FCW Insider: Dec. 21

Top stories, quick hits and more from FCW's reporters and editors.

The shutdown showdown shifts back to the Senate on Friday. Democrats are expected to reject a continuing resolution with $5.7 billion in spending on a border wall. If President Trump and House conservatives remain dug in on their position, a partial government shutdown will be triggered at midnight on Dec. 21 – the last federal work day before the holidays. Get the full story.

Election security is expected to be one of the first issues Democrats tackle when they take over the House of Representatives in January. There's a bipartisan bill kicking around the Senate, but the Trump administration has yet to support new policy. Derek B. Johnson explains the state of play.

The transformation of the newly renamed and enhanced cyber agency at the Department of Homeland Security will take place in 2019, with a fully functioning CISA in 2020 as the goal. Mark Rockwell reports.

The Department of Justice announced criminal charges against two Chinese nationals accused of a years-long campaign to hack U.S. government agencies and private companies around the world in order to steal trade secrets and intellectual property. Derek has more.

The growth of IoT combined with the increased complexity of network environments has the potential to create a perfect security storm. In this FCW commentary, Paul Parker of SolarWinds explains how CDM can help agencies manage this growing complexity at scale.

The deadline has been extended for Federal 100 nominations -- you now have until Friday, Jan. 4, to get them in. Happy holidays!

Editor's note: FCW Insider is taking a break after Dec. 21, returning to regular weekday publication Jan. 2. We'll publish a brief email bulletin in the event that news breaks on government funding or other topics over the holidays.

Quick Hits

*** The National Institute of Standards and Technology released version 2.0 of the Risk Management Framework on Dec. 20. Formally titled "Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy," NIST SP 800-37 Revision 2 was developed in response to President Donald Trump's 2017 cybersecurity executive order.

NIST Senior Fellow Ron Ross said on Twitter that "RMF 2.0 is the first framework in the world to address security, privacy, and supply chain risk in an integrated manner--at the organization, mission/business process, and system levels."

*** The Department of Homeland Security will use a group of existing contracts to fulfill its IT needs rather than design a follow-on to EAGLE II. DHS plans to tap vehicles at the General Services Administration and the National Institutes of Health. The move is an effort by DHS to focus on modernizing its IT and on a "drive toward data, accountability, and transparency in our actions," DHS Chief Procurement Officer Soraya Correa said in a statement.

*** The Defense Department closed out its third hackathon program, Hack the Air Force 3.0, with 120 valid cybersecurity vulnerabilities found in public-facing Air Force websites and services. The program ran from Oct. 19 through Nov. 22 and resulted in $130,000 in prize money for participating hackers.

This latest program run made the Air Force the first military service to host a bug bounty program three times, HackerOne, which facilitates the program, announced in a Dec. 20 release.

DOD launched its first bug bounty program, Hack the Pentagon, in 2016; the effort has since spread successfully to all the military services. The Defense Department also recently expanded its bug bounty programs, awarding contracts worth $34 million to three companies, HackerOne, Synack and BugCrowd, in October.

Capt. James Thomas of Air Force Digital Services said that bug bounty programs for the Air Force not only help make systems and websites more secure but also help with talent exposure.

“By opening up these types of challenges to more countries and individuals, we get a wide range of talent and experience we would normally not have access to in order to harden our networks,” Thomas said in a statement.

So far, the Air Force has paid $350,000 in bug bounty rewards for the discovery of more than 430 security vulnerabilities.

*** The Transportation Security Administration needs to get a better handle on its role in securing the nation's energy pipeline infrastructure, according to a Dec. 19 report from the Government Accountability Office. TSA is responsible for security inspections of more than 2.7 million miles of pipeline, infrastructure that is vulnerable to both cyber and physical attack as well as accidents and operator errors. According to GAO, the agency hasn't kept up needed levels of staffing in its pipeline security operations or kept its risk assessment methodology up to date.