During panel discussions Wednesday at the Scoop News Group-produced Amazon Web Services Innovate Day, chief information security officers downplayed the Sept. 30 deadline on targets called out in the Office of Management and Budget’s zero trust architecture strategy, expressing both confidence that they will hit the goals and readiness to turn the page on the January 2022 memorandum. 

“The status of OPM zero trust is pretty darn good,” said Office of Personnel Management CISO James Saunders. While there’s work to be done at OPM on the data pillar of the Cybersecurity and Infrastructure Security Agency’s zero trust maturity model, Saunders said that “overall, I think we’re on track and on target to hit the end of this fiscal year goal.”

The Department of the Interior — and its 11 bureaus and eight offices — may not have had quite so smooth a path, but CISO Stan Lowe said the agency is in a good position with its adoption of “practical zero trust.”

“We’re always going to live in a hybrid environment where I’m going to have legacy applications,” Lowe said. “It’s an ongoing, continuous thing. It’s not a destination, it’s a journey, because technology is going to change.”

The “ongoing” nature of meeting the White House’s zero trust benchmarks was on display at Interior with its work on implementing phishing-resistant multifactor authentication — a callout under the identity pillar of the strategy. 

When Lowe, a Federal Trade Commission and Veterans Affairs alum, took over as Interior’s CISO in 2023 after several years in the private sector, he was greeted by “a lot of legacy stuff … floating around the department.” He quickly discovered that what worked for one bureau might not for another — at least in those early stages of MFA adoption.

“The requirement says ‘phishing-resistant MFA.’ Well, that wasn’t necessarily possible [for some offices], so my position on that in the beginning, until we got to the point, was any MFA is better than no MFA,” Lowe said. 

Tackling the zero trust architecture pillars has been filled with trade-offs and shifting strategies of that kind for agency CISOs. Saunders, for example, said funding was the “biggest challenge” for OPM early on, especially coming off an August 2021 OMB memo on logging that “did not come with extra money” for agencies.

A $9.9 million investment from the Technology Modernization Fund to OPM in September 2021 ultimately proved to be a game-changer in fueling the agency’s zero trust work.

Still, a lesson in budgeting and prioritization was learned. “For a lot of these new cybersecurity investments, we need to engage with our business [counterparts] because TMF is only going to support us for so long,” Saunders said. “And that’s a continuous conversation; continuous engagement was not something that was necessarily a strong suit of the cybersecurity organization at the time.”

Shane Barney, CISO at U.S. Citizenship & Immigration Services, described zero trust as “the world’s biggest unfunded mandate for a lot of organizations.” That changed for USCIS when “all of [the Department of Homeland Security’s] different director heads” got in a room and “actually prioritized it first — and it’s not a small amount of money,” Barney said.

“They recognized the connection between security and the business being successful,” he said, adding that zero trust essentially amounts to good “cyber hygiene.”

For any CISO given a mandate to implement agency-wide technical change, internal cultural resistance is a frequent roadblock. Lowe joked that the security organization within Interior has a reputation of putting “the ‘no’ in ‘innovation.’’ 

But Lowe is entering the zero-trust sprint to the end of fiscal 2024 feeling “pretty optimistic.” After Interior weathered the Ivanti VPN vulnerability earlier this year, the veteran CISO said he’s ready for whatever comes next in the federal government’s cybersecurity journey.  

“Having worked in organizations that are fully zero trust and having gone through that journey with those organizations, I know this is possible,” Lowe said. “It’s just gonna take some intestinal fortitude and some hard decisions along the way to be able to get this done.”

The post Agency CISOs aren’t sweating a looming zero trust deadline appeared first on FedScoop.

The request for information, which is required by President Joe Biden’s recent AI executive order, appeared on the Federal Register public inspection Friday and is set for official publication Jan. 30. Comments are due within 60 days of publication.

OMB is asking specifically for comments on topics such as risks related to AI that agencies might consider when completing privacy impact statements — which agencies use to analyze the handling of information — and updates OMB might make to guidance to improve how agencies address and mitigate those risks.

“Existing privacy risks are escalating, and new privacy risks are emerging,” OMB said in the request. “It is important to hear from the public as OMB considers what updates to PIA guidance may be necessary to ensure that PIAs continue to facilitate robust analysis and transparency about how agencies address these evolving privacy risks.”

The post OMB seeks input on privacy impact assessments for AI use appeared first on FedScoop.

Jonathan Finch, the White House’s acting director for digital experience, said during a webinar Tuesday that the General Services Administration’s Technology Modernization Fund is staying especially busy with requests of that kind, which are coming in the aftermath of OMB M-23-22, released last September, and a December digital accessibility memo building off that guidance and the 21st Century Integrated Digital Experience Act of 2018. 

“One area that we are seeing a lot of interest in — I think it’s manifesting in what agencies are coming to TMF with — is the accessibility piece,” Finch said during the Advanced Technology Academic Research Center event. “And so we’re doubling down there.” 

The September OMB guidance, intended to better help agencies with the implementation of 21st Century IDEA, was part of a governmentwide initiative to modernize federal websites, digitize services and forms, bolster customer service and templatize shared services. Accessibility, Finch said, is a “foundational piece to the bigger picture here.”

“We believe very strongly that you can’t improve digital experiences if they’re not made in an accessible fashion,” Finch said. “And so I think we are signaling the focus there, and I think agencies are starting to respond. I know that a lot of the conversations that the TMF team has had with agencies has been around, how can they take steps to improve accessibility? And we’re excited about that.”

Rachel Sauter, technical investment manager at TMF, said during a panel discussion later in the event that the funding vehicle’s board put out a call for proposals in August tied to projects aimed at implementing 21st Century IDEA. 

That new streamlined process was targeted at addressing two pieces of the legislation’s requirements: digitizing paper in PDF forms and improving the accessibility of websites. 

Sauter said the TMF made those particular selections because “they felt like projects that agencies could tackle with an infusion of funds, whereas other areas of the act may require more extensive planning and policy decision-making.” The Office of Personnel Management, the Department of Veterans Affairs and the Bureau of Land Management are among the agencies TMF is working with in this area, Sauter noted.

Kevin Hoffman, director of design and user experience in the VA’s Office of the CTO’s Community of Practice, said that TMF investment is helping the agency “supercharge” three modernization projects: improving forms on va.gov at scale, integrating personalized patterns across the digital customer experience, and investing in data visualization, with the goal of helping those involved in clinical decisions.

When thinking about modernization more broadly, Finch said that the perspective of the White House and agencies should ultimately be one of collaboration. 

“It really does need to be an all-encompassing effort, for our industry partners, our agency delivery teams, across government initiatives like TMF, we each have a critical role to play here,” Finch said. “And when we come together, that’s really when we unlock the ability to deliver better digital experiences, and ultimately meet the expectations the public does have for us.”

The post White House is ‘doubling down’ on accessibility when it comes to digital experiences appeared first on FedScoop.

Section 508, which was established as a 1998 amendment to the Rehabilitation Act, remains the primary portion of federal law outlining agencies’ responsibilities for digital accessibility. Critically, compliance with Section 508 remains a major challenge for federal agencies. Regular automated testing conducted by the GSA has shown that many federal websites have at least one documented accessibility issue, like not including an image description. 

The assessment published on Thursday found that “overall compliance to Section 508 is well below expectations given the federal government has had over 20 years to implement programs capable of achieving and maintaining modern ICT Standards.” More than three quarters of the agencies that responded were at or below average in terms of compliance, the report explained, and less than 30 percent of top-viewed online content analyzed conformed with standards. 

GSA’s analysis called for required Section 508 training and increased agency oversight, along with potential new steps for Congress, like updating definitions in the accessibility statute and exploring steps for “proactively” enforcing the law. 

“The government as a whole is not meeting the minimum standard or legal obligation to provide equal access to all members of the public and federal employees with disabilities,” the assessment found. 

The new report, which is called the “Governmentwide Section 508 Assessment” and is based on compliance assessments submitted by many federal agencies, was required under the appropriations law signed at the end of last year. Those agency analyses, which asked officials about their investments in digital accessibility, like their staffing and technical evaluations, were due to GSA back in August. Agencies were previously required to submit semi-annual reports. 

At the time of publication, FedScoop hadn’t received responses to requests for comment on the report from the GSA, the U.S. Access Board, an independent government agency that focuses on accessibility issues and creates technical standards, or the three congressional committees supposed to receive the report — the House Oversight Committee and the Senate Appropriations and Homeland Security committees. 

The assessment comes after the White House last week released a memo meant to guide agencies in their compliance with Section 508 and help boost federal website accessibility. “All members of the public and all Federal employees should have equal access to government,” said an OMB spokesperson, who pointed to that memo.

Many Chief Financial Officers Act agencies contacted by FedScoop did not want to provide comment before the GSA’s publication of the report. Some, however, were willing to comment on their accessibility investments and the new OMB requirements. The Small Business Administration, for instance, said it remained committed to ensuring its website was accessible. 

“We are aware of the OMB memo and will continue to closely follow their guidance to ensure the SBA maintains the highest possible standards of accessibility not just on its website, but across all programs and services,” a spokesperson for the SBA told FedScoop.

The Environmental Protection Agency told FedScoop in advance of the report’s publication that 93 percent of its websites conformed with Section 508 and that nearly 150,000 of its websites were tested for compliance. The guidance shared by OMB “aligns” with the EPA’s existing planning, said Dominique Joseph, a spokesperson for the agency. She added that the agency’s Section 508 officer can collaborate with the agency’s chief information and acquisition officers and that updated guidance for the agency’s acquisitions was currently under review. 

“In the coming year, the 508 Program plans to expand its efforts to collect, measure and dashboard digital accessibility compliance data,” Joseph said. “For example, EPA intends to increase 508 compliance manual and automated assessments, leveraging existing tools [and] acquisition tools provided by GSA and expanding the complaints process. EPA would also like to centralize the collection of digital accessibility complaints and issues that are received across the agency.”  

This story was updated with comments from OMB.

The post Government not meeting minimum accessibility standards on federal websites, GSA report finds appeared first on FedScoop.

OMB’s “No TikTok on Government Devices” guidance was issued last February, but the Treasury Inspector General for Tax Administration’s review revealed that the tax agency’s CI division hadn’t cut off workers’ access to the app as of August, nor had it sought an exemption from the rule from the Treasury Department. 

Criminal Investigation officials told TIGTA that they did not plan to pursue a law enforcement exception for the 900 employees who could access TikTok via agency computers because the app could only be used “via a third-party software, which does not directly connect IRS devices to TikTok.” 

With regard to the 2,800 mobile devices within CI that are in violation of the OMB guidance, IRS management recommended that the unit move its phones over to device management software that the rest of the agency uses. That software, the report noted, does have the ability to block access to TikTok.

The IRS said it disagreed with TIGTA’s recommendation that the CI chief should coordinate with the agency’s chief information officer to ensure that TikTok access is cut off, saying that it “instead is establishing an internal process to adjudicate limited exceptions” and requests will be considered by IRS Commissioner Danny Werfel “or his designee.”

Aside from the access issues highlighted in the CI division, TIGTA found that the IRS was largely compliant with the TikTok ban, and in the cases where it wasn’t, corrective action was taken.

For example, TikTok was accessible on 23 mobile devices that were used by the agency’s Communications and Liaison group to monitor social media, but when informed of the oversight by TIGTA, the agency moved the devices over to the existing software, in the process cutting off access to the app.

The IRS also agreed to update its “Bring Your Own Device” policy — which allows agency employees to use personal devices for business purposes — to align with OMB guidance by October 2024. Prior to the TIGTA report, the agency’s guidance did not connect the TikTok ban to participants in that program.

The post IRS has compliance issues with government TikTok ban, report finds appeared first on FedScoop.

The Department of Agriculture, the National Science Foundation and the Small Business Administration all hit OMB’s August 2023 deadline to reach advanced (tier 3) status for logging, meaning the agencies are fully compliant with requirements for implementation, centralized access and log categories.

Agriculture and SBA officials told GAO that they were able to meet the logging due date thanks to internal efforts that preceded OMB’s August 2021 memo. An NSF official, meanwhile, credited “close coordination and enhanced licensing with its security incident and event management provider” for its timely compliance.

While Agriculture, NSF and SBA are outliers, the GAO report noted that all CFO Act agencies have made progress on the incident response requirements. Still, it’s critical that the 20 agencies that haven’t yet reached advanced levels do so quickly, the report emphasizes.

“Until the agencies implement all event logging requirements, the federal government’s ability to fully detect, investigate, and remediate cyber threats will be constrained,” the GAO report stated.

As of August 2023, the GAO reported that none of the remaining agencies were at intermediate (tier 2) levels on logging, while three — the General Services Administration, the Social Security Administration and USAID — had achieved basic (tier 1) status. USAID said in an email to FedScoop that it has since reached intermediate status, and told the GAO that it should be fully compliant by the end of this year. One unnamed agency is on the same timeline as USAID, while another said it would complete its requirements sometime in fiscal 2024.

Of the remaining 17 agencies in the not effective (0) logging tier, seven said they would reach advanced logging status within the fiscal 2024-2026 timeframe, and 10 did not share an updated timeline for completing the requirements.

GAO reported three primary impediments cited by agencies who have so far fallen short of the ability to “fully prepare to respond to cybersecurity incidents”: lack of staff, event logging technical challenges and limitations in cyber threat information sharing.

“Federal entities have ongoing efforts that can assist in addressing these challenges,” the GAO report said. “These efforts include onsite cyber incident response assistance from [the Cybersecurity and Infrastructure Security Agency], event logging workshops and guidance, and enhancements to a cyber threat information sharing platform.”

Federal IT officials have also cited a lack of funding as a barrier to fully meeting logging benchmarks. Paul Blahusch, the Department of Labor’s chief information security officer, said during Scoop News Group’s CyberTalks event last month that addressing enhanced logging standards had been challenging due to the fact that it was “potentially going to cost us quite a bit of money” and the agency hadn’t received any additional appropriations for the work. 

GAO noted two long-term efforts tied to the logging issue that should be rolled out in fiscal 2024: the implementation of the National Workforce and Education Strategy and a new threat intelligence platform from CISA. 

The watchdog also delivered 20 recommendations to 19 agencies, 16 of which agreed with the new instructions.

“Until agencies implement all event logging requirements outlined in OMB guidance, there is increased risk that they will not have complete information on their efforts to detect, investigate, and remediate cyber threats,” GAO said. “Moreover, the federal government as a whole may lack critical information and insights for identifying potentially significant cyber threats.”

This story was updated Dec. 8 with new information on USAID’s logging progress.

The post Only 3 agencies have hit deadline for cyber event logging standards, GAO finds appeared first on FedScoop.

In its FY2024 Federal Information Security and Privacy Management Requirements guidance, released Monday, OMB noted that the ubiquity and breadth of agency-used IoT devices underscores the federal government’s vulnerabilities to “new and more complex” cyber threats, a fact that necessitates the “strengthening of cybersecurity posture” of such devices. 

“Agencies must have a clear understanding of the devices connected within their information systems to gauge cybersecurity risk to their missions and operations,” the guidance states. “This includes the interconnected devices that interact with the physical world — from building maintenance systems, to environmental sensors, to specialized equipment in hospitals and laboratories.”

The guidance — which defines “covered IoT assets” as devices embedded with “programmable controllers, integrated circuits, sensors, and other technologies for the purpose of collecting and exchanging data with other devices and/or systems over a network in order to facilitate enhanced connectivity, automation, and data-driven insights across devices and systems” — comes on the heels of The Internet of Things Cybersecurity Improvement Act of 2020.

The IoT Act required the National Institute of Standards and Technology to issue IoT-related guidelines and standards, while also calling on the OMB director to review agency security policies and principles regarding the technology to ensure compliance.

OMB said it has “actively engaged with agencies over the past two years to learn about the diversity of IoT devices prevalent throughout the federal government,” setting the stage for the fresh instructions.

In addition to the IoT inventory deadline facing agencies, the guidance mandates the Chief Information Security Officer Council to stand up, within four months, a working group charged with creating IoT and operational technology playbooks that include sector-specific best practices. Those playbooks would then be distributed to agencies.  

“These efforts should leverage existing cybersecurity regimes and industry practices wherever feasible,” the guidance states, “so that IoT technology is appropriately integrated into the security frameworks and programs governing other forms of information technology.”

The post OMB guidance asks agencies to provide inventory of IoT assets appeared first on FedScoop.

The memo comes as the Biden administration beefs up its AI regulatory effort. On Monday, the president revealed a long-awaited executive order on artificial intelligence. While traveling, the vice president has also announced a series of new AI initiatives, including the creation of an AI Safety Institute and a funders program that involves philanthropic organizations focused on the technology.

“It’s pushing for and enabling agencies to really experiment, but also ensuring that if we’re getting into the health use cases and public safety use cases, that we have appropriate guardrails around that before we go too far,” Federal CISO Chris DeRusha said in an interview with FedScoop.

The memo strongly emphasizes AI innovation, instructing agencies to build IT infrastructure to support AI, collect data to train AI and evaluate potential applications of generative AI. At the same time, it also spells out AI systems that the government considers to be safety- or rights-impacting, such as automated security systems, risk assessments or emotion detection technology. Those systems are now subject to new requirements. 

“In a wide range of contexts including health, education, employment, federal benefits, law enforcement, immigration, transportation and critical infrastructure, the draft policy would create specific safeguards for uses of AI that impact the rights and safety of the public,” the White House said in a fact sheet regarding the OMB draft guidance.  

“This includes requiring that federal departments and agencies conduct AI impact assessments, identify, monitor and mitigate AI risks, sufficiently train AI operators, conduct public notice and consultation for the use of AI and offer options to appeal harms caused by AI,” the White House added.

As part of the guidance, each federal agency must designate a chief AI officer responsible for coordinating the use of AI, promoting AI innovation and managing AI risks. The order also requires that agencies convene AI governance bodies and that they develop enterprise AI strategies. 

The guidance stipulates that agencies may choose an existing official for its chief AI role, such as a chief technology officer, chief data officer or similar official “provided they have significant expertise in AI and meet the other requirements” spelled out by OMB.

The responsibility of that official will include serving as an agency’s senior adviser on AI, developing a plan to comply with the guidance, and responsibility for creating and maintaining an agency’s annual AI use case inventory.

DeRusha said that OMB has already seen the challenges that AI presents, but acknowledges the technology’s effectiveness in supporting tasks. He emphasized the limited knowledge around AI, specifically generative AI, and the need to categorize use cases to support the office’s future guidelines.

“That’s why we have this inventory of the 700-plus use cases, because it’s really important for us to understand, are those the right things for us to be focused on as pilots or when we’re still experimenting a little bit with the tech,” DeRusha said. “We need to know that those are the right decisions and the right, safe uses. That’s why we break it down by the use cases, break these things down from there by tasks.”

The White House said that the OMB memo will build upon the Biden administration’s Blueprint for an AI ‘Bill of Rights’, which takes a rights-based approach to regulating AI, as well the  National Institute of Standards and Technology’s risk-based AI RMF, which experts have compared and contrasted in the past few months.

The memo also creates changes to the process of creating AI inventories, which are already required by a 2020 executive order and legislation, including sharing more details on systems that could impact rights and safety. The Department of Defense also has new AI reporting requirements for its AI use cases. 

Notably, challenges with AI inventories were the subject of a major Stanford report published in 2022. FedScoop has continued to report on compliance issues within these disclosures, including errors and lack of consistency.

The memo does not impact AI systems that might be used as part of a national security system.

The post OMB draft AI guidance defines role of top agency AI official, adds to inventories appeared first on FedScoop.

The Government Service Delivery Improvement Act — introduced by Rep. Ro Khanna, D-Calif., and cosponsored by Reps. Byron Donalds, R-Fla., Barry Loudermilk, R-Ga., and William Timmons, R-S.C. — calls for increased accountability and coordination across federal agencies when it comes to how Americans interact with government technology. 

The OMB director would be responsible for selecting a senior staff member to head the effort, while the bill also calls on all agency heads to improve trust with the public and tap a senior official to spearhead the improvements in government services.

In a statement, Khanna noted the government’s “obligation to efficiently and effectively deliver quality services that Americans rely on,” including everything from health benefits to student loan programs. “With growing frustration over government dysfunction, Congress should help bring service delivery across agencies into the 21st century,” Khanna said. “The Government Service Delivery Improvement Act is a bipartisan solution that will directly help constituents by making the delivery of government services more efficient and reliable.”

Donalds said the federal government’s “antiquated” and “Byzantine” nature makes legislation of this kind necessary to ensure that a “modernized and innovative customer-centric approach to service” is adopted. And Loudermilk added that Americans deserve better customer service from federal agencies, “given they handle some of the most sensitive aspects of our lives.”

The Government Service Delivery Improvement Act is a natural follow-up to the 21st Century IDEA Act, which Khanna introduced in 2018 and then-President Donald Trump signed into law. 

That legislation called for a “consistent look” among government websites, in addition to compliance with Technology Transformation Service web standards. The law also included a variety of provisions for agency websites, including accessibility for people with disabilities, as well as requirements to promote e-signatures and digital forms. 

The new House bill comes a week after a bipartisan trio of senators introduced the Improving Government Services Act, which aims for shorter wait times and improved digital services for customers interacting with government websites. 

That legislation also includes a yearly requirement for agencies to enact customer experience action plans, intended to provide details gleaned from the private sector on how they’d offer taxpayers a better, more secure experience. 

Paul Lekas, senior vice president for global public policy & government affairs at the Software & Information Industry Association, said in a statement that the Government Service Delivery Improvement Act will “further the objectives of the 21st Century IDEA Act” by “designating specific federal officials with responsibility to continuously improve and enhance the digital delivery of government services.”

“This is an important step towards making government work better for its people,” he added.

Agencies have implemented the requirements of the IDEA Act with mixed results. OMB and the Office of the Federal CIO in September issued guidance, nearly five years after the law was passed, to better hold agencies accountable to the law’s statutes. 

The post Bipartisan House bill calls for more OMB oversight of agency digital services appeared first on FedScoop.

Speaking Tuesday at the Google Public Sector Forum, presented by Scoop News Group, Chris DeRusha, federal CISO and White House deputy national cyber director, noted that government authorization and assessment processes will be especially important when it comes to AI procurement.

“How do we ensure that we have an agile way of assessing the appropriate tools for government use and government-regulated data types? We can’t not do that,” DeRusha said. 

“We understand everybody’s really wanting to jump into the latest tools. But look, you know, some of these companies aren’t fully vetted yet, they are new entrants, and we have to ensure that you’re responsible for protecting federal data,” he added.

DeRusha said the government has “to go full bore in learning how to use this technology because our adversaries will do that.” To that end, the Biden administration last week released a database on AI.gov detailing hundreds of AI use cases within the federal government. 

Having that database should enable agencies to better drill down on specific AI applications, perform tests, launch pilot programs and ultimately see where the government can get “maximum benefit.” DeRusha cited better safety outcomes in transportation agencies as one possibility. 

And while “unintentional misuse” of AI worries DeRusha, ultimately the “benefits are so positive” for federal agencies when it comes to the technology.

Also top of mind for DeRusha is the implementation of the Biden administration’s National Cybersecurity Strategy, which was released in March, and the White House’s National Cyber Workforce and Education Strategy, published in July. 

DeRusha touted the benefits of having public-facing plans that note agency-specific responsibilities, quarterly targets and other details, essentially serving as a check on government officials to hold “ourselves accountable to ensure that we’re really making progress on all these things.” 

And after “decades of investments in addressing legacy modernization challenges,” DeRusha said now is the time for the government to prepare for “massive” long-term challenges, including, for example, those related to AI and the White House’s Counter-Ransomware Initiative, which now involves “almost 50 countries.”

“We’ve taken on pretty much every big challenge that we’ve been talking about for a couple of decades,” DeRusha said. “And we’re taking a swing and making” progress.

The post Federal CISO says White House targeting AI procurement as part of conversation on looming executive order, guidance appeared first on FedScoop.