NASA has so far taken a relatively proactive approach to generative AI, which the agency is considering for tasks like summarization and code-writing. Staff are currently working with the OpenAI tools built into Microsoft’s Azure service to analyze use cases. NASA is also weighing generative AI capabilities from its other cloud providers — and it’s in discussions with Google Cloud on plans to test Gemini, the competitor AI tool formerly known as Bard. 

Though NASA policy prohibits the use of sensitive data on generative AI systems, that won’t be the case forever. Jennifer Dooren, the deputy news chief of NASA, told FedScoop that the agency is now working with “leading vendors to approve generative AI systems” for use on sensitive data and anticipates those capabilities will be available soon. While the agency’s most recent AI inventory only includes one explicit reference to OpenAI technology, an updated list with more references to generative AI could be released publicly as soon as October. 

In the first weeks of 2023, and as ChatGPT entered the public lexicon, the agency’s internal discussions surrounding generative AI appeared to focus on two core values: researching and investing in technological advances and encouraging extreme caution on safety. Those conversations also show how the agency had to factor in myriad authorities and research interests to coordinate its use. 

“NASA was like anyone else during the time that ChatGPT was rolled out: trying to understand services like these, their capabilities and competencies, and their limitations, like any of us tried to do,” said Namrata Goswami, an independent space policy expert who reviewed the emails, which were obtained via a public records request. 

She continued: “NASA did not seem to have a prior understanding of generative AI, as well as how these may be different from a platform like Google Search. NASA also had limited knowledge of the tools and source structure of AI. Neither did it have the safety, security, and protocols in place to take advantage of generative AI. Instead, like any other institution [or] individual, its policy appeared to be reactive.” 

NASA’s response

Emails show early enthusiasm and demand internally for OpenAI technology — and confusion about how and when agency staffers could use it. In one January 2023 email, Brandon Ruffridge, from the Office of the Chief Information Officer at NASA’s Glenn Research Center, expressed frustration that without access to the tool, interns would have to spend time on “less important tasks” and that engineers and scientists’ research would be held back. In another email that month, Martin Garcia Jr., an enterprise data science operations lead in the OCIO at the Johnson Space Center, wrote that there was extensive interest in getting access to the tech.

By mid-February, Ed McLarney, the agency’s AI lead, had sent a message noting that, at least informally, he’d been telling people that ChatGPT had not been approved for IT use and that NASA data should only be used on NASA-approved systems. He also raised the idea of sending a workforce-wide message, which ended up going out in May. In those opening weeks, the emails seem to show growing pressure on the agency to establish permissions for the tool. 

“We have demand and user interest through the roof for this. If we slow roll it, we run [a] high risk of our customers going around us, doing it themselves in [an] unauthorized, non-secure manner, and having to clean up the mess later,” McLarney warned in a March email to other staff focused on the technology. Another email, from David Kelldorf, chief technology officer of the Johnson Space Center, noted that “many are chomping at the bits to try it out.”

But while some members of the space agency expressed optimism, others urged caution about the technology’s potential pitfalls. In one email, Martin Steele, a member of the data stewardship and strategy team at NASA’s Information, Data, and Analytics Services division, warned against assuming that ChatGPT had “intelligence” and stressed the importance of “The Human Element.” In a separate email, Steven Crawford, senior program executive for scientific data and computing with the agency’s Science Mission Directorate, expressed concerns about the tool’s potential to spread misinformation. (Crawford later told FedScoop that he’s now satisfied by NASA’s guardrails and has joined some generative AI efforts at the agency). 

Email from Steven Crawford, April 10, 2023.

In those first weeks and months of 2023, there were also tensions surrounding security and existing IT procedures. Karen Fallon, the director of Information, Data, and Analytics Services for NASA’s Chief Information Office operations, cautioned in March that enthusiasm for the technology shouldn’t trump agency leaders’ need to follow existing IT practices. (When asked for comment, NASA called Fallon’s concerns “valid and relevant.”)

Email from Karen Fallon, March 16, 2023.

In another instance, before NASA’s official policy was publicized in May, an AI researcher at the Goddard Space Flight Center asked if it would be acceptable for their team to use their own GPT instances with code that was already in the public domain. In response, McLarney explained that researchers should not use NASA emails for personal OpenAI accounts, be conscious about data and code leaks, and make sure both the data and code were public and non-sensitive. 

NASA later told FedScoop that the conversation presented “a preview of pre-decisional, pending CIO guidance” and that it aligned with NASA IT policy — though they noted that NASA doesn’t encourage employees to spend their own funds on IT services for space agency work. 

Email from Martin Garcia, Jr., April 7, 2023.

“As NASA continues to work to onboard generative AI systems it is working through those concerns and is mitigating risks appropriately,” Dooren, the agency’s deputy news chief, said. 

Of course, NASA’s debate comes as other federal agencies and companies continue to evaluate generative AI. Organizations are still learning how to approach the technology and its impact on daily work, said Sean Costigan, managing director of resilience strategy at the cybersecurity company Red Sift. NASA is no exception, he argued, and must consider potential risks, including misinformation, data privacy and security, and reduced human oversight. 

“It is critical that NASA maintains vigilance when adopting AI in space or on earth —wherever it may be — after all, the mission depends on humans understanding and accounting for risk,” he told FedScoop. “There should be no rush to adopt new technologies without fully understanding the opportunities and risks.” 

Greg Falco, a systems engineering professor at Cornell University who has focused on space infrastructure, noted that NASA tends to play catchup on new computing technologies and can fall behind the startup ecosystem. Generative AI wouldn’t necessarily be used for the most high-stakes aspects of the space agency’s work, but could help improve efficiency, he added.

NASA generative AI campaign.

“NASA is and was always successful due to [its] extremely cautious nature and extensive risk management practices. Especially these days, NASA is very risk [averse] when it comes to truly emergent computing capabilities,” he said. “However, they will not be solved anytime soon. There is a cost/benefit scale that needs to be tilted towards the benefits given the transformative change that will come in the next [three-to-five] years with Gen AI efficiency.”

He continued: “If NASA and other similar [government] agencies fail to hop on the generative AI train, they will quickly be outpaced not just by industry but by [nation-state] competitors. China has made fantastic government supported advancements in this domain which we see publicly through their [government] funded academic publications.”

Meanwhile, NASA continues to work on its broader AI policy. The space agency published an initial framework for ethical AI in 2021 that was meant to be a “conversation-starter,” but emails obtained by FedScoop show that the initial framework received criticism — and agency leaders were told to hold off.  The agency has since paused co-development on practitioners’ guidance on AI to focus instead on federal AI work, but plans to return to that work “in the road ahead,” according to Dooren.

The space agency also drafted an AI policy in 2023, but ultimately decided to delay it to wait for federal directives. NASA now plans to refine and publish the policy this year. 

The post Inside NASA’s deliberations over ChatGPT appeared first on FedScoop.

In a press release, NASA said that Salvagnini will help lead the agency’s work on developing AI technology, as well as its collaborations with academic institutions and other experts. Salvagnini will replace Kate Calvin, the agency’s chief scientist and former responsible AI official, in leading NASA’s efforts on the technology. 

“Artificial intelligence has been safely used at NASA for decades, and as this technology expands, it can accelerate the pace of discovery,” NASA Administrator Bill Nelson said in a statement. “It’s important that we remain at the forefront of advancement and responsible use. In this new role, David will lead NASA’s efforts to guide our agency’s responsible use of AI in the cosmos and on Earth to benefit all humanity.”  

NASA makes use of myriad forms of artificial intelligence, according to the agency’s AI inventory. 

NASA’s announcement comes after several agencies have already appointed individuals to the chief AI officer roles, including the National Science Foundation, the General Services Administration, and the Department of Veterans Affairs. Several others have also opted to name their chief data officers as their chief AI officers. 

The post NASA has a new chief AI officer appeared first on FedScoop.

Released Thursday by the Office of Science and Technology Policy, the National Science and Technology (NSTC) subcommittee on Research and Development Infrastructure said in its report that old and “inadequate” infrastructure at the federal level is responsible for agencies’ inability to “meet their current missions.” The subcommittee pointed to a 2024 document from NASA that reported over 75% of the agency’s infrastructure and facilities are “beyond original life design” and the agency faces a $3 billion maintenance backlog.

“The challenges that the U.S. [R&D infrastructure] enterprise is experiencing are not new and reflect decades of inadequate funding due to deprioritizing and maintenance at existing facilities, developing of new facilities and decommissioning of outdated facilities,” the report states.

The subcommittee called on federal agencies to “continue to revitalize” R&D infrastructure through assessing and prioritizing investments needed for legacy facilities and future infrastructure. Doing so would serve the purpose of facilitating both domestic and international collaborations — like material exchanges and evaluating capabilities for respective mission areas — through “benchmarking activities,” according to the report. 

The NSTC also recognized the need to convene an interagency working group to exchange information regarding planning, capability gaps and collaboration opportunities. 

Significantly, the report reminds agencies that “facility closures may result in U.S. dependence on international facilities and weigh the consequences if those capabilities are no longer possessed by the United States or its allies.”

NSTC states that the U.S. does not have a “seat at the table” for setting international R&D infrastructure governance, since some international facilities charge a membership fee for access to outsiders. The report attributes the inaccessibility to limitations from the appropriations process and the Anti-Deficiency Act, which prohibits agencies from assigning federal funds in advance or excess of the appropriations. 

The report warns that without a U.S. voice in international R&D infrastructure governance, there remains “an opening for competitors like [China] and Russia to have greater say in the governance of platforms that may require the development of novel or dual-use technology.”

OSTP did not respond to a request for comment by the time of publication.

The post White House report outlines R&D infrastructure pitfalls, emphasizes need for funding appeared first on FedScoop.

“NASA officials explained that one key reason they have not yet incorporated this guidance into required acquisition policies and standards is because of the length of time it takes to do so. GAO acknowledges that the standards-setting process can take time, but it is essential that NASA do so for practices that should be required,” the report stated. 

Spacecraft are incredibly dependent on software and IT, the report concludes. Even though the space agency has included cybersecurity elements in some of its contracts, they need to be standardized. For this reason, the GAO is recommending that the chief engineer, the chief information officer, and the principal advisor for enterprise protection develop a specific timeline for actually updating “its spacecraft acquisition policies and standards” to deal with cybersecurity threats.

Yet NASA pushed back on some of the recommendations. Per the report, NASA’s CIO said it was “not feasible” for there to be one set of essential controls for all mission spacecraft. GAO pushed back on that response, writing that “NASA should leverage its space security guide to determine the controls that address the likely threats to its spacecraft.” 

NASA was also not interested in establishing a timeline, saying that it needed to carefully consider requirements. The space agency said that it had systems in place for dealing with the risks of space. 

“While we do not dispute this, we note that NASA’s space security guide recognizes that NASA does not currently have a cybersecurity risk management framework for end-to-end integrated space mission systems,” the auditing agency said in response. “Without a plan with identified timeframes, it is unknown when the agency will actually perform an update to incorporate, if necessary, any additional cybersecurity controls.”

The post NASA balks on timeline to incorporate cyber into spacecraft acquisition policies appeared first on FedScoop.

Through partners, its own internal research staff, and work w​ith NASA, the country’s aviation safety regulator is looking at a range of AI applications. The FAA has a chief scientific and technical advisor for artificial intelligence — machine learning, who is charged with expanding the country’s role in understanding how AI might be deployed in aviation contexts. And the agency is working on a plan, along with NASA, for certifying AI technologies for use in the national airspace system.

“We are harnessing predictive analytics, machine learning, and artificial intelligence to develop streams of data,” Polly Trottenberg, the FAA’s acting administrator, said in a note within one of the agency’s recent four-year research plans. “These capabilities allow us to create new tools and techniques and adopt new technologies.”

But hurdles remain for actually deploying AI. While the FAA has implemented risk management standards for the safety of national airspace, the agency told FedScoop it still needs to “adapt AI risk management methodologies and best practices from the National Institute of Science and Technology,” along with other institutions. The FAA has released several use cases in its AI inventory, but many of them are still somewhat modest, experts told FedScoop. Other uses are still in the research phase. 

There are further constraints, too. While the FAA is investing in research and development related to artificial intelligence, the aviation industry is more broadly facing ongoing safety issues with Boeing aircraft and an overworked population of air traffic controllers. And then there’s the matter of ensuring that flying stays safe, despite excitement about using artificial intelligence.

“It’s still very early days,” noted Anand Rao, a Carnegie Mellon data science and AI professor. “They’re taking a conservative, cautious approach.” 

The FAA declined to make Dr. Trung T. Pham, the agency’s chief AI leader, available for comment, nor did it answer FedScoop’s questions about staff within the agency focused specifically on artificial intelligence. The FAA, along with the Department of Transportation, have also declined to provide further detail about a mention of ChatGPT for software coding that agency staff removed from its AI inventory last year. Still, documents about several AI use cases from the agency, along with interviews with experts, provide insight into the FAA’s approach to the technology.

FAA pursues no-frills approach to AI

When asked about the most promising use cases for AI, a spokesperson for the FAA pointed to several, including predictive analytics that could help mitigate safety risks, assistance with decision support, automating certain processes, and improving engagement through virtual assistants. Some of those use cases have already been disclosed in the Department of Transportation’s executive order-required AI inventory while others are discussed in the agency’s four-year research plan. The DOT recently edited its inventory and some of the use cases appear to have been redacted, though the agency did not respond to a request for comment. 

Some of these AI applications are related to the weather, including a convective weather avoidance model meant to analyze how pilots navigate thunderstorms. The agency is also looking at an effort to use AI to support air traffic controllers, per the four-year research plan, as well as using artificial intelligence to address aviation cybersecurity. And the FAA is studying the use of AI and voice recognition technology to improve flight simulations used in pilot training. Still, many of the AI use cases identified by FedScoop are rudimentary or still relatively early in their deployment, while others remain in the research phase. 

Several that are in use are relatively modest — and reflect the agency’s circumspect approach. The FAA’s Office of Safety and Technical Training, which conducts data analysis and investigations, has already deployed a model for use by the runway safety team. The internal tool assists the team with automatically classifying runway incursions as part of their analysis. FedScoop obtained documents describing how this system works —  but the technology discussed in those documents, Rao said, represent well-tested algorithms that have been around since the 1990s and early 2000s, and not the newer technology used for systems like ChatGPT. 

Another is the “regulatory compliance mapping tool,” which is essentially an internal search engine-esque system for regulatory concepts. The tool is built off a database of documents provided by organizations like the FAA, federal agencies, and the International Civil Aviation Organization, a branch of the United Nations that focuses on aviation. The idea for the tool, which leverages natural language processing, is to reduce “research time from days or weeks to hours,” according to a presentation by the Aeronautical Information Standards Branch dated Sept. 20. 

Still, the tool is “essentially just a database,” said Syed A.M. Shihab, an assistant professor of aeronautics and engineering at Kent State University, and not particularly advanced. While around 175 FAA employees can access the tool, the agency told FedScoop, the platform is used fewer than 20 times a week, according to that same presentation. The FAA, which said the “internal FAA tool” is in the “development phase,” appears to have spent more than $1 million with a company called iCatalyst — which did not respond to a request for comment —  to build it, according to a federal government contracts database. 

“The FAA is continually working to make our processes more efficient. The Regulatory Compliance Mapping Tool (RCMT) is an initiative that can significantly speed up safety research,” the agency said in a statement. In March, the agency said security authorization would kick off later that month and that it had completed a Section 508 self-assessment process. 

Other systems disclosed in the AI inventory either don’t use the technology yet or haven’t been deployed. These include a tool to help transcribe conversations between pilots and another, called ROMIO, meant to help pilots understand cloud structures, according to FAA documents.

FAA’s AI work goes beyond disclosed use cases

Other AI work is ongoing, but it’s not clear if or how it’s been deployed. The FAA has worked with researchers at Georgia Tech and the University of Maryland to use AI for measuring collision risk, according to federal contract records. It also appears to have procured the development and implementation of a machine learning model from a company called Deep AI Solutions for its safety information sharing system. 

The FAA’s work with NASA, meanwhile, includes looking at AI for “runway configuration management, digitization of standard operating practices and letters of agreements, and natural language processing,” per a spokesperson. It also represents NASA’s machine learning airport surface model, which was supposed to help the FAA capture the location of routes, taxiways, and runways using a real-time machine learning system. NASA said this work has helped contribute to a framework it’s working on with the aviation agency. 

And at the MIT-based Lincoln Laboratory, which is funded by the Defense Department and the FAA, researchers aren’t focusing on AI for safety-critical applications, according to Tom Reynolds, who leads the lab’s air traffic control systems group. For example, the lab is researching a technology called “the offshore precipitation capability” to assist with weather radar coverage gaps. “Things that are more advisory and not directly in the loop of deciding where individual aircraft fly, but rather helping air traffic controllers with situational awareness and strategic decision making,” Reynolds said. 

Technically, the FAA has been looking at AI for decades — and lots of preliminary work with the technology does seem to be underway. For example, in March, the FAA announced a data challenge meant to help use artificial intelligence to address problems concerning the national airspace, and it’s recently hosted workshops on machine learning, too. Email records show that the FAA is invited to monthly meetings of the Department of Transportation’s AI task force. 

The FAA is working with industry and international counterparts on an AI roadmap, and developing a certification research framework for artificial intelligence applications with NASA. The plan is focused on developing a way of certifying AI applications that could be deployed in the national airspace in a highly safe way. It’s expected to launch later this year, the space agency said. 

Still, most of the AI work at the FAA isn’t for direct use in aviation. That reality reflects the broader challenge of using the technology in a safety critical context. In meetings with industry, the agency’s chief adviser for aircraft computer software has highlighted the challenge of approving AI software, while Pham, the agency’s AI chief AI, has detailed concerns about traceability, per a blog post on the website of RCTA, a nonprofit aviation modernization group. 

Similarly, a roadmap the FAA is working on with other aviation agencies around the world has encountered several challenges, including issues with predictability and explainability, the tracking of datasets that might feed AI models, training humans to work alongside AI, model bias, and safety.

“Because aviation is a safety critical industry and domain, in general, stakeholders involved in this industry are slower to adapt AI models and tools for decision-making and prediction tasks,” said Shihab, the Kent State professor. “It’s all good when the AI model is performing well, but all it takes is one missed prediction or one inaccurate classification, concerning the use cases, to compromise safety of flight operations.”

The post In deploying AI, the Federal Aviation Administration faces unique challenges appeared first on FedScoop.

The TMF will provide NASA with nearly $6 million to automate network management, standardize network configurations and modernize legacy infrastructure across all of the space agency’s locations, according to a press release from the General Services Administration. The funds would also allow NASA to implement cybersecurity requirements, as the agency’s interactions with sensitive data makes it a “prime target for hackers and other entities,” the press release stated.

The DOL, meanwhile, will use $42 million in TMF-provided funds to undertake a “significant” modernization effort that would replace the agency’s Integrated Federal Employee Compensation System, or iFECS, with a cloud-based system that utilizes automation technologies, according to the release. This would streamline processes that injured and ill workers interact with and further protect those services. 

The GSA noted that the DOL is looking to enhance the efficiency of services and make them less prone to “cybersecurity, operational and financial risk.”

“These TMF investments demonstrate the diversity and reach of the TMF in driving innovation and impact forward for the American public,” Clare Martorana, the federal CIO and TMF Board chair, said in the statement. “From strengthening NASA spacecraft control to supporting injured and ill workers through the DOL’s Office of Workers’ Compensation Programs.”

NASA is facing “significant” security threats that are attributed to the value of agency data, per the release, and the TMF funds will enable the space agency to accelerate cybersecurity and operational upgrades two years earlier than originally anticipated. This would also support the collection of additional telemetry data to align with federal cybersecurity mandates.

Similarly, the DOL is looking to bolster data security with the funds due to the sensitive information surrounding federal employee health records and annual claims. The shift to a new, cloud-based system “promises” to reduce claim adjudication times and enhance customer interactions.

Further, the agency reported that its “aging” infrastructure and “complex” workflows were responsible for hindered case management for workers that are ill and/or injured.

The latest round of investments follows the recently released appropriations package, which clawed back $100 million from the TMF, deflating support for government IT modernization projects that the fund received through the American Rescue Plan.

“Unlocking the potential of government through technology modernization requires strategic investment and a commitment to driving meaningful change,” Larry Bafundo, acting TMF executive director, said in the release. “TMF is pivotal in enabling federal agencies to invest in their own ability to adapt, evolve, and better serve their citizens in a rapidly changing world.”

The post New TMF investments support NASA, DOL modernization and cybersecurity efforts appeared first on FedScoop.

While the astronaut process itself did not change, NASA became aware of OPM’s systems that support automation alongside continuous evaluations and improvements through the partnership between agencies, J. Patrick Sharpe, USA Hire program manager at OPM, said in an email to FedScoop. NASA is now taking advantage of features and capabilities offered by OPM-managed sites, including USAJOBS, USA Staffing and USA Hire. 

Now, according to Sharpe, the astronaut application process is fully automated and has a new “online competency-based pre-screen assessment.” Additionally, NASA has since implemented all three integration offerings from USA Staffing: request processing, new hire and data APIs. 

Sharpe noted that once the cycle is done for 2024 astronauts, both OPM and NASA plan to review the application process and determine any necessary changes or improvements. Significantly, OPM reported having added online interviewing capabilities and accessible mobile assessments to USA Hire specifically over the past year, and “will be working with NASA and other federal agencies in the near future to fully implement these capabilities as part of the hiring process,” according to Sharpe.

“USAJOBS continuously works to assess and improve the user experience using human centered design methodology,” Sharpe said. “USAJOBS improved the application experience for all federal occupations, including the astronaut candidate, by implementing a new user interface explaining the application process more clearly and clarifying the required application materials.”

Sharpe said that the modernized approach for the astronaut application process in concert with the pre-screen assessment “reduced burden on NASA’s HR staff and allied the Astronaut Office to focus on the highest quality candidates in the applicant pool for further evaluation.”

This is the second time that NASA and OPM have teamed up for the astronaut application process, the first being in 2020 when OPM reportedly assisted with a manual review of applications for NASA’s partially automated application process.

Sharpe said that because of the “success of the 2020 application cycle,” NASA decided to partner with OPM for 2024. 

For the astronaut position, OPM reported that NASA received over 12,000 applicants during the 2020 cycle. The space agency then selected 10 applicants from the original pool, according to a release shared with FedScoop. 

“NASA’s maximization of USA Staffing’s data and interconnection capabilities has increased automation, transparency, data quality and enhanced the overall hiring manager and HR user experience throughout the hiring process,” Sharpe said in the email.

The hiring systems for federal agencies go through “extensive usability testing” as part of the evaluation and review of the technology and processes for each site, according to Sharpe. 

Sharpe shared that USA Staffing is currently working on new capabilities for high-volume hiring; he reported that the staffing system is collaborating with multiple agencies to support and understand the challenges that come with high-volume hiring. 

USA Staffing is looking to design new tools so HR professionals and hiring managers can more efficiently hire at scale. The new capabilities, according to Sharpe, will include expanded integrations for personnel processing and tracking systems, the ability for agency leaders to establish hiring goals and provide data to track progress. 

Sharpe said that these changes will help those responsible for hiring to have data flow across systems “without duplicative effort and reducing the risk of human error.” 

By providing data and offering the ability to establish hiring goals, Sharpe said agencies can report to Congress and identify areas in need of improvement as well as find “creative ways to connect high-quality applicants for federal jobs with managers who have the legal authority to hire them.”

NASA did not respond to FedScoop’s request for comment by the time of publication.

The post NASA and OPM take steps to modernize astronaut applications appeared first on FedScoop.

The announcement is an initial move since it only establishes a new section of the Federal Acquisition Regulation but doesn’t formally create any policies or rules. The eventual goal is for provisions related to these topics spread throughout other regulatory sections to be reorganized under a new concentrated section where contracting officers can access the information in a singular place. 

“Currently, the policies and procedures for prohibitions, exclusions, supply chain risk information sharing, and safeguarding information that address security objectives are dispersed across multiple parts of the FAR, which makes it difficult for the acquisition workforce to locate, understand, and implement applicable requirements,” the posting stated. 

It continued: “This new part will provide contracting officers with a single, consolidated location in the FAR that addresses their role in implementing requirements related to managing information security and supply chain security when acquiring products and services.”

The new section could address topics including the cybersecurity supply chain, concerns related to emerging technologies, and “foreign-based risks.” Since no new procedures or policies are being implemented, there will be no public comment period. 

The post Some federal agencies want to make IT security contracting rules simpler to find appeared first on FedScoop.

The theft was described as a “Houston SpaceX Unauthorized Access incident where 3 crew training ipads and 2 crew training IPads were stolen,” according to a personally identifiable information incident ticket document that FedScoop obtained via a public records request. The ticket references both the acronym for Johnson Space Center, which is based in Texas, and the Kennedy Space Center, where NASA launches astronauts on SpaceX’s crew module to the International Space Station. 

The ticket, which was filed with NASA’s office of the chief information officer, says the theft was discovered on July 24, 2023. The reports obtained by FedScoop also show additional incidents involving PII, including other missing devices.

NASA did not answer FedScoop’s questions about the alleged theft, including whether a police report was filed, what kind of personally identifiable information might be on these devices, and whether they were owned by SpaceX or NASA. The space agency only said the incident was still under investigation and pointed to its procedures on lost devices.

“NASA takes the security of its information and information technology (IT) seriously. All users of NASA IT must read and affirm (and revalidate annually) the NASA Cybersecurity and Privacy Rules of Behavior that require incident reporting whenever government furnished property is lost/stolen or missing,” Jennifer Dooren, the NASA deputy news chief, said in an email. “Users are to immediately report IT security incidents and all suspected or confirmed loss of control over PII (personally identifiable information) or unauthorized disclosures of PII to NASA’s Security Operations Center.” 

A message to SpaceX’s media email address did not receive a response. It’s not clear what components within NASA are involved in the investigation. The NASA Office of Inspector General did not provide a comment, and a September 2023 report to Congress did not appear to directly reference the incident. 

The civilian space industry isn’t considered critical infrastructure, noted Sean Costigan, the managing director of resilience strategy at the software firm Red Sift, which means it’s not subject to the oversight, reporting and incident response procedures required of the defense industry. He added that it would be speculative to guess what personal information might have been on the devices, or if that personal information would even be valuable. Administrators have “profound ability to locate, lock, and wipe devices,” particularly on devices made by Apple, he noted.

The incident comes amid longstanding concerns about NASA’s cybersecurity and device management practices. Back in 2008, the NASA OIG office flagged in a letter concerns about lost and stolen devices, noting that the loss of one laptop “could have a profound impact on Agency operations.” In 2012, NASA noted that the theft of an encrypted laptop resulted in the loss of algorithms used to control the International Space Station. That was one of 48 incidents involving stolen devices that took place between April 2009 and April 2011, according to NASA testimony to the House of Representatives. 

The topic has continued to come up. In 2014, a NASA OIG report found the agency did not, at the time, have an accurate inventory of mobile devices, including tablets. A 2021 NASA OIG report focused on the space agency’s cyber readiness, noting that lost and stolen equipment can be a “common attack vector” for cyber incidents and pointed to hundreds of instances of “loss/theft of equipment” annually. 

A Government Accountability Office review published in 2018 found major issues with NASA’s cybersecurity operations, too. 

“One would hope that the stolen iPads would have been encrypted and password protected so that the sensitive training information inside is preserved,” said Greg Falco, an aerospace and systems engineering professor at Cornell who focuses on aerospace cybersecurity. “iPads are interesting theft targets because while many devices are stolen for data, iPads are also stolen just for a high resale value. This theft could have been anything from someone trying to make a quick buck on the black market or a nation-state threat actor seeking sensitive data about how to train US astronauts.”

There have been other cybersecurity issues at NASA beyond lost devices. For instance, NASA confirmed to FedScoop that at one point, it deployed “mitigations” in response to three breaches of its social agency accounts that took place before 2021, though no other details were provided. Still, this incident raises questions about the extent to which NASA has addressed its lost device challenge — particularly as the agency expands its work with private companies, like SpaceX. 

“Whether defense or civilian sector, the space industry is a prime target for cyber bad actors ranging from criminals to nation-states,” Costigan told FedScoop. “Given the dependencies and interactions with the physical world, the space industry needs to prepare for cyber incidents it is likely to have in the future.”

At the same time, lost and stolen devices remain an ongoing cybersecurity concern for the federal government more broadly. Last month, FedScoop reported on incidents involving employees with the Federal Emergency Management Agency that took their devices abroad, including to countries like China and Iraq, without authorization. 

The post NASA investigating 2023 theft of astronaut training devices appeared first on FedScoop.

The new government website evaluation tool, which is called “gov metadata,” was created by Luke Fretwell and his son, Elias, as part of the Civic Hacking Agency, a project focused on technology for the public good. The system works by scanning government websites and then analyzing the presence of metatags, which can help search engines and other portions of the web to interpret aspects of an online page. A metatag might be a reference to a title or help boost a page’s presence on social media; based on the number of metatags present, the project gives a “score” to each website. 

The point of the project, Fretwell told FedScoop, was to show how well the government was performing on certain important aspects of web page operations. “When it comes to AI, and metadata and data, and customer experience and digital service — these three elements of it — there’s some fundamental things,” he said. (Editor’s note: Fretwell helped establish FedScoop’s digital and editorial operations in its early years, but he is not a current employee of Scoop News Group). 

The stakes can be high, notes Beau Woods, the founder and CEO of the cybersecurity company Stratigos Security. “If a website doesn’t set [metadata tags] up, or doesn’t set them up correctly, it can leave citizens wondering what the site is about [and] which one is the legitimate site,” he said. “It leaves room for other unofficial websites to go to the top of search rankings, and to be the first stop for the citizens when they’re browsing.” 

The U.S. government appears to be on par with other organizations, like academic institutions and nonprofits, that have limited budgets for IT and competing priorities, Woods added.  Importantly, the project wasn’t able to grade websites that its systems couldn’t properly scan.

According to the gov metadata tracker, federal agencies vary widely in how well they’re performing on metatags. Notably, a digital changelog established by the project shows that some government webpages were incorporating new metadata amid FedScoop’s reporting. 

An Office of Management and Budget spokesperson told FedScoop that the agency is working with implementation partners and relevant interagency bodies to expand “best practices on search engine optimization and the use of metadata.” 

“The use of metadata and other related search engine optimization practices plays an important role in ensuring that members of the public can easily discover government information and services via third-party search engines,” the spokesperson said. ”OMB acknowledges the opportunity for agencies to more consistently use metadata as they continually optimize their websites and web content for search. OMB, alongside key implementation partners, continues to support agencies in this and other related efforts to improve digital experiences.” 

Still, Fretwell says the initiative raises the question of what requirements exist around this aspect of federal website upkeep. “What’s the standard that the government is going to adopt for using metadata and actually using it [and] using those things?” Fretwell said in an interview with FedScoop. “Because it’s so varied.”

FedScoop was unable to identify specific metadata tag requirements for federal websites, but the topic has certainly been referenced before. Older government documents, including a 2016 memo focused on federal agency websites and digital services and a 2015 memo for .gov domains, have generally emphasized the importance of search engine optimization or metatags. Digital.gov mentions that standard metadata should be tagged and Search.gov, a government search engine, has metadata recommendations, too.

A memo issued by the Office of the Federal Chief Information Officer last fall — which provided further guidance for following the 21st Century Integrated Digital Experience Act and improving government websites — points to metadata several times. The memo says that agencies should use “rich, descriptive metadata” and use “descriptive metadata in commonly parsed fields” like “meta element tags.” It also states that agencies should use metadata tags to correctly note the timeliness of a page. The OMB spokesperson pointed to this memo and its emphasis on search optimization.

Though the scanner run by the Civic Hacking Agency appears to have a broader scope, a website scanning tool run by the General Services Administration designed to measure performance of federal websites picks up some aspects of website metadata. (The GSA explains in its GitHub documentation that it focuses on collecting data that is helpful to specific stakeholders). 

That GSA initiative also shows varied performance — for example, whether an agency is using a viewport tag, which helps resize pages so they’re more easily viewable on mobile devices. 

“GSA continues to prioritize SEO and accessibility best practices when curating and improving metadata,” an agency spokesperson said in a statement. In reference to the 2023 OMB memo, the spokesperson noted that GSA “continues to work with its web teams to optimize our content for findability and discoverability” and “focuses on metadata as well as things like improved on-site search, information architecture, user experience design, cross references, etc.” 

“Search.gov recommends metadata that supports foundational SEO techniques as well as our metadata-driven search filtering feature,” the GSA spokesperson added. 

In response to questions, the Federal Chief Data Officers Council said that while it had explored implications of metadata through its data inventory working group, the group hadn’t “targeted federal website metadata specifically.” The CDO Council added that it has yet to review the Civic Hacking Agency’s report. 

Agencies respond 

In response to FedScoop questions, several Chief Financial Officers Act agencies said they’ve investigated or will take steps to improve their metadata practices. A State Department spokesperson said the agency was “pleased” with some of its primary page grades but would also review the findings from the project, while the Environmental Protection Agency said that, after reviewing its score, it fixed all of the metadata issues identified.  The Nuclear Regulatory Commission also added its missing metatags to its site templates after FedScoop reached out.

Similarly, a spokesperson for the National Science Foundation said that it would meet metatag requirements “in the near future,” that missing tags will be tracked and incorporated into upcoming releases, and that the agency was assessing its compliance with Dublin Core and Open Graph standards, two specific types of metatags. 

The Agriculture Department said it would research whether its metadata were being pulled correctly. The agency also said it was updating its metadata creation process, including evaluating the accuracy of automatically generated tokens and updating its page creation workflow to emphasize page metadata. 

“We’re considering a cyclical review process for existing content to ensure metadata stays current with page updates. These changes will be passed down to all USDA website owners who manage their own content and we will coordinate with them to ensure the correct processes are in place,” an agency spokesperson told FedScoop. “The nature of our content management system is to not use XML content formats which impedes metadata from being included for each page. We are working to repair this process.” 

Some agencies pushed back on the findings. Terrence Hayes, press secretary at the  Department of Veterans Affairs, said it wasn’t apparent why certain metatags were chosen by the project, or which of the agency’s thousands of pages were being scanned, but added that the department was “reviewing the findings from the referenced report to better understand where gaps may exist.” 

Similarly, the Social Security Administration — which initially received an F — said some of the metatag issues identified were unnecessary but would implement changes to improve its score and meet Search.gov guidelines. (After a new scan by the site, the agency now has an A.)

Darren Lutz, press secretary for the agency, said that it instituted a new content management system for Social Security’s primary customer-facing pages and that each “new section or page that we launch features meticulously crafted metatags that summarize the content in clear, accessible language, ensuring optimization for search engines.”

“All new content will convey the noted metadata improvements,” Lutz added. “In the past year, we have launched four major new site sections, redirecting significant percentages of public web traffic from our legacy implementation to these modern and optimized web pages on our new platform.”

The Education Department — which has several websites managed by different entities — said that Civic Hacking Agency’s scores for its Ed.gov and G5 domains don’t reflect work being done on those sites, but also pushed back on how the tool evaluated its StudentAid.gov site, pointing to, for example, the description and robots field. While the Education Department acknowledged that some tags should be added to its NationsReportCard.gov page, a spokesperson said the tool was picking up archival pages and “content tagging isn’t feasible” for certain types of applications on that site. 

The Education Department plans to launch a new Ed.gov this coming summer, an agency spokesperson added. Meanwhile, its G5 domain for grant management “will be upgraded to significantly improve its usability, analytics and reporting, using machine-readable metadata and searchable content,” the spokesperson said. 

Several agencies, including the Departments of Commerce and Transportation, did not respond to requests for comment. Meanwhile, some agencies, like NASA, celebrated the scores they received. Notably, the space agency last year launched two new major websites: nasa.gov and science.nasa.gov. The agency has also been engaged in a multi-year web modernization project. 

“One of the driving goals of this major effort has been to improve the findability and search engine authority of these core sites through strong metadata tooling and training, and we believe this contributed to our report card score,” said Jennifer Dooren, the deputy news chief at NASA headquarters. 

Overall, the project appears to provide further incentive to improve site metadata. Several agencies, including the Environmental Protection Agency and the Department of Labor, noted the importance of the Civic Hacking Agency’s tool. 

“The feedback from the ‘gov metadata’ scoring system is invaluable to us as it helps gauge our performance in implementing basic metadata principles,” said Ryan Honick, a public affairs specialist at the Department of Labor. “It acts as a catalyst for ongoing improvement, driving us to refine our strategies for making our websites as accessible and user-friendly as possible.” 

The post On some basic metadata practices, US government gets an ‘F,’ per new online tracker appeared first on FedScoop.