Within government, there are existing projects that are more mature than AI chatbots and are immediately ready to deliver more efficient government operations. Through a partnership between three offices, the Department of State is seeking to automate the cumbersome process of document declassification and prepare for the large volume of electronic records that will need to be reviewed in the next several years. The Bureau of Administration’s Office of Global Information Services (A/GIS), the Office of Management Strategy and Solutions’ Center for Analytics (M/SS CfA), and the Bureau of Information Resource Management’s (IRM) Messaging Systems Office have piloted and are now moving toward production-scale deployment of AI to augment an intensive, manual review process that normally necessitates a page-by-page human review of 25-year-old classified electronic records. The pilot focused mainly on cable messages which are communications between Washington and the department’s overseas posts. 

The 25-year declassification review process entails a manual review of electronic, classified records at the confidential and secret levels in the year that their protection period elapses; in many cases, 25 years after original classification. Manual review has historically been the only way to determine if information can be declassified for eventual public release, or exempt from declassification to protect information critical to our nation’s security.

However, manual review is a time-intensive process. A team of about six reviewers works year-round to review classified cables and must use a triage method to prioritize reviewing the cables most likely to require exemption from automatic declassification. In most years, they are unable to review every one of the between 112,000 and 133,000 electronic cables under review from 1995-1997. The risk of not being able to review each document for any sensitive material is exacerbated by the increasing volume of documents. 

This manual review strategy is quickly becoming unsustainable. Around 100,000 classified cables were created each year between 1995 and 2003. The number of cables created in 2006 that will require review grew to over 650,000 and remains at that volume for the following years. While emails are currently an insignificant portion of 25-year declassification reviews, the number of classified emails doubles every two years after 2001, rising to over 12 million emails in 2018. To get ahead of this challenge, we have turned to artificial intelligence. 

Considering AI is still a cutting-edge innovation with uncertainty and risk, our approach started with a pilot to test the impact of the process on a small scale. We trained a model, using human declassification decisions made in 2020 and 2021 on cables classified confidential and secret in 1995 and 1996, to recreate those decisions on cables classified in 1997. Over 300,000 classified cables were used for training and testing during the pilot. The pilot took three months and five dedicated data scientists to develop and train a model that matches previous human declassification review decisions at a rate of over 97 percent and with the potential to reduce over 65 percent of the existing manual workload. The pilot approach allowed us to consider and plan for three AI risks: lack of human oversight of automated decision-making, the ethics of AI, and overinvestment of time and money on products that aren’t usable.

The new declassification tool will not replace jobs. The AI-assisted declassification review process requires human reviewers to remain part of the decision-making process. During the pilot and the subsequent weeks of work to put the model into production, reviewers were consistently consulted and their feedback integrated into the automated decision process. This combination of technological review with human review and insight is critical to the success of the model. The model cannot make a decision with confidence on every cable, necessitating that human reviewers make a decision as they normally would on a portion of all cables. Reviewers also conduct quality control. A small, yet significant, percentage of cables with automated confident decisions are given to reviewers for confirmation. If enough of the AI-generated decisions are contradicted during the quality control check, the model can be re-trained to consider the information that it missed and integrate reviewer feedback. This feedback is critical to sustaining the model in the long term and for considering evolving geopolitical contexts. During the pilot, we determined that additional input from the Department’s Office of the Historian (FSI/OH) could help strengthen future declassification review models by providing input about world events during the years of records being reviewed.

There are ethical concerns that innovating with AI will lead to governing by algorithm. Although the descriptive AI used in our pilot does not construct narrative conversations like large language models (LLMs) and ChatGPT, it is designed to make decisions by learning previous human inputs. The approximation of human thought raises concerns of ethical government when it replaces what is considered sensitive and specialized experience. In our implementation, AI is a tool that works in concert with humans for validation, oversight, and process refinement. Incorporating AI tools into our workflows requires continually addressing the ethical dimensions of automated decision-making. 

This project also saves money — potentially millions of dollars’ worth of personnel hours. Innovation for the sake of being innovative can result in overinvestment in dedicated staff and technology, which is unable to sustain itself or end up in long-term cost savings. Because we tested our short-term pilot within the confines of existing technology, when we forecast the workload reduction across the next ten years of reviews, we anticipate an almost $8 million savings on labor costs. Those savings can be applied to piloting AI solutions for other governmental programs managing increased volumes of data and records with finite resources, such as information access requests for electronic records and Freedom of Information Act requests.

Rarely in government do we prioritize the time to try, and potentially fail, in the interest of innovation and efficiency. The small-scale declassification pilot allowed for a proof of concept before committing to sweeping changes. In our next phase, the Department is bringing the pilot to scale so that the AI technology is integrated with existing Department technology as part of the routine declassification process.

Federal interest in AI use cases has exploded in only the last few months, with many big and bold ideas being debated. While positive, these debates should not detract from use cases like this, which can rapidly improve government efficiency and transparency through the release of information to the public. Furthermore, the lessons learned from this use case – having clear metrics of success upfront, investing in data quality and structure, starting with a small-scale pilot — can also be applied to future generative AI use cases as well. AI’s general-purpose capabilities mean that it will eventually be a part of almost all aspects of how the government operates, from budget and HR to strategy and policy making. We have an opportunity to help shape how the government modernizes its programs and services within and across federal agencies to improve services for the public in ways previously unimagined or possible.  

Matthew Graviss is chief data and AI officer at the Department of State, and director of the agency’s Center for Analytics. Eric Stein is the deputy assistant secretary for the office of Global Information Services at State’s Bureau of Administration. Samuel Stehle is a data scientist within the Center for Analytics.

The post The Department of State’s pilot project approach to AI adoption appeared first on FedScoop.

The IT leader steps down after three years in the role, but according to sources will remain in government service. 

He has served at the State Department since 2008, when he joined the Bureau of Information Resource Management as deputy manager for the IT Cost Center Working Capital Fund. 

Merrick’s previous roles at State include a period as director of the office of digital in the Bureau of International Information Programs, and as director of the Office of Innovative Infrastructure. 

Before working at State, Merrick for a period was a financial management consultant and IT project manager at PwC, and before that served for nearly a decade as a commissioned officer in the Army. 

During his tenure at State, the IT leader helped to oversee the agency’s transition to the cloud, including the initial implementation of a three-year data strategy launched in September last year.

Speaking at a FedScoop-hosted event earlier this year, Merrick said the speed of recent events has helped to make the case for wholesale organizational change and closer collaboration between sub-agencies at State. 

“In today’s day and age we are facing unprecedented expectations: speed of delivery, speed of information, the need for data analytics to drive decisions at very senior levels. The need to operationalize activities very quickly,” he said.

No further details of Merrick’s next destination were immediately available.

The State Department did not immediately respond to a request for comment.

The post State Department head of cloud programs Brian Merrick to leave post appeared first on FedScoop.

OIG found the Bureau of Information Resource Management hadn’t addressed 90 of its unclassified recommendations as of July 30 — 57% of which dated back to fiscal 2019 or earlier.

The bulk of those recommendations, 26 to be exact, pertained to configuration management of products and systems to ensure information security, prompting OIG to recommend the under secretary for management track IRM’s future progress.

“Because the under secretary for management is responsible for ensuring that corrective actions on OIG recommendations are actually taken, OIG recommends that the under secretary monitor the status of corrective actions for the open recommendations addressed to IRM and take actions if necessary until they have been implemented and closed,” reads the report.

Of the other unaddressed recommendations, 11 related to risk management, 11 to identity and access management, 10 to shared services, eight to IT investments, six to data protection and privacy, four to security training, four to continuous monitoring, four to contingency planning, three to information system security officers, one to supply chain risk management, two to general IT policies, and three to other IT topics.

OIG made two recommendations to Under Secretary Carol Perez, the first that her office verify IRM has plans of action and milestones (POA&M) documented for all 90 of its OIG recommendations. The undersecretary disagreed.

“If the end goal is for IRM to close their open recommendations with OIG, a realistic concern is that developing a separate action plan for each recommendation would prove overly cumbersome,” Perez wrote in her response. “IRM’s staff, time and resources are better spent working on compliance-related activities, maintaining a high standard of day-to-day operations, and communicating directly with OIG.”

As a result OIG marked the recommendation unresolved, arguing agencies are required to develop POA&M by the National Institutes of Standards and Technology and that the under secretary must submit her own POA for the recommendation.

The undersecretary accepted OIG’s second recommendation that her office develop a method for periodically reviewing IRM’s efforts because it already had one in place, so OIG marked the recommendation closed.

“[T]he office of the acting under secretary for management provides a spreadsheet of open recommendations from OIG to IRM, with a high-level visual depiction of IRM’s compliance,” reads the report. “After IRM provides a response to the acting under secretary for management, she reviews the data and ensures that IRM is up-to-date on compliance efforts.”

The post Information security a ‘major management challenge’ at the State Department appeared first on FedScoop.

OIG performed an audit of the department’s process for selecting and approving IT investments and found the Bureau of Information Resource Management could do more to centralize oversight and avoid duplicative purchases. The State Department spent $2.5 billion on IT in fiscal 2019.

The audit was a follow-up to a March 2016 report that found the State Department lacked a “defined process” that met Office of Management and Budget requirements, although five of OIG’s seven recommendations have since been closed.

“Until additional actions are taken, IRM will not be able to fully identify duplicative systems and related cost-saving opportunities, optimize its IT investments, or promote shared services,” reads the follow-up report released Wednesday.

OIG recommended IRM conduct a benchmark assessment of the agency’s IT portfolio to find duplicative systems — despite mitigating duplication by creating a process for comparing investment requests — and then implement a strategy to combine, implement or replace such systems.

Despite adopting OMB guidance and updating internal policy on recording IT investment in a portfolio management system, iMatrix, IRM needs a way to review reorganizations, OIG recommended.

IRM verbally concurred with OIG’s recommendations in a July 15 meeting.

OIG further recommended the Bureau of Administration identify IT-related acquisitions of $10,000 or more, a finding it agreed with.

IRM failed to make substantial progress on two OIG recommendations from the 2016 report. The bureau still hasn’t reviewed the IT investment methods of all bureaus of enforced the requirement that they and other State Department offices avoid duplication.

“These actions are needed to improve accountability and to further identify and avoid duplicative IT investments,” reads the report.

The post State Department IT investments lack central oversight, IG report finds appeared first on FedScoop.

Both the Bureau of Information Resource Management within the State Department and the Navy moved to the cloud to automate processes, integrate security into the software development process and deploy updates faster.

The embrace of the cloud as an enabler of DevSecOps and cybersecurity more broadly represents an evolution in agencies’ approaches to the technology.

“Two years ago the biggest driver was ‘my boss told me to,'” said Tom Santucci, director of IT modernization within the Office of Government-wide Policy within the General Services Administration, during an ATARC event. “Now people are starting to see the benefits of this.”

IRM functions as the main provider of IT resources, from infrastructure to messaging, for the State Department, and its Systems Development Division deploys software solutions for any domestic or overseas office with a business need. The bureau moved its previously separate development and production environments to the cloud over the last few years to bridge the two.

Now IRM can not only run up a build agent in the development environment to automate tests or scans but actually create a pipeline to push it to the staging or production environments for users.

“It was possible before the cloud, but it was a larger tactical effort and a larger security effort because you had differences between environments,” said David Vergano, systems development division chief of IRM, during a FedInsider event. “So the cloud backbone is helping to make things smoother, and now we can really try to change how we do things because we have the tooling.”

The department’s other offices come to Vergano with the particular cloud products they want to use, and he advises them to use Federal Risk and Authorization Management Program-certified tools to smooth acquisition and ensure security.

Like IRM, the Naval Information Warfare Systems Command’s (NAVWAR’s) Program Executive Office for Digital and Enterprise Services (PEO Digital) is delivering environments that can be built once and adapted to multiple use cases. Cloud platforms that enable continuous integration/continuous deployment (CI/CD) and DevSecOps make that work easier, but migration isn’t always immediately affordable.

“In [the Department of Defense], nobody has buckets of funding laying around to dump into modernizing their architectures so that everyone in July 2021 can move toward containers and microservices,” said Taryn Gillison, program executive director of the digital platform application services portfolio.

Alternatively, PEO Digital is developing enabling capabilities like Naval Identity Services, infrastructure as code (IaC) and middleware.

If PEO Digital can automate testing and tools for the Navy’s various components, it allows them to shift focus to modernization, Gillison said.

Hurdles remain for NAVWAR, however — namely installation timelines. Gillison said she’s “impatient” to see cloud-to-ship software pushes and other policy changes happen more broadly.

In the prior six to 12 months, 52% of IT executives at public sector organizations said they’d chosen a new cloud provider, according to an Ensono report from June. That number jumped to 85% in the prior 24 months, with 78% of public sector respondents citing security as a concern.

With most public sector organizations managing their cloud environments centrally, a multi-cloud model prevails — largely due to the flexibility it affords agencies, Clint Dean, a vice president at Ensono, told FedScoop.

That jives with DOD canceling its $10 billion Joint Enterprise Defense Infrastructure (JEDI) cloud procurement, citing its intent to launch the multi-cloud, multi-vendor Joint Warfighter Cloud Capability (JWCC) environment.

“As much as Amazon, Microsoft and Google would have us believe, maybe there’s not as much brand loyalty as folks think there is,” Dean said.

The post DevSecOps is fueling agencies’ cloud migrations appeared first on FedScoop.

The ITEC now has working groups in architecture, workforce, field first, cybersecurity, mobility, and collaboration that consist evenly of Bureau of Information Resource Management and other bureaus’ IT leadership.

The department spent the past eight months embracing a de facto, agile model for delivering remote applications to its teleworking employees, but now it’s shifting its focus to governance, McGuigan said.

“The goal of that is to bring together all of the collective requirements of the department, so we understand what needs to be done out there,” McGuigan said during an ACT-IAC event Friday. “And then feed that back to our chief architect, our [chief information security officer] and say, ‘Look, where do we have enough commonality of needs that we should be doing things in an enterprise way?'”

State Department‘s more than 50 bureaus will occasionally have different IT needs requiring specific technologies, he added. But they’ll be expected to either participate in an enterprise capability, like a cloud service with an authority to operate, or create a new technical capability they share with the rest of ITEC.

Bureaus have an “obligation” to make faster, better, more cost-effective capabilities available to the rest of the department, McGuigan said.

Occasionally bureau IT leaders are skeptical, but engagement hasn’t really been an issue because the ITEC model enables them to act independently without being “chaotic,” he added.

“The only option that’s not encouraged, that’s not allowed is to go silent, to go dark because you don’t want to engage,” McGuigan said.

The post State Department shifts focus to aligning IT and bureau governance appeared first on FedScoop.

An Office of the Inspector General (OIG) review of the Bureau of Information Resource Management (IRM), which handles IT for the department, recommended the agency undergo a strategic realignment.

“That created an opportunity to take an office that was duplicative in some areas and doing a little bit of acquisitions and convert it to just focus on IT,” Ken Rogers, acting deputy chief information officer of business management and planning at IRM, told FedScoop. “This is really taking the letter and the spirit of the Federal Information Technology Acquisition Reform Act and putting it into practice.”

The OIG-approved IT Acquisitions Office (IAO) will fall under the purview of Rogers, who estimates it will be operational by spring 2020.

Rogers is in the process of moving contracting officer representatives into the new office, rewriting position descriptions and recruiting additional talent — all while updating policy and creating the office’s structure.

IAO will have four divisions: an IT acquisition service for helping program offices get their procurements off the ground, two execution offices for contracting technology and services respectively, and a vendor performance management office for establishing standards and metrics. Each office will be staffed by eight to 10 federal employees with contract support on a surge basis.

“On the programmatic side, we are flat-footed in so many places,” Rogers said during an AFFIRM discussion Thursday. “The number of contracts we execute, where the last option year we don’t have a plan for what we’re doing next — and six months into the last option year we’re scrambling because now we don’t have time to do a procurement — that happens a lot.”

The office will create a shift from doing acquisitions for agencies building widgets to technology business management services. Every agency in the State Department will be able to use a service contract when they need anything, from technology towers to edge computing.

“They’ll be able to buy off of vehicles that already exist for them,” Rogers told FedScoop.

The post State Department to launch IT Acquisitions Office appeared first on FedScoop.

NCCoE — part of the National Institute of Standards and Technology, which released its definition of zero trust for public comment in late September — is “about to walk on that journey of zero trust and begin to build out some different security architectures that model some of the work in government and perhaps financial institutions to be able to think about where you can use some of the nobs and levers over time,” Donna Dodson, chief cybersecurity adviser at NIST, said Thursday in reference to the strong cybersecurity tools already available in government.

Zero trust refers to the narrowing of cyberdefenses from wide network perimeters to micro-perimeters around individual or small groups of resources, according to NIST.

Many agencies already have elements of zero-trust architectures in place. For instance, some have “great authentication capabilities,” but they may not use them enough or in the right situations, Dodson said at the Ignite ‘19 Cybersecurity Conference on Thursday.

While many employees want to plug in their personal identity verification card on Monday, when they log on to their agency’s network, and take it with them when they log out on Friday, that’s not always appropriate, she added.

“We need to be able to take what we have in place today and perhaps augment it a bit so that we can dial the nobs for individuals or for different roles within the organization,” Dodson said.

The Cybersecurity and Infrastructure Security Agency is doing just that through its Continuous Diagnostics and Mitigation program, which pushes new policies out to agencies, said Jeanette Manfra, assistant director for cybersecurity at CISA.

Agencies can improve their zero-trust security posture by limiting network access by group as much as possible — only allowing senior leaders access to the most sensitive datasets, Manfra said.

“What we consistently see is adversaries targeting one individual and then — because that individual had access they shouldn’t have or was connected to something that they had no reason for their job to be connected to — they’re now able to lateral throughout and gain higher-level access,” she said.

Meanwhile, the State Department is eyeing an architecture that will allow it to perform deep packet inspection similar to the Chicago Board of Trade, said CIO Stuart McGuigan. For years the board has had the capability to open packets and interrogate the metadata to see what’s being bought at what price and quantity, before flagging anomalies or else adding it to the data.

McGuigan wants his agency’s first use case to be a messaging layer, rather than a heavily trafficked one that runs a lot of apps.

“Something that has a more restricted domain of users and so, therefore, is useful but very narrow in terms of the use case and packets that are flying around the network,” he said. “You can push it to really having order of magnitude better authentication and packet-level monitoring.”

The post NIST to test federal ‘zero trust’ security architectures appeared first on FedScoop.

Such networks are the department’s largest and consist of everything from security cameras to door lock sensors.

The problem is getting Bureau of Diplomatic Security personnel to acknowledge all of that relies on an IT backbone provided by the Bureau of Information Resource Management, said Steven Haines, division chief of contracting and procurement for the former.

“They’d like to think that it’s not information technology, so there’s been kind of a slow recognition that we need to consider IT contracting methods and IT considerations when designing these systems — the purpose of which is security,” Haines said. “And there’s been somewhat of a push and pull, or a difficulty, in getting the right folks at the table to collaborate between our IT apparatus and our security folks.”

The General Services Administration’s Multiple Award Schedule Consolidation — the move from 24 contracting schedules to one — could help smooth things over, Haines said.

Integrated product teams have been meeting and boiling down the large, centralized, long-term contracts awarded to industry vendors to key terms and conditions to be included in a single solicitation. Schedules are divided into supply and service subcategories called special item numbers, or SINs, of which there will be 475 less when the process is finished.

GSA’s final solicitation is due out Oct. 1 and will be written in plain verbiage, said Kevin Mitchell, branch chief of the Law Enforcement and Security Division within GSA.

“It’s going to really simplify the way procurement takes place against schedules,” Mitchell said.

The schedule the State Department uses to procure IT systems for security, Schedule 84, and the one it uses purely for IT, Schedule 70, will be gone. Instead, vendors will be able to offer security and IT under a single contract vehicle.

“Taking that difficulty out of the mix for us is certainly something that we welcome,” Haines said.

Other changes in State Department contracting have already started to happen, he added. The department is moving away from 250-page written proposals toward oral presentations, on-the-spot scenarios and demonstrations to save time and money.

Industry has also responded to agencies’ flat budgets by low-bidding service contracts, Haines said.

“But the [ensuing] difficulty in retention and recruitment results in such extreme cases as we experienced not two months ago — a number of critical positions in critical locations threatening to walk off the job because their pay had been cut by some 60 percent,” he said. “That’s untenable for a security organization.”

The State Department is looking at total compensation packages as a technical evaluation factor in some cases, Haines said, and companies have gotten creative trading salaries for benefits.

Because industry often scrambles to figure out how projects will be competed, the department is planning a series of industry day communications, webinars, videos and uploads offering details further in advance.

Haines said the State Department is also embracing category management — the use of more governmentwide, strategic contract vehicles to reduce duplication of effort and leverage multi-agency expertise.

When the agency can’t piggyback off a Best-in-Class contract, it will consider designing one.

“If we can’t identify something that exists — that is perfect for the needs of the interagency — then we may be standing up something new,” Haines said.

The post State Department wants IT and security arms to better work together appeared first on FedScoop.

The request calls for input from industry about how it could provide a suite of IT services for the data centers of the bureau, which manages the State Department’s technology operations.

The request calls on respondents to incorporate small and disadvantaged businesses or joint ventures in their response.

“IRM requires the contractor to provide enterprise-level domestic data center service offerings, and administrative support services including a software-defined infrastructure, Data Center Information Management (DCIM), cloud and overseas virtual infrastructure (VI) support,” the request said.

The IRM currently oversees four data centers that provide infrastructure-as-a-service operational support 300 State Department sites and 275 missions worldwide.

Agency officials are looking for respondents to provide best practices solutions on how the State Department can “harmonize, and enhance its mission-delivery capability” in its IT service areas with following objectives:

• Increased organizational agility.
• Lowering time and cost for service delivery.
• Better business stakeholder and IT alignment.
• “Frictionless” cooperation and coordination between service providers.
• Standards development and adherence.
• Better innovation approaches to IRM processes.

Deputy Secretary of State John J. Sullivan told the House Foreign Affairs Committee in September that the State Department was moving forward with IT modernization plans, including cloud migration, sometime in the future.

The request is a set-aside for small businesses and has a response deadline of Nov. 13 at 7 a.m. EST.

The post State Department’s IRM looking for small biz IT data center operations appeared first on FedScoop.