Shane Barney Archives | FedScoop
https://fedscoop.com/tag/shane-barney/

Federal leaders on accelerating the mission with AI and security
https://fedscoop.com/federal-leaders-on-accelerating-mission-with-ai-and-security/
Fri, 01 Mar 2024 20:30:00 +0000

Nearly a dozen leaders across the federal civilian community share strategies and programs that use AI to improve security, mission outcomes and workforce productivity.

The post Federal leaders on accelerating the mission with AI and security appeared first on FedScoop.

Artificial intelligence holds tremendous potential to help federal agencies augment security and workforce capacity to improve mission outcomes. In a recent executive interview series, government leaders share a number of programs and strategies their agencies are embracing to take full advantage of these new capabilities responsibly and ethically.

The series, “Accelerating the Mission with AI and Security,” produced by Scoop News Group for FedScoop and underwritten by Google for Government, invited leaders to share where they hope to see the most significant return on investment for AI implementation in the coming year.

Artificial intelligence to meet core mission needs

Workforce augmentation was a highly discussed use case for AI implementation in the series.

FEMA’s Office of the Chief Financial Officer is one agency that has been strategically working on a generative AI tool to improve mission efficiency.

Christopher Kraft, Assistant Administrator, Financial Systems for FEMA’s OCFO, shared that his office is developing a proprietary generative AI tool – owned and operated by FEMA and DHS – to generate draft responses to budget requests that his team can review for accuracy.

The Department of Labor CISO Paul Blahusch discussed how his agency is leaning into AI with a dedicated AI office inside the Office of the CIO to help develop and implement tools and techniques to streamline workflows, which can translate into cost avoidance and improved programs. He referred to three AI implementation areas his agency is focusing on, including cybersecurity, back-office support, and assisting constituents in accessing services more quickly.

At agencies like the U.S. Patent and Trademark Office, the use of AI as an augmented assistant has developed even further over the past three years, according to CISO Jamie Holcombe, providing each examiner with an augmented intelligence system next to them.

“So, during its searches, it can bring up not just one thing but a myriad of things that pertain to the uniqueness of that patent application or trademark registration. So, you really have to think that the examiners don’t want one thing, they want a plethora of things to say, ‘yes,’ it is unique and novel, or ‘no, it’s not,’” Holcombe explains. “AI and generative AI has helped in that regard because each examiner has a customized version that just applies to them.”

Many leaders see generative AI as a way to improve standard workflow procedures. Department of Commerce CIO Andre Mendes said that for tasks that are incredibly onerous, his department is looking at how AI can be used to break through some of the clutter.

“In HR processes, for example, position descriptions are not really that exciting, but at the end of the day, consume an enormous amount of people and time and resources, and where we can, I think, leverage AI to dramatically improve and optimize those environments,” he explained.

Improved security for federal data

Agencies like U.S. Citizenship and Immigration Services (USCIS) are far along in their cloud migration strategies, which means that data security strategies must now shift to account for an explosion of digital resources.

“All the immigration data that has to be cataloged and identified and tagged is a monstrous task. And frankly, there is no easy button to push when you’re talking about the volume and scale of data that we have, and the amount of change that it goes through on even a daily basis,” shared USCIS CISO Shane Barney.

“We have, from a cybersecurity perspective, in my plans I am building, what we’re referring to as a security integration platform, which is an open source-based platform, and it has a whole AI/machine learning piece built into it based on open-source principles and practices, as well as some software platforms that will be integrated into the security program. And more on the threat hunting side of things where we’re looking for those abnormal changes in the environment that could indicate a breach.”

His agency leadership is waiting on further White House guidance on AI implementation but is working on foundational principles that can help the organization move forward with implementation plans quickly, referring to an open cybersecurity schema framework USCIS has been working on.

“I see it as the future. It’s the way we have to handle it; the future of cybersecurity is data,” said Barney.

This sentiment was echoed by other leaders who want to improve how they manage, store and analyze data to strengthen their agency’s security posture. Centers for Medicare and Medicaid Services (CMS) CISO Robert Wood said that his agency is building a security data lake to minimize data silos.

According to Wood, generative AI models could play a more significant role in empowering the government workforce to ask plain-language questions to get actionable insights from data, if properly structured, and to react more quickly to security threats and vulnerabilities.

Other participants who shared their insights in this series included:

This video series was produced by Scoop News Group, for FedScoop, and sponsored in part by Google for Government.

HHS OIG took the Zero Trust Maturity Model a step further
https://fedscoop.com/hhs-oig-zero-trust-model/
Wed, 06 Apr 2022 18:19:06 +0000

Gerald Caron says his office developed a functional capabilities model to game out its move to zero trust.

The post HHS OIG took the Zero Trust Maturity Model a step further appeared first on FedScoop.

The Department of Health and Human Services Office of Inspector General developed a zero trust functional capabilities model to ensure it understood the strategy’s pillars before undertaking any projects, according to its chief information officer.

Gerald Caron said HHS OIG’s model consists of eight pillars, as opposed to the Department of Homeland Security’s five, complete with functional capabilities — like loss prevention and segmentation under the data pillar and authentication and access under the user pillar.

DHS’s Cybersecurity and Infrastructure Security Agency drafted the Zero Trust Maturity Model in June to help agencies comply with the Cybersecurity Executive Order, but Caron finds some people still talk about the strategy like it’s solely the identity pillar.

“I start with the data,” Caron said, during the 2022 Zero Trust Summit presented by CyberScoop on Wednesday. “That’s what I’m protecting, that’s what the users are protecting, that’s what the bad guys want.”

That’s not to say the user and identity pillars aren’t important, but the first questions a cyber analyst will ask post-breach are what did the person have access to and was there exfiltration — data questions, he added.

HHS OIG’s model is changing the way its auditors and assessors evaluate IT systems because Caron watched one, which had all its authorizations to operate and passed all the National Institute of Standards and Technology’s Security Program controls, totally fail on zero-trust controls and procedures.

“We’ve got to figure out a way to measure effectiveness and not just compliance because they are two different things in my eyes,” Caron said. “And that’s what we really want to be; we want to be effective at cybersecurity.”

The chief information security officer of U.S. Citizenship and Immigration Services, Shane Barney, echoed Caron’s sentiment that while there’s a place for compliance and it adds value, it will never be security.

USCIS threw out a compliance mindset when it “fell into” its zero-trust strategy through cloud migration about a decade ago, Barney said.

“I’m not going to knock the federal government; I love the federal government actually,” he said. “But we do so love our checkboxes, and we so love our scorecards.”

Once HHS OIG developed its zero trust functional capabilities model, the office compared it with DHS’s to identify gaps. HHS OIG asks vendors it works with to do the same.

That information serves as an input to HHS OIG’s roadmap with multiple objectives under each pillar. HHS OIG meets objectives through phased projects across every pillar.

Foundational projects include identity; data mapping, which entails taking an application and mapping all the data it handles to baseline what needs protecting; and implementing Trusted Internet Connections 3.0 to improve user experience.

“My users are part of my team,” Caron said.

Federal zero-trust strategy needs more deadlines say tech officials
https://fedscoop.com/federal-zero-trust-strategy-needs-more-deadlines-say-tech-officials/
Thu, 09 Sep 2021 14:37:56 +0000

OMB's draft strategy includes only a broad implementation deadline of year-end fiscal 2024.

The post Federal zero-trust strategy needs more deadlines say tech officials appeared first on FedScoop.

The Office of Management and Budget’s draft federal zero-trust strategy needs more deadlines on required actions to help agencies prioritize them, according to tech officials.

Deadlines give chief information security officers (CISOs) something to point to during discussions with agency leadership over which zero-trust security goals to fund during the budgeting process.

Currently the draft strategy simply requires agencies to complete its identity, device, network, application and data actions by the end of fiscal 2024 — a broad deadline that doesn’t offer guidance on how to prioritize them individually.

“There’s a lot of value in a strategy document, and I’m a big fan,” said Shane Barney, CISO at U.S. Citizenship and Immigration Services, during an AFCEA Bethesda webinar Wednesday. “But there’s also a lot of value in adding teeth.”

Agencies can’t drum up the resources for a zero-trust security architecture overnight, said Sheena Burrell, deputy chief information officer at the National Archives and Records Administration. Planning and alternative funding sources, like the Technology Modernization Fund, are needed.

NARA intends to use TMF funds to build out its zero-trust architecture in accordance with the recent cybersecurity executive order and subsequent OMB guidance.

“My agency is putting in for some of our cybersecurity issues looking at our high-value assets, trying to modernize those systems, as well as looking at our zero-trust architecture and these other key pieces and putting in a request for that Technology Modernization Fund because we didn’t have that money,” Burrell said. “And we didn’t have those resources when [this guidance] came out.”

That the strategy states the goal of a zero-trust model is to place the entire enterprise on the public internet is “revolutionary” and will help agencies design their architectures and define trust, Barney said. And he’s a “big fan” of the requirement that agencies develop a network segmentation plan in consultation with the Cybersecurity and Infrastructure Security Agency to submit to OMB.

However, Barney would like to see a “no humans in production” requirement, where products are automatically deployed to a production environment without manual intervention. USCIS isn’t 100% of the way there yet.

“Humans in production should be a break-glass event; in other words it should be something that’s an emergency,” Barney said. “You moving product into production should be an automated pipeline.”

The strategy should also add an extra layer of security for token-based authentication, so it’s not just multi-factor but multi-tiered. Think adding YubiKey infrastructure that’s separate from the regular, challenge-handshake authentication protocol — for high-level access accounts.

“Because one of the things you saw with SolarWinds was the ability for threat actors to use or compromise some of our core security in terms of identity,” Barney said.

Barney also took issue with the strategy’s requirement that CISA adapt the Continuous Diagnostics and Mitigation program to avoid the use of privileged software agents wherever possible. The problem there is a number of security tools like Splunk require privileged accounts to run, so the strategy should be clarified to explain what mitigation, monitoring and risk-based scenarios are needed, he said.
