The congressional watchdog noted in its release that the VA has implemented six of its 29 open priority recommendations, including the deployment of an automated data tool used to improve acquisition workforce records and taking steps to modernize the agency’s performance management system across the Veterans Health Administration. 

Assessing software licenses, however, is something that the VA needs to address, per the watchdog. In January, the GAO issued a report on software licenses throughout the federal government,  noting that the VA had neglected to regularly compare software license inventories that are currently used with purchase records. 

In the new priority recommendations, GAO noted that the federal government spends more than $100 billion yearly on cyber and IT-related investments. 

“Until VA implements this priority recommendation and consistently tracks and compares its inventories of software licenses to with known purchases, it is likely to miss opportunities to reduce costs on duplicative or unnecessary licenses,” the report states. 

Other high-risk governmentwide areas that could impact the VA, according to the GAO, are “improving the management of IT acquisitions and operations” and “ensuring the cybersecurity of the nation.”

Charles Worthington, the VA’s chief AI and technology officer, said in a recent interview with FedScoop that he believes the VA’s technical infrastructure “is actually on pretty good footing,” pointing to the agency’s migration to the cloud and using commercial products in the software-as-a-service model, “where it makes sense.”

Other priority recommendations from the GAO cover the VA’s electronic health records (EHR) modernization program, including one that directs the agency to implement “leading practices for change management.” The other nine involve evaluating whether the system is “operationally suitable and effective” to ensure that the system satisfies customer needs, establishing “user satisfaction targets” to protect patients’ health and safety from unnecessary risks, and validating that future systems are not deployed too early. 

“Implementing these … recommendations would also help solve existing problems with the system,” the GAO stated.

The post VA software license assessments called out in GAO recommendations appeared first on FedScoop.

In an interview with FedScoop, Charles Worthington, the VA’s CAIO and CTO, said the agency is engaged in targeted hiring for AI experts while also sustaining its existing modernization efforts. “I wish we could do more,” he said.

While Worthington wrestles with the proposed fiscal year 2025 funding reductions, the VA’s Office of Information and Technology also finds itself in the legislative crosshairs over modernization system upgrades, a supposed lack of AI disclosures and inadequate tech contractor sanctions and ongoing scrutiny over its electronic health record modernization initiative with Oracle Cerner. 

Worthington spoke to FedScoop about the VA’s embrace of AI, the status of its modernization push, how it is handling budget uncertainty and more.

Editor’s note: The transcript has been edited for clarity and length. 

FedScoop: I know that you’ve started your role as the chief AI officer at the Department of Veterans Affairs. And I wanted to circle back on some stuff that we’ve seen the VA engaged with this past year. The Office of Information and Technology has appeared before Congress, where legislators have voiced their concerns for AI disclosures, inadequate contractor sanctions, budgetary pitfalls in the fiscal year 2025 budget for VA OIT and the supply chain system upgrade. What is your response to them?

Charles Worthington: I think AI represents a really big opportunity for the VA and for every agency, because it really changes what our computing systems are going to be capable of. So I think we’re all going to have to work through what that means for our existing systems over the coming years, but I think really there’s hardly any part of VA’s software infrastructure that’s going to be untouched by this change in how computer systems work and what they’re capable of. So I think it’s obviously gonna be a big focus for us and for Congress over the next couple of years. 

FS: I want to take a step back and focus on the foundational infrastructure challenges that the VA has been facing. Do you attribute that to the emerging technologies’ need for more advanced computing power? What does that look like?

CW: I think overall, VA’s technical infrastructure is actually on a pretty good footing. We’ve spent a lot of time in the past 10 years with the migration to the cloud and with really leaning into using a lot of leading commercial products in the software-as-a-service model where that makes sense. So, by and large, I think we’ve done a good job of bringing our systems up to standard. I think it’s always a challenge in the VA and in government to balance the priorities of modernization and taking advantage of new capabilities with the priorities of running everything that you already have.

One of the unique challenges of this moment in time is that almost every aspect of the VA’s operations depends on technology in some way. There’s just a lot of stuff to maintain; I think we have nearly a thousand systems in operations. And then obviously, with something like AI, there’s a lot of new ideas about how we could do even more [to] use technology and even more ways to further our mission. 

FS: In light of these voiced concerns from legislators, as you progress into your role of chief AI officer, how do you anticipate the agency will be able to use emerging technologies like AI to its fullest extent?

CW: I think there’s really two priorities that we have with AI right now. One is, this represents an enormous opportunity to deliver services more effectively and provide great technology services to the VA staff, because these systems are so powerful and can do so many new things. One priority is to take advantage of these technologies, really to make sure that our operations are running as effectively as possible. 

On the other hand, I think this is such a new technology category that a lot of the existing processes we have around technology governance in government don’t apply in exactly the same ways to artificial intelligence. So in a lot of ways, there are novel concerns that AI brings. … With an AI system that is, instead, taking those inputs and then generating a best guess or generating some piece of content, the way that we need to make sure that those systems are working effectively, those are still being developed. At the same time, as we’re trying to take advantage of these new capabilities, we’re also trying to build a framework that will allow us to safely use and deploy these solutions to make sure that we’re upholding the trust that veterans put in us to manage their data securely. 

FS: In what ways is the agency prioritizing AI requirements, especially from the artificial intelligence executive order that we saw last October, and maintaining a competitive edge with the knowledge that the fiscal year 2025 budget has seen a significant clawback of funds?

CW: We are investing a lot in standing up, I would say, the AI operations and governance. We have four main priorities that we’re focused on right now. One is setting up that policy framework and the governance framework for how we’re going to manage these. We have already convened our first AI governance council meeting — we’ve actually had two of them — where we’re starting to discuss how the agency is going to approach managing our inventory of AI use cases and the policies that we’ll use. 

The second priority is really focused on our workforce. We need to make sure that our VA staff have the knowledge and the skills they need to be able to use these solutions effectively and understand what they’re capable of and also their limitations. We need to be able to bring in the right sort of talent to be able to buy and build these sorts of solutions. 

Third, we’re working on our infrastructure [to] make sure that we have the technical infrastructure in place for VA to actually either build or, in some cases, just buy and run AI solutions. 

Then, finally, we have a set of high-priority use cases that we’re really leaning into. This was one of the things that was specifically called out to the VA in the executive order, which was basically to run a couple of pilots — we call them tech sprints — on AI.

FS: I would definitely love to hear some insights from you personally about some challenges you’re anticipating with artificial intelligence, especially as you’ve referenced that the VA has already been using AI.

CW: I think one of the challenges right now is that most of the AI use cases are built in a very separate way from the rest of our computing systems. So if you take a predictive model, it maybe takes a set of inputs and then generates a prediction, which is typically a number. But how do you actually integrate that prediction into a system that somebody’s already using is a challenge that we see, I think, with most of these systems.

In my opinion, integrating AI with more traditional types of software is going to be one of the biggest challenges of the next 10 years. VA has got over a thousand systems and to really leverage these tools effectively, you’d ideally like to see these capabilities integrated tightly with those systems so that it’s all kind of one workflow, and it appears naturally as a way that can assist the person with the task they’re trying to achieve, as opposed to something that’s in a different window that they’ve got to flip back and forth between. 

I feel like right now, we’re in that awkward stage where most of these tools are a different window … where there’s a lot of flipping back and forth between tools and figuring out how best to integrate those AI tools with the more traditional systems. I think that’s just kind of a relatively unfigured-out problem. Especially, if you think of a place like VA, where we have a lot of legacy systems, things that have been built over the past number of decades, oftentimes updating those is not the easiest thing. So I think it really speaks to the importance of modernizing our software systems to make them easier to change, more flexible, so that we can add things like AI or just other enhancements.

The post VA’s technical infrastructure is ‘on pretty good footing,’ CAIO and CTO says appeared first on FedScoop.

During a Tuesday hearing regarding the VA OIT’s budget justification, Chairman Matt Rosendale, R-Mont., and ranking member Sheila Cherfilus-McCormick, D-Fla., both questioned how the budget would affect operations. 

Kurt DelBene, the VA’s CIO and assistant secretary for IT, acknowledged that “it is a challenging budget for us,” forcing the agency to “be very focused on where we invest.” Modernization funds, he said, will have to be “judiciously” allocated “against the highest-priority projects” that the agency has. 

DelBene said that the agency’s original budget submission to the Biden administration did not reflect the same reduction to development efforts specifically for technology as the FY25 document ultimately did. 

The FY25 budget in brief, released by the VA, listed the following reductions across OIT:

• Development allocations at $960,000, a 99.2% reduction, or approximately a $125 million decrease. 
• Enhancement funds at $45 million, an 87.7% decrease, previously standing around $363 million.
• Modernization funds for FY25 are $267 million, a 66.5% cut, previously having allocated funds just under $800 million. 

As a result of the clawed-back funds for VA OIT, DelBene said that the agency is going to have to have a “very strict prioritization of the work that we do.” 

“I do think that we will be able to address the critical projects that we need to address in FY25 with this budget,” he added. “I think we’re making some trade-offs, which will not work well if we sustain those over multiple years.”

In response to a question from Cherfilus-McCormick, DeBene pointed to the need for increases in future years “because you can’t just continue to be at a lower level” for these funding allocations. 

DelBene also noted that the department is looking at a decreased budget for replacing technology, such as PCs, which he estimated to cost between $15-$20 million. 

“We will replace PCs less frequently as a result,” DelBene said. “That’s my point, is that we can’t continue to do that every year. But I feel especially with some of the funding we’ve got recently and the fact the fleet has been updated, we can do that for one year and make that through. But we’re going to have to be diligent about it in future years.”

DelBene said his goal is to not allow veteran care to be hampered as a result of budgetary pitfalls.

“There are difficult choices that have to be made across the entire administration so I respect the challenges of making those cuts,” DelBene said.

The post Veterans Affairs’ IT budget sparks bipartisan concern for modernization and development appeared first on FedScoop.

“Frankly, there aren’t enough places for agencies to go across government when they have technical questions or need technical help, so we get a huge array of requests,” USDS Administrator Mina Hsiang said in an interview with FedScoop.  

Those requests, many of which are detailed in the 2024 impact report USDS released Thursday, can’t all be addressed. Hsiang said USDS works to fulfill “over a quarter” of the agency requests for partnership, with consultation but not full engagement provided on approximately 10% of those asks. 

“We do a lot of work to contemplate the size of the population impacted, the vulnerability of the population impacted, the change it will have on the service and how critical the service is for people’s livelihood,” she said.

In its report, USDS outlined progress on 10 different projects across agencies, covering topics including digital service accessibility, building veteran trust, federal benefits for families and more. 

A closer look at USDS projects

In its partnership with the Social Security Administration, USDS worked with the agency to “observe customers” and learn how the public engaged with SSA’s website. According to the report, the project would save an estimated $285 million over five years for infrastructure expenses. 

The partnership with SSA has “created momentum to improve service delivery” through transforming the agency’s static homepage, the report noted, replacing “complicated” policy language with a conversational eligibility screener and building development infrastructure that involves a content management system and more.

The USDS is currently working with the Department of Veterans Affairs’ Office of the Chief Technology Officer to develop software intended to improve the lives of veterans. In teaming with the agency on VA.gov, USDS aimed to build veterans’ trust in the VA. Per the report, veterans’ trust in the VA climbed from 70.4% in FY18 — the year of VA.gov’s relaunch — to 79.3% in FY23.

“The Veteran Experience Office does a very comprehensive work of engaging veterans and building an array of metrics together,” Hsiang said.

The impact report also touted USDS’s partnership with the Department of Health and Human Services to help modernize and implement services that support an interagency Life Experience Research Team, aiming for “simpler, more accessible and equitable” digital experiences. Specifically, the organization conducted research with a nationwide group of participants, documenting their experiences throughout pregnancy and childbirth along with any relevant interactions with the federal government. 

Working with an HHS Life Experience Research Team that included  representatives from the General Services Administration, the Department of Labor, the Department of Housing and Urban Development and others, USDS piloted three digital programs to support families, including a text message service called Notify.gov that allows government partners to send texts about benefits and support programs to the public.

“This is one of those places where we can partner very closely with an agency that’s building out a shared capability for more folks and give them direct feedback,” Hsiang said. “The team had a very good experience with it.”

Though not listed in the impact report, the USDS also worked “extremely closely” with the IRS on the implementation of its Direct File pilot program. Hsiang said the partnership was not included in the report due to a timing issue, but noted that USDS assisted in technical expertise, user research, product management and more. Direct File was utilized by over 140,000 taxpayers in its inaugural run, according to the IRS. 

“This pilot is only with 12 states, but obviously there’s real opportunities for growth there because building out that capability so that folks in every state can have this option will be important,” Hsiang said. “The tax code is huge and incredibly complex, so there were almost 20 million people who were eligible for this pilot, but it will be important to expand that capability to encompass more individuals.”

A busy year followed by more to come from USDS

For Hsiang, who has led USDS since September 2021, the release of the impact report represents what she views as “a year of launching things.”

“There’s a lot of programs here that are a demonstration of incredible value in themselves, but also a proof of concept of a new model working,” Hsiang said. 

USDS is investing in hiring both internally and with agency partnerships, Hsiang said, in an effort to capitalize on momentum to build long-term capacity within agencies. She confirmed that the USDS is working to support agencies in hiring more talent, including as part of efforts called out in the White House’s artificial intelligence executive order.

“I think there’s a lot of interest, but the talent moves quickly, gets hired quickly, looks for competitive salaries and opportunities,” Hsiang said. “That will definitely be a challenge, but one we’re excited to take on.”

Hsiang said her hope for this report is a “clear illustration” of what government talent is able to accomplish, and stressed the importance of USDS’s investment in technology-centered work.

“I think the report starts to give a real detailed window into the range of different types of work that we do and the short- and long-term impacts that it can have,” Hsiang said. “One of the things that we hear across government regularly is that technology ends up slowing people down instead of speeding them up, if it’s not implemented right. That is not what anyone intends and that’s not what we’re investing for.”

The post USDS impact report showcases ‘a year of launching things’ appeared first on FedScoop.

The VA is inching toward awarding contracts for its upcoming modernization of a supply chain management system, officials shared during a House Veterans’ Affairs Subcommittee hearing. The Supply Chain Modernization (SCM) acquisition will be an “indefinite delivery, indefinite quantity” services contract and the validation phase has been approved through the Federal Information Technology Acquisition Reform Act (FITARA) review, led by the agency’s chief information officer. 

Lawmakers across the aisle agreed that the VA is not meeting reporting requirements requested by the subcommittee’s chairman, Rep. Matt Rosendale, R-Mont., as laid out in the House-passed IT Reform Act of 2021, which requires the agency to submit information — including cost, schedule and performance metrics — for “any major technology project” to Congress before the VA expends funds.

“I do believe VA can be successful in this effort if they communicate requirements and resources related to programs, effectively,” ranking member Sheila Cherfilus-McCormick, D-Fla., said during the hearing. “As of now, we haven’t seen that effective communication.”

Michael Parrish, the VA’s chief acquisition officer and principal executive director, said during the hearing that the agency does not view the SCM as a “major” IT project because the VA has not established a “firm budget” or a “firm schedule.”

Parrish described the project as taking a modular approach and said that the VA is addressing subcomponents with separate technology solutions as a service instead of purchasing hardware “that otherwise would be obsolete over time.”

In the current bill text for the IT Reform Act, the threshold for a “major information technology project” is met if the dollar value of the project is estimated to exceed $1 billion for the lifecycle cost of the project, $200 million annually or if the project is designated as such by the department’s secretary or CIO, or the director of the Office of Management and Budget. 

“Without a doubt, the VA and the veterans it serves would benefit from a functional inventory management system, and the department could make better use of taxpayers’ dollars if the system used to order medical supplies were connected to the systems that pay for and track them,” Rosendale said in his opening remarks. “However, what is described in the VA’s request for proposals seems to be a bureaucratic, empire building, mega-project.”

During the hearing, Rosendale cited information given to the committee from the VA putting the lifecycle cost of the SCM system between $9 billion and $15 billion, and would require congressional funding into 2043. Parrish reiterated that the agency is not yet committed to any dollar amount for the project. 

“The [SCM] project is a gigantic effort, the likes of which we have only seen in the [Electronic Health Record] and we know how that has turned out,” Rosendale said. “It would try to knit together all-encompassing systems to manage every aspect of a unified VA supply chain, from tongue depressors to X-ray machines to printer paper to headstones.”

The VA’s Oracle Cerner-run electronic health record has seen a litany of challenges, including patient safety issues with EHR pharmacy software and a  veteran’s death tied to a scheduling error. The system was originally launched in 2020, in an effort to create interoperability of records between the VA and Department of Defense health care systems. The implementation of EHR was later suspended in 2023 as part of a reset, and the department noted that it was working toward holding Oracle Cerner accountable for delivering high-quality services.

The post Congress presses VA on modernization overhaul, supply chain system upgrade appeared first on FedScoop.

Generative AI applications are in “high demand” at the agency, VA spokesperson Gary Kunich told FedScoop. Amid that interest, the department now plans to test the use of generative AI to summarize feedback from VA.gov users and employee surveys run by the Veterans Experience Office, assist employees in human resources and the Veterans Benefits Administration with reading through internal policies, and draft contracting documents, including statements of work and descriptions of jobs. 

There are other generative AI projects, too. The agency is pursuing an ongoing pilot with GitHub Copilot, a generative AI-powered code-completion tool, as well as a generative AI “meta pilot” focused on search, summarization, and content drafting. Current AI tech sprints within the agency related to ambient dictation for clinical encounters and community care document processing also involve generative AI.

These use cases have not yet been listed on the agency’s public AI inventory, which agencies are required to produce annually by an executive order. As FedScoop reported earlier this year, agencies still vary widely in their approach to generative AI. 

But the VA has also ditched at least one generative AI pilot. Last year, the agency experimented with using generative AI in the form of a chatbot but later decided to abandon the project, according to Kunich. The current chatbot used by the agency remains rules- and retrieval-based, though it takes advantage of natural language understanding and processing. 

Current guidance for the technology at the agency, which FedScoop obtained through a public records request, states that no “web-based, publicly available generative AI service has been approved for use with VA sensitive data.” Department staff are also instructed to limit the sharing and saving of data on these systems and to check the output of large language models for accuracy. You can read that document here.

The post VA exploring multiple generative AI pilots, responding to ‘high demand’ from workforce appeared first on FedScoop.

Testifying at a House Veterans’ Affairs Subcommittee on Technology Modernization hearing, VA Deputy Inspector General David Case said an upcoming OIG report will highlight “unresolved, insufficiently communicated pharmacy-related patient safety issues.” 

While the VA fixed issues tied to inaccurate medication information that was input to its Health Data Repository, OIG found that Oracle and the VA’s Electronic Health Record Modernization Integration Office “did not test for medication and allergy data accuracy after that information was transmitted” to the repository from new EHR sites. 

“As of September 2023, there have been approximately 250,000 veterans who either received medication orders and/or had medication allergies documented in the new EHR,” Case said. “They may be unaware of the potential risk for a medication or allergy-related event if they visit a legacy EHR site.”

In response to questions from Subcommittee Chair Matt Rosendale, R-Mont., Case noted that if a medication check is based on wrong information listed in electronic health records, then a patient could be prescribed something that results in side effects or is ineffective. 

Rosendale pressed Mike Sicilia, executive vice president at Oracle, on why the contractor hasn’t corrected every coding error associated with the Health Data Repository. Sicilia said that during the testing of enhancements to the system, “another issue” surfaced and Oracle made the decision to “not roll out anything that did not pass all final safety checks.” The Oracle team fixed the issue Wednesday and was set to resume testing Thursday. 

“So in other words, we’re still working on the same problem that you’re trying to tell me that was resolved last year,” Rosendale said.

The OIG findings on lingering issues with the VA’s EHRM program come less than a month before a critical test of the system is set to begin with the March 9 opening of the Captain James A. Lovell Federal Health Care Center in North Chicago, Illinois. 

The Lovell center — the first fully integrated VA and Department of Defense joint health care system — will include the deployment of the EHRM program that was paused in April 2023 following myriad problems associated with the system’s rollout earlier that year.

Neil Evans, acting program executive director for the VA’s EHRM Integration Office, said the Lovell health system was exempted from the deployment pause given the “deep interdependencies” between the Department of Defense and VA health care systems. The DOD, Evans said, “has been able to successfully deploy the record across the rest of their enterprise health care system.”

“One of the three primary goals of the reset was to put our focus on” Lovell, Evans said. “We’ve been working to improve the system and do the enterprise work that we need to be able to successfully move forward with this program. But we’ve also been able to put a significant amount of attention on [the Federal Health Care Center] and we will benefit from the DOD’s experience in support of all of our users.”

Evans confirmed that the “core system” of the Defense Department’s EHR is the same as the VA’s, though some of the workflows are different. Pharmacy benefits are different in the VA compared with the DOD, Evans noted, but “having a single record will be important.”

Sicilia said the providers and pharmacists at the new facility will be ready to use the EHR system “with the current enhancements” once the doors open in North Chicago next month. A visit last week from the VA and Oracle team to provide training to those clinicians yielded positive feedback and “readiness for using the new pharmacy system,” he added.

“We are anxious to evaluate the deployment and get feedback from the pharmacists at Lovell,” Sicilia said. “It will provide valuable insight, along with the continued review with the feedback from other live sites for other enhancements that may be required as we seek to continually improve the system. Oracle looks forward to continuing to provide VA with a pharmacy module in the new EHR that enables veterans to receive their medication when they need it, and safely.”

The post VA has ‘unresolved’ patient safety issues with pharmacy software, OIG says appeared first on FedScoop.

During a Center for Strategic & International Studies panel discussion, tech leaders from the Treasury Department and the Department of Veterans Affairs detailed the ways in which they’re pleased with and frustrated by CISA, expressing an overarching sentiment that while the agency has been helpful, there’s room for improvement as it matures.

“We need really common operating standards to which we are aggressively held, versus this sort of voluntary, participative notion — ‘get in touch with us when you need it’ kind of thing,” said Jeff King, Treasury’s principal deputy chief information officer. 

Amber Pearson, deputy chief information security officer at the Department of Veterans Affairs, largely agreed, noting that she’d like to see “more expansion from CISA” when it comes to “those key areas.”

“When a cloud service provider, for example, misses that critical patch or there’s a threat indicator, you know, provide it to us,” she said. “What are those actions that we as a federal agency need to do next? And I think there’s a big gap there.”

Jeff Spaeth, the VA’s deputy CISO and executive director of information security operations, said the agency’s relationship with CISA has “really blossomed this year,” pointing to check-ins on a nearly weekly basis and the assignments of dedicated CISA representatives to the VA. 

But Spaeth also echoed Pearson’s comments on information-sharing. When CISA is “notified by some of these major vendors [of a vulnerability], and I’m not saying they don’t pass the information along, but sometimes it takes a while to get down [into some of the] really in-depth technical pieces instead of, ‘hey, this was a compromise,’” he said.

Many of the comments made during Tuesday’s panel mirrored findings from an October 2023 CSIS report, titled “CISA’s Evolving .gov Mission: Defending the United States’ Federal Executive Agency Networks.” The report called for major investments into the federal cybersecurity workforce, better preparation for cyber threats brought on by artificial intelligence and machine learning, and the adoption of a more standardized and centralized cyber defense strategy, akin to the Department of Defense Information Network.

The topic of defense came up frequently during Tuesday’s panel. King pointed specifically to two Microsoft breaches over the past year in which “significant portions” of the tech giant’s corporate infrastructure were “completely compromised, including the teams that do vulnerability management and incident response threat intelligence.” In cases like that, King said agency IT leaders look to CISA to “balance out the risk landscape.”

That was also the case with a Citrix vulnerability last October. A senior CISA official said at the time that the agency notified nearly 300 organizations that could have been vulnerable to the exploit. In exploits of that kind, King said that Treasury would “need [indicators of compromise] yesterday.” 

“We really need to kind of rethink the recover-and-respond part of this and less about the protect-and-defend part of it,” King said. “And I think that’s where CISA probably needs the opportunity to grow to kind of meet the threat where they are.”

The consensus from the panelists on the role of the Joint Cyber Defense Collaborative was that the CISA-managed nerve center — where federal, state and local and private cybersecurity experts come together to work on “actionable cyber risk information” — is on the right track but still in its infancy.

Going forward, Spaeth would like to see even more collaboration and involvement among federal agencies as part of the JCDC, which counts the Department of Homeland Security, U.S. Cyber Command, the National Security Agency, the Federal Bureau of Investigation, the Department of Justice, and the Office of the Director of National Intelligence, among others, as participants.  

“I know that we have ISACs out there,” Spaeth said, “but I think JCDC has really taken the charge for all federal agencies to share that type of information, or [coordinating] the quick reactions and trying to close the holes as quickly as possible.”

The agency representatives’ feelings on CISA and JCDC mostly aligned with private sector assessments shared Tuesday during a House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection hearing. 

Rob Lee, CEO and founder of Dragos, a company that focuses on operational technology and industrial control system cybersecurity, said it’s important to recognize that agencies like CISA are “putting in the effort to collaborate and that’s a beautiful thing,” but acknowledged that the JCDC is still suffering from “growing pains.”

“The reality is we’re not seeing a lot of success out of [the JCDC] currently, but I think that’s the growing pains,” Lee said. “When government ends up focusing, especially CISA, on the ‘here is the strategy’ level, it’s very effective. … When it gets to the tactical and actually having the experts around the table, that tends to be a bit lacking.”

Approaching security from a more defined and risk-based approach wouldn’t necessarily be an easy shift for CISA or the JCDC, the agency officials acknowledged. But focusing more on the latest threat vectors and threat actors as opposed to “ports, protocols and services,” Spaeth said, is a worthy target. 

“There needs to be, I think, more formulation if this is the way we’re going into a top-down, enforceable strategy,” King said. “And I recognize that is very much a divergence from the way that we’ve thought about cyber and acted on cyber probably over the past decade, if not two.”

CyberScoop reporter Derek B. Johnson contributed to this article.

The post Federal IT officials call on CISA for tougher standards, more coordination appeared first on FedScoop.

The new government website evaluation tool, which is called “gov metadata,” was created by Luke Fretwell and his son, Elias, as part of the Civic Hacking Agency, a project focused on technology for the public good. The system works by scanning government websites and then analyzing the presence of metatags, which can help search engines and other portions of the web to interpret aspects of an online page. A metatag might be a reference to a title or help boost a page’s presence on social media; based on the number of metatags present, the project gives a “score” to each website. 

The point of the project, Fretwell told FedScoop, was to show how well the government was performing on certain important aspects of web page operations. “When it comes to AI, and metadata and data, and customer experience and digital service — these three elements of it — there’s some fundamental things,” he said. (Editor’s note: Fretwell helped establish FedScoop’s digital and editorial operations in its early years, but he is not a current employee of Scoop News Group). 

The stakes can be high, notes Beau Woods, the founder and CEO of the cybersecurity company Stratigos Security. “If a website doesn’t set [metadata tags] up, or doesn’t set them up correctly, it can leave citizens wondering what the site is about [and] which one is the legitimate site,” he said. “It leaves room for other unofficial websites to go to the top of search rankings, and to be the first stop for the citizens when they’re browsing.” 

The U.S. government appears to be on par with other organizations, like academic institutions and nonprofits, that have limited budgets for IT and competing priorities, Woods added.  Importantly, the project wasn’t able to grade websites that its systems couldn’t properly scan.

According to the gov metadata tracker, federal agencies vary widely in how well they’re performing on metatags. Notably, a digital changelog established by the project shows that some government webpages were incorporating new metadata amid FedScoop’s reporting. 

An Office of Management and Budget spokesperson told FedScoop that the agency is working with implementation partners and relevant interagency bodies to expand “best practices on search engine optimization and the use of metadata.” 

“The use of metadata and other related search engine optimization practices plays an important role in ensuring that members of the public can easily discover government information and services via third-party search engines,” the spokesperson said. ”OMB acknowledges the opportunity for agencies to more consistently use metadata as they continually optimize their websites and web content for search. OMB, alongside key implementation partners, continues to support agencies in this and other related efforts to improve digital experiences.” 

Still, Fretwell says the initiative raises the question of what requirements exist around this aspect of federal website upkeep. “What’s the standard that the government is going to adopt for using metadata and actually using it [and] using those things?” Fretwell said in an interview with FedScoop. “Because it’s so varied.”

FedScoop was unable to identify specific metadata tag requirements for federal websites, but the topic has certainly been referenced before. Older government documents, including a 2016 memo focused on federal agency websites and digital services and a 2015 memo for .gov domains, have generally emphasized the importance of search engine optimization or metatags. Digital.gov mentions that standard metadata should be tagged and Search.gov, a government search engine, has metadata recommendations, too.

A memo issued by the Office of the Federal Chief Information Officer last fall — which provided further guidance for following the 21st Century Integrated Digital Experience Act and improving government websites — points to metadata several times. The memo says that agencies should use “rich, descriptive metadata” and use “descriptive metadata in commonly parsed fields” like “meta element tags.” It also states that agencies should use metadata tags to correctly note the timeliness of a page. The OMB spokesperson pointed to this memo and its emphasis on search optimization.

Though the scanner run by the Civic Hacking Agency appears to have a broader scope, a website scanning tool run by the General Services Administration designed to measure performance of federal websites picks up some aspects of website metadata. (The GSA explains in its GitHub documentation that it focuses on collecting data that is helpful to specific stakeholders). 

That GSA initiative also shows varied performance — for example, whether an agency is using a viewport tag, which helps resize pages so they’re more easily viewable on mobile devices. 

“GSA continues to prioritize SEO and accessibility best practices when curating and improving metadata,” an agency spokesperson said in a statement. In reference to the 2023 OMB memo, the spokesperson noted that GSA “continues to work with its web teams to optimize our content for findability and discoverability” and “focuses on metadata as well as things like improved on-site search, information architecture, user experience design, cross references, etc.” 

“Search.gov recommends metadata that supports foundational SEO techniques as well as our metadata-driven search filtering feature,” the GSA spokesperson added. 

In response to questions, the Federal Chief Data Officers Council said that while it had explored implications of metadata through its data inventory working group, the group hadn’t “targeted federal website metadata specifically.” The CDO Council added that it has yet to review the Civic Hacking Agency’s report. 

Agencies respond 

In response to FedScoop questions, several Chief Financial Officers Act agencies said they’ve investigated or will take steps to improve their metadata practices. A State Department spokesperson said the agency was “pleased” with some of its primary page grades but would also review the findings from the project, while the Environmental Protection Agency said that, after reviewing its score, it fixed all of the metadata issues identified.  The Nuclear Regulatory Commission also added its missing metatags to its site templates after FedScoop reached out.

Similarly, a spokesperson for the National Science Foundation said that it would meet metatag requirements “in the near future,” that missing tags will be tracked and incorporated into upcoming releases, and that the agency was assessing its compliance with Dublin Core and Open Graph standards, two specific types of metatags. 

The Agriculture Department said it would research whether its metadata were being pulled correctly. The agency also said it was updating its metadata creation process, including evaluating the accuracy of automatically generated tokens and updating its page creation workflow to emphasize page metadata. 

“We’re considering a cyclical review process for existing content to ensure metadata stays current with page updates. These changes will be passed down to all USDA website owners who manage their own content and we will coordinate with them to ensure the correct processes are in place,” an agency spokesperson told FedScoop. “The nature of our content management system is to not use XML content formats which impedes metadata from being included for each page. We are working to repair this process.” 

Some agencies pushed back on the findings. Terrence Hayes, press secretary at the  Department of Veterans Affairs, said it wasn’t apparent why certain metatags were chosen by the project, or which of the agency’s thousands of pages were being scanned, but added that the department was “reviewing the findings from the referenced report to better understand where gaps may exist.” 

Similarly, the Social Security Administration — which initially received an F — said some of the metatag issues identified were unnecessary but would implement changes to improve its score and meet Search.gov guidelines. (After a new scan by the site, the agency now has an A.)

Darren Lutz, press secretary for the agency, said that it instituted a new content management system for Social Security’s primary customer-facing pages and that each “new section or page that we launch features meticulously crafted metatags that summarize the content in clear, accessible language, ensuring optimization for search engines.”

“All new content will convey the noted metadata improvements,” Lutz added. “In the past year, we have launched four major new site sections, redirecting significant percentages of public web traffic from our legacy implementation to these modern and optimized web pages on our new platform.”

The Education Department — which has several websites managed by different entities — said that Civic Hacking Agency’s scores for its Ed.gov and G5 domains don’t reflect work being done on those sites, but also pushed back on how the tool evaluated its StudentAid.gov site, pointing to, for example, the description and robots field. While the Education Department acknowledged that some tags should be added to its NationsReportCard.gov page, a spokesperson said the tool was picking up archival pages and “content tagging isn’t feasible” for certain types of applications on that site. 

The Education Department plans to launch a new Ed.gov this coming summer, an agency spokesperson added. Meanwhile, its G5 domain for grant management “will be upgraded to significantly improve its usability, analytics and reporting, using machine-readable metadata and searchable content,” the spokesperson said. 

Several agencies, including the Departments of Commerce and Transportation, did not respond to requests for comment. Meanwhile, some agencies, like NASA, celebrated the scores they received. Notably, the space agency last year launched two new major websites: nasa.gov and science.nasa.gov. The agency has also been engaged in a multi-year web modernization project. 

“One of the driving goals of this major effort has been to improve the findability and search engine authority of these core sites through strong metadata tooling and training, and we believe this contributed to our report card score,” said Jennifer Dooren, the deputy news chief at NASA headquarters. 

Overall, the project appears to provide further incentive to improve site metadata. Several agencies, including the Environmental Protection Agency and the Department of Labor, noted the importance of the Civic Hacking Agency’s tool. 

“The feedback from the ‘gov metadata’ scoring system is invaluable to us as it helps gauge our performance in implementing basic metadata principles,” said Ryan Honick, a public affairs specialist at the Department of Labor. “It acts as a catalyst for ongoing improvement, driving us to refine our strategies for making our websites as accessible and user-friendly as possible.” 

The post On some basic metadata practices, US government gets an ‘F,’ per new online tracker appeared first on FedScoop.

While many of these actions are still preliminary, growing focus on the technology signals that federal officials expect to not only govern but eventually use generative AI. 

A majority of the civilian federal agencies that fall under the Chief Financial Officers Act have either created guidance, implemented a policy, or temporarily blocked the technology, according to a FedScoop analysis based on public records requests and inquiries to officials. The approaches vary, highlighting that different sectors of the federal government face unique risks — and unique opportunities — when it comes to generative AI. 

As of now, several agencies, including the Social Security Administration, the Department of Energy, and Veterans Affairs, have taken steps to block the technology on their systems. Some, including NASA, have or are working on establishing secure testing environments to evaluate generative AI systems. The Agriculture Department has even set up a board to review potential generative AI use cases within the agency. 

Some agencies, including the U.S. Agency for International Development, have discouraged employees from inputting private information into generative AI systems. Meanwhile, several agencies, including Energy and the Department of Homeland Security, are working on generative AI projects. 

The Departments of Commerce, Housing and Urban Development, Transportation, and Treasury did not respond to requests for comment, so their approach to the technology remains unclear. Other agencies, including the Small Business Administration, referenced their work on AI but did not specifically address FedScoop’s questions about guidance, while the Office of Personnel Management said it was still working on guidance. The Department of Labor didn’t respond to FedScoop’s questions about generative AI. FedScoop obtained details about the policies of Agriculture, USAID, and Interior through public records requests. 

The Biden administration’s recent executive order on artificial intelligence discourages agencies from outright banning the technology. Instead, agencies are encouraged to limit access to the tools as necessary and create guidelines for various use cases. Federal agencies are also supposed to focus on developing “appropriate terms of service with vendors,” protecting data, and “deploying other measures to prevent misuse of Federal Government information in generative AI.”

Agency policies on generative AI differ

The post How risky is ChatGPT? Depends which federal agency you ask appeared first on FedScoop.