rescue Plan passed earlier this year.

The TMF—established in 2017 as a central fund from which agencies could apply for loans for IT upgrades—had made 11 awards previously, working with $175 million appropriated by Congress. However, as part of the second pandemic stimulus package, the fund got a $1 billion boost and a mandate to relax the repayment requirements for critical cybersecurity and pandemic-related projects.

Somewhere around a third of the $1 billion was awarded in this first round to three zero-trust cybersecurity projects, two cross-government programs run by the General Services Administration and a sixth focused on deploying technology to handle immigration issues at the Southwest Border.

Those six projects together total just over $311 million, the Office of Management and Budget announced Thursday.

The TMF Board approved a seventh project as part of the first tranche. However, all details on that project are classified, including the agency, the amount awarded and the nature of the work to be done.

“The administration is maximizing the flexibility of the TMF to modernize high-priority systems, elevate the foundational security of federal agencies, accelerate the growth of public-facing digital services, and scale cross-government collaboration and shared services,” Federal Chief Information Officer Clare Martorana, who chairs the TMF Board, said Thursday in a release. “These first ARP awards represent a set of strategic awards to improve technology at scale across all of these areas.”

The repayment terms—if any—for the seven awards were not disclosed as part of the announcement and OMB did not respond to Nextgov’s questions.

While the TMF Board leaned hard into cybersecurity awards, the body did not pick any projects aligned with the other congressional focus for the money: pandemic response. The funding—allocated to the TMF as part of the second COVID-19 stimulus package—was granted, in part, to fund critical technology needs brought to light by the pandemic, including tracking and analyzing health data, as well as the IT agencies use to ensure businesses and people get monetary and other assistance they need.

None of those technology issues are addressed by the new crop of awards.

The awards for zero trust follow the congressional mandate to focus TMF spending on critical cybersecurity issues in the wake of major software supply chain breaches—including SolarWinds and Microsoft Exchange earlier this year—and recent guidance from OMB and the Cybersecurity and Infrastructure Security Agency on implementing zero trust architectures.

Zero Trust Networking—Office of Personnel Management: $9.9 million

The federal human resources department is one of the three awardees focused on zero trust—a cybersecurity concept focused on monitoring users as they move throughout a system, rather than on boundary protections like firewalls and passwords.

“The operational benefits of this project include reducing the number of security tools required to monitor and maintain an effective cybersecurity program, cost savings and improved interagency communications and collaboration efforts,” according to a project summary posted to the TMF website. “By the end of this project, OPM will achieve significant progress on their journey to achieve an optimal level in the Cybersecurity and Infrastructure Security Agency Zero Trust Maturity Model.”

The agency has been a cybersecurity priority since 2015, when the public was made aware of a breach of the OPM-run background investigations program for security clearances. The hack—later attributed to Chinese state actors—compromised highly personal information of anyone who had ever applied for a federal job: more than 21.5 million Americans.

The project will start off with $7.4 million and receive additional funding as progress is shown.

Zero Trust Architecture—Education Department: $20 million

The Education Department will use its funding for a two-year plan to implement a zero trust architecture, including “strategy, architecture, design and an implementation roadmap.”

“The department will stand up an enterprise-wide program management office dedicated to zero trust as well as adopt an advanced architecture across cloud-computing environments in accordance with the developed roadmap,” the project summary states, adding that the resulting security setup should be both more effective and less burdensome for the user.

The department will get $15 million to get started, with an additional $5 million in reserve.

Advancing Zero Trust—General Services Administration: $29.8 million

The first of three project awards for GSA—which administers the fund through the TMF program office—will also be cybersecurity focused and will also center on zero trust architectures.

The GSA project will develop in three “blocks,” per the summary:

  • Users and devices: GSA will replace directory designs to meet the newer demands of telework and a multi-domain, hybrid cloud architecture approach with virtualization adhering to enhanced security principles.
  • Networks: GSA will focus on microsegmentation by leveraging a secure access service edge, or SASE, solution and upgrading their public buildings’ security network.
  • Security operations: GSA will adopt increased machine learning and artificial intelligence driven algorithms to help connect diverse data sources and highlight threats while providing security oversight for cyber supply chain risk management and enhancing core security operations centers to include governmentwide public-facing digital services.

The project will kick off with just under $11.3 million until it hits incremental milestones.

“These projects will have immediate impact on federal cybersecurity and help inform future awards as we work to implement modern security principles across the federal ecosystem,” said Federal Chief Information Security Officer Chris DeRusha, who also serves as an alternate member of the TMF Board. “The TMF Board and GSA will be tracking the progress of these projects, capturing lessons learned, and making adjustments along the way to help them be successful.”

Two remaining—public—projects fall within another, traditional prime focus area for the fund: governmentwide impact. Both of these awards also went to GSA:

Login.gov: $187 million

In the single largest TMF award to-date, GSA is set to receive more than $187 million to improve and expand use of the government’s single sign-on shared service.

The program—which other federal programs can purchase for a fee—allows users to create a single online account that can be used to access any government service that has been integrated. The program is currently used by 27 agencies across more than 200 citizen services.

The large award will go toward three specific improvement goals:

  • Increasing cybersecurity identification and protection for current and future users.
  • Add equitable identity verification and in-person options for vulnerable populations.
  • Grow the Login.gov environment by reducing the barrier to entry for agencies and allowing for a higher percentage of citizen participation.

The project will start off with upward of $27 million and receive the remaining funding as milestones are met.

MAX.gov Transition: $14.5 million

The MAX.gov website was created as an online space for officials across government to get information on OMB policies, coordinate interagency work and share experiences working on major programs. The system is now 14 years old and, according to OMB, seeing “significantly increased” use and engagement.

The program was shifted from OMB to GSA’s Technology Transformation Services, with plans to completely overhaul the backend and decommission the original MAX.gov by 2023.

The project will start off with $10 million, with the end goal of creating a “modernized, secure cloud-based solution for cross-agency collaboration, authentication and other shared services capabilities.”

The set of awards also include funding to help secure the Southwest Border while using “data and technology to more efficiently, effectively, and humanely process noncitizens encountered.”

Southwest Border Technology Integration Program—Homeland Security Department: $50 million

Managing immigration issues at the Southwest Border—whether at ports of entry or in between—has been a consistent issue for several administrations. While technologies have been deployed to improve the situation, these efforts have largely been disconnected.

The program “will provide standardized and secure data sharing across the federal enterprise and throughout the immigration lifecycle to improve border flow and capacity management and increase the timeliness and fidelity of data used by decision makers,” according to the summary. “This project will connect disparate systems, improve cross-agency collaboration and support data-driven decision-making.”

The project will kick off with an initial outlay of $8 million.