An agency spokesperson said in an email to FedScoop that the cyber risk assessment process — recommended to the EPA in a July 2019 Government Accountability Office report — is on track to be finished “by November 22.” The EPA had previously told the GAO that it was committed to a “late summer to early fall” timeline.

In its original recommendation, the GAO made the case for the administrator of the EPA to establish a process to conduct an agency-wide cybersecurity risk assessment as a means to protect against “a growing number of threats to their information technology systems and data” — a recommendation applicable to all federal agencies. Adopting a “risk-based approach to cybersecurity by effectively identifying, prioritizing, and managing cyber risks,” the GAO said at the time, would help the EPA “better manage” its cyber risks.

While the EPA has updated its cybersecurity risk management strategy, the agency told the GAO last month that it “was continuing to plan” for the assessment and was “in the process of updating an internal procedure to address ongoing risk assessment activities.” 

The EPA spokesperson told FedScoop that updates to the agency’s enterprise risk assessment procedure would include a variety of additional performance metrics, citing logging maturity, strong authentication, critical vulnerability remediation and priority security control specifically.

The agency’s updated procedure for assessing cyber risks will also feature a modified risk-scoring system, the spokesperson added. That portion of the assessment will now include “enterprise and component-level risk scores, which will be added to the senior executive dashboard.”

“The procedures also include activities to consolidate the various cybersecurity dashboards into one overall dashboard that provides an executive level view of EPA’s risk posture,” the spokesperson said. 

In the priority open recommendations document released by the GAO this week, the watchdog warned that absent an established process for overseeing a cyber risk assessment, the EPA “may be missing opportunities to identify trends in cybersecurity risks, target systemic risks to the agency and its systems, and prioritize investments in risk mitigation activities.”

The EPA has been active recently on the cybersecurity front, stepping up its warnings to the country’s water utilities of increasingly serious cyber threats. This month, the agency issued an alert about rising threats to the water sector and said it will boost its inspections and enforcement efforts. 

That alert came two months after an EPA and White House warning to U.S. governors about cyberattacks capable of “disabling” water facilities. The EPA said it would establish a task force focused specifically on defending the water sector from cyber threats.

The post EPA says it’s ‘on target’ to complete process for cybersecurity risk assessment appeared first on FedScoop.

The “Clean Air in the Cloud Act,” introduced Tuesday by Rep. Gerry Connolly, D-Va., pushes the EPA to update the IT system for storing AirNow and the Air Quality System (AQS). The bill’s requirements come directly from recommendations in a September 2023 Government Accountability Office study that Connolly requested. 

“I requested the GAO report on this issue because the federal government is only as good as the IT it utilizes,” Connolly said in a press release. “That’s true across government and it’s certainly true for the EPA. It is my hope that, with this legislation, the EPA can resolve the challenges posed by AQS and AirNow to best deliver results for the American people they service.”

The watchdog recommended that the EPA consider an operational analysis along with developing and documenting a business case for a new IT system. Those would be rooted in considerations for how a system would be able to address challenges posed by the existing legacy systems. The agency agreed with both recommendations.

However, the EPA disagreed with a GAO recommendation that the agency should identify factors for assessing if the agency’s systems are ready for either replacement or retirement.

The GAO found that the use of multiple systems for air quality monitoring “results in inefficient use of resources” for EPA and other monitoring agencies. Agency officials reported that finding and retaining IT staff who could work with AQS’s “outdated software” was “particularly challenging.”

While the EPA declined to comment on the new legislation, a spokesperson said that the agency is “happy to provide technical assistance when asked.”

The post House bill calls on EPA to update IT systems that store air quality data appeared first on FedScoop.

The new government website evaluation tool, which is called “gov metadata,” was created by Luke Fretwell and his son, Elias, as part of the Civic Hacking Agency, a project focused on technology for the public good. The system works by scanning government websites and then analyzing the presence of metatags, which can help search engines and other portions of the web to interpret aspects of an online page. A metatag might be a reference to a title or help boost a page’s presence on social media; based on the number of metatags present, the project gives a “score” to each website. 

The point of the project, Fretwell told FedScoop, was to show how well the government was performing on certain important aspects of web page operations. “When it comes to AI, and metadata and data, and customer experience and digital service — these three elements of it — there’s some fundamental things,” he said. (Editor’s note: Fretwell helped establish FedScoop’s digital and editorial operations in its early years, but he is not a current employee of Scoop News Group). 

The stakes can be high, notes Beau Woods, the founder and CEO of the cybersecurity company Stratigos Security. “If a website doesn’t set [metadata tags] up, or doesn’t set them up correctly, it can leave citizens wondering what the site is about [and] which one is the legitimate site,” he said. “It leaves room for other unofficial websites to go to the top of search rankings, and to be the first stop for the citizens when they’re browsing.” 

The U.S. government appears to be on par with other organizations, like academic institutions and nonprofits, that have limited budgets for IT and competing priorities, Woods added.  Importantly, the project wasn’t able to grade websites that its systems couldn’t properly scan.

According to the gov metadata tracker, federal agencies vary widely in how well they’re performing on metatags. Notably, a digital changelog established by the project shows that some government webpages were incorporating new metadata amid FedScoop’s reporting. 

An Office of Management and Budget spokesperson told FedScoop that the agency is working with implementation partners and relevant interagency bodies to expand “best practices on search engine optimization and the use of metadata.” 

“The use of metadata and other related search engine optimization practices plays an important role in ensuring that members of the public can easily discover government information and services via third-party search engines,” the spokesperson said. ”OMB acknowledges the opportunity for agencies to more consistently use metadata as they continually optimize their websites and web content for search. OMB, alongside key implementation partners, continues to support agencies in this and other related efforts to improve digital experiences.” 

Still, Fretwell says the initiative raises the question of what requirements exist around this aspect of federal website upkeep. “What’s the standard that the government is going to adopt for using metadata and actually using it [and] using those things?” Fretwell said in an interview with FedScoop. “Because it’s so varied.”

FedScoop was unable to identify specific metadata tag requirements for federal websites, but the topic has certainly been referenced before. Older government documents, including a 2016 memo focused on federal agency websites and digital services and a 2015 memo for .gov domains, have generally emphasized the importance of search engine optimization or metatags. Digital.gov mentions that standard metadata should be tagged and Search.gov, a government search engine, has metadata recommendations, too.

A memo issued by the Office of the Federal Chief Information Officer last fall — which provided further guidance for following the 21st Century Integrated Digital Experience Act and improving government websites — points to metadata several times. The memo says that agencies should use “rich, descriptive metadata” and use “descriptive metadata in commonly parsed fields” like “meta element tags.” It also states that agencies should use metadata tags to correctly note the timeliness of a page. The OMB spokesperson pointed to this memo and its emphasis on search optimization.

Though the scanner run by the Civic Hacking Agency appears to have a broader scope, a website scanning tool run by the General Services Administration designed to measure performance of federal websites picks up some aspects of website metadata. (The GSA explains in its GitHub documentation that it focuses on collecting data that is helpful to specific stakeholders). 

That GSA initiative also shows varied performance — for example, whether an agency is using a viewport tag, which helps resize pages so they’re more easily viewable on mobile devices. 

“GSA continues to prioritize SEO and accessibility best practices when curating and improving metadata,” an agency spokesperson said in a statement. In reference to the 2023 OMB memo, the spokesperson noted that GSA “continues to work with its web teams to optimize our content for findability and discoverability” and “focuses on metadata as well as things like improved on-site search, information architecture, user experience design, cross references, etc.” 

“Search.gov recommends metadata that supports foundational SEO techniques as well as our metadata-driven search filtering feature,” the GSA spokesperson added. 

In response to questions, the Federal Chief Data Officers Council said that while it had explored implications of metadata through its data inventory working group, the group hadn’t “targeted federal website metadata specifically.” The CDO Council added that it has yet to review the Civic Hacking Agency’s report. 

Agencies respond 

In response to FedScoop questions, several Chief Financial Officers Act agencies said they’ve investigated or will take steps to improve their metadata practices. A State Department spokesperson said the agency was “pleased” with some of its primary page grades but would also review the findings from the project, while the Environmental Protection Agency said that, after reviewing its score, it fixed all of the metadata issues identified.  The Nuclear Regulatory Commission also added its missing metatags to its site templates after FedScoop reached out.

Similarly, a spokesperson for the National Science Foundation said that it would meet metatag requirements “in the near future,” that missing tags will be tracked and incorporated into upcoming releases, and that the agency was assessing its compliance with Dublin Core and Open Graph standards, two specific types of metatags. 

The Agriculture Department said it would research whether its metadata were being pulled correctly. The agency also said it was updating its metadata creation process, including evaluating the accuracy of automatically generated tokens and updating its page creation workflow to emphasize page metadata. 

“We’re considering a cyclical review process for existing content to ensure metadata stays current with page updates. These changes will be passed down to all USDA website owners who manage their own content and we will coordinate with them to ensure the correct processes are in place,” an agency spokesperson told FedScoop. “The nature of our content management system is to not use XML content formats which impedes metadata from being included for each page. We are working to repair this process.” 

Some agencies pushed back on the findings. Terrence Hayes, press secretary at the  Department of Veterans Affairs, said it wasn’t apparent why certain metatags were chosen by the project, or which of the agency’s thousands of pages were being scanned, but added that the department was “reviewing the findings from the referenced report to better understand where gaps may exist.” 

Similarly, the Social Security Administration — which initially received an F — said some of the metatag issues identified were unnecessary but would implement changes to improve its score and meet Search.gov guidelines. (After a new scan by the site, the agency now has an A.)

Darren Lutz, press secretary for the agency, said that it instituted a new content management system for Social Security’s primary customer-facing pages and that each “new section or page that we launch features meticulously crafted metatags that summarize the content in clear, accessible language, ensuring optimization for search engines.”

“All new content will convey the noted metadata improvements,” Lutz added. “In the past year, we have launched four major new site sections, redirecting significant percentages of public web traffic from our legacy implementation to these modern and optimized web pages on our new platform.”

The Education Department — which has several websites managed by different entities — said that Civic Hacking Agency’s scores for its Ed.gov and G5 domains don’t reflect work being done on those sites, but also pushed back on how the tool evaluated its StudentAid.gov site, pointing to, for example, the description and robots field. While the Education Department acknowledged that some tags should be added to its NationsReportCard.gov page, a spokesperson said the tool was picking up archival pages and “content tagging isn’t feasible” for certain types of applications on that site. 

The Education Department plans to launch a new Ed.gov this coming summer, an agency spokesperson added. Meanwhile, its G5 domain for grant management “will be upgraded to significantly improve its usability, analytics and reporting, using machine-readable metadata and searchable content,” the spokesperson said. 

Several agencies, including the Departments of Commerce and Transportation, did not respond to requests for comment. Meanwhile, some agencies, like NASA, celebrated the scores they received. Notably, the space agency last year launched two new major websites: nasa.gov and science.nasa.gov. The agency has also been engaged in a multi-year web modernization project. 

“One of the driving goals of this major effort has been to improve the findability and search engine authority of these core sites through strong metadata tooling and training, and we believe this contributed to our report card score,” said Jennifer Dooren, the deputy news chief at NASA headquarters. 

Overall, the project appears to provide further incentive to improve site metadata. Several agencies, including the Environmental Protection Agency and the Department of Labor, noted the importance of the Civic Hacking Agency’s tool. 

“The feedback from the ‘gov metadata’ scoring system is invaluable to us as it helps gauge our performance in implementing basic metadata principles,” said Ryan Honick, a public affairs specialist at the Department of Labor. “It acts as a catalyst for ongoing improvement, driving us to refine our strategies for making our websites as accessible and user-friendly as possible.” 

The post On some basic metadata practices, US government gets an ‘F,’ per new online tracker appeared first on FedScoop.

While many of these actions are still preliminary, growing focus on the technology signals that federal officials expect to not only govern but eventually use generative AI. 

A majority of the civilian federal agencies that fall under the Chief Financial Officers Act have either created guidance, implemented a policy, or temporarily blocked the technology, according to a FedScoop analysis based on public records requests and inquiries to officials. The approaches vary, highlighting that different sectors of the federal government face unique risks — and unique opportunities — when it comes to generative AI. 

As of now, several agencies, including the Social Security Administration, the Department of Energy, and Veterans Affairs, have taken steps to block the technology on their systems. Some, including NASA, have or are working on establishing secure testing environments to evaluate generative AI systems. The Agriculture Department has even set up a board to review potential generative AI use cases within the agency. 

Some agencies, including the U.S. Agency for International Development, have discouraged employees from inputting private information into generative AI systems. Meanwhile, several agencies, including Energy and the Department of Homeland Security, are working on generative AI projects. 

The Departments of Commerce, Housing and Urban Development, Transportation, and Treasury did not respond to requests for comment, so their approach to the technology remains unclear. Other agencies, including the Small Business Administration, referenced their work on AI but did not specifically address FedScoop’s questions about guidance, while the Office of Personnel Management said it was still working on guidance. The Department of Labor didn’t respond to FedScoop’s questions about generative AI. FedScoop obtained details about the policies of Agriculture, USAID, and Interior through public records requests. 

The Biden administration’s recent executive order on artificial intelligence discourages agencies from outright banning the technology. Instead, agencies are encouraged to limit access to the tools as necessary and create guidelines for various use cases. Federal agencies are also supposed to focus on developing “appropriate terms of service with vendors,” protecting data, and “deploying other measures to prevent misuse of Federal Government information in generative AI.”

Agency policies on generative AI differ

The post How risky is ChatGPT? Depends which federal agency you ask appeared first on FedScoop.

The proposal, which is called the Artificial Intelligence Environmental Impacts Act of 2024, would have the National Institute of Standards and Technology create a methodology to evaluate the environmental consequences AI might create. Critically, the bill comes amid growing focus on AI’s energy consumption and compute requirements. 

“There is a Dickensian quality to the use of AI when it comes to our environment: It can make our planet better, and it can make our planet worse,” Sen. Ed Markey, D-Mass., said in a statement. “Our AI Environmental Impacts Act would set clear standards and voluntary reporting guidelines to measure AI’s impact on our environment. The development of the next generation of AI tools cannot come at the expense of the health of our planet.” 

The bill was introduced by Sens. Markey and Martin Heinrich, D-N.M., as well as Reps. Anna Eshoo, D-Calif., and Don Beyer, D-Va. The proposal has several components: The Environmental Protection Agency would conduct a study into the climate impact of AI, while NIST would create an AI Environmental Impact consortium and develop a voluntary reporting system for companies to disclose potential climate impacts of their models.

The legislation would also have the Department of Energy, NIST, and the EPA submit a joint report within four years. Collectively, the agencies would also be expected to provide recommendations for future legislation. 

The bill has the support of several climate groups, as well as the AI company Hugging Face. It also comes as Congress ramps up its effort to create new legislation focused on the emerging technology. Notably, Rep. Beyer told FedScoop last month that he expects that AI legislation could finally be approved in 2024. 

The post Democratic lawmakers propose legislation to study AI’s environmental impacts appeared first on FedScoop.

The agreement is meant to boost the agency’s enterprise operations and work in support of “human health and the environment,” according to a press release shared by the company. 

“We must confront the nation’s most urgent health and environmental challenges today by expanding our range of innovative technology capabilities, aligning those capabilities to our mission, and optimizing our overall mission support operations,” EPA Chief Information Officer Vaughn Noga said in a statement included in that release. 

The Information Technology Enterprise Development contract “provides new opportunities to meet these challenges through technical innovation and strengthens our efforts to protect human health and the environment for the American public,” he added.

The ITED program is supposed to help automate aspects of EPA’s business operations and introduce emerging technologies, among other goals. Notably, CGI has worked with the EPA on a variety of other technology programs, including the Central Data Exchange, a key part of the agency’s electronic data reporting system. 

The contract is a reminder that software and other technology play a major role in assisting environmental regulators. It also comes amid a range of other IT challenges at the agency. For example, the Government Accountability Office recently flagged that the agency’s air quality tracking systems require major updates. Earlier this summer, the agency’s watchdog found that a system used to monitor radiation included vulnerabilities.

The post CGI lands multi-year EPA contract on IT enterprise development appeared first on FedScoop.

“Because of the significance of the data collected, analyzed, and hosted within [the Analytical Radiation Data System], the impact of these data being compromised poses a significant risk to public health,” the agency’s Office of the Inspector General said in a Wednesday report.

The report found EPA’s Office of Air and Radiation (OAR) didn’t follow the agency’s own timelines or create plans of action to fix vulnerabilities in the system, which is used to detect radiation changes in things like air and drinking water. 

In a response included in the report, OAR cited “resource limitations” as one of the reasons for the deficiencies and said it was working on the inspector’s recommendations. The inspector said it now considers those recommendations “resolved with corrective actions pending.” 

The findings were a part of the inspector’s evaluation for the agency’s compliance with the Federal Information Security Modernization Act (FISMA) of 2014, a key information system security law, for fiscal year 2022. 

Overall, the EPA received the third highest of five possible maturity levels, which means it “consistently implemented its information security policies and procedures, but quantitative and qualitative effectiveness measures are lacking,” the report said. 

As part of the assessment, the inspector’s office assessed vulnerability scan results, which it said identified more than 20,000 “critical vulnerabilities that could impact remotely operated computers on the Agency’s network in various ways, such as remote code execution, denial of service, and memory corruption.”

The inspector said the agency couldn’t provide plans — known as Plan of Action and Milestone (POA&M) — for eight vulnerabilities it randomly selected. The OAR attributed that failure “to the significant number of vulnerabilities identified for ARadDS and the limited resources to address them.”

The office told the inspector that ARadDS is difficult to patch because it’s not connected to the agency-wide network and doesn’t receive automated updates. Patches must be done manually and issues arise with software and hardware restrictions. As a result, the OAR said, it uses a database version of the system that is not up-to-date in software or hardware. 

The inspector recommended the OAR implement a plan for prioritizing patch installations in a timeframe consistent with agency policy and document associated plans of action and milestones for the system. 

In response to the report, the EPA’s Office of Air and Radiation (OAR) agreed with the findings and said it was already making changes to address the vulnerabilities, including “separating the ARadDS network from the Agency’s network and running its own 72-hour scans to identify security weaknesses and flaws,” the inspector said. 

Among the actions it has in progress, the OAR cited a request for funding from the Technology Modernization Fund. That request was granted Thursday in an announcement from the General Services Administration, which manages the fund.

The $2.5 million award would help modernize hardware and software for ARadDS’s network and prepare it for a possible migration to the cloud, OAR said.

The post Deficiencies in EPA’s radiation data system pose ‘significant risk to public health,’ watchdog says appeared first on FedScoop.

Following a bargaining period, the National Archives and AFGE have signed a memorandum of understanding under which all permanent positions will be eligible for telework, with a maximum of five telework days per week.

NARA is the latest agency to reach an agreement with a federal government union over the post-pandemic working environment for staff. At the end of November, the National Science Foundation signed a four-year collective bargaining agreement with the AFGE, which included expanded telework and remote work for employees.

In a statement on Dec. 19, AFGE Local 2578 President Ashby Crowder said: “AFGE and the National Archives and Records Administration (NARA) have recently reached a telework agreement that seeks to make the agency more efficient and worker friendly.”

“Now all permanent positions are telework eligible,” he added. “This is a change from before the pandemic … this means at the very least, all bargaining unit employees can have an ad hoc telework agreement in place, and when telework happens, it’s based on business needs.”  

AFGE added that the memorandum makes improvements in other areas for staff including scheduling flexibilities and electronic monitoring.

In March last year, AFGE struck a return-to-office agreement with Environmental Protection Agency as part of which employees have the right to request telework or other flexibility in certain situations.

Agencies across the federal government moved to a telework posture where possible during the pandemic to ensure continuity of services while protecting the health of employees.

As the United States emerged from the worst of the pandemic, some agencies adopted more widespread teleworking options for staff to improve retention and expand the government’s potential pool of candidates.

However, telework has at times proved politically contentious. In March last year, Senior House Republicans sought clarification from the Equal Employment Opportunity Commission over the agency’s plans to end telework for staff.

In a letter obtained by FedScoop at the time, ranking members of two House committees called on leaders at the EEOC to end telework for all of its about 2,000-strong workforce.

The post National Archives reaches telework agreement with AFGE union appeared first on FedScoop.

Epley joins the agency on Sept. 12 from the Environmental Protection Agency, where he served in leadership roles including as principal deputy assistant administrator for administration and resources management, chief IT operations officer, and deputy chief technology officer.

In his new role, Epley will lead day-to-day operations within the Office of the CIO and assist the CIO in formation of the strategic direction for protecting and modernizing IT, cybersecurity and the use of data across the DOE enterprise.

According to LinkedIn, he also has variety of prior public and private sector technology management experience, including as a director of an identity access management program at the Department of Veterans Affairs and as a program manager at Northrop Grumman.

In an internal memo announcing the appointment, obtained by FedScoop, CIO Ann Dunkin said: “Brian is a seasoned professional with more than 25 years’ experience across federal and state government and the commercial sector.” 

She added: “Throughout his career, he has distinguished himself as an innovative change leader with the unique ability to deliver strategically aligned and mission-focused services. His experience in building coalitions, creating a shared vision, and actively partnering with customers will be immensely helpful as he joins me to help lead our remarkable organization. Please join me in congratulating Brian!”

Earlier this year in April, DOE named senior IT official Emery Csulak as chief data officer, a role that had previously remained vacant since at least January 2021.

He started work in the role April 11 and moved into the post after serving as principal deputy chief information officer at the agency.

The Department of Energy had not responded to a request for comment at the time of publication.

The post Department of Energy appoints Brian Epley as principal deputy CIO  appeared first on FedScoop.

The contract, which has a one-year base plus six one-year option periods, is for managed application, infrastructure, networking, enterprise and security services.

As part of the task order, GDIT will develop and operate the agency’s enterprise IT infrastructure and application platforms. This includes cloud computing, application platform management, enterprise network and security operations, enterprise identity access management and cybersecurity.

Commenting on the award, GDIT President Amy Gilliland said: “GDIT will partner with the EPA to deliver a reliable, secure and technologically advanced IT infrastructure that will support agency initiatives fundamental to protecting human health and the environment.”

The latest managed services contract comes as the EPA continues work to modernize IT infrastructure and telecommunications across the agency.

Late last year, the department said it intended to resubmit disconnection orders for 268 services rendered unnecessary by the GSA’s Enterprise Infrastructure Solutions (EIS) contract.

EPA‘s Office of Inspector General at the time found services like analog phone and digital subscriber lines still weren’t disconnected as of May 2021, and eight disconnection orders took between one and 61 months to complete — costing the agency $7,850.

The post EPA awards $661.6M digital modernization and managed services contract to GDIT appeared first on FedScoop.