The Government Accountability Office (GAO) has called on the Department of Defense (DOD) to revisit its chief information officer risk ratings, improve data collection initiatives and develop data strategies for its business systems and software acquisition pathways to help enhance acquisition monitoring.

GAO made the recommendations after it found that DOD lacked data strategies and had not yet completed metrics for two acquisition pathways as of this February, according to a report published Wednesday.

“Without important data from acquisition pathways and systems, DOD risks not having timely quantitative insight into program performance, including its acquisition reform efforts,” the GAO report reads.

The congressional watchdog found that the Pentagon has initiated measures to improve the transparency and sharing of data it uses for acquisition monitoring and has made policy and organizational changes to enhance its information technology acquisition management. Some of these changes are improving data transparency and implementing Agile software development.

“As of December 2020, program officials for the 22 major DOD business IT programs that were actively developing software reported using approaches that may help to limit cost and schedule risks,” the report states.

These approaches include implementing continuous iterative software development, developing a cybersecurity strategy and conducting developmental cybersecurity testing.

The Federal Communications Commission (FCC) plans to consider at its July 13th open meeting an order that would amend rules for a program that seeks to reimburse telecommunications carriers for removing and replacing equipment and services that pose risks to national security.

FCC established rules for the reimbursement program in compliance with the Secure and Trusted Communications Networks Act of 2019 and FCC said Tuesday that the latest order would raise the customer eligibility cap for participation in the program.

The amended rules would allow communications services providers with 10 million or fewer customers to take part in the reimbursement program.

The document seeks to modify eligibility rules for communications equipment and services manufactured or provided by Huawei or ZTE and allow telecommunications providers to use reimbursement funds for equipment and services purchased, leased or obtained on or before June 30, 2020.

The order would implement the prioritization scheme stipulated in the Consolidated Appropriations Act if the demand for reimbursement funding exceeds the congressional appropriations of $1.89 billion.

The commission adds a definition of “provider of advanced communications services” to existing reimbursement program rules and offers some clarifications to some requirements of the reimbursement program through the document.

Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), said in an interview published Tuesday that the new executive order provides CISA with new authorities to counter cyberattacks, including the development of a common playbook for cyber incident response.

He said the standard playbook requirement will help CISA better codify and implement joint incident responses.

“This really builds upon authorities that CISA received last year from the National Defense Authorization Act, where we were directed to stand up a Joint Cyber Planning Office (JCPO). This JCPO is essential to the maturation of CISA’s incident coordination and planning role,” Goldstein said.

In accordance with the new executive order, Goldstein said CISA is working with the Office of Management and Budget (OMB) on a cloud security strategy to help agencies protect cloud environments as they continue to implement the telework arrangement for their workforce.

“The EO further accelerates existing work to mature our regime around securing cloud environments and making sure that all federal cloud environments are adopting the right practices and the right security controls to reasonably protect the use of those environments for sensitive federal work,” he noted.

Goldstein shared his insights on zero-trust frameworks, ransomware payments and cyberattacks on critical infrastructure and discussed how CISA works to get third-party suppliers involved in safeguarding the software supply chain.

“The executive order calls out the need to make progress in initiatives like a software bill of materials, which is an essential step forward in understanding the components and the lineage of the critical software utilized across federal networks. None of these solutions is a complete answer in itself, but collectively, they really move us forward in understanding and managing risk posed by third-party vendors,” he said.

The National Security Agency (NSA) has announced a Mitre-developed framework designed to bolster the cyber resilience of national security systems, as well as the defense industrial base. 

The NSA-funded D3FEND framework provides defensive countermeasures that cybersecurity professionals can use against common cyberattacks, NSA said Tuesday.

D3FEND complements Mitre's existing ATT&CK framework, which focuses on the behavior and common tactics employed by malicious cyber actors. 

ATT&CK describes cyber adversary techniques, as D3FEND helps cybersecurity operators customize systems in ways that correspond to specific cyber threats. Government and industry organizations may use both D3FEND and ATT&CK to analyze and report cybersecurity situations.

Interested cybersecurity professionals may contract Mitre to submit feedback on the D3FEND framework via this link.

NATO hopes to introduce a defense technology accelerator that will enable the alliance to work with academia, private sector and nongovernmental organizations to expedite trans-Atlantic collaboration on emerging technologies, C4ISRNET reported Tuesday.

David van Weel, assistant secretary-general for emerging security challenges at NATO, said the alliance intends to have the initial components of the Defence Innovation Accelerator of the North Atlantic (DIANA) set up by 2022 and expects the accelerator to achieve initial operating capability by 2023.

He noted that DIANA will focus on defense and national security and will have headquarters in Europe and North America that will work with test centers across member countries to co-design, validate and test applications in the areas of emerging and disruptive technologies.

DIANA will build and oversee a network that will help startups advance growth initiatives and support the alliance’s technology needs through grant programs. 

Van Weel said the accelerator will support the development of seven emerging and disruptive technologies: artificial intelligence; quantum-enabled technologies; big data processing; hypersonics; biotechnology; space and autonomy.

DIANA will also enable small businesses to connect with pre-qualified investors through a trusted capital marketplace. Van Weel said NATO will work to protect technologies from “illicit transfers” by screening investors ahead of time.

NATO will also back companies working on dual-use technologies through a venture capital fund and van Weel said the NATO Innovation Fund would be underwritten by approximately $83 million on an annual basis and would run for about 15 years.