ATARC Archives | FedScoop https://fedscoop.com/tag/atarc/

Export-Import Bank taking open-minded approach on the use of generative AI tools
https://fedscoop.com/export-import-bank-permissive-on-generative-ai/
Fri, 01 Mar 2024 22:51:12 +0000
Addressing employee generative AI use is largely an evolution of the agency’s existing policies for general internet searches, said Ex-Im's Howard Spira.

The Export-Import Bank of the United States is among the agencies opting for a more permissive approach to generative AI tools, giving employees the same kind of access to them that the independent agency provides to the internet, according to its top IT official.

“We do not block AI any more than we block general internet access,” Howard Spira, chief information officer of Ex-Im, said during a Thursday panel discussion hosted by the Advanced Technology Academic Research Center (ATARC).

Spira said the agency is approaching generative tools with discussions about accountability and best practices, such as not inputting private information into tools like ChatGPT or other public large language models. “But frankly, that is just an evolution of policies that we’ve had with respect to just even search queries on the general internet,” Spira said.

He emphasized the importance of context in AI usage, noting that the agency — whose mission is facilitating U.S. exports — deals with the kinds of decisions that it believes are “a relatively low-risk environment” for AI. Most of the work the agency is doing with AI is with “embedded AI” that’s within its existing environments, such as those for cyber and infrastructure monitoring.

“We’re also actually encouraging our staff to play with this,” Spira said.

His comments come as agencies across the federal government have grappled with how to address the use of generative AI tools by employees and contractors. Those policies have so far varied by agency depending on their individual needs and mission, according to FedScoop reporting.

While some agencies have taken a permissive approach like Ex-Im, others are approaching the tools with more caution.

Jennifer Diamantis, special counsel to the chief artificial intelligence officer in the Securities and Exchange Commission’s Office of Information Technology Strategy and Innovation, said during the panel that the SEC isn’t jumping into third-party generative AI tools yet, citing unknowns and risks. 

There is, however, a lot of exploration, learning, safe testing and making sure guardrails are followed, Diamantis said. She added that while the agency is exploring the technical side, there is also an opportunity right now to explore the process, policy and compliance side of things to make sure they’re ready to manage risks if and when they do move forward with the technology. 

Diamantis, who noted she wasn’t speaking for the commission or commissioners, encouraged people to use this time to focus not just on the technology, “but also, what do you need in terms of governance? What do you need in terms of updating your lifecycle process? What do you need in terms of upskilling, training for staff?”

In addition to exploration, the SEC is also educating its staff on AI. Diamantis said those efforts have included trainings — such as a recent one on responsible AI — and having outside speakers, as well as establishing an AI community of practice and a user group.

Spira similarly noted that Ex-Im has working groups addressing AI and is including discussions about the technology in its continuous strategy process. This year, that process for its IT portfolio included having “the portfolio owners identify potential use cases that they were interested in exploring” and the identification of embedded use cases, he said.

Tony Holmes, another panelist and Pluralsight’s director of public sector presales solution consulting for North America, underscored the importance of broad training on AI to build a workforce that isn’t afraid of the technology.

“I know when I talk to people in my organization, when I talk to people at agencies, there are a lot of people that just haven’t touched it because they’re like, ‘we’re not sure about it and we’re a little bit scared of it,’” Holmes said. Exposure, he added, can help those people “understand it’s not scary” and “can be very productive.”

NTIS chief data scientist: Public-private partnership authority can help agencies with explainable AI
https://fedscoop.com/ntis-data-architectures-ai/
Fri, 07 Oct 2022 22:59:44 +0000
The National Technical Information Service helps agencies to improve data collection, labeling and classifying, and use data to ensure machine-learning models can be trusted.

Agencies looking to make better use of data for explainable artificial intelligence should take advantage of the National Technical Information Service’s “unique” partnership authority, said its chief data scientist.

Speaking during an ATARC webinar Thursday, Chakib Chraibi said Congress had the foresight to allow the National Technical Information Service (NTIS) to partner with top tech companies, academic institutions and nonprofits outside of the Federal Acquisition Regulation to address national data challenges and accelerate AI-based capabilities within all agencies.

NTIS is part of the Department of Commerce and works with agencies to determine how they are collecting, labeling and classifying, and using data to improve those processes and ensure machine-learning models can be trusted.

The agency stood up a Data Skills Working Group a few years ago and mapped skills for roles like data engineer, data scientist and data analyst.

The government wants the U.S. to be the global leader in what Chraibi said is the “premier technology of the 21st century,” going so far as to issue an AI Bill of Rights on Tuesday affirming its commitment to democratic values from development to deployment. But the field is evolving rapidly — with machine-learning models becoming more explainable within weeks, not years — meaning agencies must improve their access to quality data.

“The issue is that a large number of federal agencies are still struggling with old data architectures that serve hundreds of applications in a vertically oriented, siloed approach,” Chraibi said.

Agencies also need mitigation policies in place beginning with prototyping to address AI risks like bias as they arise, Chraibi said.

A number of AI frameworks exist promoting responsible AI that agencies can choose from, but they can’t be implemented without metrics quantifying the explainability of the model.

“At NTIS we have a very agile framework that we work with,” Chraibi said. “And we work very tightly with the agency because they are the experts.”

Another area where agencies need to improve is ensuring they have the requisite data engineering and architecture skills on staff to modernize their infrastructure. Machine learning skills, while important, come later, Chraibi said.

“We try to know what are the skills that are within the Department of Commerce and what [employees] need to become a data analyst to upscale from within, as well as identify what we need from outside,” Chraibi said.

Policy adviser says workforce gains from federal quantum center efforts still a year or more away
https://fedscoop.com/workforce-gains-federal-quantum-centers/
Wed, 31 Aug 2022 20:49:06 +0000
Corey Stambaugh says new staff are still being trained using initial federal funds earmarked for hiring.

The National Quantum Information Science Research Centers won’t see substantial workforce gains for several years because people are still being trained using initial federal investments, according to a senior policy advisor in the National Quantum Coordination Office.

Speaking to ATARC members Wednesday, Corey Stambaugh said it will take one or two more years to move talent through the pipeline given the five NQISRCs were only established in the past two years.

A McKinsey & Co. report found there were 851 quantum technology job postings nationally in December compared with 290 Master’s-level graduates in the field annually, and demand may reach about 10,000 workers by 2025. Looking to close the gap, the Department of Energy leveraged the $625 million it received in the National Quantum Initiative Act to obtain $340 million in matching funds from industry and universities for the NQISRCs, and already their ecosystem includes researchers from about 70 institutions.

“We’re going to see more people entering the pipeline just from that initial investment,” Stambaugh, whose office resides within the White House Office of Science and Technology Policy, said.

NQISRCs prioritize a diverse, equitable and inclusive workforce through traditional degree programs, retraining certificate programs and training partnerships with industry. 

Both the Quantum Science Center (QSC) and Co-design Center for Quantum Advantage (C2QA) host quantum summer schools, while Next Generation Quantum Science and Engineering’s (Q-NEXT) Open Quantum Initiative created an undergraduate fellowship for minority quantum scientists.

“The centers have taken a multipronged approach to train the next generation of QIS scientists and researchers and to create new pipelines for underrepresented groups,” said Irfan Siddiqi, director of the Quantum Systems Accelerator (QSA), in a statement. “We’re all putting forth special efforts to support a diverse quantum workforce in a fast-growing field.”

OSTP aims to translate QIS from agency and industry labs to the market, which goes beyond the development of quantum computers and sensors with agencies, Stambaugh said. 

NQISRCs are researching quantum materials beyond silicon, quantum simulators, distribution of quantum entanglement, quantum networking via testbeds, and correcting quantum error.

“Applications are really going to be what makes or breaks the field,” Stambaugh said. “So are we finding the real applications that’ll benefit society and continue to justify investment.”

National Security Memorandum-10 issued in May represented the Biden administration’s first public policy statement on quantum computing. The memo acknowledged the risks posed by quantum computers while emphasizing cryptographic agility — agencies’ need to establish timely transition and technology protection plans.

At the same time, the White House has cautioned against agencies transitioning before the National Institute of Standards and Technology has finished issuing a post-quantum cryptography standard. Stambaugh took that a step further, saying agencies may even need to wait until NIST’s standards are internationally recognized by standards developing organizations like the Institute of Electrical and Electronics Engineers.

The National Quantum Initiative plans to release its third-ever supplement to a president’s budget proposal soon.

“We need a whole-of-government and society strategy to harness the economic, security and scientific benefits. We need to be investing in R&D,” Stambaugh said. “We need to continue to foster this next generation of scientists and engineers in the workforce, and partnerships both domestic and international are going to be critical to that.”

NIST’s 5G demo network nears completion
https://fedscoop.com/nist-5g-demo-close/
Tue, 30 Aug 2022 16:14:11 +0000
The 5G cybersecurity project aims to build agencies' trust in the underlying infrastructure by featuring security functions.

The National Institute of Standards and Technology expects to launch the 5G network it will use to demonstrate security functions to agencies within two months, according to IT security specialist Mike Bartock.

NIST’s National Cybersecurity Center of Excellence continues to build out a holistic network infrastructure featuring required and optional security controls with the help of 12 industry partners.

Dubbed the 5G Cybersecurity Project, the effort will ultimately yield a reference architecture for enabling security functions unaddressed by the 3rd Generation Partnership Project’s internationally recognized standards for mobile telecommunications.

“We can show how a network provider could build out this trusted and secure infrastructure, as well as demonstrate to people who consume the 5G networks what sort of optional features they can ask for their providers to turn on,” Bartock said, during the ATARC and FMG Mobile Breakfast Summit on Tuesday. “They can leverage them to make sure that, once their phone connects to the network, they know the security that the whole network is providing.”

NCCoE intends for the 5G network to build agencies’ trust in the underlying infrastructure — which lends itself to cloud technologies like virtualization and containerization — down to the radio access network, he added.

The reference architecture will not only document the network’s design and architecture but map it to the NIST Cyber Framework, 800-53 Controls and relevant telecom standards to help agencies validate their level of security. Mitigations the NCCoE is trying to achieve will be included.

NCCoE is using a hardware root of trust to measure the boot times of all servers that make up the data center, so it can create an allowed list of those still in a trusted state within the environment. That list can be extended to a network function orchestrator, which controls the servers those functions run on.

Additional use cases will be added to the reference architecture in the future like secure slicing, where an agency requests its own 5G network slice — separating traffic from the general offering and customizing security features, Bartock said.

Industry partners participating in the 5G Cybersecurity Project include hardware vendors like Dell, Intel and AMI; telecom vendors like Nokia, AT&T and T-Mobile; and network security vendors like Palo Alto Networks and Cisco.

Federal CIO Council working group addressing zero trust funding challenges: CISA cyber official
https://fedscoop.com/agencies-zero-trust-funding-challenges/
Wed, 10 Aug 2022 14:51:50 +0000
The Interagency Zero Trust Leadership Steering Group will tackle the funding challenges that federal IT leaders face.

The Interagency Zero Trust Leadership Steering Group is working to understand funding challenges that federal agency IT departments face as they implement zero-trust security architectures, according to Sean Connelly.

Speaking at the ATARC Zero Trust Summit on Tuesday, the Cybersecurity and Infrastructure Security Agency’s senior cyber architect said the group — chartered under the Federal Chief Information Officer (CIO) Council — meets about once a month to discuss how agencies are moving forward in spite of tight budgets.

The CIO Council has multiple working groups in addition to four principal committees. Working groups must be approved by the council’s executive committee, have a clearly defined scope and goals and deadlines for the completion of deliverables.

Ever since the White House issued the Cyber Executive Order in 2021, requiring agencies to submit zero-trust security architecture implementation plans, CIOs and chief information security officers have expressed concerns the money isn’t there.

“We are starting to see agencies receive funding toward zero trust initiatives,” Connelly said.

A voting member on the Technology Modernization Fund Board, he pointed out that the U.S. Agency for International Development was awarded $5.6 million Aug. 3 to accelerate its transition to a new identity, credential and access management (ICAM) solution.

USAID now estimates more than 50% of users will be onboarded to the passwordless technology by fiscal 2024.

“TMF funding will allow USAID to accelerate its zero trust initiative across an anytime, anywhere organization of over 13,000 end users worldwide, improve customer experience, and reduce mission risks as it helps execute the administration’s foreign assistance and development priorities,” said Paloma Adams-Allen, deputy administrator for management and resources, in the announcement.

Other avenues agencies have for cost-effective implementation of zero-trust security include CISA’s Federal High-Value Asset program, which helps them protect their most sensitive data, as well as Trusted Internet Connection (TIC) 3.0 overlays.

Connelly manages the TIC program, which provides agencies with modern security architectures for protecting their IT environments through use cases complementing the five pillars of the Zero Trust Maturity Model. TIC overlays let cyber vendors map their services to the program’s capabilities.

Vendor assistance is also key to modernizing the Federal Risk and Authorization Management Program (FedRAMP), with which the TIC team coordinates and which has seen an increasing number of cloud services authorized to use the most sensitive, unclassified data.

“We’ve seen a number of FedRAMP High baselines have started to be accelerated as agencies are moving some of the most sensitive data to the cloud,” Connelly said. “It’s critical that the vendors are able to provide these types of services to help the agencies as they move to TIC 3.0 and [Secure Access Service Edge]-type solutions.” 

CISA, together with the Office of Management and Budget and U.S. Digital Service, continues to review agencies’ zero-trust security architecture implementation plans to understand their needs and gaps, as well as challenges across agencies.

That information is relayed to the CyberStat working groups that CISA hosts once or twice monthly for about 600 federal officials and contractors to discuss implementing the pillars of zero trust: identity, devices, networks, applications and workloads, and data.

“I think we’re helping agencies move forward as well as we can,” Connelly said.

Lack of identity engineers hinders agencies’ MFA adoption
https://fedscoop.com/agencies-lack-identity-engineers/
Mon, 08 Aug 2022 13:00:00 +0000
A new generation of identity talent is needed to usher in factors beyond PIV and CAC cards, cyber experts say.

Some agencies continue to struggle with implementing phishing-resistant multi-factor authentication because there’s a dearth of identity engineers in government, according to cybersecurity experts.

Identity, credential and access management (ICAM) program management offices or other governance bodies aren’t universal yet, despite the Cybersecurity and Infrastructure Security Agency encouraging them, because most federal investments in training produce red and blue teamers — offensive- or defensive-minded professionals.

The first pillar of the federal zero-trust architecture strategy released in January is identity: agencies managing identities to allow staff access to applications while protecting them with multi-factor authentication (MFA). But the National Institute of Standards and Technology’s National Initiative for Cybersecurity Education (NICE) Workforce Framework buries identity “three layers deep” in “nichey” network or software engineering roles, rather than making it a standalone position, said Matt Topper, president and solutions catalyst at Uberether.

“Nobody ever talks about, ‘I want to be an identity engineer,’” Topper said during an ATARC webinar Tuesday. “That makes you the best blue teamer because you actually understand how these things work together.”

In the past cyber professionals typically attended security or identity conferences but rarely both. Agencies’ increasing use of cloud and ICAM technology and attacks like the SolarWinds hack, where Active Directory Federation Services allowed infiltrators to gain administrative privileges, have “blurred the lines” between the two communities, said Grant Dasher, ICAM expert at CISA.

For instance, CISA Director Jen Easterly tweets regularly about phishing-resistant MFA, and red teamers use their knowledge of identity engineering to gain access to networks, Dasher said.

“I think that the number of people in our community who have deep identity expertise is not significant,” Dasher said. “And they sort of move around between the agencies or, in some cases, retire.”

Fostering that expertise means building those skills among a new generation of experts, who understand the parts of identity that are unique to government, industry and how they work together, he added.

That talent will be essential to moving agencies beyond the personal identity verification (PIV) and common access card (CAC) smartcard authentication that prevails across government to other factors, the adoption of which should increase with additional NIST guidance in the next year, Topper said.

The federal zero-trust architecture strategy emphasized new approaches to cyber and experimentation with authentication and network security.

“The lesson will be whether we can pull it off over the coming years,” Dasher said.

CISA is looking to simplify agencies’ adoption of cloud identity technologies and continues to develop the forthcoming Zero Trust Maturity Model.

The years 2023-25 should prove pivotal for MFA adoption, especially with planned NIST guidance on derived credentials and digital identity guidelines, Topper said. 

NIST Special Publication (SP) 800-63-3 Revision 4 is expected out this fall and will, for the first time, include a dedicated SP 800-63C Federation and Assertions. The document will cover identity federation between agencies, industry partners and citizens; federated authentication transactions and identity federation assurance levels.

“Those are super exciting because those are going to set the next decade of identity standards and patterns that we’re going to follow,” Topper said.

ATARC announces 2 labs to spur government adoption of modern credentials
https://fedscoop.com/atarc-announces-2-credentials-labs/
Tue, 19 Jul 2022 19:40:30 +0000
The trade body has set up two public-private labs that will demonstrate six mobile device authentication use cases.

The Advanced Technology Academic Research Center announced two public-private laboratories around identity management Tuesday to hasten government adoption of more easily distributable, modern credentials.

ATARC’s Digital Mobile Credentials Lab will showcase six use cases where devices serve as identifiers to access buildings and workstations, while an Identity Management Working Group lab will have vendors demonstrate the feasibility of a Derived Fast Identity Online 2 (FIDO2) Credential (DFC).

Personal Identity Verification (PIV) cards and Common Access Cards (CACs) became the standard at agencies around the turn of the millennium, but such physical credentials proved hard to disburse with the onset of the pandemic and remote work.

“Identity management is one of the five main pillars of zero trust,” Tom Suder, ATARC president, told FedScoop. “But we’ve seen during the pandemic that it’s really a challenge.”

Like its Zero Trust Lab launched in September, ATARC’s new labs are focused on generating more government-specific use cases.

The onboarding of enumerators for the decennial census creates tremendous demand for credentials, as does the Federal Emergency Management Agency scaling its workforce during disasters. Mobile phones the government typically issues to employees present an opportunity for a post-PIV and CAC environment, Suder said.

ATARC established a memorandum of understanding with General Services Administration for the Digital Mobile Credentials Lab, after the agency brought the use case of its USAccess shared service, which provides PIV cards across more than 110 agencies.

Among the technologies the lab will showcase are Public Key Infrastructure (PKI) and FIDO2 credentials; physical access control and logical access control system (PACS/LACS) technical architectures; and identity, credential and access management (ICAM) solutions.

The six use cases are:

  • mobile phone-PKI authentication to PACS providing access to a building,
  • mobile phone authentication to workstations or web applications using an x509 authentication certificate,
  • mobile phone authentication to workstations or web applications using FIDO2 credentials,
  • mobile phone or tablet authentication for temporary personnel using an x509 authentication certificate,
  • mobile phone or tablet authentication to PACS with x509 authentications, and
  • credentials provisioned to a wallet or container on a mobile phone or tablet.

Likely a partly physical, partly virtual lab, it will feature some of the same companies as the Zero Trust Lab, and a “fairly immediate” launch is expected, Suder said.

Meanwhile the DFC Lab came out of a recently published Identity Management Working Group white paper, which requested demos proving the feasibility of agencies issuing and managing FIDO2 hardware tokens tied to existing physical credentials. 

FIDO2 lets users authenticate using mobile devices, so they no longer need their PIV cards or CACs on them at all times. What’s more, the DFC would be transferable if an employee switched agencies.

“These controls are established practices that minimize the risk of impersonation and allow for managing which resources an end user can interact with while leveraging a DFC,” the white paper reads. “Currently, no such guidance exists for the issuance and management of FIDO2 credentials, and enterprise use of these credentials has been limited for this reason.”

VA piloting trustworthy AI checklists for new and existing projects
https://fedscoop.com/va-piloting-ai-checklists/
Wed, 13 Jul 2022 19:30:53 +0000
The National AI Institute also has another AI tech sprint in the works around workforce development.

The Department of Veterans Affairs continues to pilot checklists for ensuring the artificial intelligence it’s using is trustworthy, according to the director of its National AI Institute.

Speaking during the ATARC Health IT Virtual Summit, Gil Alterovitz said a few Presidential Innovation Fellows are assisting NAII staff in developing field survey questions for existing AI projects.

The VA’s work aligns with the National AI Research Resource task force’s recent recommendation that funding and personnel be put toward studying trustworthiness and developing best practices for working responsibly with data and models. Similarly the Pentagon replaced a 3-star governance body with the 4-star Chief Digital and AI Office Governing Council to improve transparency as it accelerates AI efforts.

NAII already created a voluntary checklist for researchers starting to build AI models. It is piloting the checklist at different VA medical centers, and the checklist reflects the nine ethical principles listed in the Trustworthy AI Executive Order issued in December 2020.

“Just having the list itself is educational,” Alterovitz said. “And the results and decisions that were made — in terms of which type of software to use, which approach in terms of the data — were different in the medical center that had that [checklist], compared to one that did not.”

The planning checklist builds on the work of VA’s National Center for Ethics in Health Care and the Food and Drug Administration and helps researchers ensure AI project participants and veterans’ data are secure and training data is free of bias.

Survey questions on the checklist for existing AI projects follow three tracks: research and development, quality improvement, and procurement and contracting.

NAII is looking to expand the latter checklist to more VA medical centers, and a few other agencies have expressed interest in using it, Alterovitz said.

At the same time NAII is developing the checklist, it’s creating an initial AI project inventory to be released in accordance with the executive order in a couple of weeks.

NAII is also running another AI Tech Sprint — which awards cash prizes and carries the potential for contracts — aimed at workforce development. Teams have until August 1 to apply to develop platforms evaluating VA employees’ knowledge base and determining who among them is best suited for AI training.

Such training is increasingly important because the technology is moving away from humans simply telling AI what to do and toward more of a conversation.

“In the future, we’re going to have more of these human-AI interactions that are two-way,” Alterovitz said. “It’s going to be important to educate our workforce in that area.”

OMB working to develop system for real-time zero trust scoring
https://fedscoop.com/omb-zero-trust-scoring-system/
Thu, 07 Jul 2022 20:44:39 +0000
If implemented, OMB’s desired system would compare a session’s trust score to the trust requirement on a function or feature.

The Office of Management and Budget is working to develop a system that generates trust scores for users before allowing them to access its network or applications, according to the chief information security officer of its Management and Operations Division.

Speaking during an ATARC webinar Thursday, Dan Chandler said the idea is to use all the network information at OMB’s disposal to alert a user when their trust score isn’t high enough in real time — rather than simply reject their request.

The Cybersecurity Executive Order issued in May 2021 accelerated agencies’ efforts to implement zero-trust security architectures, but funding and expertise for systems like the one OMB envisions remain scarce.

“System may be too strong a word,” Chandler said. “This is an idea that we’re starting to develop.”

The comments come after Federal CIO Clare Martorana last month told FedScoop that OMB aspires to implement new trust measures as it works to improve security and customer experience.

Agencies use tools like Google Authenticator and others from Amazon Web Services and Microsoft Azure to authenticate users, but trust in them changes depending on current events. If a zero-day vulnerability is found in one of those services, trust in it may drop a certain percentage, Chandler said.

If implemented, OMB’s desired system would compare a session’s trust score to the trust requirement on a function or feature. If a user’s score is too low to grant access, a list of options for raising their score — like reauthenticating or inputting a personal identity verification card — might even be provided, Chandler said.

The Department of Commerce is also interested in evaluating the trust of users and devices, but network evidence isn’t feeding into and informing its zero-trust architecture yet.

“We’re just not there yet because the investments haven’t come through,” said Lawrence Anderson, deputy chief information officer at the Department of Commerce. “But at some point we’re going to need some advanced tools to get to that advanced level of zero trust that we want to get to.”

Meanwhile the General Services Administration is working on another authentication solution that is expected to cost slightly less than Login.gov.

OMB has run the MAX.gov system, which performs authentication using PIV cards, for years. Agencies use MAX.gov for their budget systems and other use cases.

“MAX.gov is being transitioned to GSA,” Chandler said. “So by the end of next year GSA is supposed to have stood up an alternative solution which, as I understand it, is going to be based on Azure Active Directory.”

National Vetting Center piloting automation of citizenship verification https://fedscoop.com/nvp-automating-citizenship-determinations/ Tue, 05 Apr 2022 20:23:36 +0000 https://fedscoop.com/?p=50024 “We want to make sure that we are protecting privacy, to the extent we’re supposed to, when it comes to U.S. persons,” said a DHS official.

The post National Vetting Center piloting automation of citizenship verification appeared first on FedScoop.
Customs and Border Protection plans to pilot technology that would automate the National Vetting Center’s process for verifying whether someone is a U.S. citizen.

The Department of Homeland Security Office of Intelligence & Analysis is assisting with the pilot, which is in the late planning stage, and the automation will be available in a year, according to Chief Information Security Officer Eric Sanders.

President Trump established the NVC in 2018 to streamline information sharing between the intelligence community (IC), agencies and law enforcement when determining the threat posed by people crossing U.S. borders. That calculus changes when dealing with a U.S. citizen.

“We want to make sure that we are protecting privacy, to the extent we’re supposed to, when it comes to U.S. persons,” Sanders said, during an ATARC panel discussion Tuesday.

I&A is one of nine DHS components with an intelligence mission and the only one where it’s the sole mission, providing information to the IC and state, local, tribal and territorial governments. The office helped CBP create the NVC with a focus on automating vetting, which sped up the process for Afghan refugees.

While facial recognition isn’t part of NVC’s process to Sanders’ knowledge, automation, especially using microservices, helps agencies share intelligence better and faster.

“Whereas before they had to work manually with the FBI and [the National Counterterrorism Center] to adjudicate somebody wanting to come into the country, we’re now able to automate that across the IC to make sure that we’re getting a holistic understanding of the person or persons that are trying to enter the country,” Sanders said.

Sanders also wants to automate the assessment and authorization of new security capabilities, particularly low-risk ones, freeing up employees to focus on bigger problems.

“Whether you’re talking about the [National Security Memorandum] or the [Cybersecurity] Executive Order and zero trust, you’re not going to get there without automation,” he said.

Role-based access controls aren’t enough in zero-trust environments. Attributes need to be assigned to people and things to make access decisions in real time with large volumes of data coming in quickly, Sanders said.

I&A’s priority is automating data sharing between domains so it can continue to trust people across environments over time, as threat actors’ tactics get more sophisticated. That requires monitoring even low-level environments threat actors access first, before moving into high-level ones, Sanders said.

The task is easier to do in some environments than others, with I&A considering the use of tokens or other cost-effective solutions in line with the IC’s future state.

“A lot of these classified systems are inside buildings where multi-factor is harder to do,” Sanders said. “I can’t use my cellphone for multi-factor authentication in a secure environment.”
