Government Accountability Office (GAO) Archives | FedScoop
https://fedscoop.com/tag/government-accountability-office-gao/

FedScoop delivers up-to-the-minute breaking government tech news and is the government IT community's platform for education and collaboration through news, events, radio and TV. FedScoop engages top leaders from the White House, federal agencies, academia and the tech industry both online and in person to discuss ways technology can improve government, and to exchange best practices and identify how to achieve common goals.

VA software license assessments called out in GAO recommendations
https://fedscoop.com/va-software-license-assessments-called-out-in-gao-recommendations/
Mon, 10 Jun 2024 20:34:04 +0000
The agency should compare software inventories with known purchases to reduce costs, per a watchdog report that also highlighted issues with EHR modernization.

The Department of Veterans Affairs has work to do in assessing its software licenses, the Government Accountability Office said in a report that included four other new priority recommendations to the VA.

The congressional watchdog noted in its release that the VA has implemented six of its 29 open priority recommendations, including the deployment of an automated data tool used to improve acquisition workforce records and taking steps to modernize the agency’s performance management system across the Veterans Health Administration. 

Assessing software licenses, however, is something that the VA needs to address, per the watchdog. In January, the GAO issued a report on software licenses throughout the federal government, noting that the VA had neglected to regularly compare software license inventories that are currently used with purchase records.

In the new priority recommendations, GAO noted that the federal government spends more than $100 billion yearly on cyber and IT-related investments. 

“Until VA implements this priority recommendation and consistently tracks and compares its inventories of software licenses with known purchases, it is likely to miss opportunities to reduce costs on duplicative or unnecessary licenses,” the report states.

Other high-risk governmentwide areas that could impact the VA, according to the GAO, are “improving the management of IT acquisitions and operations” and “ensuring the cybersecurity of the nation.”

Charles Worthington, the VA’s chief AI and technology officer, said in a recent interview with FedScoop that he believes the VA’s technical infrastructure “is actually on pretty good footing,” pointing to the agency’s migration to the cloud and using commercial products in the software-as-a-service model, “where it makes sense.”

Other priority recommendations from the GAO cover the VA’s electronic health records (EHR) modernization program, including one that directs the agency to implement “leading practices for change management.” The other nine involve evaluating whether the system is “operationally suitable and effective” to ensure that the system satisfies customer needs, establishing “user satisfaction targets” to protect patients’ health and safety from unnecessary risks, and validating that future systems are not deployed too early. 

“Implementing these … recommendations would also help solve existing problems with the system,” the GAO stated.

IRS dinged by GAO for subpar documentation of AI audit models
https://fedscoop.com/irs-ai-audit-models-gao-report/
Fri, 07 Jun 2024 21:17:27 +0000
The tax agency has taken steps to address the watchdog’s concerns over how AI is used to select audit cases.

An IRS pilot program that uses artificial intelligence to select audit cases and identify noncompliance didn’t properly document elements of the technology’s sample selection models, a new watchdog report found.

Because the tax agency had “not completed its documentation of several elements” of the models used for its National Research Program audits, the IRS could struggle to “retain organizational knowledge, ensure the models are implemented consistently, and make the process more transparent to future users,” according to the Government Accountability Office.

The IRS first piloted AI techniques for sampling tax returns in NRP audits during the 2019 filing season. The tax agency selected 4,000 returns for audit through that new AI-powered methodology, while an equal share was chosen through its traditional selection process. The following year, the NRP sample was approximately 1,500, all selected with the AI-informed process, and in 2021, 4,000 returns were picked based on two different AI samples.

The GAO noted that the implementation of redesigned sample selection processes “can be a complex undertaking,” especially when an emerging technology like AI is added to the mix. With that in mind, the watchdog pointed to the usefulness of its AI accountability framework.

“The AI Framework emphasizes the importance of documentation to help ensure that the AI system’s objectives are met,” the GAO wrote. “It further emphasizes that documentation can offer a way for agencies to provide transparency, such as (1) what the system is for, (2) what it is not for, (3) how it was designed, and (4) what its limitations are.”

The GAO’s audit found that the IRS had fallen short in two framework areas: clearly defining and documenting roles and responsibilities for each step of the AI sample selection process, and documenting the variables used to develop and run those selection models.

As the IRS reviewed the GAO report in April and responded with comments, it made two changes to address the watchdog’s concerns: writing a draft memo that listed the people responsible for steps in the AI development and sample selection process, and updating a technical document with specifics on variables and the code behind the AI models. 

“These actions will increase IRS’s ability to effectively implement and ensure operational effectiveness of the AI models,” the GAO said.

Fed, SEC need more consistent blockchain coordination, GAO says
https://fedscoop.com/federal-reserve-sec-blockchain-coordination-gao-report/
Mon, 03 Jun 2024 21:43:32 +0000
Priority open recommendations from the watchdog ding the financial regulators for lacking consistency in mechanisms to identify and respond to blockchain risks.

Coordination between two financial regulators to take on the risks posed by blockchain technology has lacked consistency, a congressional watchdog said Monday.

In a pair of priority open recommendations, the Government Accountability Office said the Federal Reserve and the Securities and Exchange Commission have succeeded in establishing coordination mechanisms with other federal regulators and financial working groups to identify the risks posed by blockchain-related products and services. But neither the Fed nor the SEC has “regularly” convened those bodies since the GAO delivered its recommendation in August 2023.

Lacking a cadence in convening these groups, the GAO said, means both agencies are unable “specifically to identify the full range of risks and regulatory challenges of existing and emerging blockchain products and services and provide a timely response to any unaddressed risks.”

The Fed, which neither agreed nor disagreed with the GAO’s recommendation, said it “routinely engages with the other federal financial regulators on emerging risks posed by blockchain-related products and services.” The banking regulator noted that it participates in information-sharing on identifying blockchain risks with other regulators in the Digital Asset Working Group, but the GAO is pushing for “planning processes for identifying and addressing such risks” within that group. 

“Fully implementing this priority recommendation would help the Federal Reserve and other financial regulators collectively identify risks posed by blockchain-related products and services and develop and implement a regulatory response in a timely manner,” the GAO stated.

The SEC, meanwhile, told the GAO that it works to identify crypto-related risks in the agency’s work with the Financial Stability Oversight Council, the President’s Working Group on Financial Markets and some international bodies. FSOC “established a coordination mechanism” through the Digital Asset Working Group, the SEC reported to the GAO, adding that the working group “meets regularly and has discussed a variety of topics, including regulatory developments, rulemakings, risks, data collection, and market developments.”

The GAO called the Digital Asset Working Group “a positive step,” but prodded the SEC to embrace planning documents.

“Such planning documents could include (1) objectives and meeting frequency; (2) processes for identifying the full range of risks and regulatory challenges concerning blockchain-related products and services (not only those related to financial stability); and (3) processes for responding to these risks and challenges within agreed-upon timeframes,” the GAO said.

Beyond blockchain, the GAO re-upped a second priority recommendation to the Federal Reserve, which was originally delivered in 2019. The watchdog wanted the Fed, along with other banking regulators and the Consumer Financial Protection Bureau, to finalize “written communication that gives banks specific direction on the appropriate use of alternative data in the underwriting process when partnering with fintech lenders.”

The Fed teamed with the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency a year ago in issuing interagency guidance on third-party risk management, but the GAO said that the guidance falls short on specificity.

The guidance “does not include specific direction to banks that engage with fintech lenders on the appropriate use of alternative data in the underwriting process,” the GAO wrote. “Rather, the guidance broadly applies to all topics and third-party relationships. Accordingly, it does not address specific topics, such as the use of alternative data, or specific types of third-party relationships, such as relationships with fintech companies.”

EPA says it’s ‘on target’ to complete process for cybersecurity risk assessment
https://fedscoop.com/epa-cybersecurity-risk-assessment-timeline-gao/
Thu, 30 May 2024 15:07:55 +0000
Five years after a GAO recommendation, the agency commits to finishing its work by Nov. 22.

The Environmental Protection Agency said it is “on target” to establish a process to conduct organization-wide cybersecurity risk assessments within the next six months, putting a hard timeline on its long-awaited response to a watchdog report critical of the agency’s cyber posture.

An agency spokesperson said in an email to FedScoop that the cyber risk assessment process — recommended to the EPA in a July 2019 Government Accountability Office report — is on track to be finished “by November 22.” The EPA had previously told the GAO that it was committed to a “late summer to early fall” timeline.

In its original recommendation, the GAO made the case for the administrator of the EPA to establish a process to conduct an agency-wide cybersecurity risk assessment as a means to protect against “a growing number of threats to their information technology systems and data” — a recommendation applicable to all federal agencies. Adopting a “risk-based approach to cybersecurity by effectively identifying, prioritizing, and managing cyber risks,” the GAO said at the time, would help the EPA “better manage” its cyber risks.

While the EPA has updated its cybersecurity risk management strategy, the agency told the GAO last month that it “was continuing to plan” for the assessment and was “in the process of updating an internal procedure to address ongoing risk assessment activities.” 

The EPA spokesperson told FedScoop that updates to the agency’s enterprise risk assessment procedure would include a variety of additional performance metrics, citing logging maturity, strong authentication, critical vulnerability remediation and priority security control specifically.

The agency’s updated procedure for assessing cyber risks will also feature a modified risk-scoring system, the spokesperson added. That portion of the assessment will now include “enterprise and component-level risk scores, which will be added to the senior executive dashboard.”

“The procedures also include activities to consolidate the various cybersecurity dashboards into one overall dashboard that provides an executive level view of EPA’s risk posture,” the spokesperson said. 

In the priority open recommendations document released by the GAO this week, the watchdog warned that absent an established process for overseeing a cyber risk assessment, the EPA “may be missing opportunities to identify trends in cybersecurity risks, target systemic risks to the agency and its systems, and prioritize investments in risk mitigation activities.”

The EPA has been active recently on the cybersecurity front, stepping up its warnings to the country’s water utilities of increasingly serious cyber threats. This month, the agency issued an alert about rising threats to the water sector and said it will boost its inspections and enforcement efforts. 

That alert came two months after an EPA and White House warning to U.S. governors about cyberattacks capable of “disabling” water facilities. The EPA said it would establish a task force focused specifically on defending the water sector from cyber threats.

IRS’s AI system to flag returns for audit may include unintended bias, report finds
https://fedscoop.com/irs-ai-systems-bias-audits-racial-disparities-gao-report/
Thu, 23 May 2024 15:28:57 +0000
Following a report identifying racial disparities in audit selection, the GAO says the tax agency hasn’t conducted a “comprehensive review” of the rules and filters in its Dependent Database.

The IRS’s primary tool for flagging tax returns for audit is a “first-wave” AI system that includes inputs from humans, according to a new watchdog report, opening the door for unintended bias at a time when the agency is attempting to combat racial disparities in auditing. 

The Government Accountability Office found no evidence that the tax agency has conducted a “comprehensive review of the rules and filters contained” in its Dependent Database, an automated program that identifies returns with possible noncompliance risk. The DDB is considered first-wave AI by the GAO due to it having “expert knowledge encoded into a computer system.” 

“While IRS regularly reviews the program, the review process does not comprehensively consider data inputs and assumptions that could inform IRS about the demographic equity of the audit selection process, creating the potential for unintended bias in audit selection,” the report stated. “For example, GAO found that some risk scores contained in the DDB program vary by sex, which could skew selection, and have not been updated since 2001.”

A 2023 Stanford University study found that Black taxpayers are roughly three-to-five times more likely to be audited than filers of other races. The IRS later confirmed the study’s findings, with Commissioner Danny Werfel writing in a letter to Congress that the agency would be “laser-focused” on addressing racial disparities in auditing.  

The GAO noted that the tax agency does not collect data about taxpayers’ race and ethnicity, meaning that predictions about a return’s risk for noncompliance with tax codes don’t take either factor into account. But according to the GAO, IRS research still shows “the existence of racial disparities in audits,” with “unintentional algorithmic biases” identified as a possible source.

“Specifically, that research noted (1) limitations in the data used to determine residency and relationship tests for [Earned Income Tax Credit] eligibility, and (2) outdated models as possible contributions to algorithmic bias and, consequently, racial disparities in audits,” the report states.

Once a return is flagged by the DDB program, it is then evaluated by the agency’s Systems Research and Application (SRA) model, which determines the filer’s risk score. Considered second-wave AI, the SRA is a data-mining and machine-learning model that the IRS uses to pinpoint audit patterns and predict outcomes. 

The GAO identified “some components” of the IRS Wage & Investment Division’s “automated audit selection process that could potentially skew selection toward returns with certain demographic characteristics that may not necessarily represent returns with the highest risk of noncompliance.” The SRA ranks risk scores from highest to lowest, and W&I starts with the highest until meeting “its predetermined audit workload,” the watchdog noted.

The GAO pushed the IRS to abide by its AI accountability framework, particularly with regard to “a variety of monitoring activities” that should be followed “to ensure AI systems function as intended.”  

“The agency may be missing opportunities to improve the likelihood that IRS is properly identifying returns at highest risk of noncompliance if it does not consider additional performance measures in reviewing its automated audit selection process,” the report said.

The GAO delivered six recommendations to the IRS regarding its audit selection processes, all of which were agreed to by the agency.

Login.gov’s upcoming biometric pilot aims to focus on equity, usability
https://fedscoop.com/login-govs-upcoming-biometric-pilot-aims-to-focus-on-equity-usability/
Mon, 20 May 2024 20:11:37 +0000
The General Services Administration is working with internal technology equity experts for the site’s facial recognition pilot.

Ahead of Login.gov’s biometric validation pilot this month, General Services Administration officials are working with internal tech equity experts as part of an effort to reduce algorithmic bias in light of concerns that advocacy groups have raised about the technology.

While facial recognition, a type of biometric validation, is commonly used by law enforcement agencies, GSA sees the Login.gov pilot as a way to further defend against sophisticated fraud and cyber threats. The work with tech equity experts will “incorporate learnings, as applicable” into the pilot, a GSA spokesperson said in an email to FedScoop, and comes after the agency conducted an equity study on remote identity proofing to “improve outreach practices, user testing and user experience for underserved communities in civic tech design.”

The goal of the upcoming pilot, which will run through the fall, is to evaluate overall user experience throughout the new workflow and to find where individuals become stuck or confused throughout the process so the “team can iteratively make improvements,” the agency spokesperson said.

“Login.gov is committed to leveraging best-in-class facial matching algorithms that, based on testing in controlled environments, have been shown to offer high-levels of accuracy in reduced algorithmic bias,” they added. 

The equity study on remote identity proofing included 4,000 participants, as of April, who were tasked with testing five different vendors for this technology. GSA plans to release a report with the results from the equity study in a peer-reviewed publication this year. 

GSA recently concluded a procurement process that expands the set of “identity vendors” that Login.gov has access to, the spokesperson said. The agency shared plans to evaluate how and when to integrate new solutions. 

“The general availability launch timing is not dependent on this integration process,” the spokesperson said. 

Candice Wright, director of the Government Accountability Office’s Science, Technology Assessment and Analytics team, said in an email to FedScoop that the GSA’s equity study on remote identity can assist the agency in ensuring that the biometric validation technology is “more accurate for all demographic groups.”

“The accuracy of biometric identification technologies is improving overall, but there are still issues with technologies that can perform less accurately for certain subgroups, such as people with darker skin,” Wright said, pointing to a recent GAO report that found comprehensive evaluations of technology as a key consideration to assist in addressing differential performance.

The biometric validation tool, the GSA spokesperson said, uses a “privacy-preserving” approach that compares a selfie that a user takes against their photo identification. The spokesperson emphasized that the data provided by the user is “protected by ensuring it will never be used for any purpose unrelated to verifying your identity” by Login.gov or the vendors with whom it works. 

Login.gov’s biometric technology will be provided by a commercial vendor that, according to the spokesperson, employs an algorithm that is considered proprietary but is one of the leading options as measured by the National Institute of Standards and Technology’s Face Recognition Vendor Test (FRVT).

“Agencies could achieve more comprehensive testing by providing guidance to technology vendors so that they design their products in ways that support more standardized testing,” Wright said.

NIST’s test for vendors, which last year was split into the Face Recognition Technology Evaluation (FRTE) and Face Analysis Technology Evaluation (FATE), measures the performance of facial recognition tech as it is applied across a variety of applications, such as visa image verification, identification of child exploitation images and more. 

The GSA noted last month that the biometric validation technology is compliant with NIST’s digital identity guidelines for achieving “evidence-based remote identity verification” at the IAL2 level, or the standard that “introduces the need for either remote or physically-present identity proofing.”

House bill calls on EPA to update IT systems that store air quality data
https://fedscoop.com/house-bill-calls-on-epa-to-update-it-systems-that-store-air-quality-data/
Wed, 08 May 2024 17:36:30 +0000
The “Clean Air in the Cloud Act” would codify recommendations from a Government Accountability Office report released in September 2023.

The Environmental Protection Agency would be required to update the legacy IT systems it uses to store air quality data under new legislation in the House.

The “Clean Air in the Cloud Act,” introduced Tuesday by Rep. Gerry Connolly, D-Va., pushes the EPA to update the IT system for storing AirNow and the Air Quality System (AQS). The bill’s requirements come directly from recommendations in a September 2023 Government Accountability Office study that Connolly requested. 

“I requested the GAO report on this issue because the federal government is only as good as the IT it utilizes,” Connolly said in a press release. “That’s true across government and it’s certainly true for the EPA. It is my hope that, with this legislation, the EPA can resolve the challenges posed by AQS and AirNow to best deliver results for the American people they service.”

The watchdog recommended that the EPA consider an operational analysis along with developing and documenting a business case for a new IT system. Those would be rooted in considerations for how a system would be able to address challenges posed by the existing legacy systems. The agency agreed with both recommendations.

However, the EPA disagreed with a GAO recommendation that the agency should identify factors for assessing if the agency’s systems are ready for either replacement or retirement.

The GAO found that the use of multiple systems for air quality monitoring “results in inefficient use of resources” for EPA and other monitoring agencies. Agency officials reported that finding and retaining IT staff who could work with AQS’s “outdated software” was “particularly challenging.”

While the EPA declined to comment on the new legislation, a spokesperson said that the agency is “happy to provide technical assistance when asked.”

Federal cyber leaders proceed with caution on AI as a defensive tool
https://fedscoop.com/federal-cybersecurity-ai-threat-protection/
Wed, 08 May 2024 16:46:23 +0000
Agency IT leaders warn of the technology’s tendency to bring in bad data, underscoring the need for “risk-based approaches” and human involvement.

Three years ago, chief information security officers couldn’t go anywhere without hearing about zero trust. Today, artificial intelligence is the defensive measure du jour for those same government IT leaders. 

With a healthy dose of skepticism formed through years of protecting digital infrastructure from advanced threats, many federal cybersecurity practitioners have significant concerns about AI, viewing it as a technology that needs corralling. That’s especially true for large language models and other data sources, they say. 

“It’s garbage in, garbage out,” said Paul Blahusch, CISO for the Department of Labor. “If our adversary can poison that data, well, we’re going to start getting the wrong information back out from our artificial intelligence. It’s going to say, ‘Day is night, night is day. Black is white, white is black.’ And are we going to just take that and say, ‘Oh well, that must be what it says because the AI said so?’”

Speaking during an Advanced Technology Academic Research Center webinar last week, Blahusch and other government and industry cyber experts painted AI as a technology that’s not entirely new, having found itself in the cultural zeitgeist thanks to ChatGPT. But it’s one that can and will be put to better use.

“I’m sure that my … antivirus [software] has been using some form of AI and machine learning for a long time,” Blahusch said. “The whole idea of artificial intelligence within cyber tooling has been there for a while — all our threat intel types of analyses use some of that. But we can certainly take it to the next level.”

That next level should come in the form of reducing burdens on the federal cyber workforce, Blahusch said. When it comes to data analysis, those employees can focus on “higher-value work” if AI systems are positioned to handle the rest. 

“I don’t have all the resources to have 100 people looking at streams,” he said. “I need technology to help me with that and have my limited number of people do the things that human beings need to do.”

Jennifer R. Franks, director of the Government Accountability Office’s Center for Enhanced Cybersecurity, Information Technology & Cybersecurity Team, acknowledged during the panel that she’s “not really an AI enthusiast,” but as a cyber professional who also works in privacy and data protection, the technology is “here to stay.” 

New uses of automation in government work are necessary given staffing shortages, but humans will still play a critical role since emerging technologies like AI also bring on additional vulnerabilities, she said. 

“We can’t be naive to the risk-based approaches that we have to take, making sure that we still have human decision-making. You know that is going to help us in managing some of the complexities,” Franks said. “We have to make sure that … we’re managing some of the controls around the tools and technologies and the machine learning aspect of the codes that are going into the algorithms, [so they] are not compromised.”

As a former federal IT manager now on the industry side, Youssef Takhssaiti said government cyber officials need to embrace AI, leveraging the technology’s ability to analyze network traffic, detect anomalies, automate responses to standard attack scenarios and myriad other defensive techniques. 

But procurement officers also “have to be very careful when it comes to adopting or purchasing” AI products, according to Takhssaiti, a Treasury Department and Consumer Product Safety Commission alum who’s working on a PhD in artificial intelligence. 

“Everyone is focused on speed to market — how can I get my product and application out to the market and consumers,” said Takhssaiti, now global GRC director for Aqua Security. “Before adopting any [AI products], two key things to focus on: Are they a vulnerability for you or as vulnerability-free as they could be? And what do they do with my data? Is it being used to retrain these models?”

Whether it’s continuing to embrace zero-trust architectures, dabbling in AI or looking out for the next big defensive thing in cyber, federal security professionals agree that threat protection strategies need to take an “all of the above” approach while also leaning on tried-and-true mitigation methods.  

“We’re still actively deploying and implementing the initiatives as ZTA across our various environments. But now we have AI, right?” Franks said. “But we cannot still forget … the basic cyber hygiene strategies. … And then going forward, we have to redesign and strengthen where it is we need to go so that we can stay ahead of the vulnerability curve.”

NASA balks on timeline to incorporate cyber into spacecraft acquisition policies
https://fedscoop.com/nasa-balks-on-timeline-to-incorporate-cyber-into-spacecraft-acquisition-policies/
Thu, 02 May 2024 18:57:17 +0000
The space agency pushed back on some GAO recommendations for NASA’s administrator to update acquisition requirements to better reflect cybersecurity threats.

The Government Accountability Office is concerned that NASA still hasn’t incorporated cybersecurity practices into required agency policies, particularly for its major spacecraft projects. Without these requirements, NASA could end up with “inconsistent implementation of cybersecurity controls,” the auditing agency warned in a new report sent to Congress.

“NASA officials explained that one key reason they have not yet incorporated this guidance into required acquisition policies and standards is because of the length of time it takes to do so. GAO acknowledges that the standards-setting process can take time, but it is essential that NASA do so for practices that should be required,” the report stated. 

Spacecraft are incredibly dependent on software and IT, the report concludes. Even though the space agency has included cybersecurity elements in some of its contracts, they need to be standardized. For this reason, the GAO is recommending that the chief engineer, the chief information officer, and the principal advisor for enterprise protection develop a specific timeline for actually updating “its spacecraft acquisition policies and standards” to deal with cybersecurity threats.

Yet NASA pushed back on some of the recommendations. Per the report, NASA’s CIO said it was “not feasible” for there to be one set of essential controls for all mission spacecraft. GAO pushed back on that response, writing that “NASA should leverage its space security guide to determine the controls that address the likely threats to its spacecraft.” 

NASA was also not interested in establishing a timeline, saying that it needed to carefully consider requirements. The space agency said that it had systems in place for dealing with the risks of space. 

“While we do not dispute this, we note that NASA’s space security guide recognizes that NASA does not currently have a cybersecurity risk management framework for end-to-end integrated space mission systems,” the auditing agency said in response. “Without a plan with identified timeframes, it is unknown when the agency will actually perform an update to incorporate, if necessary, any additional cybersecurity controls.”

Security flaws in IRS systems pose risk to financial statements, GAO says https://fedscoop.com/irs-information-systems-security-problems-financial-statements-gao/ Fri, 26 Apr 2024 13:10:56 +0000 https://fedscoop.com/?p=77628 The congressional watchdog found new deficiencies in the tax agency’s security management, access and configuration management controls.

The post Security flaws in IRS systems pose risk to financial statements, GAO says appeared first on FedScoop.

A handful of security deficiencies in IRS information systems elevate the tax agency’s risk of inaccuracies in financial statements, the Government Accountability Office said Thursday.

In its report, the congressional watchdog highlighted “new and continuing” shortcomings with information systems and the safeguarding of assets, issues that increase the likelihood of unauthorized access to sensitive IRS data. The security deficiencies also pose a threat of disruption to critical agency operations, the GAO warned.

“The continuing control deficiencies related to transaction cycles increase the risk of financial statement misstatements,” the GAO said in its report. “IRS mitigated the potential effect of these control deficiencies primarily through compensating controls that management designed to help detect potential financial statement misstatements.”

The GAO’s audit of the IRS’s fiscal year 2022 and 2023 financial statements revealed three new deficiencies, after the agency had taken “corrective actions” to address 51 previous recommendations from the watchdog, 15 of which have been completed, with the remaining 36 in progress.

Those newly identified deficiencies, which the GAO characterized as “sensitive in nature,” cover control problems in security management, access and configuration management. 

Configuration management appeared to present the most significant issues for the IRS, according to the report. Security settings for specific servers that support financial reporting-related systems were not consistently implemented; the watchdog delivered four recommendations to address that deficiency. 

For the security management control problem, the IRS failed to “consistently create a plan of action and milestones for identified weaknesses on a timely basis.” On access controls tied to monitoring and audits, the agency didn’t review and certify a monthly security report in a timely fashion. The GAO made one recommendation apiece for those deficiencies. 

IRS Commissioner Danny Werfel said in a letter responding to a draft version of the GAO’s report that the agency is “committed to implementing improvements dedicated to promoting the highest standard of financial management, internal controls, and information technology security.”
