XLA Awarded DOJ FMASS II BPA Call Orders



The Department of Justice recently awarded Call Orders under the Financial Management Assistance Support Services II BPA to XL Associates, Inc., together with its partner Deva & Associates, P.C.


Under two new orders, the team will be supporting both the Criminal Division’s Office of Administration and the Fraud Section to provide accounting operations support and travel support services. XLA has been providing similar support services to multiple offices across the Department of Justice over the past eighteen years. XLA embraces this opportunity to expand business processes, internal controls, and financial management systems that protect the integrity of DOJ programs, financial operations, and reporting.


“We’re honored for the opportunity to expand our solutions within DOJ and now assist multiple clients within the Criminal Division,” said XLA Chief Operating Officer Nelson McClung. “The XLA team is committed to being a responsive professional services partner to DOJ by delivering effective results to support the agency’s dynamic needs,” he added.



Vulnerability Chaining – Considerations Across the Enterprise


By: Dr. Nikki Robinson, DSc, XLA

Cyber threats are constantly evolving and becoming more sophisticated. The hackers, or bad actors, are getting smarter and more resourceful all the time. Our Red Teamers, ethical hackers, and cyber warriors are aware of many of the tactics used by these malicious actors, and they use the same methods to investigate and test organizations’ networks to ensure security controls are in place. But what are our Defenders and partners in IT Operations learning about attack methods? Is executive leadership aware of the capabilities of these attackers? This conversation needs to be open throughout the organization, from the top to the bottom, to increase the security posture and awareness of methods of attack.

Our Network Defenders and IT Operations are, unfortunately, not always taught the Tactics, Techniques, and Procedures (TTPs) used by attackers. While not every organization may operate like this, does every third-party vendor or contractor you work with know these terms and TTPs? Every opening from your network to another organization is a potential vector of attack. We often look at vulnerabilities and security controls as individual issues, and the term “vulnerability chaining” is not used in audit or assessment meetings.

Vulnerability chaining is defined by the Common Vulnerability Scoring System (CVSS) User Guide as a situation where multiple vulnerabilities are exploited in a single attack to compromise a host (FIRST, 2020). A good example of vulnerability chaining would be an attacker enumerating usernames (considered an Informational-level vulnerability), then using a tool called Burp Intruder to take advantage of a weak security question and answer, and then logging in to the account by resetting the password (both considered Low vulnerabilities) (Trustwave, 2019). This type of attack shows how several vulnerabilities scored as Low or even Informational can be used in combination to create a Critical attack. Defenders, however, may only look at missing security controls or vulnerabilities one at a time, especially in a larger environment.
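As an added illustration from the defender’s side (not code from the article or the cited Trustwave post), the detector below walks a constructed set of authentication log lines and alerts only when the three steps of the example above line up for one source: username enumeration, repeated security-question failures on an enumerated account, and a successful password reset on that account. The log format, event names and thresholds are assumptions for the demo.

```python
from collections import defaultdict

# Constructed sample log (not real data): "<seq> <src_ip> <event> <user> <outcome>"
SAMPLE_LOG = """\
1 10.0.0.7 login bob failure
2 10.0.0.7 login alice failure
3 10.0.0.7 login carol failure
4 10.0.0.7 login dave failure
5 10.0.0.7 login erin failure
6 10.0.0.7 secq erin failure
7 10.0.0.7 secq erin failure
8 10.0.0.7 secq erin failure
9 10.0.0.7 secq erin success
10 10.0.0.7 pwreset erin success
11 10.0.0.9 login gina failure
12 10.0.0.9 pwreset gina success
"""

ENUM_MIN_USERS = 5   # distinct usernames probed from one source (assumed threshold)
SECQ_MIN_FAILS = 3   # security-question failures on one account (assumed threshold)


def parse_log(text):
    """Yield (seq, src, event, user, outcome) tuples from the log text."""
    for line in text.strip().splitlines():
        seq, src, event, user, outcome = line.split()
        yield int(seq), src, event, user, outcome


def detect_chains(text):
    """Return {src_ip: account} for each source that completed the chain.
    Each step alone is Low/Informational; alert only when enumeration,
    question guessing and a reset all line up for one source."""
    enum_users = defaultdict(set)   # src -> usernames probed via failed logins
    secq_fails = defaultdict(int)   # (src, user) -> failed question guesses
    alerts = {}
    for _seq, src, event, user, outcome in parse_log(text):
        if event == "login" and outcome == "failure":
            enum_users[src].add(user)
        elif event == "secq" and outcome == "failure":
            secq_fails[(src, user)] += 1
        elif event == "pwreset" and outcome == "success":
            # Alert only if this source enumerated enough users, the reset
            # target was among them, and the question was brute-forced first.
            if (len(enum_users[src]) >= ENUM_MIN_USERS
                    and user in enum_users[src]
                    and secq_fails[(src, user)] >= SECQ_MIN_FAILS):
                alerts[src] = user
    return alerts


if __name__ == "__main__":
    print(detect_chains(SAMPLE_LOG))  # {'10.0.0.7': 'erin'}
```

The single reset from 10.0.0.9 is not flagged: without the preceding enumeration and question guessing it remains an ordinary low-severity event.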

The more software, hardware, and hybrid environments an organization uses, the more complicated this situation becomes. Each application, Operating System (OS), and hardware component will have software or firmware updates which need to be managed. Some applications are updated weekly or every other week, making patch management a full-time job. The more complex the environment, the more difficult patch management becomes, leaving IT Operations groups scrambling to patch and update every application on every device. Blue Teams consist of security analysts who monitor the network for security vulnerabilities and typically provide information back to the IT Operations groups if anomalies are detected.

With the recent use of a SolarWinds DLL to create backdoors into untold numbers of networks, the conversation around patching and vulnerabilities needs to extend beyond the Security team. Vulnerabilities cannot be looked at as singular entities but should be treated as pieces of a puzzle. Each vulnerability could lead to a security misconfiguration, or to an administrator who has excessive privileges across the network. The initial malicious DLL could lead to a variety of other attacks, including credential theft, other malware drops, or network traversal. Add to that any other vulnerabilities or missing patches in the environment, and the attacker could leverage those as well once inside the system.

There are several ways organizations can work to lessen complexity and increase efficiency with patch management strategies. The first is to consolidate applications, which would reduce the time spent patching multiple applications and lower the threat profile by having fewer unpatched applications. The second is to remove end-of-life (EOL) software; most EOL products are highly exploitable and easy for attackers to use in an attack. The third is to work towards a virtual or mobile environment where images can be patched, instead of patching the OS and applications on each mobile device (laptops or tablets).

Creating a partnership and educational opportunities between Security teams and IT Operations / Engineering groups would create an environment where Security is viewed holistically. If more defenders are taught ethical hacking concepts, vulnerability chaining methodologies, and TTPs, they would have a deeper understanding of why patch management is so essential. Security should be a conversation between all teams in the Enterprise, not only to help prevent attacks but also to respond to incidents in an efficient manner.


About XLA

Headquartered in Vienna, VA, XL Associates, Inc. (XLA) is an IT-enabled Law Enforcement and Security services enterprise principally engaged in providing cybersecurity, data management and analytics, technical solutions, and international program-support services to the Federal government. With more than 30 years of overall experience supporting mission-critical requirements including homeland security, law enforcement, and international development, XLA delivers quality, agile, and cost-effective solutions, as proven by growth and repeat customers. Our Engineers and IT professionals bring a passion for innovation as well as significant experience in information technology and cyber security. We are a company that values ethics, integrity, and teamwork in pursuing exceptional performance in our business activities and in ultimately meeting our contractual obligations. XLA upholds and demands the highest standards in personal and professional conduct at every level of our business activities.


FIRST. (2020). Common Vulnerability Scoring System version 3.1: User Guide. Retrieved from https://www.first.org/cvss/user-guide

Trustwave. (2019). Chaining Low/Info Level Vulnerabilities for Pwnage. Retrieved from https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chaining-low-info-level-vulnerabilities-for-pwnage/

XLA Wins 5-Year IT Security Support Services Contract at NARA



Vienna, VA, March 23, 2020 – XL Associates, Inc. (XLA) is thrilled to announce that the National Archives and Records Administration (NARA) has awarded a 5-year task order for IT Security Support Services to XLA.


NARA is the nation’s record keeper. It is an independent agency established in 1934 to identify, protect, preserve, and make publicly available the historically valuable records of all three branches of the Federal government. NARA has locations from coast to coast, protects and provides public access to millions of records, and provides Federal agencies superior records storage, access, and disposition services through a national network of facilities distributed across approximately 45 geographic locations.


Since 2006, XLA has supported NARA by providing Cybersecurity services in support of the Office of the CIO, performing authorization & accreditation, vulnerability assessment, incident response, policy development, annual training development, systems administration, and security engineering support services. XLA also supports other functions within NARA’s Information Services organization, providing Information Security Support Officer (ISSO) support services, Homeland Security Presidential Directive-12 (HSPD-12) Compliant Personal Identity Verification (PIV) Authentication Engineering and Design, and Configuration Management for many of the enterprise-wide initiatives.


XLA brings years of knowledge and experience serving as subject matter experts in the information system security arena, having built and delivered many of the mission-critical services and modules used within enterprise security management systems. A defining feature of XLA’s security methodology is the constant striving to automate tasks to improve the performance of our engineers, reduce mundane data analysis, and provide improved views of the security posture in an agency. XLA consistently delivers tangible results that save agencies time and money and establish the foundation for future improvements.


“We are very proud of our talented workforce and we look forward to continuing to support NARA and meet the organizational challenges of NARA’s IT transformation,” states Asim Malik, Director, Programs and Technical Solutions at XLA. “XLA has been a reliable partner during NARA’s maturation and adaptation to the ever-changing cybersecurity landscape. This win is a true testament to our credibility in providing critical mission support activities, enabling XLA to expand our presence into areas that require high-level clearances.”

