personally identifiable information Archives | FedScoop https://fedscoop.com/tag/personally-identifiable-information/ FedScoop delivers up-to-the-minute breaking government tech news and is the government IT community's platform for education and collaboration through news, events, radio and TV. FedScoop engages top leaders from the White House, federal agencies, academia and the tech industry both online and in person to discuss ways technology can improve government, and to exchange best practices and identify how to achieve common goals. Wed, 08 Nov 2023 15:52:02 +0000

US Marshals Service responding to ransomware ‘major incident’ https://fedscoop.com/us-marshals-service-responding-to-ransomware-major-incident/ Tue, 28 Feb 2023 15:59:21 +0000 https://fedscoop.com/?p=66243 The DOJ bureau says it is working to mitigate any potential risks arising from the cyberattack.

The post US Marshals Service responding to ransomware ‘major incident’ appeared first on FedScoop.

The United States Marshals Service on Tuesday said it is responding to a ransomware and data exfiltration event affecting a standalone IT system at the Department of Justice bureau.

According to a statement, USMS on Feb. 22 declared a major incident after briefing senior agency officials and is working to address any potential risks arising from the incident.

“The Department’s remediation efforts and criminal and forensic investigations are ongoing. We are working swiftly and effectively to mitigate any potential risks as a result of the incident,” the agency said.

USMS first discovered the incident on Feb. 17 and disconnected the affected system before subsequently initiating a forensic investigation. 

Details of the breach were first reported on Tuesday by NBC. USMS spokesperson Drew Wade at the time told the news organization that the affected system contained law enforcement sensitive information, including returns from legal process, administrative information and personally identifiable information (PII) relating to subjects of USMS investigations, third parties and certain USMS employees.

The USMS breach is the latest incident involving PII to affect a key federal agency system in recent months.

In December, the Centers for Medicare and Medicaid Services disclosed details of a breach at a subcontractor that it said may have exposed the personally identifiable information of about 245,000 Medicare beneficiaries.

That same month, Immigration and Customs Enforcement launched an investigation after a spreadsheet containing sensitive details about 6,252 immigrants seeking protection in the U.S. was inadvertently uploaded to a public-facing website.

According to a survey carried out by nonprofit (ISC)² in October, just 42% of government cybersecurity professionals feel they have the necessary tools and staff to respond to cyber incidents within the next two to three years.

U.S. government and military were among five industry categories from which survey respondents were least likely to express confidence about their organization’s ability to respond to potential cyber incidents.

CMS subcontractor breach potentially exposes data of 254,000 Medicaid beneficiaries https://fedscoop.com/cms-subcontractor-data-breach/ Fri, 16 Dec 2022 21:03:17 +0000 https://fedscoop.com/cms-subcontractor-data-breach/ Healthcare Management Solutions, LLC suffered a ransomware attack on its corporate network on Oct. 8, which CMS has been investigating since.

A Centers for Medicare and Medicaid Services subcontractor experienced a breach that may have exposed Medicare beneficiaries’ banking information, Social Security Numbers and other sensitive data, the agency announced Wednesday.

Healthcare Management Solutions, LLC (HMS), a subcontractor of ASRC Federal Data Solutions, LLC (ASRC Federal), violated its obligations to CMS and potentially 254,000 of its 64 million Medicare beneficiaries whose personally identifiable and protected health information may have been exfiltrated, according to the agency.

President Biden issued an executive order in February 2021 in an effort to shore up agencies’ supply chains, after Russia-linked hackers breached federal contractor SolarWinds’ software supply chain — compromising nine agencies. Supply chain attacks continue to increase, prompting multiple reviews by the Department of Homeland Security’s Cyber Safety Review Board.

“The safeguarding and security of beneficiary information is of the utmost importance to this agency,” said CMS Administrator Chiquita Brooks-LaSure in a statement. “We continue to assess the impact of the breach involving the subcontractor, facilitate support to individuals potentially affected by the incident and will take all necessary actions needed to safeguard the information entrusted to CMS.”

ASRC Federal resolves system errors related to Medicare beneficiary entitlement and premium payment records and supports premium collection from direct payers for CMS. Subcontractor HMS suffered a ransomware attack on its corporate network on Oct. 8, which it notified CMS of the next day.

After an initial investigation, CMS concluded on Oct. 18 that its data handled by HMS was potentially compromised for some Medicare beneficiaries.

CMS continues to notify by letter beneficiaries whose information may have been exfiltrated that they’ll receive an updated Medicare card with a new Medicare Beneficiary Identifier (the existing identifier also may have been compromised); free credit monitoring services; and incident updates.

No CMS systems were breached or Medicare claims data involved. But names, addresses, dates of birth, phone numbers, Social Security Numbers, Medicare Beneficiary Identifiers, banking information including routing and account numbers, and Medicare entitlement, enrollment and premium information were potentially compromised, according to the agency.

Affected beneficiaries are advised to destroy their old Medicare card upon receipt of the new one, contact their financial institutions and enroll in Equifax Complete Premier credit monitoring for free using the letter’s instructions.

“At this time, we’re not aware of any reports of identity fraud or improper use of your information as a direct result of this incident,” reads the letter sent to affected beneficiaries.

Healthcare Management Solutions was contacted for comment.

VA admits to improperly disclosing COVID-19 vaccine data for 500,000 staff https://fedscoop.com/va-admits-to-improperly-disclosing-covid-19-vaccine-data-for-500000-of-its-employees/ Wed, 30 Nov 2022 23:50:06 +0000 https://fedscoop.com/va-admits-to-improperly-disclosing-covid-19-vaccine-data-for-500000-of-its-employees/ The agency removed a spreadsheet containing personal details including vaccination status following an internal investigation.

The U.S. Department of Veterans Affairs has admitted that it failed to adequately protect COVID-19 vaccination status data for about 500,000 of its employees.

Following an internal investigation by the VA’s Data Breach Response Service, the agency removed a spreadsheet containing personal details including vaccination status, according to a notice sent to the agency’s bargaining unit employees that was obtained by FedScoop. Federal Times first reported about the data breach.

Approximately 500,000 employees’ vaccination records were disclosed last year without permission and were sent to various members of Veterans Health Administration (VHA) senior leadership, according to the American Federation of Government Employees (AFGE) union, which filed a grievance.

Under the Health Insurance Portability and Accountability Act, regulated entities are prohibited from disclosing an individual’s protected health information, which includes COVID-19 vaccination status.

“Upon internal review, the VA agrees that the information contained in these documents should not have been placed on SharePoint without appropriate access permissions and this incident resulted in the inadvertent or unauthorized transmissions or disclosure of sensitive personal information,” said Jessica Bonjorni, chief of human capital management for the VA, in a notice to AFGE bargaining unit members on Nov. 9 and Nov. 10.

“Offering the highest levels of privacy protection to VA employees remains a top priority for both VA and AFGE. VA has investigated the matter, and the at-issue spreadsheet has been removed,” she added.

The spreadsheet that was incorrectly disclosed in the data breach in October 2021 included employee names and indicated whether or not they had been vaccinated, according to the AFGE National VA Council.

A VA spokesperson said: “VA remains committed to providing the highest levels of privacy protection to its employees. We investigated this matter and concluded on November 16, 2021, that the breach demonstrated a low risk of compromise.”

The emailed notice sent by Bonjorni said that the agency will complete any additional required investigations.

Editor’s note, 12/1/22: This story was updated to include comment from the VA.

National AI Research Resource must balance the value of its data with privacy https://fedscoop.com/nairr-balance-data-privacy/ Fri, 15 Apr 2022 21:37:51 +0000 https://fedscoop.com/?p=50560 The large number of parties expected to have access increases the risk data could be used to triangulate personally identifiable information.

The task force developing recommendations on a National Artificial Intelligence Research Resource must balance the need to provide valuable data with the increased risk it could be used to triangulate personally identifiable information, given the large number of parties expected to have access, experts say.

Task force members want to include startups and small businesses developing privacy technologies among NAIRR’s users, but exactly how resources, capabilities and policies would be integrated continues to be discussed, according to co-chair Manish Parashar.

Members previously stated that U.S.-based researchers and students — primarily in academia but also with companies that have received federal grants like Small Business Innovation Research or Small Business Technology Transfer funding — are target users of the NAIRR. Privacy technologies they’re developing could help the resource protect personally identifiable information (PII).

“Yes, the task force is certainly discussing how privacy-enabling technologies could help enhance the privacy aspects of NAIRR usage,” Parashar told FedScoop. “However, the task force has also discussed how privacy requires more than just technical solutions, and we expect a full range of considerations when contemplating privacy, civil rights and civil liberties.”

Data used to train machine learning (ML) algorithms can be anonymized to a degree, but the process is never absolute, which means PII can be correlated with enough effort.

Startups like integrate.ai, which advocates privacy by design, see an opportunity for the NAIRR to not only include them but use their privacy-enhancing technologies: federated learning, differential privacy, homomorphic encryption and secure multi-party computation.

“I would love to see a privacy track, a privacy initiative that both leverages the research value of the resource but also supports the whole initiative to actually protect the privacy of that information,” said Karl Martin, senior vice president of technology at integrate.ai.

Martin envisions a cluster of researchers and companies with a mandate to support the NAIRR with privacy-enhancing technologies that others may or are required to use to access the resource’s data, in addition to advancing their own work.

Database-style access controls are the “most basic” form of privacy limiting organizations based on data type, and they would likely become “frustrating” for NAIRR users, Martin said.

On the other hand, federated learning allows ML algorithms to be built without directly accessing data and can be compounded with additional layers of privacy, like differential privacy, to make reverse engineering back to the original data difficult, he added.

Whatever privacy technologies the task force ultimately recommends should be based on a smart data philosophy, opting for ones associated with the data rather than the systems.

“What’s the value of this data?” Martin said. “Then what are the protection mechanisms that can surround the data?”

Former DHS official convicted of stealing government data, software to create commercial version https://fedscoop.com/dhs-convicted-stealing-government-software/ Tue, 12 Apr 2022 20:34:45 +0000 https://fedscoop.com/?p=50372 The Office of Inspector General's IT Division acting branch chief helped set up off-site servers so developers in India could access them remotely.

A jury convicted a former Department of Homeland Security official Monday of stealing proprietary source code and sensitive databases, containing the personally identifiable information of hundreds of thousands of federal employees, in an effort to develop a commercial case management system.

Murali Y. Venkata, 56, of Aldie, Virginia, was the DHS Office of Inspector General’s IT Division acting branch chief when he conspired with two other people in his office to steal government software to create their own to sell back to agencies, according to the Department of Justice.

Venkata’s co-conspirators Charles K. Edwards, the former acting inspector general of DHS OIG, and Sonal Patel, another official in the office, pleaded guilty to theft in January 2022 and April 2019 respectively.

Venkata was further convicted of wire fraud, aggravated identity theft and obstruction, charges that forced him to take administrative leave in October 2017 after joining DHS in June 2010.

The prosecution argued Venkata assisted Edwards in setting up three computer servers in the latter’s home so developers in India could access them remotely and use the stolen source code and data to design a commercial case management system.

In his time at DHS OIG and, before that, the U.S. Postal Service OIG, Venkata had access to software systems — one for case management and others for holding personally identifiable information.

The case was prosecuted by senior attorneys from the DOJ and from the Civil Rights Section of the U.S. Attorney’s Office for the District of Columbia.

DHS seeks to automate video surveillance on ‘soft targets’ like transit systems, schools https://fedscoop.com/dhs-video-analytics-solicitation-soft-targets/ Wed, 23 Mar 2022 13:57:32 +0000 https://fedscoop.com/?p=49142 The broad solicitation risks blanket surveillance, with AI monitoring every previously unwatched camera feed at sites deemed soft targets, per an ACLU expert.

The Department of Homeland Security wants industry to develop video analytics that can detect threats caught on cameras at schools and transit systems in real time, which runs the risk of blanket surveillance, according to an American Civil Liberties Union expert.

The DHS Science & Technology Directorate issued a solicitation that gives companies two years to create products capable of automatically flagging anomalies — like unattended bags or people being where they shouldn’t — to monitor vulnerable, populated places deemed “soft targets.”

DHS S&T’s Silicon Valley Innovation Program funds companies’ development of new technologies in four phases, but its latest solicitation comes at a time when artificial intelligence used to monitor people is rapidly advancing.

“Right now we have a lot of cameras on us, but we basically don’t worry about them most of the time because there’s an implicit understanding nobody’s really watching those cameras,” Jay Stanley, senior policy analyst with the ACLU Speech, Privacy and Technology Project, told FedScoop. “No one is going to pay a million security guards to watch every camera feed, but with AI you can do that.”

While various DHS arms have explored using AI to detect anomalies and “suspicious individuals,” DHS S&T’s “broad” solicitation would impose video surveillance in a variety of everyday situations, Stanley said.

The solicitation defines soft targets as “locations that are easily accessible to large numbers of people and that have limited security or protective measures in place making them vulnerable to attack” like malls or stadiums. What types of threats DHS S&T hopes to mitigate, other than “attacks” and “crime,” aren’t made clear, but its Surface Transportation Explosives Threat Detection Program supported the development of the Forensic Video Exploitation and Analysis (FOVEA) tool used by local agencies like the Washington Metropolitan Area Transit Authority to identify crimes that have already occurred on video.

WMATA receives about 20 to 30 requests per day, including those from federal agencies, for FOVEA video analysis to assist in criminal and noncriminal cases. Developed by the Massachusetts Institute of Technology Lincoln Laboratory, the tool is set up in about 20 WMATA metro stations.

FOVEA lets security personnel tag people to items they leave behind and reconstruct their paths across multiple camera feeds, which is helpful given the number of bomb threats DHS alerts WMATA to, said Bryan Doucette, coordinator of WMATA’s Digital Video Evidence Unit, during DHS S&T’s virtual industry day Tuesday. The tool has also been used to track abducted children in amber alert emergencies.

Still, no commercial product allows these tasks to be performed in real time, and DHS S&T wants to be “proactive” with its research and development efforts, said Ali Fadel, Physical Security program manager.

“It is impossible for first responders to be everywhere at all times,” Fadel said, in the original announcement. “S&T is therefore creating and supporting the development of tools that serve as force-multipliers.”

Unfortunately the force being multiplied could be the “chilling effect” on people’s normal behavior, for fear of triggering an autonomous security alert, Stanley said.

While he didn’t rule out the development of “reasonable” tools in very specific circumstances, Stanley said autonomous video analytics could change what it means to be in public in the U.S. With terrorist attacks — DHS’s usual reason for developing security technologies — exceedingly rare, the analytics could be applied to “far more prosaic acts of wrongdoing,” he added.

DHS S&T didn’t comment prior to publication, but a spokesperson did point out the solicitation requires proposed solutions ensure privacy and personally identifiable information residing in information systems be protected. Only personal information needed to fulfill tasks is to be disclosed or accessed by authorized personnel, and proposed solutions must provide “robust” audit trails verifying both and secure data during collection, transmission and storage, according to the solicitation.

The agency isn’t considering facial recognition analytics as part of the solicitation and won’t be purchasing any systems that come out of it, though DHS does provide funding for end users like WMATA to procure them.

The first deadline for companies’ applications is April 28, 2022, and the final deadline August 29, 2022, at 12 p.m. PT on both dates.

“The question we have to ask society is whether we want to allow AI tools to be used to watch everybody all the time because some people might be doing something wrong someplace, somewhere,” Stanley said. “That could justify pretty much watching everything.”

Report: Census Bureau should set timeframes for protecting respondents’ data privacy https://fedscoop.com/census-plan-protecting-data-privacy/ Tue, 15 Mar 2022 21:51:47 +0000 https://fedscoop.com/?p=48786 GAO recommends the bureau update its schedule for differential privacy.

The Census Bureau hasn’t provided deadlines or details for data products demonstrating its new method for protecting the privacy of 2020 census respondents, according to a Government Accountability Office report released Monday.

Differential privacy — systems that withhold information on people in datasets while publicly sharing data on group patterns — will be used with forthcoming census products like the demographic and housing characteristics file.

The bureau already employed differential privacy to mitigate the risk of census respondents being re-identified when it released redistricting data, used to redraw legislative boundaries every decade, in August. But GAO found there’s no way of knowing if that’s currently “realistic and achievable” with forthcoming data products.

“The success of a program depends in part on having a reliable schedule that defines when work will occur,” reads GAO’s report. “Without a specific and complete schedule, the bureau may be unable to accurately plan for and track progress on disclosure avoidance steps for future data products.”

The Decennial Directorate cited the fact that its schedule is being updated in phases as the reason for not yet setting deadlines for additional disclosure avoidance activities, but it expected to make “key decisions” in the winter and spring.

GAO recommended the bureau update its schedule of activities with specific timeframes because of their potential to impact “key features” of the 2030 census being decided over the next three years, and the agency agreed.

“The Census Bureau will prepare a formal action plan addressing this recommendation upon GAO’s issuance of the final report,” wrote the Department of Commerce, within which the bureau resides, in its response.

Previously the bureau mitigated indirect disclosure of personally identifiable information through data suppression, swapping and rounding, but advances in technology saw it identify a vulnerability in published 2010 census data in 2018. The bureau reconstructed the sex, age, race and ethnicity information of some people using that data, so it turned to differential privacy in 2020.

Since then the Data Stewardship Executive Policy Committee has held several meetings to discuss user outreach and make decisions around differential privacy, and the bureau has published several demonstration data products.

The bureau continues to assess 2020 census data quality with tools like the independent Post-Enumeration Survey (PES), a sampling of the population used to estimate the number of people and houses missed or counted more than once, as well as undercounts and overcounts of the population by demographic — with national estimates released March 10 and state estimates expected June 30, 2022.

Tool releases are delayed because the COVID-19 pandemic delayed census operations beginning with field data collection, but GAO raised concerns about 2020 census planning — including the development of new IT systems — back in 2017 when it was placed on the High-Risk List.

“[C]ontinued attention and oversight is warranted, as multiple data products have yet to be produced and key activities related to data privacy and quality remain to be completed,” GAO’s report reads.

GSA won’t use facial recognition with Login.gov for now https://fedscoop.com/gsa-forgoes-facial-recognition-for-now/ Wed, 09 Feb 2022 18:18:20 +0000 https://fedscoop.com/?p=47507 The agency's secure sign-in team continues to research the technology and to conduct equity and accessibility studies.

The General Services Administration won’t use facial recognition to grant users access to government benefits and services for now, but its secure sign-in team continues to research the technology.

“Although the Login.gov team is researching facial recognition technology and conducting equity and accessibility studies, GSA has made the decision for now not to use facial recognition, liveness detection, or any other emerging technology in connection with government benefits and services until rigorous review has given us confidence that we can do so equitably and without causing harm to vulnerable populations,” said Dave Zvenyach, director of TTS, in a statement provided to FedScoop.

“There are a number of ways to authenticate identity using other proofing approaches that protect privacy and ensure accessibility and equity.”

Login.gov ensures users are properly authenticated for agencies’ services and verifies identities, and the Technology Transformation Services team that manages it is also studying facial recognition equity and accessibility.

GSA’s methodical evaluation of the technology contrasts with that of the IRS, which announced Monday that it would transition away from using ID.me’s service for verifying new online accounts after the company disclosed it lied about relying on 1:many facial recognition — a system proven to pose greater risks of inaccuracy and racial bias.

Login.gov currently collects a photo of a state-issued ID and other personally identifiable information, which are validated against authoritative data sources. The last step involves either sending a text message to the user’s phone number or a letter to their address containing a code that must be provided to Login.gov to complete identity verification.

More than 60 applications across 17 agencies — including USAJOBS at the Office of Personnel Management and the Paycheck Protection and Disaster Loan Application programs at the Small Business Administration — use Login.gov, encompassing more than 17 million users.

GSA’s rejection of facial recognition for Login.gov was first reported by The Washington Post, but the technology is most certainly in the agency’s, and the government’s, future.

The White House Office of Science and Technology Policy is crafting an Artificial Intelligence Bill of Rights to protect people from technology infringements and focused its initial request for information on biometrics like facial recognition.

While OSTP’s definition of biometrics needs refining, not all facial recognition algorithms are prejudicially biased. Technical and operational bias also exist and don’t necessarily lead to inequitable outcomes.

“There are not direct correlations between technical and operational biases and prejudicial bias,” Duane Blackburn, science and technology lead at MITRE’s Center for Data-Driven Policy, told FedScoop in January. “Even though in a lot of policy analyses they’re treated as equivalent.”

2 DHS agencies mostly handled ‘major’ privacy incidents effectively https://fedscoop.com/dhs-major-privacy-incidents/ Tue, 21 Dec 2021 18:56:17 +0000 https://fedscoop.com/?p=45953 CBP failed to report its most recent risk assessment findings.

Four agencies within the Department of Homeland Security experienced breaches of personally identifiable information due to privacy incidents between July 2018 and June 2019, according to the Government Accountability Office.

Of the privacy incidents at Customs and Border Protection, the Federal Emergency Management Agency, Immigration and Customs Enforcement, and the Transportation Security Administration, only the first two were deemed “major.”

Incidents placing sensitive information at risk are on the rise governmentwide, but GAO found all four agencies identified and reported theirs in a timely fashion — although CBP failed to report its most recent risk assessment findings or its decision not to notify people affected due to low risk of harm.

“Fully documenting remediation activities helps ensure that all appropriate steps have been taken to lessen potential harm that the loss, compromise or misuse of PII could have on affected individuals,” reads the GAO report released Friday.

GAO recommended CBP fully document its risk assessments and recommendations for notifying people affected in privacy incidents in its incident database.

Of the two other agencies reviewed, DHS Headquarters had a privacy incident but no breach of personally identifiable information (PII), while the Coast Guard reported no incidents.

DHS and its contractors maintain “large amounts” of PII, from dates of birth to Social Security Numbers, and the department has privacy policies in place for contractor-operated systems that its agencies don’t always comply with, according to the report.

Headquarters and the Coast Guard only partially administered annual and targeted, role-based privacy training for employees and contractors, so GAO recommended DHS’s Privacy Office begin providing it for contractors handling PII.

The Coast Guard failed to address gaps in privacy compliance, so GAO recommended it set a timeframe for developing a gap assessment and work with its acquisition office to ensure contractors accept privacy requirements.

Both the Coast Guard and TSA failed to evaluate new instances of PII sharing with third parties, so GAO recommended they fully document the process.

The DHS Privacy Office responded to GAO’s recommendations that it would review privacy training and requested that GAO close its recommendations that the Coast Guard create a gap assessment and that both that agency and TSA evaluate new PII sharing with third parties. But GAO found no evidence those recommendations had been addressed.

DHS further agreed to work with CBP to update the department’s Privacy Incident Handling Guidance.

“This proposed language will include clearly delineated roles for the posting of finalized risk assessments and an incident journal input when an accident is categorized as MAJOR/SIGNIFICANT,” reads DHS’s response letter.

More mature 10x program selects 22 new projects https://fedscoop.com/10x-matures-22-new-projects/ Tue, 27 Apr 2021 20:52:25 +0000 https://fedscoop.com/?p=40717 Phase 1 projects fit with three new priorities set last year: rebuilding public trust, environmental protection and promoting equity.

The General Services Administration’s 10x technology investment program will fund 22 Phase 1 projects based on new priorities set last year, the agency announced Tuesday.

Housed within the Technology Transformation Services, 10x selected the projects from a pool of 250 internal submissions to fit three themes: rebuilding public trust, environmental protection and promoting equity.

The announcement comes as 10x nears completion of two Phase 4, public-facing technologies.

“We’re moving from shipping prototypes to shipping live products,” Will Cahoe, project coordinator for 10x, told FedScoop. “And I think this is a testament to how we’ve matured as a program over the last couple of years.”

The 10x program was developed to “crowdsource ideas from federal employees and turn them into real products that improve the public’s experience with the federal government.”

Phase 1 in the 10x process is the “investigation” phase and consists of a two-week sprint in which project teams determine if their ideas are worthwhile by considering legal and regulatory hurdles, consulting experts in the space, and ensuring similar government projects aren’t already ongoing.

A public trust project being evaluated currently would aggregate all agency Freedom of Information Act responses in one place.

Environmental projects address climate change, national parks and conservation issues, with one currently looking to ameliorate sewage spills into public water resources. That project also crosses into the equity space because it would identify underserved communities that are affected.

The equity theme aligns with the Biden administration’s priority of racial equity in the president’s American Rescue Plan and asks who’s left behind by government services. Translation products, as well as those supporting everyone from rural and tribal populations to former inmates, fall in this category.

Phase 2 is a six- to eight-week “discovery” phase, where project teams decide if there’s a solution to the problem identified in Phase 1. Some remain undecided, but 10x has nine definite Phase 2 projects — one of which is a COVID-19-inspired effort to provide contact tracing for GSA buildings in the event of another public health crisis.

In Phase 3, “development” begins: engineers are tasked with building a minimum viable product, potential partner agencies are identified, and the end goal is solving one problem for one active customer. 10x has four Phase 3 projects, the latest of which kicked off Monday.

The Combating Bias in Artificial Intelligence and Machine Learning Implementation project is ahead of schedule in that the product is already live. A suite of digital tools helps data and program professionals identify different types of bias — possibly racial or gender-based — within datasets that will ultimately power AI pipelines.

10x is collaborating with the Census Bureau on the project.

“My understanding is that the Census Bureau is going to be on the forefront of using this new technology because they’re really a data agency,” Cahoe said. “They have so much data, and a lot of the census open data is what’s going to be used to power these kinds of AI implementations across government.”

Phase 4 attempts to “scale” solutions to as many users as possible and identify alternative funding to keep products sustainable when the 10x seed money dries up.

Of 10x’s two Phase 4 projects, Site Scanner is just ending.

There are a lot of mandates for .gov websites, and the Site Scanner platform delivers customizable scans keeping agency web managers abreast of accessibility, uptime and downtime, related security certificates used, and required data files listed. The product is live, additional scans continue to be added and TTS will manage the platform within its Digital Analytics Program portfolio.

The other Phase 4 project is DevOps for Privacy Offices, which created a live dashboard empowering such offices to respond to security issues with people’s personally identifiable information (PII). The dashboard, which resides within TTS’s Identity Management portfolio, could eventually help implement the Creating Advanced Streamlined Electronic Services for Constituents (CASES) Act and allow people to see what agency systems hold what PII of theirs.

10x’s phased approach to innovation investment mitigates risk by increasing the funding and time devoted to projects as they advance. Only a third of projects advance from phase to phase.

“We do not view closing down projects as failures,” Cahoe said. “We view it as a success because one of the great value propositions of 10x is that we can save money and prevent duplication.”

The funding for 10x comes out of the Federal Citizen Services Fund (FCSF), just like other programs within the TTS Solutions office: the Federal Risk and Authorization Management Program, USA.gov, U.S. Web Design System, and Data.gov. While the FCSF received $150 million in the American Rescue Plan Act, 10x won’t see a funding increase because it’s funded specifically out of a smaller pot called the Digital Services Fund.

That dollar cap means 10x is at its hiring limit currently, but it did launch a new website Tuesday detailing its work. And the program could always receive more funding during the budget process, as consistent as that funding has been throughout 10x’s life.

“Are we going to be getting a bump next year? I couldn’t tell you,” said Nico Papafil, 10x director. “I hope we do.”
