Cybersecurity Archives | FedScoop https://fedscoop.com/tag/cybersecurity/ FedScoop delivers up-to-the-minute breaking government tech news and is the government IT community's platform for education and collaboration through news, events, radio and TV. FedScoop engages top leaders from the White House, federal agencies, academia and the tech industry both online and in person to discuss ways technology can improve government, and to exchange best practices and identify how to achieve common goals. Mon, 20 May 2024 20:34:19 +0000

Login.gov’s upcoming biometric pilot aims to focus on equity, usability https://fedscoop.com/login-govs-upcoming-biometric-pilot-aims-to-focus-on-equity-usability/ Mon, 20 May 2024 20:11:37 +0000 https://fedscoop.com/?p=78408 The General Services Administration is working with internal technology equity experts for the site’s facial recognition pilot.

The post Login.gov’s upcoming biometric pilot aims to focus on equity, usability appeared first on FedScoop.

Ahead of Login.gov’s biometric validation pilot this month, General Services Administration officials are working with internal tech equity experts as part of an effort to reduce algorithmic bias in light of concerns that advocacy groups have raised about the technology.

While facial recognition, a type of biometric validation, is commonly used by law enforcement agencies, GSA sees the Login.gov pilot as a way to further defend against sophisticated fraud and cyber threats. The work with tech equity experts will “incorporate learnings, as applicable” into the pilot, a GSA spokesperson said in an email to FedScoop, and comes after the agency conducted an equity study on remote identity proofing to “improve outreach practices, user testing and user experience for underserved communities in civic tech design.”

The goal of the upcoming pilot, which will run through the fall, is to evaluate overall user experience throughout the new workflow and to find where individuals become stuck or confused throughout the process so the “team can iteratively make improvements,” the agency spokesperson said.

“Login.gov is committed to leveraging best-in-class facial matching algorithms that, based on testing in controlled environments, have been shown to offer high-levels of accuracy in reduced algorithmic bias,” they added. 

The equity study on remote identity proofing included 4,000 participants, as of April, who were tasked with testing five different vendors for this technology. GSA plans to release a report with the results from the equity study in a peer-reviewed publication this year. 

GSA recently concluded a procurement process that expands the set of “identity vendors” that Login.gov has access to, the spokesperson said. The agency shared plans to evaluate how and when to integrate new solutions. 

“The general availability launch timing is not dependent on this integration process,” the spokesperson said. 

Candice Wright, director of the Government Accountability Office’s Science, Technology Assessment and Analytics team, said in an email to FedScoop that the GSA’s equity study on remote identity can assist the agency in ensuring that the biometric validation technology is “more accurate for all demographic groups.”

“The accuracy of biometric identification technologies is improving overall, but there are still issues with technologies that can perform less accurately for certain subgroups, such as people with darker skin,” Wright said, pointing to a recent GAO report that found comprehensive evaluations of technology as a key consideration to assist in addressing differential performance.

The biometric validation tool, the GSA spokesperson said, uses a “privacy-preserving” approach that compares a selfie that a user takes against their photo identification. The spokesperson emphasized that the data provided by the user is “protected by ensuring it will never be used for any purpose unrelated to verifying your identity” by Login.gov or the vendors with whom it works. 

Login.gov’s biometric technology will be provided by a commercial vendor that, according to the spokesperson, employs an algorithm that is considered proprietary but is one of the leading options as measured by the National Institute of Standards and Technology’s Face Recognition Vendor Test (FRVT).

“Agencies could achieve more comprehensive testing by providing guidance to technology vendors so that they design their products in ways that support more standardized testing,” Wright said.

NIST’s test for vendors, which last year was split into the Face Recognition Technology Evaluation (FRTE) and Face Analysis Technology Evaluation (FATE), measures the performance of facial recognition tech as it is applied across a variety of applications, such as visa image verification, identification of child exploitation images and more. 

The GSA noted last month that the biometric validation technology is compliant with NIST’s digital identity guidelines for achieving “evidence-based remote identity verification” at the IAL2 level, or the standard that “introduces the need for either remote or physically-present identity proofing.”

New TMF investments boost agency projects in generative AI, digital service delivery, accessibility https://fedscoop.com/new-tmf-investments-boost-agency-projects-in-generative-ai-digital-service-delivery-accessibility/ Thu, 16 May 2024 18:49:43 +0000 https://fedscoop.com/?p=78355 Nearly $50 million in targeted investments awarded to the Departments of State, Education and Commerce.

The post New TMF investments boost agency projects in generative AI, digital service delivery, accessibility appeared first on FedScoop.

The latest targeted investments from the Technology Modernization Fund support agency efforts to leverage generative artificial intelligence, improve security and enhance digital services, according to a Thursday announcement from the General Services Administration.

TMF investments to the Departments of Education, Commerce and State total just under $50 million. 

The State Department received two investments: $18.2 million to increase diplomacy through generative AI and $13.1 million to transition its identity and access management systems to a zero-trust architecture model.

The AI investment is intended to “empower its widely dispersed team members to work more efficiently and improve access to enhanced information resources,” including diplomatic cables, media summaries and reports. On the zero trust investment, State said it is planning to expedite the creation of a comprehensive consolidated identity trust system, as well as centralizing workflows for the onboarding and offboarding process.

Clare Martorana, the federal CIO and TMF board chair, said in a statement that she’s “thrilled to see our catalytic funding stream powering the use of AI and improving security at the State Department.” 

State recently announced a chatbot for internal uses and revised its public AI use case inventory to remove nine items from the agency website. Additionally, the agency has started to encourage its workforce to use generative AI tools like ChatGPT. 

The Department of Education, meanwhile, is using a $5.9 million allocation to assist the Federal Student Aid office on a new StudentAid.gov feature called “My Activity” to centralize documents and data to track activities and status updates. The FSA is anticipating “a reduction in wait times and the need for customer care inquiries,” per the GSA release. 

Education also recently announced an RFI for cloud computing capabilities for the FSA office, a follow-on contract for its Next Generation Cloud. 

Finally, the Department of Commerce’s National Oceanic and Atmospheric Administration will put its $12 million TMF investment toward modernizing weather.gov through a redesign to “enhance information accessibility” and “establish a sustainable, mobile-first infrastructure.” NOAA reported plans to integrate translation capabilities for underserved communities’ benefit. 

The release noted that NOAA’s associated application programming interface “faces challenges, causing disruptions in accessing dependable weather information for the American public.”

Martorana said she was “equally excited about the TMF’s two other critical investments — with students getting more modern access to manage their education journeys and the public gaining access to life-saving weather information in an accessible manner for all.”

These investments come after a second appropriations package to fund the government for fiscal year 2024 threatened to claw back $100 million from the TMF. Both the GSA and the Office of Management and Budget have faced challenges in convincing lawmakers to meet funding levels proposed by the Biden administration.

Martorana recently called on Congress to fund the TMF, pointing to the funding vehicle as a way to improve service delivery for the public across the government.

Department of Education begins market research for cloud capabilities https://fedscoop.com/department-of-education-begins-market-research-for-cloud-capabilities/ Mon, 06 May 2024 16:48:37 +0000 https://fedscoop.com/?p=78148 In a request for information, the Department of Education’s Federal Student Aid Office said it’s looking for a managed service provider for cloud capabilities.

The post Department of Education begins market research for cloud capabilities appeared first on FedScoop.

The Department of Education’s Federal Student Aid office is looking to advance cloud capabilities through its Next Generation Data Center, a follow-on contract for the office’s Next Generation Cloud. 

The agency said Friday in a request for information that it is conducting market research to identify a service provider to modernize and “continuously improve” the existing cloud environment provided by Amazon Web Services. 

The department said in the RFI that FSA “must evolve cloud capabilities” for general purpose business use, to meet federal requirements laid out in a 2021 executive order on improving national cybersecurity and to “keep pace with today’s dynamic and increasingly sophisticated cyber threat environment.”

The request states that within the first year of awarding a contract, all on-premise applications and infrastructure that remain will move to the cloud. In the second and third year of the contract, “the entire cloud environment must be optimized and modernized as a dedicated workstream” through cloud native design principles in order to take advantage of the commercial cloud’s full benefits.

“The preponderance of FSA’s applications will migrate into FSA [Next Generation Cloud], managed by the FSA chief information officer,” the request states.

This effort is unrelated to the recent updates to the Free Application for Federal Student Aid, which was recently overhauled to leverage cloud technologies for the transmission and delivery of FAFSA data, an agency spokesperson said in an email to FedScoop.

CISA’s chief data officer: Bias in AI models won’t be the same for every agency https://fedscoop.com/ai-models-bias-datasets-cisa-chief-data-officer/ Wed, 24 Apr 2024 20:24:19 +0000 https://fedscoop.com/?p=77573 Monitoring and logging are critical for agencies as they assess datasets, though “bias-free data might be a place we don’t get to,” the federal cyber agency’s CDO says.

The post CISA’s chief data officer: Bias in AI models won’t be the same for every agency appeared first on FedScoop.

As chief data officer for the Cybersecurity and Infrastructure Security Agency, Preston Werntz has made it his business to understand bias in the datasets that fuel artificial intelligence systems. With a dozen AI use cases listed in CISA’s inventory and more on the way, one especially conspicuous data-related realization has set in.

“Bias means different things for different agencies,” Werntz said during a virtual agency event Tuesday. Bias that “deals with people and rights” will be relevant for many agencies, he added, but for CISA, the questions become: “Did I collect data from a number of large federal agencies versus a small federal agency [and] did I collect a lot of data in one critical infrastructure sector versus in another?”

Internal gut checks of this kind are likely to become increasingly important for chief data officers across the federal government. CDO Council callouts in President Joe Biden’s AI executive order cover everything from the hiring of data scientists to the development of guidelines for performing security reviews.

For Werntz, those added AI-related responsibilities come with an acknowledgment that “bias-free data might be a place we don’t get to,” making it all the more important for CISA to “have that conversation with the vendors internally about … where that bias is.”

“I might have a large dataset that I think is enough to train a model,” Werntz said. “But if I realize that data is skewed in some way and there’s some bias … I might have to go out and get other datasets that help fill in some of the gaps.”

Given the high-profile nature of agency AI use cases — and critiques that inventories are not fully comprehensive or accurate — Werntz said there’s an expectation of additional scrutiny on data asset purchases and AI procurement. As CISA acquires more data to train AI models, that will have to be “tracked properly” in the agency’s inventory so IT officials “know which models have been trained by which data assets.” 

Adopting “data best practices and fundamentals” and monitoring for model drift and other potentially problematic AI concepts is also top of mind for Werntz, who emphasized the importance of performance security logging. That comes back to having an awareness of AI models’ “data lineage,” especially as data is “handed off between systems.” 

Beyond CISA’s walls, Werntz said he’s focused on sharing lessons learned with other agencies, especially when it comes to how they acquire, consume, deploy and maintain AI tools. He’s also keeping an eye out for technologies that will support data-specific efforts, including those involving tagging, categorization and lineage.

“There’s a lot of onus on humans to do this kind of work,” he said. “I think there’s a lot of AI technologies that can help us with the volume of data we’ve got.” CISA wants “to be better about open data,” Werntz added, making more of it available to security researchers and the general public. 

The agency also wants its workforce to be trained on commercial generative AI tools, with some guardrails in place. As AI “becomes more prolific,” Werntz said internal trainings are all about “changing the culture” at CISA to instill more comfort in working with the technology.

“We want to adopt this. We want to embrace this,” Werntz said. “We just need to make sure we do it in a secure, smart way where we’re not introducing privacy and safety and ethical kinds of concerns.” 

How Google Cloud AI and Assured Workloads can enhance public sector security, compliance and service delivery at scale https://fedscoop.com/how-google-cloud-ai-and-assured-workloads-can-enhance-public-sector-security-compliance-and-service-delivery-at-scale/ Mon, 15 Apr 2024 22:00:00 +0000 https://fedscoop.com/?p=77239 Google Cloud’s expanding AI capabilities empower government agencies to better manage complex security, regulatory and data privacy challenges.

The post How Google Cloud AI and Assured Workloads can enhance public sector security, compliance and service delivery at scale appeared first on FedScoop.

The public sector’s IT modernization journey into the cloud is taking a new and revolutionary turn as agency leaders grapple with how to harness AI’s power to help them securely manage the volume and velocity of their workloads.

One challenge that remains at the forefront of those efforts is ensuring that today’s increasingly dynamic and distributed IT environments continue to meet the government’s complex security, regulatory and data privacy compliance rules — while learning how best to capitalize on AI’s potential to serve the public.

Google Cloud’s understanding and recognition of those challenges was widely reflected in a series of sweeping announcements at last week’s Google Cloud Next ’24 that promise new levels of security, flexibility and AI-assisted capabilities to Google Cloud’s public sector customers.

Building AI capabilities within protected workspaces

When it comes to securely managing public sector data, agencies using Google Cloud gain immediate benefits by building on top of its foundational architecture. Because the architecture was built for the cloud and also incorporates a substantial portion of federal security controls, it’s possible to demonstrate security compliance and obtain operating authority in weeks instead of months when folding in applications like Workspace or AI models like Gemini.

Another way agencies can enhance the security of their workloads is by using Google Cloud Assured Workloads, which also has foundational government security compliance assurances built in, according to a panel of technology experts speaking at Google Cloud Next ’24.

The panelists, representing NASA, Palo Alto Networks, SAP and Google Cloud, argued that using zero-trust and compliance-as-code technologies has become essential to creating and maintaining easily reproducible compliant workload environments. That’s in part because of the diversity of government agency compliance requirements, from FedRAMP to the Department of Defense Impact Level 2, 4, and 5 security controls.

By deploying workloads in pre-certified, software-defined environments set up to limit activity to compliant products and restrict where data can flow and who can access it, agencies can better ensure their workloads meet government requirements.

“Moving to Assured GCP is not just an upgrade; it’s a transformational leap forward,” said Collin Estes, the CIO of MRI Technologies working at NASA.

He pointed to two benefits: The “ability to generate compliant documentation as both a product of these large language models as well as helping us produce very well-structured definitions of what we’re doing, based on your actual implementations within Google Cloud. It is not a human saying, here’s what we do. It is us generating what we do from our environment. I think that’s going to really change the game in terms of how federal agencies manage risk across these portfolios.”

Among other benefits, the panelists pointed to:

  • Streamlining software development – Transitioning to Assured GCP allows government bodies to leverage and deploy cutting-edge technologies and methodologies, such as containerization and microservices, with unprecedented ease.
  • Focusing on the mission – By moving to Assured GCP, organizations can shift their focus from the backend to what truly matters—their mission. This shift represents not just an operational change but a philosophical one, where technology becomes an enabler rather than a hurdle in support of agency missions.

According to Palo Alto Networks Senior Manager Michael Clark, another reason for adopting Assured Workloads is the volume of data and the compute intensity with all this data. “We’re at that critical pivot point. We’ve been using this data to learn new threats and find zero-day threats so that we can enforce zero trust, improve security protection mechanisms, and map into new areas of innovation for threat detection and automated remediation.”

When building a compliant environment, SAP’s NVP Architecture and Product Launch, Hunter Downey, urged session attendees “to build it within a framework that I can ensure controls are in place, so I can rinse and repeat across 20 to 100 different teams, potentially touching 1,000 or 5,000 developers. If you start with the lowest common denominator, you’re going to fail. The reason why we partnered with GCP Assured Workloads is because you’re able to control the flow of information and messages. The minute the data goes global, it’s a different jurisdiction.”

Among other AI-related developments announced at Google Cloud Next ’24:

  • Gemini for Google Cloud is a new generation of AI assistants for developers, Google Cloud services and applications that help users work and navigate security challenges more effectively.

Learn more about how Google Public Sector can help your organization “Kickstart your AI and security journey.”

This article was produced by Scoop News Group and sponsored by Google Public Sector. Google Public Sector is an underwriter of AI Week.

New TMF investments support NASA, DOL modernization and cybersecurity efforts https://fedscoop.com/tmf-investments-nasa-dol-modernization-cybersecurity/ Tue, 09 Apr 2024 18:05:46 +0000 https://fedscoop.com/?p=77118 The latest round of investments from TMF will fund NASA cybersecurity efforts and help DOL in its ability to offer services and benefits for injured and ill workers.

The post New TMF investments support NASA, DOL modernization and cybersecurity efforts appeared first on FedScoop.

NASA will receive new funding for cybersecurity and performance improvements and the Department of Labor will be able to streamline its ability to offer services and benefits for injured and ill workers under new investments announced Tuesday from the Technology Modernization Fund. 

The TMF will provide NASA with nearly $6 million to automate network management, standardize network configurations and modernize legacy infrastructure across all of the space agency’s locations, according to a press release from the General Services Administration. The funds would also allow NASA to implement cybersecurity requirements, as the agency’s interactions with sensitive data make it a “prime target for hackers and other entities,” the press release stated.

The DOL, meanwhile, will use $42 million in TMF-provided funds to undertake a “significant” modernization effort that would replace the agency’s Integrated Federal Employee Compensation System, or iFECS, with a cloud-based system that utilizes automation technologies, according to the release. This would streamline processes that injured and ill workers interact with and further protect those services. 

The GSA noted that the DOL is looking to enhance the efficiency of services and make them less prone to “cybersecurity, operational and financial risk.”

“These TMF investments demonstrate the diversity and reach of the TMF in driving innovation and impact forward for the American public,” Clare Martorana, the federal CIO and TMF Board chair, said in the statement. “From strengthening NASA spacecraft control to supporting injured and ill workers through the DOL’s Office of Workers’ Compensation Programs.”

NASA is facing “significant” security threats that are attributed to the value of agency data, per the release, and the TMF funds will enable the space agency to accelerate cybersecurity and operational upgrades two years earlier than originally anticipated. This would also support the collection of additional telemetry data to align with federal cybersecurity mandates.

Similarly, the DOL is looking to bolster data security with the funds due to the sensitive information surrounding federal employee health records and annual claims. The shift to a new, cloud-based system “promises” to reduce claim adjudication times and enhance customer interactions.

Further, the agency reported that its “aging” infrastructure and “complex” workflows were responsible for hindered case management for workers that are ill and/or injured.

The latest round of investments follows the recently released appropriations package, which clawed back $100 million from the TMF, deflating support for government IT modernization projects that the fund received through the American Rescue Plan.

“Unlocking the potential of government through technology modernization requires strategic investment and a commitment to driving meaningful change,” Larry Bafundo, acting TMF executive director, said in the release. “TMF is pivotal in enabling federal agencies to invest in their own ability to adapt, evolve, and better serve their citizens in a rapidly changing world.”

AI won’t replace cybersecurity workforce, agency leaders say https://fedscoop.com/ai-cybersecurity-workforce-automation/ Mon, 01 Apr 2024 21:15:10 +0000 https://fedscoop.com/?p=76926 DOE, GSA cyber experts said automation will help the workforce, not replace it.

The post AI won’t replace cybersecurity workforce, agency leaders say appeared first on FedScoop.

For cybersecurity specialists working in the federal government, the flood of artificial intelligence tools in recent years has had a transformative effect on agencies’ work. 

In these relatively nascent days, some federal cyber officials have said they believe that AI provides more of an advantage to defenders than attackers in cyberspace, while others warn that the pace of innovation looms as a threat to the country. 

But from a workforce standpoint, agency cyber experts believe that the worst fears of AI replacing humans won’t be realized. 

Speaking during an Advanced Technology Academic Research Center event last week on intelligent data and cyber resilience, federal IT leaders delivered a clear message to the cyber workforce: “Automation will not replace humans,” said Amy Hamilton, senior cybersecurity adviser for policy and programs at the Department of Energy. 

“What it’s going to do is enable us and make it better. Every single time I see the stats on the cybersecurity workforce — trust me, there is more than enough work to go around. Don’t worry about your job going away from AI. AI is just going to be your personal assistant and help you even more.”

Hamilton, who previously served as a cybersecurity policy analyst with the Office of Management and Budget, pointed to the 2021 breach of a water treatment plant in Oldsmar, Fla., as an example of the need for human response. An Oldsmar plant operator flagged the issue of dangerous levels of sodium hydroxide before they were released into the system. 

“It happened that somebody was monitoring it, they noticed it, they prevented chemicals from” entering the system, Hamilton said. “We have to make sure that we’re putting all the checks and balances in place.”

Though subsequent reporting questioned whether an outside hacker was actually responsible for the Oldsmar incident, Hamilton’s point about the importance of continuous monitoring remains.

“One of the things about sites that are mostly based on operational technology is they are designed for failover to manual, and a lot of people are like ‘automate, automate,’” she said. “You can do that, but is that a lot of risk? By having humans monitoring these systems as well as what we’ve talked about with the importance of the automation, it’s going to come into play.”

In DOE’s 16-page AI inventory, four use cases employ robotic processing automation, while another from the Lawrence Livermore National Laboratory leverages automation and robotics for “accelerating hardware development and interpretation of sensor data to improve process reliability.”

Alyssa Feola, a cybersecurity adviser at the General Services Administration, also expressed concern about removing humans from the cyber workforce. Leaving all system reviews to AI tools could lead to “really tainted stuff,” she said. 

“We need these people to do this work,” Feola said. “We’re not going to automate people out of these jobs because it is going to take people doing the work, and I think that’s what’s really most important.”

Working with AI in federal agencies is just one piece of the current technological evolution that the government and society more broadly are undergoing. These “new challenges” are a lot to process, Hamilton said, but there’s really only one path forward.

“Now, we have to change the way that we’re thinking and as older people need to be much more open to the next generation and opening up these concepts, because technology is going to keep changing,” she said. “We have to change with it.”

GSA working on corrective action plan following OIG report on ‘noncompliant’ video-conferencing camera purchase https://fedscoop.com/gsa-working-on-corrective-action-plan-for-its-noncompliant-video-conferencing-camera-purchase/ Fri, 01 Mar 2024 22:09:31 +0000 https://fedscoop.com/?p=76279 The agency will provide its Office of the Inspector General with the plan by March 25, detailing enhancements to purchasing procedures and compliance measures.

The post GSA working on corrective action plan following OIG report on ‘noncompliant’ video-conferencing camera purchase appeared first on FedScoop.

Following scrutiny from both an agency watchdog and Congress for its purchases of Chinese-made video-conference cameras that were susceptible to security vulnerabilities, the General Services Administration said Thursday that it must deliver a corrective action plan to its inspector general’s office by March 25.

In a statement to FedScoop, a GSA spokesperson said the agency has put corrective actions in place and intends to provide the plan to OIG later this month. The spokesperson said the report will include “enhancements to acquisition processing procedures that ensure that compliance with all applicable laws is precisely documented.”

GSA’s Office of the Inspector General released a report in January detailing the agency’s purchase and use of Chinese-manufactured video-conference cameras with “known security vulnerabilities” that were not compliant with the Trade Agreements Act of 1979, or TAA.

At the time of the original report, OIG shared that GSA records indicated that the non-compliant video cameras had not been updated and remained susceptible to vulnerabilities. Out of 210 active cameras, the OIG report noted that 37 had not been updated with the most recent software version, which was from September 2022. Additionally, 29 of the cameras “had not been updated to the June and July 2022 software versions that addressed the prior security vulnerabilities,” the report found.

The GSA spokesperson told FedScoop that as of Friday, the agency “has 172 OWL devices that are approved for use around our environment. All 172 devices have been updated to the latest software version.” The spokesperson added that the GSA has not found any additional security vulnerabilities and that it has a “strong zero trust architecture to prevent cyber threats and bad actors.”

“GSA is confident that the use of the OWL video conference cameras has been and remains secure under our security protocols,” the spokesperson said. “GSA took several measures to assure the ongoing security of these devices, including limiting their connectivity to the internet, discontinuing a subset of the cameras that did not meet our standards and conducting ongoing threat monitoring, patching and maintenance.”

The agency’s Office of Digital Infrastructure Technologies (IDT) “misled a contracting officer with egregiously flawed information” to purchase 150 video cameras as part of a pilot project overseen by the GSA’s Federal Acquisition Services’ Federal Systems Integration and Management Center (FEDSIM), according to the report.

GSA Chief Information Officer David Shive and Deputy Inspector General Robert Erickson testified Thursday before the House Subcommittee on Cybersecurity, Information Technology, and Government Innovation regarding the audit’s findings. Shive said he was unaware of “any evidence suggesting that GSA IT personnel sought to intentionally mislead acquisition.”

“As a result of this audit, GSA has put in place new processes and improved documentation requirements,” Shive said. “The team has strengthened our alternatives of analysis documentation … [allowing] for possible solutions to be adequately analyzed and locked down once the analysis is completed.”

In response to a question from subcommittee Chairwoman Nancy Mace, R-S.C., about possible intentions behind the purchase, Erickson said that the OIG’s report did not find any evidence of ill intent, referring to the purchase as “gross incompetence.”

The OIG recommended four action items for the GSA in its original report, including to “return, or otherwise dispose of, previously purchased TAA-noncompliant cameras.” The agency partially concurred with that point, stating that a subset of cameras that did not meet GSA standards was discontinued and that it is “confident that the use of the detailed video conference cameras are secure under our current security protocols.”

The headline of this story was updated March 4, 2024, to better characterize the OIG’s findings.

Federal leaders on accelerating the mission with AI and security https://fedscoop.com/federal-leaders-on-accelerating-mission-with-ai-and-security/ Fri, 01 Mar 2024 20:30:00 +0000 https://fedscoop.com/?p=76269 Nearly a dozen leaders across the federal civilian community share strategies and programs that use AI to improve security, mission outcomes and workforce productivity.

The post Federal leaders on accelerating the mission with AI and security appeared first on FedScoop.

Artificial intelligence holds tremendous potential to help federal agencies augment security and workforce capacity to improve mission outcomes. In a recent executive interview series, government leaders share a number of programs and strategies their agencies are embracing to take full advantage of these new capabilities responsibly and ethically.

The series, “Accelerating the Mission with AI and Security,” produced by Scoop News Group for FedScoop and underwritten by Google for Government, invited leaders to share where they hope to see the most significant return on investment for AI implementation in the coming year.

Artificial intelligence to meet core mission needs

Workforce augmentation was a highly discussed use case for AI implementation in the series.

FEMA’s Office of the Chief Financial Officer is one office that has been working strategically on a generative AI tool to improve mission efficiency.

Christopher Kraft, Assistant Administrator, Financial Systems for FEMA’s OCFO, shared that his office is developing a proprietary generative AI tool – owned and operated by FEMA and DHS – to generate draft responses to budget requests that his team can review for accuracy.

The Department of Labor CISO Paul Blahusch discussed how his agency is leaning into AI with a dedicated AI office inside the Office of the CIO to help develop and implement tools and techniques to streamline workflows, which can translate into cost avoidance and improved programs. He referred to three AI implementation areas his agency is focusing on, including cybersecurity, back-office support, and assisting constituents in accessing services more quickly.

For agencies like the U.S. Patent and Trademark Office, the use of AI as an augmented assistant has developed even further over the past three years, according to CISO Jamie Holcombe, with each examiner provided an augmented intelligence system next to them.

“So, during its searches, it can bring up not just one thing but a myriad of things that pertain to the uniqueness of that patent application or trademark registration. So, you really have to think that the examiners don’t want one thing, they want a plethora of things to say, ‘yes,’ it is unique and novel, or ‘no, it’s not,’” Holcombe explains. “AI and generative AI has helped in that regard because each examiner has a customized version that just applies to them.”

Many leaders see generative AI as a way to improve standard workflow procedures. Department of Commerce CIO Andre Mendes said that for tasks that are incredibly onerous, his department is looking at how AI can be used to break through some of the clutter.

“In HR processes, for example, position descriptions are not really that exciting, but at the end of the day, consume an enormous amount of people and time and resources, and where we can, I think, leverage AI to dramatically improve and optimize those environments,” he explained.

Improved security for federal data

Agencies like U.S. Citizenship and Immigration Services (USCIS) are far along in their cloud migration strategies, which means that data security strategies must now shift to account for an explosion of digital resources.

“All the immigration data that has to be cataloged and identified and tagged is a monstrous task. And frankly, there is no easy button to push when you’re talking about the volume and scale of data that we have, and the amount of change that it goes through on even a daily basis,” shared USCIS CISO Shane Barney.

“We have, from a cybersecurity perspective, in my plans I am building, what we’re referring to as a security integration platform, which is an open source-based platform, and it has a whole AI/machine learning piece built into it based on open-source principles and practices, as well as some software platforms that will be integrated into the security program. And more on the threat hunting side of things where we’re looking for those abnormal changes in the environment that could indicate a breach.”

Barney said his agency’s leadership is waiting on further White House guidance on AI implementation but is working on foundational principles that can help the organization move forward with implementation plans quickly. He referred to an open cybersecurity schema framework USCIS has been working on.

“I see it as the future. It’s the way we have to handle it; the future of cybersecurity is data,” said Barney.

This sentiment was echoed by other leaders who want to improve how they manage, store and analyze data to strengthen their agency’s security posture. Centers for Medicare and Medicaid Services (CMS) CISO Robert Wood said that his agency is building a security data lake to minimize data silos.

According to Wood, generative AI models could play a more significant role in empowering the government workforce to ask plain-language questions and get actionable insights from data, if it is properly structured, and to react more quickly to security threats and vulnerabilities.

Other participants who shared their insights in this series included:

This video series was produced by Scoop News Group, for FedScoop, and sponsored in part by Google for Government.

FEMA employees brought government devices abroad without authorization, including to China and Iraq, document shows https://fedscoop.com/fema-employees-brought-government-devices-abroad-without-authorization-including-to-china-and-iraq-document-shows/ Mon, 26 Feb 2024 18:41:32 +0000 https://fedscoop.com/?p=76198 FEMA appears to have missed a December goal to address concerns related to government devices being taken abroad without authorization.

The post FEMA employees brought government devices abroad without authorization, including to China and Iraq, document shows appeared first on FedScoop.

The Federal Emergency Management Agency Office of the Chief Information Officer has tracked scores of employees bringing government mobile devices abroad, including to countries like China and Iraq, without authorization, according to a document obtained by FedScoop. 

The issue was highlighted in a DHS inspector general’s report published last July that pointed to concerns about how the emergency management agency handles the security of government-issued mobile devices. 

Among other issues, the report centered on concerns with international travel. FEMA policies stipulate that employees cannot bring government devices abroad, while DHS policy requires the use of loaner devices and that any device detected internationally (without authorization) is turned off. The inspector general found that FEMA was not effectively tracking whether data on devices taken on international travel had been wiped. 

FEMA is still working on fixes, originally expected in December of last year, to address the issue, which heightens security risks and violates broader Department of Homeland Security mobile device policy.

The document obtained by FedScoop similarly shows scores of devices detected abroad by FEMA. Many of them were tracked in countries that Americans commonly visit for vacation, including the Dominican Republic, the United Kingdom, and Mexico. But the list — which displays devices that had access restricted and were then beginning to be investigated after being used abroad — also shows that employees brought government devices to countries that fall under the International Traffic in Arms Regulation country list

The document provides some insight into how FEMA handles the issue. While most of the incidents are unlabeled, some note that a case was investigated, that there was a tracking action, or a request for comment was issued, a spokesperson for FEMA told FedScoop. The document also displays dates that refer to when there was an update to the device in DHS’s Enterprise Incident Database, or ECOP, portal. 

“If you’re a large government organization, I think it’s always better to err on the side of safety and caution and preparation and training rather than have employees not know the potential risks,” said Kristin del Rosso, the public sector field chief technology officer at Sophos, a security and hardware firm. “There are different countries that have different rules [and] some don’t respect personal privacy… If you’re in a customs border zone [and] you don’t have access to your devices, they can do what they want with those devices.” 

She said the OIG report didn’t raise “massive alarm bells” but it was good the agency was addressing the problem. 

Notably, in February 2022, the Federal CIO Council released the final version of its guidance for international travel and government devices. The guidance establishes that government devices taken abroad risk being stolen, compromised, or damaged physically — while also potentially exposing personal and government application data and account information. A blog announcing the guidance noted that both government and industry employees could be targeted by foreign adversaries looking to procure government data.

For a sense of scope, FEMA maintains tens of thousands of mobile devices, the OIG report outlines. The agency uses a cloud-based management system for monitoring the data on these devices, as well as connecting them to FEMA’s network. One particular branch of the agency’s Office of Chief Information Officer, the Mobility Service Center, is in charge of sanitizing devices that encounter security concerns, while another section called the Security Operations Center is supposed to detect devices abroad. 

Ultimately, the OIG report found that FEMA detected 227 mobile devices internationally without authorization and that, within a sample of nine, only two were turned off — those two were on the ITAR list. FEMA did not provide the OIG any documentation as to whether those devices were sanitized, according to the report. The audit looked at mobile device management between October 2020 and April 2022 — a somewhat distinct source of data from the one obtained by FedScoop, which came from the OCIO and includes incidents between October 2021 and June 2022. Still, the OIG document also shows that employees took devices to countries like China and Iraq.

A FEMA spokesperson said: “DHS and FEMA are committed to continuously improving our cybersecurity posture to ensure information stored on mobile devices remains secure while supporting employee productivity. We take this matter seriously and have protocols and tools in place to ensure devices are used securely and in accordance with policy, regardless of location. We recognize the sensitivity around devices being taken to countries with heightened security risks and have specific procedures for when employees travel with government devices.” 

To deal with this problem, FEMA concurred with several recommendations made by the DHS OIG in the report, including implementing new documentation of device wiping, modifying mobile technology sanitization procedures, communicating requirements to sanitize devices taken on authorized international travel, and updating FEMA’s response playbook procedure to require disabling devices taken abroad without authorization.

But while FEMA initially said it would complete those recommendations by the end of 2023, an agency spokesperson told FedScoop that completing them is still an “ongoing process.” The DHS OIG did not confirm whether it had received an update from FEMA about its progress. The Cybersecurity and Infrastructure Security Agency and the Office of Management and Budget both declined to comment and directed FedScoop to FEMA. 

“We take this matter seriously and have protocols and tools in place to ensure devices are used securely and in accordance with policy, regardless of location,” said a spokesperson for DHS in a statement to FedScoop. “We recognize the sensitivity around devices being taken to countries with heightened security risks and have specific procedures for when employees travel with government devices.”

The DHS spokesperson continued: “We appreciate DHS OIG’s work which showed that there have been inconsistencies in following these policies and procedures in the past. FEMA has completed work to address each recommendation in OIG’s July report and expects these recommendations to be resolved and closed following OIG’s review of our documentation.”
