During panel discussions Wednesday at the Scoop News Group-produced Amazon Web Services Innovate Day, chief information security officers downplayed the Sept. 30 deadline on targets called out in the Office of Management and Budget’s zero trust architecture strategy, expressing both confidence that they will hit the goals and readiness to turn the page on the January 2022 memorandum. 

“The status of OPM zero trust is pretty darn good,” said Office of Personnel Management CISO James Saunders. While there’s work to be done at OPM on the data pillar of the Cybersecurity and Infrastructure Security Agency’s zero trust maturity model, Saunders said that “overall, I think we’re on track and on target to hit the end of this fiscal year goal.”

The Department of the Interior — and its 11 bureaus and eight offices — may not have had quite so smooth a path, but CISO Stan Lowe said the agency is in a good position with its adoption of “practical zero trust.”

“We’re always going to live in a hybrid environment where I’m going to have legacy applications,” Lowe said. “It’s an ongoing, continuous thing. It’s not a destination, it’s a journey, because technology is going to change.”

The “ongoing” nature of meeting the White House’s zero trust benchmarks was on display at Interior with its work on implementing phishing-resistant multifactor authentication — a callout under the identity pillar of the strategy. 

When Lowe, a Federal Trade Commission and Veterans Affairs alum, took over as Interior’s CISO in 2023 after several years in the private sector, he was greeted by “a lot of legacy stuff … floating around the department.” He quickly discovered that what worked for one bureau might not for another — at least in those early stages of MFA adoption.

“The requirement says ‘phishing-resistant MFA.’ Well, that wasn’t necessarily possible [for some offices], so my position on that in the beginning, until we got to the point, was any MFA is better than no MFA,” Lowe said. 

Tackling the zero trust architecture pillars has been filled with trade-offs and shifting strategies of that kind for agency CISOs. Saunders, for example, said funding was the “biggest challenge” for OPM early on, especially coming off an August 2021 OMB memo on logging that “did not come with extra money” for agencies.

A $9.9 million investment from the Technology Modernization Fund to OPM in September 2021 ultimately proved to be a game-changer in fueling the agency’s zero trust work.

Still, a lesson in budgeting and prioritization was learned. “For a lot of these new cybersecurity investments, we need to engage with our business [counterparts] because TMF is only going to support us for so long,” Saunders said. “And that’s a continuous conversation; continuous engagement was not something that was necessarily a strong suit of the cybersecurity organization at the time.”

Shane Barney, CISO at U.S. Citizenship & Immigration Services, described zero trust as “the world’s biggest unfunded mandate for a lot of organizations.” That changed for USCIS when “all of [the Department of Homeland Security’s] different director heads” got in a room and “actually prioritized it first — and it’s not a small amount of money,” Barney said.

“They recognized the connection between security and the business being successful,” he said, adding that zero trust essentially amounts to good “cyber hygiene.”

For any CISO given a mandate to implement agency-wide technical change, internal cultural resistance is a frequent roadblock. Lowe joked that the security organization within Interior has a reputation of putting “the ‘no’ in ‘innovation.’’ 

But Lowe is entering the zero-trust sprint to the end of fiscal 2024 feeling “pretty optimistic.” After Interior weathered the Ivanti VPN vulnerability earlier this year, the veteran CISO said he’s ready for whatever comes next in the federal government’s cybersecurity journey.  

“Having worked in organizations that are fully zero trust and having gone through that journey with those organizations, I know this is possible,” Lowe said. “It’s just gonna take some intestinal fortitude and some hard decisions along the way to be able to get this done.”

The post Agency CISOs aren’t sweating a looming zero trust deadline appeared first on FedScoop.

Key points include a forthcoming DHS-wide policy directive on artificial intelligence, new guidance from the Cybersecurity and Infrastructure Security Agency focused on AI security, and an expected report from the Countering Weapons of Mass Destruction Office focused on the technology’s risks. The roadmap also highlights several ways the agency plans to use or is already using artificial intelligence, including for tracking suspicious vehicle patterns at the border and assessing damage to buildings after disasters. 

“The unprecedented speed and potential of AI’s development and adoption presents both enormous opportunities to advance our mission and risks we must mitigate,” DHS Secretary Alejandro N. Mayorkas said in a press release. 

Several DHS applications focus on generative AI or language models, including building an AI sandbox to experiment with large language models. The document says U.S. Citizenship and Immigration Services is considering using LLMs to train officers working with refugee and asylum applicants, while Homeland Security Investigations, the agency’s investigative arm, is looking at using the technology to look for patterns in documents being analyzed as part of investigations. The Federal Emergency Management Agency, meanwhile, is planning to use generative AI to help with creating mitigation plans required for certain community resilience grants.   

The document also highlights other goals, including a new working group based in the Science and Technology Directorate that will eventually produce an action plan meant to address topics like algorithm training, pilots, and AI-enabled adversaries. The directorate will also create a testbed that will provide independent assessment services.

The roadmap comes as the agency ramps up its work on artificial intelligence. Last month, DHS announced it would hire 50 new AI experts for its AI Corps. Last year, the agency established an AI task force and released guidance meant to direct how employees use tools like ChatGPT and Dall-E.

DHS, per previous FedScoop reporting, has repeatedly updated its AI inventory, a public list of use cases required by a Trump-era executive order. That inventory has also been criticized by the Government Accountability Office for including a non-AI use case.

The post Department of Homeland Security lays out AI plans in new roadmap appeared first on FedScoop.

New forms of AI listed in the inventory include a system called RelativityOne, which is described as “a document review platform used to gain efficiencies in document review.” (That use case is similar to initiatives at other agencies, including the Department of State and the National Archives, that aim to use AI to search, track, and sort through troves of documents).

Other new tools disclosed include a previously unlisted facial recognition system being used by Immigration and Customs Enforcement, as well as technology being used by Customs and Border Protection to identify “proof of life” and stop fraud within an app created by the agency. Some use cases appear to have been renamed; for instance, there is now a “Machine Translation” use case that was previously described as “Language Translator”. Details of the new use cases were identified through a comparison of the agency’s current web pages with historic versions of its web pages saved on the Wayback Machine internet archive.

Changes to the agency’s inventory, which Executive Order 13960 requires agencies to produce, come amid ongoing FedScoop reporting and the work of other technology researchers highlighting patchwork compliance with AI disclosure requirements. Agencies are supposed to update these use cases annually.

The agency has also removed reference to other AI use cases, again, according to a comparison of current and historic web pages. For example, DHS’ AI inventory web page previously included a reference subsection focused on the Transportation Security Agency that only listed a system called PageRank, which had been described as using an algorithm to address Covid-19 risks at airports. Now, both the reference to the TSA and PageRank appear to have been deleted. In addition, a subsection for the Coast Guard previously listed on DHS’s inventory has also been removed — that subsection previously listed an AI program called the “Silicon Valley Innovation Program (SVIP) Language Translator.” 

Further, DHS has changed the format in which it discloses its AI inventory, creating new sub-sections and adding a separate spreadsheet to list instances of the technology. Reference to the RelativityOne tool is included under a new sub-section of the inventory, called DHS Enterprise, and is also listed on the new spreadsheet, which was published on July 26. 

The RelativityOne use case was not logged on the inventory as of late July, according to a version of the website saved by Wayback Machine.

The addition and removal of use cases is a reminder that the best practices for editing and changing these inventories may still be unclear. In the midst of FedScoop’s reporting, the Department of Transportation deleted a reference to the Air Traffic Office using ChatGPT for code-writing assistance. The State Department, meanwhile, still lists a project designed to use AI to forecast violence and Covid-19, despite the agency telling FedScoop that the use case was no longer active. DHS did not clarify by the time of publication whether removed projects are no longer active — or why two subagencies, the Transportation Security Agency and the Coast Guard, were removed from the inventory. 

The day before FedScoop published an investigation into agencies’ compliance with Executive Order 13960, the agency appears to have edited its main page for logging AI use cases to reference a new, separate “AI Use Case Inventory publication library page,” according to Wayback Machine. That spreadsheet is dated about two weeks after FedScoop first reached out to DHS — which did not respond to two requests for comment — about the state of its inventory. 

The post Homeland Security reveals new AI use cases — and removes references to others appeared first on FedScoop.

The Department of Health and Human Services Office of Inspector General is adjusting six foundational, zero-trust projects it identified based on the zero-trust strategy the Department of Defense released in November.

HHS OIG already has zero-trust technology procurements underway, though no deployments as of yet.

“We’re going to adjust that roadmap, based on the strategy that was released, because I like some of the 91 points that are in there,” said Chief Information Officer Gerald Caron, during the Fortinet Security Transformation Summit produced by Scoop News Group.

HHS OIG is “chasing” Technology Modernization Fund dollars right now, which would be a “gamechanger” for its zero-trust projects, Caron said. The agency recently entered Phase 2 of that process. 

Meanwhile DOD’s CIO for cybersecurity is working with the Chief Digital and Artificial Intelligence Office to propose a data tagging and labeling standard before the end of fiscal 2023.

“That’s critical to get to the later stages of zero trust, especially if you want to go to advanced zero trust, especially if you want to get sophisticated in the visibility and analytics pieces of zero trust,” said Randy Resnick, director of the ZT PMO. “Because if you don’t know what data you’re sitting on, if it’s not properly tagged or labeled, it’s very difficult to do that analytics.”

The standard will also enable better data sharing across the enterprise.

DOD is in the midst of its Program Objective Memorandum cycle, where components seeking funding for zero-trust projects may place their requests, but they won’t receive the money for two years after approval.  Resnick’s office is willing to offer bridge funding if the component can prove a “legitimate need,” give that zero trust is a “high priority” for DOD, Resnick said.

“I would suggest work with the portfolio office, and we will try to advocate for you for this year’s dollars, move things around,” he said.

U.S. Citizenship and Immigration Services is developing a more adaptive, fluid trust model because often a user or device on the network is simply trusted or it’s not.

Machine learning will soon be making those decisions and “driving a very different type of risk model,” said Chief Information Security Officer Shane Barney.

“You’re going to be adapting trust more in a real-time sense,” Barney said. “And it’s going to be taking a number of very critical factors that do that in your environment.”

The post Agencies finding their zero-trust priorities vary, funding needs less so appeared first on FedScoop.

But as they speed up their adoption of zero-trust security, they still face challenges with legacy applications and architectural gaps; compliance requirements; or financial and operational concerns. It’s not necessarily about adopting new technologies or products but rather an overall strategy that should be programmatically mapped according to each agency’s unique use-case requirements and capabilities.

That is evident according to federal leaders from nearly a dozen agencies who joined FedScoop to talk about their success thus far and the challenges as they implement zero trust. The interview series, Federal Zero Trust: Moving from Aspiration to Transformation, underwritten by Forcepoint, provided a platform for leaders to share their experiences.

“Taking the federal government in this significant shift towards the zero-trust paradigm is not a singular project; it’s not one thing; it’s a fundamental change to how we’re approaching federal agencies, their data and their security evolve. Our goal is to raise the baseline over the next few years, and everybody is starting in a different place with different parts of that journey,” says Mitch Herckis, director of federal cybersecurity in the Office of the CIO at OMB.

He explains that one of the biggest challenges is the “decades of technical debt that have been ignored” and how that manifests itself when agencies are unable to implement security measures. “It’s so important for us to think of this as a cohesive strategy in line with their broader IT development strategy, and how they’re thinking about not just their cybersecurity [budget] as a whole, and how they strategically invest that, but also how they’re investing in their overall IT modernization.”

The Department of Defense, meanwhile, recognizes that its security efforts set an example for the entire federal government. David McKeown, senior information security officer and deputy CIO at DOD, says, “we have an aggressive schedule. We want to be in alignment with the federal mandates called out in EO 14028 and the corresponding NSM-8, which is also going to cover zero trust for national security systems. We want to implement zero trust throughout the whole [department] by the end of FY27. We will stay in alignment in the near term with the three-year goal for the capabilities that are being called out there, but our zero-trust plan that we have right now is very well defined; we’re hoping to share that with the rest of the federal government.”

Although the DOD has a robust plan for traditional admin-type and command and control networks, they still have work to do on the weapon system and critical infrastructure front.

At the U.S. Navy, CISO Tony Plater details how they’re planning to implement zero trust principles across multiple networks, domains and functional silos. He also talks about working directly with the DOD Portfolio Management Office, so they don’t duplicate efforts and ensure greater synergy.

Plater shares his insights on the Navy’s move to Flank Speed, a single enterprise cloud environment for daily work. “Flank Speed is our core platform for extending our zero-trust architecture across the Navy enterprise….and we see it as meeting or fully integrating into the eventual zero-trust ecosystem requirements. Today, Navy users can access Flank Speed sources without using a VPN to connect to government networks. So that’s a big step forward for us,” he says.

Another agency that leveraged the cloud was the U.S. Citizenship and Immigration Services. CISO Shane Barney explains the agility of being 95% cloud-based and highlights how “[USCIS] started its zero trust journey many years ago, primarily because we were in the cloud; we recognized the value of cloud. And we recognize what we could do with the cloud, which would later become more known as zero trust; we just called it good cyber hygiene.”

He also discusses the importance of investing in security automation early. “Don’t make that one of the last things you do,” he says. “Make it the first thing you do because it’s much easier to add in the pieces of the puzzles as you go into that automation platform than it is to retrofit it in.”

Leaders understand the capabilities necessary to move forward in their journey, and each agency has different priorities to unify approaches across the pillars of zero trust to transform.

As Department of Labor CISO Paul Blahusch put it, “Zero trust is revolutionary, not evolutionary. It will take resources, technology, people and professional services.”

Other participants who shared their experiences in the video series include:

• Steven Hernandez, CISO, Department of Education
• Chezian Sivagnanam, Chief Enterprise Architect, National Science Foundation
• Stephen Haselhorst, Zero Trust Program Manager, FDIC
• Amy Hamilton, Senior Cybersecurity Advisor for Policy and Programs, Department of Energy

This video series was produced by Scoop News Group for FedScoop and sponsored by Forcepoint.

The post How agencies are moving zero trust from aspiration to transformation appeared first on FedScoop.

Oshinnaiye confirmed to FedScoop his move from one DHS agency, the U.S. Citizenship and Immigration Services, where he was deputy chief information officer, to another in TSA. He starts work at TSA on May 9.

Oshinnaiye joined DHS as an IT specialist in 2012, according to his LinkedIn profile, and rose to the position of division chief for enterprise infrastructure before becoming deputy CIO.

Earlier in his career, he worked as a technical specialist for IT technology and services company Electronic Data Systems.

Oshinnaiye starts work as TSA forges ahead with plans to reduce cybersecurity threats to airports and railways across the U.S. A recent directive requires high-risk air and rail transit entities to appoint cybersecurity coordinators, establish a contingency and recovery plan, and report cyberattacks to the government.

DHS launched the fourth in a series of 60-day cybersecurity sprints in September last year, aimed at strengthening the resilience of the transportation sector, in light of the “indiscriminate nature” of ransomware, said Alejandro Mayorkas.

News of the appointment was first reported by Federal News Network.

A TSA spokesperson confirmed the appointment.

This article was updated to include Oshinnaiye’s May 9 start date.

The post TSA appoints Yemi Oshinnaiye as CIO appeared first on FedScoop.

Gerald Caron said HHS OIG’s model consists of eight pillars, as opposed to the Department of Homeland Security‘s five, complete with functional capabilities — like loss prevention and segmentation under the data pillar and authentication and access under the user pillar.

DHS’s Cybersecurity and Infrastructure Security Agency drafted the Zero Trust Maturity Model in June to help agencies comply with the Cybersecurity Executive Order, but Caron finds some people still talk about the strategy like it’s solely the identity pillar.

“I start with the data,” Caron said, during the 2022 Zero Trust Summit presented by CyberScoop on Wednesday. “That’s what I’m protecting, that’s what the users are protecting, that’s what the bad guys want.”

That’s not to say the user and identity pillars aren’t important, but the first questions a cyber analyst will ask post-breach are what did the person have access to and was there exfiltration — data questions, he added.

HHS OIG’s model is changing the way its auditors and assessors evaluate IT systems because Caron watched one — with all its authorizations to operate and that passed all the National Institute of Standards and Technology‘s Security Program controls — totally fail on zero-trust controls and procedures.

“We’ve got to figure out a way to measure effectiveness and not just compliance because they are two different things in my eyes,” Caron said. “And that’s what we really want to be; we want to be effective at cybersecurity.”

The chief information security officer of U.S. Citizenship and Immigration Services, Shane Barney, echoed Caron’s sentiment that while there’s a place for compliance and it adds value, it will never be security.

USCIS threw out a compliance mindset when it “fell into” its zero-trust strategy through cloud migration about a decade ago, Barney said.

“I’m not going to knock the federal government; I love the federal government actually,” he said. “But we do so love our checkboxes, and we so love our scorecards.”

Once HHS OIG developed its zero trust functional capabilities model, the office compared it with DHS’s to identify gaps. HHS OIG asks vendors it works with to do the same.

That information serves as an input to HHS OIG’s roadmap with multiple objectives under each pillar. HHS OIG meets objectives through phased projects across every pillar.

Foundational projects include identity; data mapping, which entails taking an application and mapping all the data it handles to baseline what needs protecting; and implementing Trusted Internet Connections 3.0 to improve user experience.

“My users are part of my team,” Caron said.

The post HHS OIG took the Zero Trust Maturity Model a step further appeared first on FedScoop.

OCDO’s Data Quality Branch already created a process allowing USCIS‘s more than 1,000 data analysts to report data issues, and next the office wants to streamline processing of employment authorization documents (EADs).

To do that OCDO must first use data to determine which cases are easier to adjudicate among large groups before automating the process — thereby freeing up adjudicators to work on harder cases.

“Data standards are so important here because our legacy case management systems are very transactional; they’re not quite person-centric yet,” Puchek said, during a Data Foundation virtual event Tuesday. “So being able to link different records together or different receipts together around the same person — all these applications are really for the same person — has become incredibly important to reconcile as we are designing these latest streamlined processes.”

OCDO is about to refresh USCIS’s three-year-old data strategy, which has four goals: data management, business intelligence, network analytics and optimization. The exercise with involve making “hard choices” about what OCDO will and won’t address this year, but data standards are the priority, Puchek said.

Puchek is optimistic OCDO can implement more of the 108 data standards approved the last three years, despite them proving the hardest discipline to elevate among USCIS personnel due to aging internal systems.

“Now it’s considered technical debt,” Puchek said. “So it’s just hard to get it bumped up in the agile backlog and prioritize it.”

The post USCIS chief data officer prioritizing data quality in fiscal 2022 appeared first on FedScoop.

Reps. Gerry Connolly, D-Va., and Jody Hice, R-Ga., of the House Committee on Oversight and Reform are seeking to establish whether government departments have met an implementation deadline of Nov. 12, 2021, set by the Office of Management and Budget to begin accepting electronic identity proofing and authentication processes to release citizens’ personal data to lawmakers.

The lawmakers sent the request for information to the Internal Revenue Service, Social Security Administration, United States Citizenship and Immigration Services, the Department of Veterans Affairs and the Centers for Medicare and Medicaid Services.

“Please provide the status of your agency’s implementation of the requirement in the CASES Act and the OMB guidance that agencies accept ‘remote identity- proofing and authentication through digital processes,’ including the final date of implementation,” the lawmakers’ missive says.

The CASES Act was signed into law during the Trump administration with the intention of streamlining how members of Congress work with their constituents. As required by the law, OMB issued guidance requiring agencies to accept electronic identity proofing and authentication processes to release citizens’ personal data by the November 2021 deadline.

Before the CASES Act, privacy law required constituents to fax, scan or mail a sheet of paper to their congressional representatives simply to authorize the lawmaker to work with relevant federal agencies on their behalf. In particular, the Privacy Act of 1974 prohibits disclosure of federal agencies of any record contained in a system without the prior written consent of the individual to whom the record pertains.

The post Lawmakers seek information from agencies on CASES Act implementation appeared first on FedScoop.

U.S. Citizenship and Immigration Services (USCIS) isn’t the only player in the “grand life cycle of immigration,” and often the State Department or Customs and Border Protection interact with people — collecting documentation or facial recognition data — before they enter the country.

Existing data-sharing agreements or memorandums of understanding (MOUs) may date back decades and cover specific uses, failing to account for how much agencies like USCIS need to repurpose and reuse that data.

“There are too many MOUs out there that say only this system can talk to explicitly only this system, but it’s like wait, wait, wait, wait five other groups in our agency need the exact same data,” said Damian Kostiuk, chief director of USCIS’s Data Analytics Division, during an ACT-IAC webinar Tuesday. “No, don’t lock me out when this is critical; if I had it I could automate and help people get through the system faster.”

USCIS is working toward semantic models that link disparate data from multiple agencies, rather than rely on a single datapoint like facial recognition. Biographic and fingerprint data can also help triangulate a person’s identity, and their original interaction with the government may have been when the State Department verified a marriage certificate that can be digitized.

The Office of the Chief Data Officer within USCIS is standing up data quality and management programs targeting external, “golden” data key to identity verification held by other agencies.

“If we can get these to work together through data-sharing agreements, honestly I’m really excited about where we’ll be and what we can do to try and remove, as much as possible, bias from these algorithms,” Kostiuk said. “We’ll just have such a huge pool of information to be able to train them, as opposed to them being trained on various, specific subsets.”

Bias in facial recognition and other biometrics data is one of several challenges USCIS must overcome before the technologies can be used to help adjudicate benefits like green cards.

Prior to the pandemic, USCIS was working on a pilot using facial recognition to remotely verify identities. That pilot is being dusted off.

“Right now USCIS, by policy, is not currently allowed to use facial recognition for any part of the process that involves adjudication of a benefit,” said Ryan Koder, chief of biometrics and scheduling. “That’s stuff that … is going to have to change.”

The Customer Profile Management System (CPMS) is USCIS’s centralized repository for all biometric data captured from immigration applicants and allowing for identity management in the form of background checks, re-checks and card production. USCIS wants to match a facial recognition image collected using the CPMS app on a mobile device with images in its catalogue, a “gold standard,” said Timothy Murray, acting chief of the Information Records and National Security Delivery Division.

Most matches have a high level of confidence, but USCIS must address other considerations like bias; certain ethnicities haven’t matched well. The good news is other Department of Homeland Security agencies have deployed mobile apps doing similar things, and its Science and Technology Directorate is working to isolate and measure specific features that lead to bias in order to come up with a response policy.

USCIS must also come up with policies for data protection involving encryption, usability so other apps can leverage the biometrics being created, and fraud addressing the “considerable threat” of deepfakes no longer being perpetrated solely by state actors, Murray said.

A final consideration is privacy and ensuring biometrics collected are used only for their intended purpose.

USCIS’s data-sharing agreements “absolutely go through the ringer” with general counsel and privacy officers to identify those purposes, while the agency’s data management program ensures flags, or else explicit controls, are in place to prevent misuse, Kostiuk said. The next step is parsing anonymized, but statistically relevant data among different groups.

The post USCIS pursuing broader data-sharing agreements with other agencies appeared first on FedScoop.