Scott Flanders, who will assume the permanent CIO position Sunday, is charged with managing and employing technology to enhance “information access and strengthen agency performance,” the NRC’s release states. Additionally, Flanders’s office is also charged with overseeing cyber and information security, data management, artificial intelligence and more.

Flanders “has risen through the ranks at the NRC over many years and has been an outstanding member of the senior executive service since 2004,” Raymond Furstenau, NRC’s acting executive director for operations, said in the release. “His experience with the government’s use of information technology and his deep understanding of the NRC mission will help the agency navigate the challenges of the future.”

As deputy CIO, Flanders “planned, directed and oversaw resources” to ensure IT and information management systems’ delivery to support the agency’s goals and priorities, the NRC said. 

Flanders joined the NRC in 1991 as a reactor engineer intern, and later served in the agency’s Office of Nuclear Material Safety and Safeguards’ Division of Site Safety and Environmental Analysis and in the Office of New Reactors as the director, according to CIO.gov. Additionally, he served as the deputy director of the Division of Waste Management and Environment Review in the ONMSS.

Flanders takes over as NRC’s permanent IT chief  amid an internal push on artificial intelligence. A staff letter sent earlier this month recommended the agency follow an AI framework that outlines AI governance, hiring new talent, upskilling existing workers, maturing the commission’s data management program and allocating resources to support AI integration into IT infrastructure.

The post Nuclear Regulatory Commission names permanent CIO appeared first on FedScoop.

According to a consumer data breach notice filed with the Maine attorney general’s office, the attack was described as an “external system breach” and “hacking” that impacted more than 6,000 people. The alert came after the company discovered “anomalous activity in its email environment” on July 12, 2021, also according to a filing with New Hampshire’s attorney general. 

That notice said that either an “unauthorized” actor or actors obtained access to company email accounts between March 2 and July 13 of that year — though Chemonics couldn’t identify the specific emails that were impacted, the company said in the disclosure. “The investigation also found no conclusive evidence of data exfiltration, and we have no evidence of actual or attempted misuse of personal information,” the notice stated.

The extent to which different types of information were released is unclear. The Maine notification said that driver’s license numbers and non-driver identification card numbers were released. The New Hampshire notice said that emails with individuals’ names and social security numbers were revealed in the breach — though “financial account information without corresponding access codes” was also included in some emails. The legal website JD Supra wrote that “access credential information” was also accessed, but the author did not respond to FedScoop’s request regarding the source of that information. 

Chemonics isn’t answering questions about what steps it’s taken to address the potential impact of the event on USAID, which the company works with in myriad partner countries. Nor did the company address whether it reported the incident to the Cybersecurity and Infrastructure Security Agency, the type of information impacted, or whether it has suffered any other breaches. 

“We are continually adapting and updating our cybersecurity policies and procedures to ensure we are current with the ever-evolving cyber threat landscape that impacts us all,” a Chemonics spokesperson said in response to a series of questions from FedScoop. “While we cannot comment on any specific cybersecurity incident, we are committed to safeguarding all data entrusted to us.” 

The spokesperson continued: “It is our practice to work transparently and proactively with our staff, clients, and partner organizations who may be affected by any potential incident, including complying with applicable laws. Cybersecurity continues to be a priority focus for Chemonics as we seek to achieve meaningful development impact in complex contexts around the world.”

Turke & Strauss, a law firm specializing in data breaches, states on its website that it’s investigating the company over the incident. The firm declined to discuss their work on the topic.

Notably, Chemonics appears to have had three chief information security officers in the past three years, though the company did not answer FedScoop’s question about whether anyone held the position before October 2021, when an individual on LinkedIn said that they started the position. The data breach notifications written in 2021 came from Pete Souza, who was described at the time as the director of cybersecurity, infrastructure, and system administration at Chemonics.

Those impacted were provided identity theft protection from the company, as well as active credit monitoring, per the disclosures. Notices for residents of states including Vermont, Montana, Massachusetts, and other states are available online. 

In regard to the incident, CISA referred FedScoop to Chemonics. So did a USAID spokesperson, who only added the following: “USAID takes the security and confidentiality of all our partners very seriously. Strong cybersecurity practices and policies are critical to the success of USAID and its partners. “

Back in May 2021, the Russian-backed group Midnight Blizzard, which was previously called Nobelium, orchestrated a cyberattack by impersonating USAID through its Constant Contact email marketing service to send “malicious links” to organizations that worked with the agency. Chemonics did not address whether this breach was related to Midnight Blizzard or that particular incident. 

The post A major USAID contractor said it was hacked in 2021. It’s still not sharing details appeared first on FedScoop.

GSA said in a release that the pilot will offer users the ability to match a “live selfie” with a self-supplied form of photo identification like a driver’s license. The agency said it will not use images “for any purpose other than verifying identity,” and reaffirmed the platform’s commitment to user privacy. 

This effort comes after the agency’s previous notice of Login.gov’s plans to use an evidence-based identity verification system that follows National Institute of Standards and Technology guidelines. GSA said at the time that the offering of biometric identification would “complement Login.gov’s already strong anti-fraud capabilities” and protect against sophisticated identity fraud attempts and cyberattacks.

Technology Transformation Services Director Ann Lewis said in the new release that GSA looks forward “to soon launching this new identity verification pathway for our agency customers that will protect user data, prevent fraud, and align with IAL2 guidelines — all while doubling down on our strong commitment to privacy, accessibility, and security.”

The GSA said the pilot will begin with interested agency partners and will look to add others over the summer. 

GSA also noted that it expects to complete an independent, third-party assessment of IAL2 compliance later this year.

The post Login.gov pilot to include option for biometric verification appeared first on FedScoop.

The Government Accountability Office highlighted that the FDA’s medical device cybersecurity formal agreement is five years old and needs to be updated with the help of the Cybersecurity and Infrastructure Security Agency, a move that would improve agency coordination and clarify responsibilities.  

“According to the Department of Health and Human Services (HHS), available data on cybersecurity incidents in hospitals do not show that medical device vulnerabilities have been common exploits,” the GAO report stated. 

“Nevertheless, HHS maintains that such devices are a source of cybersecurity concern warranting significant attention and can introduce threats to hospital cybersecurity.”

The GAO report found that the FDA’s authority over medical device cybersecurity has increased in recent years. This is attributable to December 2022 legislation that mandated that medical device manufacturers submit to FDA their plans to identify and address cybersecurity vulnerabilities for any new medical device that were introduced to consumers starting in March 2023. 

The GAO report also noted that FDA officials are currently implementing new cybersecurity authorities from past legislation and have not yet identified the need for any additional authority. 

According to FDA guidance, if medical device manufacturers do not fix cyber vulnerabilities, the agency can find that the manufacturers have violated federal law and can be penalized through enforcement actions.

The GAO report recommended that the FDA and CISA update their medical device cyber agreement to reflect organizational and procedural changes that have occurred. Both agencies agreed with the recommendations.

The post FDA cybersecurity agreement on medical devices needs updating, watchdog finds appeared first on FedScoop.

Teams that compete in the “AI Cyber Challenge,” which the Defense Advanced Research Projects Agency will lead, can win prizes worth up to $18.5 million. The agency has also allocated an additional $7 million in prize money for small businesses that participate.

As part of the competition, researchers will use AI technology to fix software vulnerabilities, with a particular focus on open-source software. Leading AI companies Anthropic, Google, Microsoft and OpenAI will make their technology available for the challenge, according to the Biden administration.

The White House’s announcement comes amid continued concern over rising cyber supply-chain risk across the federal government and the private sector. Last September, the Office of Management and Budget stipulated that all software providers would have to self-attest to the security of their products before deploying them on federal agency systems.

It also follows the decision by seven leading AI companies in July to sign onto a set of voluntary commitments brokered by the Biden administration, and proposals from lawmakers including Senate majority leader Chuck Schumer, D-NY, about how the regulatory landscape for the technology should look in future.

“What they come up with, the challenge winners, we definitely look forward to applying across the federal government, because we’re looking for ways to accelerate finding and fixing vulnerabilities,” Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology within the White House, said in response to FedScoop questions on a press call.

“And we’re certainly particularly interested in approaches they come up with, for example, help[ing] us identify bugs in energy grid bugs and signaling systems of transportation and help us not only find them, but fix them,” Neuberger added. 

Given the competition’s focus on open-source software, the Open Source Security Foundation (OpenSSF), which is a project of the Linux Foundation, will serve as a challenge adviser.

“Because the focus here is on open source software that is critical and used throughout our society and throughout the internet, I would expect that a rising tide lifts all boats here,” said DARPA Deputy Director Rob McHenry, also speaking on a press call.

“So that will help us integrate this into their secure software development lifecycle in a way that will help the federal government and will also go much, much broader than that,” said McHenry.

Competing teams will participate in a qualifying event in Spring 2024, where up to 20 top scoring teams will be invited to participate in the semifinal competition at DEF CON 2024. Of the top scoring teams, up to five, will receive monetary prizes and continue to the final phase of the competition, to be held at the annual DEF CON hacker convention in 2025. 

This weekend, President Biden’s Chief Science and Technology Adviser Arati Prabhakar will travel to Las Vegas to attend this year’s DEF CON conference. She is scheduled to take part in events highlighting the Biden administration’s ongoing work to promote the development of responsible AI technology.

Elias Groll contributed to this report.

The post White House launches AI cyber challenge to identify and fix open-source software vulnerabilities appeared first on FedScoop.

U.S. government and military were among five industry categories from which survey respondents were least likely to express confidence about their organization’s ability to respond to potential cyber incidents.

The findings were outlined in a cybersecurity workforce study commissioned earlier this year by (ISC)², which surveyed over 11,000 cybersecurity professionals. (ISC)² is a major nonprofit association for certified cybersecurity professionals.

Of the cybersecurity professionals surveyed, 61% said their primary concern in the next two years is the potential risks of emerging technologies like blockchain, AI, VR, quantum computing, and keeping up with changing government regulatory requirements.  

According to the survey, 70% of respondents reported that their respective organizations don’t have enough cyber employees, and data from the study also revealed the need for 3.4 million more cyber workers globally to secure digital assets effectively.  

More than half of the survey respondents with cyber workforce shortages said that staff deficits put their organization at a “moderate” or “extreme” risk of a cyberattack. 

“As a result of geopolitical tensions and macroeconomic instability, alongside high-profile data breaches and growing physical security challenges, there is a greater focus on cybersecurity and increasing demand for professionals within the field,” said Clar Rosso, CEO of (ISC)².

“The study shows us that retaining and attracting strong talent is more important than ever. Professionals are saying loud and clear that corporate culture, experience, training and education investment and mentorship are paramount to keeping your team motivated, engaged and effective.”

The survey showed also that while 75% of cyber professionals report strong job satisfaction and passion about their work, over 70% still feel overworked, while a quarter of respondents below age 30 consider “gatekeeping and generational tensions” as a top-five challenge for them in the next two years.

When it comes to diversity, equity and inclusion with the cybersecurity landscape, the survey showed that 55% of cyber employees believe diversity will increase among their teams within two years but 30% of female and 18% of non-white cyber employees feel discriminated against at work currently. 

The post Government cyber experts feel they lack resources for breach response, finds (ISC)² survey appeared first on FedScoop.

“We think that there’s room for discussion about what’s the future of cyber intelligence really is in partnership with Cyber Command, NSA and others across the community to really define where we need to go,” Lt. Gen. Scott Berrier, director of the Defense Intelligence Agency, said Friday at the Billington Cybersecurity Summit.

DIA is responsible for providing intel on foreign militaries and owning all the intelligence directorates, or J2s, at the combatant commands.

Specifically, Berrier discussed the challenge cyber intelligence provides compared with other domains, especially considering the plethora of open source information that now exists, both with threat intelligence firms and things like social media.

“If you think about foundational military intelligence, it’s based on understanding what the foreign militaries have, what the capabilities are based on the physical presence of these things. It’s harder in cyber, because you may know where a cyber facility physically is located, but you really don’t know what activity is going on inside that facility. You don’t know what tools are being taken advantage of. You don’t know what networks are being operated on,” Berrier said. “When you add the layer of complexity of all the publicly available information, what’s going on in social media in that space is huge and it’s a large, large gap, I think, for the intelligence community. We definitely have to get better.”

DIA last year was charged with being the defense intelligence enterprise manager for open source intelligence for all of DOD, Berrier said, which is raising discussions about what that means from a cyber context.

Others have pointed to the fact that intelligence support to cyber is still relatively new within the department.

“When we started in intelligence, intelligence support to cyber defense just wasn’t a mission. Now, it’s something that we do every day in support of the defense of the DoD Information Network,” Dave Frederick, executive director of U.S. Cyber Command, said during the same session, adding that Cybercom is a “tough customer” when it comes to cyber intelligence.

Berrier said that when it comes to intelligence support to cyber ops, there’s a lot to peel back. There’s a defensive component and an offensive component, he said, noting he looks forward to working with Cybercom on this.

In fact, DIA will be adding a cyber component to its replacement of the Military Intelligence Integrated Database, which was built 20 years ago to house intelligence data globally for the defense intelligence enterprise.

The Machine-Assisted Analytic Rapid-Repository System (MARS), which Berrier said should completely replace the legacy system by 2024, will eventually have five modules, one of which will be cyber.

“Understanding what those cyber facilities are worldwide, who operates within those facilities and how they operate will definitely be a large component. And I think we’ll build towards our understanding and knowledge of cyber operations worldwide,” he said.

The post DIA director sees room for improvement in cyber intelligence and support appeared first on FedScoop.

The new colonel-led, or O-6 level, program office will be under Program Executive Office Intelligence Electronic Warfare and Sensors and will be aptly called Program Manager Cyber and Space, officials told reporters at Aberdeen Proving Ground on Tuesday.

It will migrate the offensive cyber programs and capabilities from the current portfolio of program manager Electronic Warfare and Cyber (EW&C) and also incorporate the highly sensitive space capabilities from Product Manager Tactical Exploitation of National Capabilities. Currently, the offensive cyber portfolio is run by a lieutenant colonel, or O-5.

The new office is necessitated by the amount of joint work the Army is doing on behalf of U.S. Cyber Command to deliver capabilities and programs for the cyber mission force across all the services, which grew too big to continue to manage out of the EW&C office.

The services, as executive agents, are responsible for procurement for larger acquisition programs on behalf of Cyber Command for the entire cyber mission force.

The Army is currently the executive agent for something called the Joint Common Access Platform (JCAP), which will provide the infrastructure for those offensive missions. The services’ cyber units will move to the firing platform from separate tools they operate now, more tightly linking their efforts in cyberspace, one of the domains the military is trying to protect as a joint force.

JCAP is part of the larger Joint Cyber Warfighting Architecture (JCWA), which guides all the acquisition priorities and programs for Cyber Command.

ManTech won a $265 million contract in 2020 to support JCAP.

Officials have said the current model for the program allows for a bi-monthly forum to assess gaps, threats, requirements and emerging technology to plan for the injection of capabilities on a faster cycle to outpace threats.

The aim of the program’s agile software acquisition approach is to add new capabilities faster.

“JCAP delivered our first instance or first delivery, we call it MVCR, our first minimum viable capability here a few months ago,” Mark Kitz, program executive officer for IEW&S, told FedScoop at the TechNet Augusta conference in August. “Every other month, we’re doing planning increments, following full agile. We’re delivering full capabilities, almost weekly … We’re continually working with the user and following full agile methodology [because] if we don’t have a DevSecOps, an agile approach to delivery, we’re going to fail on cyber.”

Other joint efforts the IEW&S’s cyber office is working on includes delivering a cyber development environment for the Air Force and Navy, though Kitz noted that this is not a joint solution yet in the executive agent sense.

Within the JCWA is a requirement for a Joint Development Environment. The Army, as part of its own requirements, created the Rapid Cyber Development Network (RCDN), which allows for the free flow of tactics, techniques and procedures as well as a place to rapidly develop and test cyber tools.

The Army is providing this to the Air Force and Navy, but Cyber Command has still not made a decision as to an executive agent for the Joint Development Environment.

“I think Cyber Command is evolving what is that long-term requirement that adds on what the Air Force and the Army have invested in, because Air Force has significant capability in that same area,” Kitz said.

He noted that when Cybercom gains enhanced budget authority in 2024, which will give it responsibility for direct control and management of budgeting, it should not affect the new cyber office.

“I don’t think it’ll have a significant effect,” he said. “The finances will go through Cyber Command. The [program executive memorandum], the financial process, will just shift from the Army to Cyber Command.”

He also clarified that given the RCDN is an Army requirement currently, it has thus far fallen outside of the forthcoming enhanced budget authority for Cybercom.

The new office will also continue work on the Army’s tactical cyber gear, which includes the Tactical Cyber Equipment, a man-packable system that allows expeditionary cyber teams from the 915^th Cyber Warfare Battalion to conduct operations plugging into equipment that resides in brigades.

The Army to date has maintained a tight linkage between the cyber and electronic warfare enterprise. On the tactical level they are closely aligned given most tactical cyber is conducted through radio frequency operations.

“Candidly, I think that’s a risk,” Kitz said regarding the potential for diminished coordination with cyber moving out of the electronic warfare program office. “I think we’ve got to take that risk in order to have the right personnel and infrastructure in place. But I also think that we’re integrating EW with our collection infrastructure, with our data infrastructure that we have in our [intel systems and analytics] portfolio. Those core dependencies, and enabling EW already exist in my organization.”

Kitz said the integration directorate within the PEO is charged with building the architecture and touchpoints given that risk exists across the entire program executive office.  

The post Army to create new offensive cyber and space program office appeared first on FedScoop.

“I’m really impressed with the MFEW program that the Army has,” Gabe Camarillo, undersecretary of the Army, told reporters Tuesday at Aberdeen Proving Ground regarding the Multi-Function Electronic Warfare-Air Large program. “I got to see one of the prototypes out in the field today from [Program Executive Office Intelligence, Electronic Warfare and Sensors] and came away really impressed,” he said.

MFEW is a pod capable of serving as the first brigade-organic airborne electronic attack asset and providing limited cyberattack capability. The fiscal 2022 budget saw a cut in what previous budget plans had forecasted would be $12 million in procurement. The Army added back $3 million for MFEW in its fiscal 2023 budget request.

Camarillo was at Aberdeen Proving Ground to witness progress on a variety of network and electronic warfare capabilities the Army is building.

Officials from IEW&S explained to reporters that MFEW had to “prove it” following the loss of procurement funds, but ultimately, through testing, realized incredible return on investment.

“We needed to be able to produce the data, have confidence in the data [and] we got to that point where the milestone decision was covered in the data that we had,” Col. Ed Barker, the deputy program executive officer, said.

The testing allowed the program office to go back to Army officials and articulate what it can do, which in turn, led to the procurement of six pods, William Utroska, deputy project manager for PEO IEW&S, told reporters.

Given the system is now going to be platform agnostic, officials described a wide range of capabilities and uses across the Army depending on the mission set, making it extremely versatile. Provided a platform has an Ethernet port and power, the pod can fly on it, officials said.

“That’s why this is multifunction. Depending on the mission, this can be — if you want something more precise, there are other platforms, but this is multifunction, gives you a range, deep sensing,” Utroska said.

The pod is designed to do electronic attack — jamming, electronic support and sensing — as well as limited cyberattack through radio frequency-delivered effects. The latter also allows the pod to perform military information support operations by delivering information or messaging via radio frequency.

Despite initially being designed to fly on unmanned systems, which against sophisticated adversaries can be vulnerable, officials said the pod itself makes the platforms it is mounted on more survivable in that it can find targets and attack them, which in turn, protects the aircraft.

Officials said it will be tested with the High Accuracy Detection and Exploitation System (HADES) program — a jet that is part of the Army’s overall plan to modernize aerial intelligence systems. In this role, it would primarily be an electronic or communications intelligence (ELINT) asset used for deep sensing. There could be some limited electronic attack, but officials have said that would be more challenging at those higher altitudes.

“Electronic attack, I would say no. I think we’re still in the learning phase and still understanding what type of capability would be effective at that altitude, especially HADES at 40-45,000 feet is a challenge for electronic attack,” Mark Kitz, program executive officer for IEW&S, told FedScoop in an interview at the TechNet Augusta conference last week. “But for detection and ELINT capability, absolutely.”

Officials noted that at those high altitudes, some adjustments might need to be made to the pod given it is meant to fly between 15,000 and 25,000 feet but can go as high as 42,000 feet before needing to do extra cooling.

“We got to figure out where’s the sweet spot,” Barker said.

There has been interest from the Army’s future vertical lift cross-functional team for the pod as well.

“We’re working with the future vertical lift CFT because they have EW requirements and they know we’ve already done a lot of the work upfront,” Utroska said. “We just have to determine what form factor and what [size, weight and power] is required … For other platforms, we can provide a smaller form factor if there’s a requirement.”

The Army is betting MFEW underpins several service priorities.

“The other takeaway here too is between the long-range precision fires, those interdependencies, future vertical lift, across the Army’s priorities — this is one of those enabling functions, enabling capabilities that’s going to allow the Army to address a wide range of our top priorities between long-range precision fires, future vertical lift,” Barker said.

Officials also said the Air Force is interested in the pod, or at least the underlying capability. The service expressed interest in mounting it on A-10s and is working with the Army to buy down risk on requirements development for a new payload system based on open architectures.

The open architecture nature of the pod is its secret sauce, officials said.

“I will say that one of the things that’s great about it is the adoption of modular open system architectures. I think that’s one area where I think the Army is heading in the right direction,” Camarillo said. “Giving us the ability to not just look at sensor payloads and EW payloads, but how they fit in certain components, how we can plug and play over time, to give us an opportunity to do that tech insertion and to stay ahead of what the threat might be and also have the latest generation capabilities. I walked away today very impressed from that perspective.”

The post After zeroing out procurement, Army now finding aerial jammer to be critical enabler for multi-domain operations appeared first on FedScoop.

Last week, the Army announced this new triad between Army Cyber Command, Army Space and Missile Defense Command and Army Special Operations Command, which aims to to deliver more options to commanders in an integrated fashion.

“Probably the biggest contribution was one being able to take a fusion of traditional intelligence and what we were seeing publicly available information, in order to inform the commander forward of what we were seeing,” Lt. Gen. Maria Barrett, commander of Army Cyber Command, said during a presentation at the TechNet Augusta conference Wednesday.

Adversaries are globally focused, and so is the Army.

“Three operational units with unique authorities and capabilities — and we see the globe,” she said. “We were seeing some things in the electromagnetic spectrum, we were seeing things in the information environment and we were able to provide that back very quickly because of the Big Data Platform and the [Cyber Military Intelligence Group], that intelligence group, being able to turn that pretty quickly.”

The Cyber Military Intelligence Group (CMIG) directs, synchronizes and coordinates intelligence support for cyber, information and electronic warfare operations while also providing support to U.S. Cyber Command and other combatant commands. It was created to perform functions not found anywhere else within the Army or intel community, and blend open source information with military intelligence.

Big data platforms exist across U.S. Cyber Command, the Defense Information Systems Agency, Army Cyber Command and the Marine Corps. They are essentially hybrid cloud environments that allow for storage, computation and analytics across networked sensors. When forces conduct cyber missions, they collect data and use high-powered analytics to make sense of it. Big data platforms do just that, but also share that analysis in an easy-to-access repository for other forces. The Army’s version is called Gabriel Nimbus.

The CMIG is already having tangible effects despite being so new.

“I have been absolutely impressed with how quickly they can take an RFI from myself or from Cyber Command on a particular subject and pull that information together into a report,” Barrett said. “You might think that serialized reporting takes a long time. These guys are turning this pretty quick. [It’s] pretty valuable.”

The post New Army intel unit having big impact on recently established ‘triad’ appeared first on FedScoop.