In a series of panel discussions at the “Federal Innovation Series: Leading in the Era of AI” event, agency officials and technology experts from Microsoft touched on ways government agencies are harnessing AI to enhance mission support, ensure responsible innovation, and bolster cybersecurity. The event was presented by FedScoop and sponsored by Microsoft.

Candice Ling, senior vice president of Microsoft’s federal business, kicked off the conference with a call to action for government agencies to embark on a transformational journey through a process of co-innovation and collaboration to modernize government operations. Ling highlighted Microsoft’s commitment to responsible and ethical AI solutions to safeguard government systems. She stressed how the company’s principles for responsible AI — including accountability, inclusiveness, reliability, safety, fairness, transparency, and privacy and security — and Microsoft’s experience working with federal agencies can help agencies capitalize on AI to innovate faster and more effectively.

Eileen Vidrine, chief data and AI officer at the Department of Air Force, outlined the department’s goals to provide the necessary framework to “operationalize data and AI for decision advantage” and to be “AI-ready by 2025 and AI-competitive by 2027.” She also reiterated the importance of partnerships across the Air Force, the Defense Department, industry and academia to keep pace with AI’s potential.

Federal Reserve System Chief Innovation Officer Sunayna Tuteja spoke about the importance of problem-solving and the need for appropriate guardrails when designing AI solutions. She encouraged government leaders in the audience to understand but get comfortable with the risks of AI and embrace innovation’s inherent uncertainty. The public sector doesn’t spend enough time thinking about the risk of not doing something, she told the audience.

Chris DeRusha, Federal CISO at OMB, Ginny Badanes, senior director at Microsoft Democracy Forward, and Glen Johnson, chief technology officer at the Department of State, delved into AI’s role in revolutionizing government cybersecurity. AI dramatically expands the capacity of federal agencies to detect anomalies, analyze data, and automate responses to cyber threats, they said.

Pritha Mehra, CIO of the U.S. Postal Service, revealed how USPS is leveraging AI to provide “accurate predictions of where your package is, when it’s going to be delivered and within the exact time.” AI is also helping USPS to document and rewrite legacy code, automate customer calls concerning passport applications and increase its ability to detect fraud, she said.

Brian Abrahamson, associate laboratory director and chief digital officer at Pacific Northwest National Laboratory, urged attendees to educate themselves on the possibilities of AI. He emphasized the importance of pilot projects and shared examples of AI’s transformative applications.

Michael Pencina, chief data scientist at Duke Health and vice dean for data science at the Duke University School of Medicine, joined Jennifer Rostami, assistant commissioner at the General Services Administration’s Technology Transformation Services unit, to discuss the need for ground rules around AI. They underscored the importance of ensuring transparency, trustworthiness, and fairness in applying AI in government. Building trust through governance frameworks and developing blueprints for employees and partners are critical steps public sector leaders need to take, they said.

Also speaking at the event were Patricia O’Neill-Brown, senior advisor at the Defense Intelligence; Kimberly Sablon, principal director for trusted AI and autonomy at the Department of Defense; and James-Christian Blockwood, executive vice president at the Partnership for Public Service. Adding additional perspective from Microsoft were Corporate Vice President, U.S. Government Affairs Fred Humphries; Microsoft Federal General Manager Brian Keith; Director for AI Public Policy Danyelle Solomon; Federal Security CTO Steve Faehl; and Vice President Federal Civilian Heidi Kobylski.

The innovation summit came on the heels of a landmark executive order focused on artificial intelligence and new OMB guidance issued by the Biden administration earlier in the week.

Also noted during the event was a new research report, “Gauging the impact of Generative AI on Government,” released by FedScoop last month, which examined how federal agency leaders are preparing to adopt AI. Microsoft underwrote the report.

Learn more about how AI can support government services from Microsoft.

The post Government leaders share strategies for embracing AI at federal innovation summit appeared first on FedScoop.

Speaking Tuesday at the Google Public Sector Forum, presented by Scoop News Group, Chris DeRusha, federal CISO and White House deputy national cyber director, noted that government authorization and assessment processes will be especially important when it comes to AI procurement.

“How do we ensure that we have an agile way of assessing the appropriate tools for government use and government-regulated data types? We can’t not do that,” DeRusha said. 

“We understand everybody’s really wanting to jump into the latest tools. But look, you know, some of these companies aren’t fully vetted yet, they are new entrants, and we have to ensure that you’re responsible for protecting federal data,” he added.

DeRusha said the government has “to go full bore in learning how to use this technology because our adversaries will do that.” To that end, the Biden administration last week released a database on AI.gov detailing hundreds of AI use cases within the federal government. 

Having that database should enable agencies to better drill down on specific AI applications, perform tests, launch pilot programs and ultimately see where the government can get “maximum benefit.” DeRusha cited better safety outcomes in transportation agencies as one possibility. 

And while “unintentional misuse” of AI worries DeRusha, ultimately the “benefits are so positive” for federal agencies when it comes to the technology.

Also top of mind for DeRusha is the implementation of the Biden administration’s National Cybersecurity Strategy, which was released in March, and the White House’s National Cyber Workforce and Education Strategy, published in July. 

DeRusha touted the benefits of having public-facing plans that note agency-specific responsibilities, quarterly targets and other details, essentially serving as a check on government officials to hold “ourselves accountable to ensure that we’re really making progress on all these things.” 

And after “decades of investments in addressing legacy modernization challenges,” DeRusha said now is the time for the government to prepare for “massive” long-term challenges, including, for example, those related to AI and the White House’s Counter-Ransomware Initiative, which now involves “almost 50 countries.”

“We’ve taken on pretty much every big challenge that we’ve been talking about for a couple of decades,” DeRusha said. “And we’re taking a swing and making” progress.

The post Federal CISO says White House targeting AI procurement as part of conversation on looming executive order, guidance appeared first on FedScoop.

Speaking Thursday at the Zero Trust Summit, hosted by CyberScoop, Chris DeRusha noted that the White House had seen significant advances over agencies’ approach to sharing systems data and urged further progress.

He said: “We need this folks, we need it. Because if we can’t know what’s happening in these networks, we can’t know how the bad guys move around. We can’t know when they’re gone.”

DeRusha added: “I’m excited … I know it’s a hard one. But you know what else it’s doing? It’s helping us with centralization. It’s moving the ball forward because it’s forcing around specific things, specific projects to get all the federated components to be working together towards the common goal of getting them data in one place, so we ourselves together.”

Logging, log retention and log management requirements for federal government agencies were included in section eight of the May 2021 Cybersecurity Executive Order issued by the Biden administration in the wake of the SolarWinds attack.

The guidance, contained within the EO, focused on ensuring centralized access and visibility for the highest-level enterprise security operations center of each federal agency, and was followed by a memorandum instructing agencies to increase the sharing of relevant information.

The White House in that memo included a maturity model for event log management intended to guide agencies’ implementation of its requirements across four event logging (EL) tiers: not effective, basic, intermediate, and advanced.

Speaking at the event, DeRusha said he understood the costs associated with log management, and that over time the White House will continue to fine tune logging requirements for agencies. 

The post Federal CISO hails improving federal agency log management appeared first on FedScoop.

Speaking Thursday, Chris DeRusha said the executive branch agency is focused on introducing measures that will codify long-term cultural change, such as listing costs associated with the cybersecurity approach as a specific budget line item.

“That gives the resource management side something easy to deal with,” the cybersecurity leader said, speaking at the CyberTalks conference presented by CyberScoop.

DeRusha added that obtaining further clarity on agencies’ zero-trust spend is key to ensuring long-term adoption of zero trust.

Memorandum M-22-09 was issued in January this year to provide a roadmap for the implementation of zero trust by 2024. The document included concrete requirements relating to multi-factor authentication, DNS request encryption and the segmentation of network perimeters.

At the time, the order was intended to provide an initial starting point for the cybersecurity approach, and to provoke the adoption of more comprehensive strategies at federal departments.

The order identified top cybersecurity priorities, including the consolidation of agency identity systems and treating all internal networks as untrusted. The latest plan moves agencies further towards fulfilling the requirement included in the Cybersecurity Executive Order issued last May by President Biden.

“We didn’t seek to write the pure end-state document for zero trust,” DeRusha noted.

The post White House has moved to zero trust implementation phase: Chris DeRusha appeared first on FedScoop.

“It seems like a pretty logical thing to do,” DeRusha said Friday, commenting on the requirements, “But, frankly, it’s not something we’d done to date.”

Already the Office of Management and Budget submitted two proposals to the Federal Acquisition Regulation (FAR) Council to eliminate specific contract clauses harming information sharing while including others identified as best practices through a data call.

The Cybersecurity Executive Order issued in May 2021 directed OMB and partner agencies to recommend updates to the FAR Council, and both proposals will be posted for public comment shortly.

The federal cybersecurity leader was speaking at the ACT-IAC Cybersecurity Forum.

Procurement is where most cybersecurity slowdown occurs, and streamlining contract clauses will reduce the time from requests for proposals to production, DeRusha added.

Agencies shouldn’t wait for new FAR requirements to be published to begin standardizing security requirements, said Steven Hernandez, CISO for the Department of Education. The department already has a FAR deviation it uses to include supply chain actions, secure software requirements, and Federal Risk and Authorization Management Program adherence in contracts.

Already software startups are adhering to the deviation and beating out incumbents for new Education contracts.

“We had some folks step up, that we had never done business with before, and say, ‘We can do all this, and we would be happy as can be to partner with the Department of Education in growing security,’ not just on security specific actions but also in our mission space,” Hernandez said.

The Department of Justice launched a Cyber-Civil Fraud Initiative in October to prosecute contractors that fail to report cyber incidents to the agencies they’re working with.

Given tensions over the Russian invasion of Ukraine, the federal cyber community is “seriously concerned” with a potential cyberattack — direct or something like NotPetya that spreads uncontrollably to affect critical infrastructure, DeRusha said.

For that reason OMB and the Office of the National Cyber Director, where DeRusha is deputy, are emphasizing agencies rearchitecting systems and establishing security controls like encryption to reduce threats to a manageable level.

“I don’t think we want a Shields Up mentality in perpetuity,” DeRusha said. “It’s something that is going to be really hard to sustain.”

That’s one reason the White House’s immediate cyber agenda has been so aggressive.

OMB’s draft memo on implementing the Secure Software Development Framework is forthcoming and represents the government using its buying power to drive industry toward safer practices.

Other near-term White House priorities include establishing centralized endpoint detection and response and developing secure multifactor authentication.

The Cyber Safety Review Board is a new coming together of senior government officials and industry representatives with a goal of publicly reporting cyber incidents post-review.

Lastly the White House is working with the inspectors general community to identify a subset of security performance metrics that should be reviewed annually.

“We’re now really dialing in a bit more on the things that are hopefully showing actual risk reduction in our environments and recent attack surfaces,” DeRusha said.

The post FAR updates that would mandate cyber incident reporting for contractors a year or more away appeared first on FedScoop.

Testifying before subcommittee of the House Homeland Security Committee Tuesday, Eric Goldstein said CISA has made “tremendous” progress as the cyber operational lead for civilian agencies and wants to work with Congress to annualize American Rescue Plan Act investments in its efforts — starting with the fiscal 2023 budget.

Deploying endpoint detection and response (EDR) tools is one such effort, part of a broader push begun by the Cybersecurity Executive Order (EO) issued one year ago to move agencies from perimeter-based to zero-trust security.

“Not even a year-and-a-half after execution of the executive order, we will have EDR deployments in place and underway at over half of the federal government with more rolling out in the months to come,” Goldstein said. “We have seen great uptake across federal civilian agencies, but the work needs to continue.”

A cross-agency review team with representatives from CISA, the Office of the National Cyber Director and Office of Management and Budget is currently reviewing the zero-trust implementation plans agencies submitted in accordance with the EO.

Among other things, CISA wants to ensure agencies are making the right funding requests to continue the work.

“That’s how we’re going to track progress,” said Chris DeRusha, deputy national cyber director and federal chief information security officer. “We’re going to get specific with each of these agencies and hold them accountable to those plans over multi-year.”

CISA met all of its deadlines under the executive order and continues to bring its Continuous Diagnostics and Mitigation (CDM) program Dashboard 2 and new cyber shared services to agencies.

Other CISA efforts include fully implementing relatively new authorities to conduct persistent threat hunting across agencies’ networks and encouraging adoption of software bills of materials (SBOMs) to provide a granular view into third-party supply chain risks. But all of that requires sustained funding.

“In order to get where we need to be, we need continued focus and continued investment in both cybersecurity and IT modernization across the entire federal civilian executive branch,” Goldstein said.

The post CISA expects most agencies to be deploying endpoint detection by FY23 appeared first on FedScoop.

DeRusha said during Palo Alto Networks’ Ignite ’21 event that he and his team at the Office of Management and Budget are “actively spending time trying to find new models” to attract cybersecurity talent to join the government and he pointed to USDS’s “tour-of-duty” model as an example of how the federal government can attract tech specialists to work with the federal government for short terms, typically less than two years.

The idea is that such a team would deploy “on-the-ground support … similar to what you see with U.S. Digital Service model, what they do for delivery,” DeRusha said. “Not fully the same model, but can you come up with something that looks like that for the cyber security side is something that we’re actively exploring.”

DeRusha credited USDS as a “really good model” because it not only attracts top technical talent to the federal government but also because it takes a user-centered approach when working with agencies.

“They get lots of highly skilled technical talent to come do tours of duty and tours of service. I think that’s the thing that we want to tap into is what model should we create on this side to get that same spirit of interest in serving?” he said. “And then how do we effectively deploy it in a way that is needed and useful, that we don’t make assumptions? And we don’t want to say you need ‘x’ and then find out that we were wrong. It really needs to be organic, with the agencies explaining to us what they need, and then also building a solution for that.”

As DeRusha — now dual-hatted as deputy national cyber director — leads the administration’s work to modernize cybersecurity under the recent cybersecurity executive order, he said building a strong cyber workforce is an integral part of a “three-legged stool,” along with strategy and funding, needed to implement cyber reforms.

“And if you don’t have any one of those three working symbiotically, it’s going to be really hard to make progress,” he said.

DeRusha is far from the only one in government exploring ways to narrow the cybersecurity skills gap in government. Earlier this week, the Department of Homeland Security launched a new system of its own to enable more effective recruitment, development and retention of cybersecurity talent.

The post Federal CISO teases idea of a USDS-like program to attract cyber talent appeared first on FedScoop.

Instead the Federal Zero Trust Strategy sets goals and requires actions of agencies that will help them achieve a degree of maturity in a few years, after which new goals and actions will be established, said Chris DeRusha.

The public comment period for the draft strategy ended Sept. 21, and finalizing and executing the strategy over the next three to six months is DeRusha’s top priority.

“It’s really our security modernization strategy when you read it,” DeRusha said, during the ACT-IAC Cybersecurity Summit on Wednesday.

The strategy covers a lot of capabilities the federal government has been trying to get agencies to implement for years, including asset inventories and identity and access management, he added.

Going hand-in-hand with the strategy is reform of the Federal Information Security Modernization Act, last updated in 2014. Lawmakers proposed a reform bill Monday, and part of the federal CISA’s job is to provide FISMA guidance to agencies.

The focus with FISMA reform is to get agencies to implement testing security measures, from DevSecOps to penetration testing to vulnerability disclosure programs, DeRusha said.

“The challenge is we largely do know what we need to do, but there are scarce skill sets to implement the latest and greatest technology solutions,” he added.

Agencies transition slowly as a result.

Compliance-based models also present a problem because, while they allow agencies to gauge their performance, they’re not sustainable given the dump of new federal directives like the cyber executive order or the zero trust strategy and logging memo out of OMB, DeRusha said.

“We have to help them balance those,” he said.

DeRusha’s office is helping implement a new model where the Cybersecurity and Infrastructure Security Agency and agency inspectors general assess cyber sufficiency and performance.

That model will take time to implement however, and public-private partnership is critical to its success.

“This is no time for status quo,” DeRusha said.

The post OMB opts for zero trust goals in lieu of impossible deadline appeared first on FedScoop.

Responsibility for selecting how the TMF should spend its money sits with the Technology Modernization Fund Board, which is made up of seven senior officials: three permanent board members, and four temporary members appointed by the director of the Office of Management and Budget.

First, the TMF Board issues a call for submissions — known as initial project proposals — to identify ideas for IT modernization that could have some of the biggest effects across government.

Board members then use four key benchmarks to decide which projects to take forward from the initial proposal stage: impact on user mission, feasibility, opportunity enablement and common solutions.

Impact on user mission translates in part to how visible a modernization program will be to the taxpayer. Feasibility, meanwhile, includes factors such as how much support a proposal has from inside an agency, and the credibility of the intended implementation strategy.

The board then decides which proposals should make it to the second selection stage and invites successful applicants to present a full project proposal. At this point, it will conduct an in-depth analysis of the financial plan included with each project.

At the second stage, the board then makes a final decision about which projects should receive funding. A contract is then drawn up between the GSA-managed TMF program office and the agency project team.

Funds are then disbursed incrementally to the successful applicants, and each project is assessed on a quarterly basis by the board to ensure they remain on track.

Commenting on the disbursement of funds on Thursday, Federal Chief Information Security Officer Chris DeRusha emphasized that the TMF Board would use the latest round of awards as a learning process for IT modernization best practice.

“The TMF Board and GSA will be tracking the progress of these projects, capturing lessons learned, and making adjustments along the way to help them be successful,” he said.

The post How the Technology Modernization Fund Board decides which projects to fund appeared first on FedScoop.

The Office of Personnel Management, General Services Administration and the departments of Homeland Security and Education will receive support for new proposals through the distribution, which in total hands out $311 million to agencies for projects largely focused on addressing cybersecurity, data privacy concerns and the move to zero trust. The board did not reveal the repayment terms for each project.

It is the seventh funding round since the TMF was established and responds directly to the Biden administration’s cybersecurity executive order, which mandated federal agencies to make rapid improvements in digital security.

OPM will receive $9.9 million in support for a zero-trust networking project, which is focused on protecting the privacy of two million civilian federal employees whose data is housed at the agency.

GSA has received a total of $231.4 million for three separate projects. The agency has been given $29.8 million to improve its zero-trust architecture, and $187.1 million to improve digital security at federal government authentication service Login.gov. It will also receive $14.5 million to support the rollout of interagency collaboration site Max.gov.

DHS will receive $50 million in support for a technology integration program intended to “more efficiently, effectively, and humanely process noncitizens encountered at our Southwest Border.”

The Department of Education has been awarded $20 million to assist with the adoption of zero-trust architecture, which the department says will help to protect the data of over 100 million students and borrowers that it supports.

The TMF board has also selected one classified project, for which no further funding details were available.

Commenting on the awards, Federal CIO Clare Martorana said: “The $1 billion for the Technology Modernization Fund was provided in the American Rescue Plan for essential emergency relief, and is a vital part of the administration’s response to the COVID-19 pandemic and the significant cybersecurity incidents impacting federal operations.”

“The administration is maximizing the flexibility of the TMF to modernize high-priority systems, elevate the foundational security of federal agencies, accelerate the growth of public-facing digital services, and scale cross-government collaboration and shared services. These first ARP awards represent a set of strategic investments to improve technology at scale across all of these areas,” she added.

The TMF in March received $1 billion through the American Rescue Act — the largest injection of funds since it was established in 2017. The additional infusion was intended to boost support for projects where service upgrades could be shared across agencies, that address immediate security gaps, or would improve the public’s ability to access government services.

After receiving the additional $1 billion, the TMF board introduced a prioritization process for funding certain projects and introduced a new degree of repayment flexibility.

The TMF has historically operated under a full repayment model, meaning that agencies are expected to adhere to a repayment plan, where projects are expected to yield financial savings that the agencies pay back within five years. However, the TMF board is now able to consider projects where partial repayment or minimal repayment is likely, based on assessments of the scope of projects.

Funding for the latest project awards will be distributed incrementally and will be tied to performance targets and delivery milestones. The selected projects will be reviewed quarterly by the TMF board to ensure they are on schedule and milestones are met.

TMF projects are proposed in a two-phase process, and agencies in the second step – the full project proposal – are expected to provide detailed financial information, and if necessary, make the argument why repayment flexibility should be extended.

Prior to the additional $1 billion injection earlier this year, the TMF in total had received $175 million in funding. The fund was created by the Modernizing Government Technology Act, signed by then-President Donald Trump.

Editor’s note: This story was updated to include a per-project breakdown of new funding awards.

The post Technology Modernization Fund support awarded to 7 new agency IT projects appeared first on FedScoop.