Securities and Exchange Commission Archives | FedScoop
https://fedscoop.com/tag/securities-and-exchange-commission/
FedScoop delivers up-to-the-minute breaking government tech news and is the government IT community's platform for education and collaboration through news, events, radio and TV. FedScoop engages top leaders from the White House, federal agencies, academia and the tech industry both online and in person to discuss ways technology can improve government, and to exchange best practices and identify how to achieve common goals.
Feed last updated: Mon, 03 Jun 2024 21:45:10 +0000

Fed, SEC need more consistent blockchain coordination, GAO says
https://fedscoop.com/federal-reserve-sec-blockchain-coordination-gao-report/ (Mon, 03 Jun 2024 21:43:32 +0000)
Priority open recommendations from the watchdog ding the financial regulators for lacking consistency in mechanisms to identify and respond to blockchain risks.

The post Fed, SEC need more consistent blockchain coordination, GAO says appeared first on FedScoop.

Coordination efforts by two financial regulators to address the risks posed by blockchain technology have lacked consistency, a congressional watchdog said Monday.

In a pair of priority open recommendations, the Government Accountability Office said the Federal Reserve and the Securities and Exchange Commission have succeeded in establishing coordination mechanisms with other federal regulators and financial working groups to identify the risks posed by blockchain-related products and services. But neither the Fed nor the SEC has “regularly” convened those bodies since the GAO delivered its recommendation in August 2023.

Lacking a cadence in convening these groups, the GAO said, means both agencies are unable “specifically to identify the full range of risks and regulatory challenges of existing and emerging blockchain products and services and provide a timely response to any unaddressed risks.”

The Fed, which neither agreed nor disagreed with the GAO’s recommendation, said it “routinely engages with the other federal financial regulators on emerging risks posed by blockchain-related products and services.” The banking regulator noted that it participates in information-sharing on identifying blockchain risks with other regulators in the Digital Asset Working Group, but the GAO is pushing for “planning processes for identifying and addressing such risks” within that group. 

“Fully implementing this priority recommendation would help the Federal Reserve and other financial regulators collectively identify risks posed by blockchain-related products and services and develop and implement a regulatory response in a timely manner,” the GAO stated.

The SEC, meanwhile, told the GAO that it works to identify crypto-related risks in the agency’s work with the Financial Stability Oversight Council, the President’s Working Group on Financial Markets and some international bodies. FSOC “established a coordination mechanism” through the Digital Asset Working Group, the SEC reported to the GAO, adding that the working group “meets regularly and has discussed a variety of topics, including regulatory developments, rulemakings, risks, data collection, and market developments.”

The GAO called the Digital Asset Working Group “a positive step,” but prodded the SEC to embrace planning documents.

“Such planning documents could include (1) objectives and meeting frequency; (2) processes for identifying the full range of risks and regulatory challenges concerning blockchain-related products and services (not only those related to financial stability); and (3) processes for responding to these risks and challenges within agreed-upon timeframes,” the GAO said.

Beyond blockchain, the GAO re-upped a second priority recommendation to the Federal Reserve, which was originally delivered in 2019. The watchdog wanted the Fed, along with other banking regulators and the Consumer Financial Protection Bureau, to finalize “written communication that gives banks specific direction on the appropriate use of alternative data in the underwriting process when partnering with fintech lenders.”

The Fed teamed with the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency a year ago in issuing interagency guidance on third-party risk management, but the GAO said that the guidance falls short on specificity.

The guidance “does not include specific direction to banks that engage with fintech lenders on the appropriate use of alternative data in the underwriting process,” the GAO wrote. “Rather, the guidance broadly applies to all topics and third-party relationships. Accordingly, it does not address specific topics, such as the use of alternative data, or specific types of third-party relationships, such as relationships with fintech companies.”

Export-Import Bank taking open-minded approach on the use of generative AI tools
https://fedscoop.com/export-import-bank-permissive-on-generative-ai/ (Fri, 01 Mar 2024 22:51:12 +0000)
Addressing employee generative AI use is largely an evolution of the agency’s existing policies for general internet searches, said Ex-Im's Howard Spira.

The Export-Import Bank of the United States is among the agencies opting for a more permissive approach to generative AI tools, giving employees the same kind of access the independent agency already allows for the internet in general, according to its top IT official.

“We do not block AI any more than we block general internet access,” Howard Spira, chief information officer of Ex-Im, said during a Thursday panel discussion hosted by the Advanced Technology Academic Research Center (ATARC).

Spira said the agency is approaching generative tools with discussions about accountability and best practices, such as not inputting private information into tools like ChatGPT or other public large language models. “But frankly, that is just an evolution of policies that we’ve had with respect to just even search queries on the general internet,” Spira said.

He emphasized the importance of context in AI usage, noting that the agency — whose mission is facilitating U.S. exports — deals with the kinds of decisions that it believes are “a relatively low-risk environment” for AI. Most of the work the agency is doing with AI is with “embedded AI” that’s within its existing environments, such as those for cyber and infrastructure monitoring.

“We’re also actually encouraging our staff to play with this,” Spira said.

His comments come as agencies across the federal government have grappled with how to address the use of generative AI tools by employees and contractors. Those policies have so far varied by agency depending on their individual needs and mission, according to FedScoop reporting.

While some agencies have taken a permissive approach like Ex-Im, others are approaching the tools with more caution.

Jennifer Diamantis, special counsel to the chief artificial intelligence officer in the Securities and Exchange Commission’s Office of Information Technology Strategy and Innovation, said during the panel that the SEC isn’t jumping into third-party generative AI tools yet, citing unknowns and risks. 

There is, however, a lot of exploration, learning, safe testing and making sure guardrails are followed, Diamantis said. She added that while the agency is exploring the technical side, there is also an opportunity right now to explore the process, policy and compliance side of things to make sure they’re ready to manage risks if and when they do move forward with the technology. 

Diamantis, who noted she wasn’t speaking for the commission or commissioners, encouraged people to use this time to focus not just on the technology, “but also, what do you need in terms of governance? What do you need in terms of updating your lifecycle process? What do you need in terms of upskilling, training for staff?”

In addition to exploration, the SEC is also educating its staff on AI. Diamantis said those efforts have included trainings — such as a recent one on responsible AI — and having outside speakers, as well as establishing an AI community of practice and a user group.

Spira similarly noted that Ex-Im has working groups addressing AI and is including discussions about the technology in its continuous strategy process. This year, that process for its IT portfolio included having “the portfolio owners identify potential use cases that they were interested in exploring” and the identification of embedded use cases, he said.

Tony Holmes, another panelist and Pluralsight’s director of public sector presales solution consulting for North America, underscored the importance of broad training on AI to build a workforce that isn’t afraid of the technology.

“I know when I talk to people in my organization, when I talk to people at agencies, there are a lot of people that just haven’t touched it because they’re like, ‘we’re not sure about it and we’re a little bit scared of it,’” Holmes said. Exposure, he added, can help those people “understand it’s not scary” and “can be very productive.”

SEC Chair Gensler sounds alarm on risks of large AI-fueled financial models
https://fedscoop.com/sec-gary-gensler-ai-models-financial-sector/ (Thu, 18 Jan 2024 18:23:46 +0000)
The Securities and Exchange Commission chair has “macro” concerns about financial sector reliance on a couple large AI base models, especially since regulators would have no oversight power.

Artificial intelligence will ultimately be a “net positive” for “efficiency and access in the financial markets,” Securities and Exchange Commission Chairman Gary Gensler said Wednesday. But the financial sector needs to keep in mind that the technology “comes with risks.”

During a webinar with the nonprofit consumer advocacy group Public Citizen, Gensler spoke of the “American affinity for centralization” in everything from cloud providers to search engines. The SEC chair predicted that the same will be true for large AI base models, upon which aggregators with an “insatiable desire for data” will rely.

“The whole financial sector, indirectly, will be relying on those central nodes,” Gensler said. “And if those nodes have it wrong, the monoculture goes one way, well, then there’s a risk in society and the financial sector at large.”

The SEC last July proposed rules to prohibit investment firms from using predictive data analytics, including AI, that put their interests above those of their clients. Those rules followed March 2022 recommendations from the agency’s Investor Advisory Committee, which called for ethical guidelines regarding AI models used by investment firms and financial institutions.

The SEC’s AI rulemaking received swift industry pushback, but Gensler has held steady in his beliefs about the dangers of AI-washing in the financial sector.

Despite the agency’s regulatory push, Gensler noted Wednesday that financial regulators wouldn’t actually have oversight powers for the large AI models from which financial institutions would draw.

With a government that’s used to “regulations and laws around entities and activities,” Gensler said the approach to AI in financial models should be viewed domestically and abroad as a “horizontal challenge” — though horizontal reviews likely still won’t be enough. 

“I think we’ve really got to think [about], ‘How do you keep some diversity in the system?’ And this is diversity of models and diversity of data sources,” Gensler said. “Otherwise, you end up with a pretty fragile system.”

With his hands tied on the more “macro” regulatory pursuits on AI and financial markets, Gensler said the SEC will do its best to address the “explainability” challenge posed by the technology.

“I think the macro issue and financial stability set of issues, it’s really trying to continue to raise the awareness amongst international colleagues about these challenges,” Gensler said. “I noticed that the Chief Justice of the Supreme Court, in his annual report, even spoke about AI. And so I think the awareness is raising, but I’ll stick to our lane of financial services, and particularly securities law.”

SolarWinds agrees to pay $26M to settle shareholder lawsuit over 2020 cyberattack
https://fedscoop.com/solarwinds-agrees-to-pay-26m-to-settle-shareholder-lawsuit-over-2020-cyberattack/ (Mon, 07 Nov 2022 23:55:27 +0000)
The company also warned that the SEC has made a preliminary decision to take action against the company over the breach.

IT software giant SolarWinds has agreed to pay $26 million to settle a securities class action lawsuit filed by shareholders over the cyberattack on the company’s Orion software platform and internal systems that was discovered in late 2020.

The technology giant disclosed the settlement in a regulatory filing on Nov. 3 and also warned it has received notice from the Securities and Exchange Commission that the regulator has made a preliminary decision to file an enforcement action against the company over the cyber breach.

“SEC staff has made a preliminary determination to recommend that the SEC file an enforcement action against the Company alleging violations of certain provisions of the U.S. federal securities laws with respect to its cybersecurity disclosures and public statements, as well as its internal controls and disclosure controls and procedures,” SolarWinds disclosed in its 8-K filing. 

During the breach, which was disclosed in late 2020, suspected Russia-backed hackers used routine software updates to add malicious code into the company’s Orion software product, which was used as a vehicle for a major cyberattack launched against private and public sector entities.

At least eight federal government agencies had systems compromised as a result of the attack.

As part of the settlement, the software maker did not acknowledge any wrongdoing; the shareholders had alleged they were misled about its security apparatus in advance of the attack. The sum will be paid by the company’s insurers, who authorized and approved it, according to an 8-K filing with the U.S. Securities and Exchange Commission.

“The settlement, if approved, would require the Company to pay $26 million to fund claims submitted by class members, the legal fees of plaintiffs’ counsel and the costs of administering the settlement,” the company said in its 8-K filing.

The SolarWinds attack took place over the course of almost nine months and affected roughly 18,000 entities in total.

The cyberattack occurred after SolarWinds, an IT company that runs network management systems for thousands of clients, was infiltrated and its Orion software updates were used to distribute malware to its customers’ computers.

In early 2021, SolarWinds stockholders sued the company after the stock tanked from news of the supply chain attack on SolarWinds’s software, which was first publicly reported in December 2020. In the second half of 2021 the company asked a US federal judge to throw out the lawsuit, claiming that it was “the victim of the most sophisticated cyberattack in history,” and described the legal arguments of certain shareholders as a way to “convert this sophisticated cyber-crime” into an unfair and unrelated securities fraud lawsuit.

Following the Wells notice (the notification SEC staff sends when it intends to recommend an enforcement action), the SEC could seek an order barring the company from future violations of the federal securities laws covered by the action, impose civil monetary penalties and obtain other equitable relief within the agency’s authority.

It remains unclear if or when the SEC will take enforcement action and what the potential consequences of this could be for SolarWinds.

Oracle to pay $23M to settle foreign bribery charges brought by SEC
https://fedscoop.com/oracle-to-pay-23m-to-settle-foreign-bribery-charges-brought-by-sec/ (Tue, 27 Sep 2022 17:59:13 +0000)
This is the second time the tech giant has settled with the regulator in connection with the creation of slush funds.

Oracle Corp. has agreed to pay $23 million to resolve charges from the U.S. Securities and Exchange Commission that it violated provisions of the Foreign Corrupt Practices Act.

According to the regulator, Oracle subsidiaries in Turkey, the United Arab Emirates and India used slush funds to bribe foreign officials in return for business between 2016 and 2019.

Without either admitting or denying the SEC’s findings, Oracle has signed a cease and desist agreement that says it will not violate anti-bribery law. It has also agreed to pay $8 million in interest and a civil penalty of $15 million.

In December, Oracle acquired Cerner, which operates the Millennium platform at the center of the Department of Veterans Affairs’ troubled electronic health record modernization program, for $28.3 billion.

According to the SEC, its investigation also found that Oracle subsidiaries in Turkey and UAE had used slush fund money to pay for foreign officials to attend tech conferences in violation of Oracle policies and procedures. In some instances employees of the Turkey subsidiary used the funds for the officials’ families to accompany them on international conferences or to take side trips to California, the regulator argued in order documents.

It is the second time the SEC has sanctioned Oracle in connection with the creation of slush funds. In 2012, the company resolved charges relating to the creation of millions of dollars of side funds by Oracle 

SEC Foreign Corrupt Practices Act Unit Chief Charles Cain said: “The creation of off-book slush funds inherently gives rise to the risk those funds will be used improperly, which is exactly what happened here at Oracle’s Turkey, UAE, and India subsidiaries.”

“This matter highlights the critical need for effective internal accounting controls throughout the entirety of a company’s operations,” he added.

Commenting on the settlement, Oracle Corporate Communications Vice President Michael Egbert said: “The conduct outlined by the SEC is contrary to our core values and clear policies, and if we identify such behavior, we will take appropriate action.”

Editor’s note, Sept. 27, 2022: This story was updated to include comment from Oracle Corp.

VMware pays $8M to settle SEC cease-and-desist proceedings over prior revenue disclosures
https://fedscoop.com/vmware-pays-8m-to-settle-sec-cease-and-desist-proceedings/ (Tue, 13 Sep 2022 15:21:56 +0000)
According to the regulator, the matter relates to the company’s results disclosures during fiscal years 2019 and 2020.

VMware has agreed to pay a civil penalty of $8 million to settle cease-and-desist proceedings brought against it by the Securities and Exchange Commission over prior order backlog and revenue management disclosures.

In legal documents published Monday, the regulatory body said the matter related to the technology company’s omission of material information in quarterly and annual results disclosures during its 2019 and 2020 fiscal years.

VMware has not admitted or denied any of the SEC’s findings as part of the settlement.

In its cease-and-desist complaint, the SEC said VMware had controlled the timing of certain revenue recognition by placing discretionary holds on selected sales orders. The regulator added that, as part of this practice, the delivery of license keys to clients was delayed.

“VMware employed discretionary holds when business objectives – including those for ‘bookings’ and revenue – had been achieved, in order not to exceed the company’s revenue guidance by too much and as a way, in the words of VMware personnel, to start the next quarter with a buffer or more momentum than it might have had otherwise,” the SEC argued.

According to the regulator, without omissions that resulted in quarter-end backlog reductions for the fiscal year 2020, VMware would have missed rather than met guidance and analyst consensus estimates for total revenue and guidance for license revenue. It would also have missed guidance for license revenue in the second quarter of that fiscal year, the SEC said.

The Securities Act of 1933 prohibits any person from directly or indirectly obtaining money or property by making any untrue statement of a material fact, or by omitting to state a material fact necessary to make the statements made not misleading.

VMware and the SEC did not respond to a request for comment.

Maximus awarded $323M contract to revamp EDGAR company filing system
https://fedscoop.com/maximus-awarded-323m-contract-to-revamp-edgar-company-filing-system/ (Tue, 26 Oct 2021 16:33:15 +0000)
The new award expands the technology company’s existing IT support remit for the records system.

Maximus Federal has won a $323 million IT contract to modernize the Securities and Exchange Commission’s filing system for company documents.

Under the 10-year agreement, the technology company is tasked with transforming enterprise IT and providing agile development and cybersecurity services for the Electronic Data Gathering, Analysis and Retrieval system (EDGAR).

EDGAR is the SEC’s system for the automated collection, validation, indexing and acceptance of submissions from entities — including public companies — that are required by law to file forms with the agency. It was launched in 1984 as a pilot program by the SEC and now processes around 3,000 filings each day.

The contract expands the scope of Maximus’s existing contract with the SEC, under which it provides IT support for EDGAR. The company assumed responsibility for that contract through its $430 million acquisition earlier this year of Attain.

The new contract was awarded through the SEC’s OneIT IDIQ contract vehicle. Attain in 2018 was one of three companies awarded an unrestricted contract as part of the OneIT project. In 2013, Attain was awarded its first work with the SEC through IT support contracts that included EDGAR.

Commenting on the contract win, Maximus Federal General Manager Teresa Wipert said the company was focused on helping the SEC to achieve its IT modernization and digital transformation goals.

Bill Hunt joins SEC’s Cloud Center of Excellence
https://fedscoop.com/bill-hunt-joins-secs-cloud-center-of-excellence/ (Mon, 24 May 2021 16:19:40 +0000)
The technologist moves to the agency after recently serving as chief enterprise architect at the U.S. Small Business Administration.

Senior government technologist Bill Hunt has joined the Cloud Center of Excellence at the Securities and Exchange Commission (SEC).

He takes up the role of assistant director at the unit, after previously working as chief enterprise architect at the Small Business Administration (SBA). Hunt reports directly to the agency’s CIO, David Bottom.

Prior to working at the SBA, he was cloud policy lead at the Office of Management and Budget, and before that was a digital services expert at the Department of Veterans Affairs.

Earlier in his career, Hunt held frontline development roles at nonprofit organizations including the Sunlight Foundation and the OpenGov Foundation. Before this, he worked in the private sector, including as a developer at WillowTree Apps and Boyd Caton and Grant Transportation Group.

During the COVID-19 pandemic, the SBA was tasked by Congress with distributing about $350 billion in small business loans and grants. The agency spends a little more than $100 million on IT annually.

The SEC’s Cloud Center of Excellence was established with a view to accelerating the implementation of new systems at the agency and to promoting experimentation. In 2019 the Office of Inspector General identified failings of the SEC’s adoption of cloud computing services, including that it had not effectively implemented strategy or tracked related goals.

The SEC did not respond to a request for comment on Hunt’s appointment.

SolarWinds’ federal footprint is large, and compromise is a ‘nightmare scenario’ for affected agencies
https://fedscoop.com/solarwinds-federal-footprint-nightmare/ (Mon, 14 Dec 2020 21:15:17 +0000)
Only three agencies have reported breaches, but 32 are known to have used the software at some point since 2006. And contract records aren't the most accurate.

Federal agencies faced the most urgent kind of deadline Monday: They were given until noon, Washington time, to respond to a compromise by foreign hackers of a sensitive piece of network management software.

The emergency directive from the Cybersecurity and Infrastructure Security Agency (CISA) ordered all agencies using SolarWinds products to review their networks and disconnect or power down the company’s Orion software. Although many of the details of the hack remained unclear as of Monday afternoon, a few things helped explain CISA’s urgency: Orion has been available to the government for years through a complicated array of contracts, and the software operates at the heart of some crucial federal systems.

SolarWinds has been supplying agencies for a long time, first developing tools to help them understand how their servers were doing, and then branching out into network and infrastructure monitoring. Now IT teams can use those tools to manage virtualization and even security features such as privileged accounts and patching.

Orion is the framework tying all of those things together and helping system and network managers understand what’s going on. At least 32 federal agencies bought SolarWinds Orion software since 2006, according to a preliminary search of the Federal Procurement Data System – Next Generation (FPDS-NG) conducted by The Pulse of GovCon, a boutique market intelligence firm.

That footprint made Orion an attractive target to foreign spies, who used the company’s updating system to push out malware that allowed them to break into the departments of Commerce, Homeland Security and the Treasury. The attacks on the federal software supply chain are part of a campaign staged by Russian hacking group APT29, or Cozy Bear, on behalf of the SVR intelligence agency, The Washington Post first reported.

Many more agencies could be affected, but those were the three confirmed by multiple media organizations as of Monday afternoon.

“It’s almost a nightmare scenario, when you think about it, because these are tools that people put into the most sensitive parts of their network, the network management centers, to help them understand what’s going on with everything from the Wi-Fi switch in the conference room to the server that might have the most sensitive data at the agency,” said a retired senior government official, who asked not to be identified to speak freely about the compromise.

“And the adversary has essentially had a conduit to push malware to bypass the firewalls and all the other normal security checks and could potentially have moved anywhere in the infrastructure from there,” the former official said.

A public assessment of SolarWinds’ full federal footprint remains difficult, however, in part because 48 different resellers were awarded some of the 204 known federal contracts for Orion products since 2006. The likelihood FPDS-NG has not recorded all such transactions is high.

Adding to the challenge CISA has of assessing the damage is the fact the Orion vulnerability has been used to deploy malware inside agency networks since March, according to federal officials.

“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” said Brandon Wales, acting director of CISA, in a statement. “Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners — in the public and private sectors — to assess their exposure to this compromise and to secure their networks against any exploitation.”

CISA’s emergency directive locks down federal networks, but the next steps will be to look for signs of penetration, identify malware, eradicate it, and potentially fix security configurations that were compromised.

U.S. Cyber Command — which has more mature processes and more experienced cyber protection teams in place for doing such things — is likely coordinating with CISA, the retired official said.

Assessing Orion’s reach

Any agencies that choose to cut ties with SolarWinds over this incident will need to replace the infrastructure they’re losing.

“The cleanup from this could be going on for months and could cost millions of dollars,” the retired official said. “A bunch of days have been ruined here that’s for sure; there’s going to be a lot of IT guys who are going to be working overtime for months to deal with this.”

The number of affected agencies could be extensive, if contract awards for SolarWinds Orion products on FPDS-NG are any indicator.

“Due to the limitations of these procurement systems and their classification procedures, we can assume that this is the floor not the ceiling,” a Pulse spokesperson wrote to FedScoop.

Since 2006, contracts for SolarWinds Orion products have been awarded by the:

  • Bureaus of Land Management, Ocean Energy Management, and Safety and Environmental Enforcement, as well as the National Park Service and Office of Policy, Budget and Administration within the Department of the Interior
  • Air Force, Army, Defense Logistics Agency, Defense Threat Reduction Agency, and Navy within the Department of Defense
  • Department of Energy
  • Departmental Administration and Farm Service Agency within the U.S. Department of Agriculture
  • Federal Acquisition Service within the General Services Administration
  • FBI within the Department of Justice
  • Federal Highway Administration and Immediate Office of the Secretary within the Department of Transportation
  • Federal Law Enforcement Training Center, Transportation Security Administration, Immigration and Customs Enforcement, and Office of Procurement Operations within the Department of Homeland Security
  • Food and Drug Administration, National Institutes of Health, and Office of the Assistant Secretary for Administration within the Department of Health and Human Services
  • IRS and Office of the Comptroller of the Currency within the Department of the Treasury
  • NASA
  • National Oceanic and Atmospheric Administration within the Department of Commerce
  • National Science Foundation
  • Peace Corps
  • State Department
  • Department of Veterans Affairs

While all of these agencies bought SolarWinds Orion products, that doesn’t necessarily mean they were still using them between March and June, when the company suspects the vulnerability was introduced during updates. Agencies that have ongoing contracts for SolarWinds Orion products include the Army, DOE, FLETC, ICE, IRS, and VA.

SolarWinds estimated that, of the 33,000 Orion customers in active maintenance during the relevant period, fewer than 18,000 installed products with the vulnerability, in a report it made to the Securities and Exchange Commission about the cyberattack.

SEC makes David Bottom CIO
https://fedscoop.com/sec-bottom-chief-information-officer/ (Thu, 19 Dec 2019 20:12:49 +0000)
The incoming CIO previously held the role at the Office of Intelligence and Analysis within the Department of Homeland Security.

The Securities and Exchange Commission named David Bottom chief information officer in a Thursday announcement.

Bottom will oversee the functionality and security of the agency’s IT systems starting in January.

He currently leads governmentwide projects improving agencies’ cloud and artificial intelligence deployments on special assignment to Federal CIO Suzette Kent and the Office of Management and Budget.

“I am attracted to the [SEC]’s critical mission, and the commissioners’ goal of elevating the organization’s performance through technology, data analytics and human capital,” Bottom said in the announcement.

Most recently, he served as both CIO and chief data officer at the Office of Intelligence and Analysis within the Department of Homeland Security.

Prior to that, Bottom spent 10 years as a senior executive at the National Geospatial-Intelligence Agency and was the chief innovation officer in IBM’s federal intelligence practice.

“David’s substantial experience working with complex information technology systems, including in the intelligence sector, will serve the agency well as we continue to focus on the security and operational effectiveness of our systems at the SEC,” said Chairman Jay Clayton in a statement.

Acting CIO Chuck Riddle will return to his dual deputy CIO and chief technology officer role.
