MITRE’s new AI Assurance and Discovery Lab is designed to assess the risk of systems using AI in simulated environments, red-teaming, and “human-in-the-loop experimentation,” among other things. The lab will also test systems for bias and users will be able to control how their information is used, according to the announcement.

In remarks presented at the Monday launch, Keoki Jackson, senior vice president of MITRE National Security Sector, pointed to the corporation’s poll that found less than half of the American public respondents thought AI would have the trust needed for applications. 

“We have some work to do as a nation, and that’s where this new AI lab comes in,” Jackson said.

Mitigating the risks of AI in government has been a topic of interest for lawmakers and was a key component of President Joe Biden’s October executive order on the technology. The order, for example, directed the National Institute of Standards and Technology to develop a companion to its AI Risk Management Framework for generative AI and create standards for AI red-teaming. MITRE’s new lab bills itself as a testbed for that type of risk assessment.

“The vision for this lab really is to be a place where we can pilot … and develop these concepts of AI assurance — where we have the tools and capabilities that can be adopted and applied to the special the specialized needs of different sectors,” Charles Clancy, MITRE senior vice president and chief technology officer, said at the event. 

Clancy also noted that both the “assurance” and “discovery” aspects of the new lab are important. Focusing too much on assurance and getting “tangled up in security” could prevent from balancing “against the opportunity,” he said. 

Members of the Virginia congressional delegation were also present to express their support at the event, which was held at MITRE’s McLean, Virginia, headquarters where the new lab is located. The three lawmakers were Reps. Gerry Connolly and Don Beyer, and Sen. Mark Warner. All are Democrats. 

Warner, in remarks at the event, said he worries that the race for the best large language model by companies like Anthropic, Open AI, Microsoft, and Google might be so intense that those entities aren’t building in assurance. 

“Getting it right is critical as any mission I can imagine, and I think, unfortunately, that we’re going to have to make sure that we come up with the standards,” Warner said. He added that policymakers are still trying to figure out whether the federal government houses AI expertise in one location, such as NIST or the Office of Science and Technology Policy, or spreads it out across the government. 

For MITRE, working on AI projects isn’t new. The corporation has been doing work in that space for roughly 10 years, Miles Thompson, MITRE’s AI assurance solutions lead, told FedScoop in an interview at the event. “Today really codifies that we’re going to provide this as a service now,” Thompson said of the new lab.

As part of its approach to evaluation, MITRE created its own process for AI risk assessment it calls the AI Assurance Process, which is consistent with existing standards for things like machinery and medical devices. Thompson described the process as “a stake in the ground for what we think is the best practice today,” noting that it could change with the evolving landscape. 

Thompson also said the level of assurance for that process changes depending on the system and how it’s being used. The consequences for something like Netflix’s recommendations system are low whereas those for AI for self-driving cars or air traffic control are dire, he said.

An example of how MITRE has applied that process to work with an agency is its recent work with the Federal Aviation Administration, Thompson said. 

The FAA and its industry partners came to MITRE to talk through potential tweaks to a standard inside the agency pertaining to software in airborne systems (DO-178C) that doesn’t currently address AI or machine learning, he said. Those conversations addressed the question of how that standard might change to be able to say “this use of AI is still safe,” he said. 

The post MITRE launches lab to test federal government AI risks appeared first on FedScoop.

The latest round of grading awarded one A, 10 Bs, 10 Cs, and three Ds to federal agencies, Rep. Gerry Connolly, D-Va., announced at a roundtable discussion on Capitol Hill. While the grades were generally a decline from the last iteration of the scorecard, Connolly said that starting at a “lower base” was expected with the addition of a new category. “The object here is to move up.”

Carol Harris, director of the Government Accountability Office’s IT and Cybersecurity team, who was also at the roundtable, similarly attributed the decline to the cloud category.

“A large part of this decrease in the grades was driven by the cloud computing category, because it is brand new, and it’s something that we’ve not had a focus on relative to the scorecard,” Harris said.

The FITARA scorecard is a measure of agency progress in meeting requirements of the 2024 Federal IT Acquisition Reform Act that has over time added other technology priorities for agencies. In addition to cloud, the new scorecard also changed existing metrics related to a 2017 law, added a new category grading IT risk assessment progress, and installed a progress tracker.

“I think it’s important the scorecard be a dynamic scorecard,” Connolly said in an interview with FedScoop after the roundtable. He added: “The goal isn’t, let’s have brand new, shiny IT. It’s to make sure that our functions and operations are better serving the American people and that they’re protected.”

Harris also underscored the accomplishments of the scorecard, citing $4.7 billion in savings as a result of closing roughly 4,000 data centers and $27.2 billion in savings as the result of eliminating duplicative systems across government.

“So, tremendous accomplishments all coming out of FITARA and the implementation of FITARA,” she said.

The Thursday roundtable featured agency representatives from the Office of Personnel Management, the Nuclear Regulatory Commission, the Department of Housing and Urban Development, and the U.S. Agency for International Development. USAID was the only agency to get an A.

Updated scorecard

Among the changes, the new scorecard updated the existing category for Modernizing Government Technology to reflect whether agencies have an account dedicated to IT that “satisfies the spirit of” the Modernizing Government Technology Act, which became law in 2017.

Under that metric, each agency must have a dedicated funding stream for government IT that’s controlled by the CIO and provides at least three years of flexible spending, Connolly said at the roundtable.

The transparency and risk management category has also evolved into a new CIO investment evaluation category, Connolly said in written remarks ahead of the roundtable. That category will grade how recently each agency’s IT Dashboard “CIO Evaluation History” data feed reflects new risk assessments for major IT investments, he said.

The 17th scorecard also added a progress tracker, which Connolly said Democrats on the House Subcommittee on Cybersecurity, Information Technology, and Government Innovation worked on with the GAO to create. Connolly is the ranking member of that subcommittee.

“This section will provide transparency into metrics that aren’t being regularly updated or do not lend themselves to grading across agencies,” Connolly said, adding the data “still merits congressional attention, and we want to capture it with this tool.”

The progress tracker also allows stakeholders to keep tabs on categories the subcommittee has retired for the scorecard.

The release of a new scorecard has in the past been a hearing, but Connolly indicated the Republican majority declined to take the issue up. 

At the start of the meeting, Connolly said he was “disappointed” that “some of the Republican majority had turned their backs on FITARA.” He later noted that by “the difference of two votes, this would be called a hearing instead of a meeting.”

FITARA scorecard grades in September were also announced with a roundtable and not a hearing.

“FITARA is a law concerning federal IT management and acquisition,” a House Committee on Oversight and Accountability spokesperson said in a statement to FedScoop. South Carolina Republican Rep. Nancy Mace’s “subcommittee has held a dozen hearings in the past year concerning not only federal information technology management and acquisition, but also pressing issues surrounding artificial intelligence, and cybersecurity. These hearings have been a critical vehicle for substantive oversight and the development of significant legislation.”

This story was updated Feb. 2, 2024, with comments from a House Committee on Oversight and Accountability spokesperson.

The post FITARA scorecard adds cloud metric, prompts expected grade declines appeared first on FedScoop.

In a new report, the Government Accountability Office said that while agency use of FedRAMP — the Federal Risk and Authorization Management Program — increased by about 60% between July 2019 and April 2023, the Office of Management and Budget and the General Services Administration, which the program operates under, still have work to do to alleviate challenges.

Several agencies, for example, disclosed that they used services that were not FedRAMP-authorized, despite an OMB requirement that all executive branch agencies use providers authorized by the program, the report said. That’s due in part to the absence of program oversight, GAO said.

“One reason that agencies have continued to use cloud services that are not FedRAMP authorized is that OMB has not adequately monitored agencies’ compliance with the program, as we recommended in our December 2019 report,” the report said. GAO has labeled that recommendation a priority. 

FedRAMP was created in 2011 to give federal agencies a standard process to authorize secure cloud services across the federal government. However, many in the federal IT space — particularly those firms that wish to provide cloud services to agencies — have criticized the program for being too slow-moving, costly and inconsistently implemented, creating a barrier to entry for some commercial cloud companies. In the decade-plus since FedRAMP was created, there have been numerous attempts via operations, policy and law to reform and tweak the program.

The GAO report ultimately made three new recommendations. It said OMB should issue guidance on tracking the cost of sponsoring a FedRAMP authorization and finalize its proposed guidance. It also said that GSA should develop a plan for guidance on how cloud service providers can navigate a specific Federal Information Processing Standard (FIPS 140-3) requirement, which is needed for authorization.

According to the report, GSA agreed with its recommendation and OMB didn’t comment on its recommendations. 

The watchdog acknowledged that OMB and the FedRAMP program management office within GSA have efforts underway to address some of the issues, including proposed guidance from OMB aimed at modernizing the program and FIPS guidance. But until each of those pieces of guidance is finalized, “the challenges may continue to increase the time spent and costs incurred when pursuing FedRAMP authorizations,” GAO said.

In a Thursday statement, Rep. Gerry Connolly, D-Va., who wrote the bipartisan FedRAMP Authorization Act, said he “welcomed” the report and is “encouraged by GAO’s finding that the guidance the Administration is developing pursuant to the FedRAMP Authorization Act will address the deficiencies in the program that GAO has identified.” 

“I urge OMB and GSA to finalize relevant FedRAMP guidance and agency implementation plans as required by the legislation, which we fought hard to enact,” said Connolly, who serves as ranking member of the House Subcommittee on Cybersecurity, Information Technology, and Government Innovation.

Among the issues GAO highlighted in the report were differences in how costs for FedRAMP authorizations are apprised. Its review of cost estimates from cloud services providers and agencies found variation “anywhere from tens of thousands to millions of dollars.” That’s partially the result of agencies and providers using different methods for the costs they included, the report said. It pointed to a lack of guidance.

“The varying methods were allowed as OMB had not provided agencies with guidance on what costs should be tracked and reported for pursuing authorizations,” the report said. “Accordingly, the lack of consistent data will prevent OMB from determining whether its goal of reducing FedRAMP costs will be achieved.”

The report also found that cloud services providers going through the FedRAMP authorization process had to change their encryption methods to adhere to a security requirement for those systems under the Federal Information Processing Standards, a set of IT requirements published by the National Institute of Standards and Technology. Cloud service providers need to comply with FIPS to achieve FedRAMP authorization, the report said.

According to the report, the acting director of FedRAMP said the program management office has draft guidance being reviewed by OMB that will address issues with the FIPS requirements but didn’t provide a timeline for issuing that guidance.

The post Agency FedRAMP usage increased but challenges persist, watchdog finds appeared first on FedScoop.

There was bipartisan agreement during the “Advances in Deepfake Technology” hearing that the government should play a role in regulating deceptive, AI-generated deepfake photos and videos that could harm people, particularly related to fake pornographic material. 

Approximately 96 percent of deepfake videos online are nonconsensual pornography, and most of them depict women, according to a study by the Dutch AI company Sensity.

Rep. Gerry Connolly, D-Va., ranking member of the House Oversight Subcommittee on Cybersecurity, IT, and Government Innovation, said additional funding for the Defense Advanced Research Projects Agency and the National Science Foundation is “critical” to creating advanced and effective deepfake detection tools. 

Dr. David Doermann, the interim chair of computer science and engineering at SUNY Buffalo, said during the hearing that DARPA was taking the lead within the federal government to tackle deepfakes, but highlighted that there was more that the agency could do.

“I think the explainability issues of AI are things that DARPA is looking at now,” Doermann said. “But we need to have the trust and safety aspects explored at the grassroots level for all of these things” within DARPA.

Connolly noted that the Biden administration’s recent AI executive order included productive steps to tackle deepfakes, leaning “on tools like watermarking that can help people identify whether what they’re looking at online is authentic as a government document or tool of disinformation.” 

“The order instructs the Secretary of Commerce to work enterprise-wide to develop standards and best practices for detecting fake content and tracking the providence of authentic information,” Connolly added.

Legislation to tackle deepfakes was introduced in May by Rep. Joe Morelle, D-N.Y. The “Preventing Deepfakes of Intimate Images Act” would make the sharing of nonconsensual deepfake pornography illegal. 

The proposed bill includes provisions to ensure that giving consent to create an AI image does not equate to consent to share the image. The bill also seeks to protect the anonymity of plaintiffs that sue to protect themselves from deepfake content.

The post AI deepfake detection requires NSF and DARPA funding and new legislation, congressman says appeared first on FedScoop.

The suggestions were among those that seemed to generate interest at a Tuesday roundtable on Capitol Hill, including some legislative interest in fixing cloud procurement from Connolly, the ranking member of the House Committee on Oversight and Reform’s subcommittee focused on cybersecurity and IT. 

The roundtable discussion followed the release of the latest Federal IT Acquisition Reform Act (FITARA) scorecard, which measures agency progress in meeting that statute’s requirements and centered on how agencies are progressing with cybersecurity improvements in government. 

Those in attendance included IT and cyber officials from the departments of Commerce, Veterans Affairs and State, Social Security Administration, Government Accountability Office, and General Services Administration.

Among the challenges for the government procuring cloud services is an absence of the definition of “cloud” in the Federal Acquisition Regulation (FAR), Carol Harris, a director for GAO’s IT and cybersecurity team, noted at the meeting. Harris said the GAO is currently looking into the main challenges for cloud procurement.

“In addition, there’s not a type of contract available that covers a consumption-based pricing model, which is what you do when you procure cloud,” Harris said. “And so because of these outdated requirements in the FAR, these agencies are having to do these workarounds, and that’s a major problem.”

Harris suggested there’s an opportunity for congressional action. 

“I have to admit, I did not know, and neither did GAO until recently, that the FAR – the major procurement vehicle of the federal government — has no definition of cloud,” Connolly told FedScoop after the meeting. 

He added: “We’re going to fix that.”

Harris also noted that there are challenges for agencies in how to effectively hire employees with cloud expertise, and agencies are awaiting requirements and deadlines from the Office of Management and Budget on the application rationalization component of the government’s cloud computing strategy “Cloud Smart.” 

Another suggestion on the performance metrics themselves came from Kelly Fletcher, chief information officer for the State Department, who pointed to the volume of cybersecurity scores agencies are given, including FITARA and Performance.gov metrics.

“In no way to impugn any of the scores, I think they’re all really valuable, but the problem is when I try to explain to my leadership ‘how are we doing on cybersecurity,’ frankly, I can pick and choose,” Fletcher said. 

She added: “I think some consistency across these public metrics would be very helpful.”

Connolly, in response, noted that FITARA is tied to the elements in the statute it stems from, but said he wasn’t sure if lawmakers were aware there were competing scores when they created the scorecard. “I think it’s good feedback for us to try to at least stay cognizant of those other measurements,” Connolly said.

The post Improving cloud procurement, consistent performance metrics among tech officials’ suggestions to Congress during FITARA meeting appeared first on FedScoop.

The number of CFO Act agencies receiving A grades on the 16th FITARA Scorecard — a measure of CIOs’ progress in meeting the requirements of the 2024 Federal IT Acquisition Reform Act that has evolved to incorporate other tech policies, laws and programs — grew to three since the previous grades were issued in December 2022. Those top-graded agencies are the departments of Education and Labor, and the U.S. Agency for International Development, which was the only one to earn an A last time around.

Meanwhile, six other agencies also improved their overall scores from a C to a B: the departments of Agriculture, Energy, Homeland Security and Interior, Office of Personnel Management, and Social Security Administration.

The rest of the field remained unchanged, sitting with either B or C grades.

Typically the House Oversight Committee hosts a hearing to review what’s been a biannual scorecard release since 2015 and calls on a variety of CIOs and federal IT leaders to testify on progress. But this time around, more than nine months since the last scorecard’s release, the House Subcommittee on Cybersecurity, Information Technology, and Government Innovation will host a roundtable led by Ranking Member Rep. Gerry Connolly, D-Va., on Tuesday afternoon with representatives from the Government Accountability Office, General Services Administration, departments of State, Veterans Affairs and Commerce, and Social Security Administration.

In his prepared opening remarks for that roundtable, Connolly said: “While the Chairwoman [Rep. Nancy Mace] has an ambitious agenda this Congress, we could not allow a lapse in having a scorecard and we remain committed to working with Chairwoman Mace on the evolution the FITARA Scorecard and have been collaborative in changes.”

“While I look forward to our Subcommittee FITARA oversight hearing later this year, we cannot abandon our traditional biannual oversight cadence of FITARA. As we consider incorporating many insights offered at today’s discussion into future FITARA Scorecards, I look forward to collaborating beyond just this event to create a thoughtful, effective, and bipartisan tool that empowers our CIOs and then holds them accountable for transformational IT change.”

Based on the scorecard the committee provided to FedScoop in advance of the roundtable, it appears a pair of new categories are being previewed for addition to the tool: one focused on cloud and another that is an aggregate measuring CIO reporting structure, budget and acquisitions.

The post One-third of agencies make gains in latest FITARA scorecard appeared first on FedScoop.

Reps. Gerry Connolly, D-Va., and Nancy Mace, R-S.C., introduced the Modernizing Government Technology Reform Act of 2023 on Monday, largely revising and adding some additional requirements to the original Modernizing Government Technology Act, passed in 2017. 

The new bill would reauthorize the TMF through 2030 and authorize the addition of $50 million to the fund, according to the bill’s text. Under the original law, the fund is set to sunset in 2025.

The bill also looks to increase the effectiveness of TMF by creating new reporting requirements for the Federal CIO and agency CIOs, namely requiring them to create inventories of high-risk IT systems used across the government. The Federal CIO would be required to use those to create a priority list of systems most needed in modernization and report them to Congress.

Connolly said in an emailed comment that the bill is a “welcomed” demonstration of support for the Modernizing Government Technology (MGT) Act and the fund.

“It follows the critical $1 billion appropriation Congress provided the TMF as part of the American Rescue Plan, which I was proud to fight for,” Connolly said. 

The Committee on Oversight and Accountability is expected to meet Wednesday morning for a markup of the bill.

The post Bill revising Technology Modernization Fund would extend program through 2030 appeared first on FedScoop.

The course was designed to educate congressional staff on federal data policy, how to better work with government data, and to modernize government data via new policy ideas.

Staff and policy aides from the offices of Sen. Tim Scott, R-S.C., and Reps. Derek Kilmer, D-Wash., Gerry Connolly, D-Va., and Mark Takano, D-Calif., among others, took part in the program run by the University of California at Berkeley and USAFacts, a nonprofit and nonpartisan civic initiative focused on making government data more accessible. The cohort was 60% Democrats, 20% Republicans and 20% nonpartisan, according to organizers.

Forty-two staffers enrolled in the program, which began in February and will conclude this month. The program included eight classroom sessions held remotely with a mix of live and recorded lectures and opportunities for in-person meetings in D.C.

“The Data Skills for Congress program, launched in 2023, equips member and professional staff with skills to use data in policy-making and constituent services, and write legislation to improve public data,” USAFacts said in a blog post last week.

“This free program isn’t just an education in data literacy in order to shape policies that ensure accurate, usable data flows within government. It’s a catalyst for congressional modernization and a rallying cry for greater data use across Congress,” the group added.

The Data Skills for Congress class is the first program of its kind approved by the House and Senate Ethics Committees and is intended to be a first step toward providing skills and context for data policy and practices.

Some members of Congress, like Kilmer, are pushing for greater data-driven decision-making in Congress through recently introduced bipartisan legislation that would create a commission on “evidence-based policymaking” within Congress to ensure policymaking is based more on federal data and facts rather than opinions. The bill would also push for the creation of a chief data office responsible for cultivating congressional data strategies.

The Data Skills for Congress organizers say they exceeded enrollment goals in this first program by 66% and 87% of participants reported they would recommend the program to their peers. 

“I learned a lot and I think these are basic skills all congressional staff should have,” one congressional participant said, according to USAFacts.

The pilot program was focused on five key objectives related to U.S. open data topics:

• Educate participants on existing U.S. data policies through seminars led by data policy experts;
• Develop an understanding of open data challenges and technologies common in the U.S.;
• Build basic skills in data collection and visualization;
• Apply new open data knowledge to produce reports based on publicly available data or draft policy to improve government data; and
• Create relationships with other congressional staff who share an interest in open data and its use in Congress.

The post Hill staffers participate in first-ever Data Skills for Congress program appeared first on FedScoop.

Despite the decade-old mandate that agencies use FedRAMP to ensure services meet federal cloud security standards, the four departments — Treasury, Labor, Homeland Security and Agriculture — inconsistently implemented the program’s requirements, the GAO report on cloud security details.

All 15 of the systems that the GAO audited among the departments — which included a variety of infrastructure-, platform- and software-as-a-service instances — had been FedRAMP authorized at some point in time. But in the specific contracts with the departments for the systems at hands, just four of the 15 completely met the requirements of FedRAMP.

The rest were a mixed bag, in some cases failing to document the authorization of the system and cloud service in use, provide an authorization letter to the FedRAMP program office, or hold the provider to comply with FedRAMP requirements.

Again, all of the systems used cloud services that had been deemed at one point in time to be secure and authorized for federal use by the FedRAMP program. But, as the report explains: “Until the agencies fully implement each of the FedRAMP requirements, they will likely not fully identify the security risk of the system, and ensure they are notified by FedRAMP of any changes to the authorization of the CSP. In addition, there is an increased risk that the CSPs used by the agencies will not fully implement FedRAMP requirements.”

The results of the audit come just after last year’s passage of the FedRAMP Authorization Act, which codified the program as the federal standard for authorizing cloud services.

The report also highlighted similar inconsistencies by the departments to implement continuous monitoring plans for the cloud service contracts.

Rep. Gerry Connolly, D-Va., who keeps a close eye on federal IT and was the author of the recent FedRAMP legislation, pushed for agencies to “bake” security measures into their cloud efforts.

“Increased cloud computing adoption opens the door for the federal government to provide higher quality services at lower costs. But any successful modernization strategy must also have security measures baked throughout. Embracing new technologies cannot sacrifice product quality, cost, or cybersecurity,” Connolly said in a statement.

He added: “GAO’s recent cloud security report rightly pushes agencies to bolster their continuous monitoring efforts. As the author of the FedRAMP Authorization Act and Ranking Member of the Subcommittee on Cybersecurity, Information Technology, and Government Innovation, I encourage all agencies to fully address their FedRAMP requirements.”

The post Agencies fall short implementing FedRAMP requirements for cloud vendors, GAO finds appeared first on FedScoop.

The responsibilities of the House Oversight Committee’s Government Operations subcommittee will now be undertaken by two separate subcommittees: one will focus on IT, cybersecurity and procurement, while the other will focus on the federal workforce, according to a Hill staffer familiar with the matter.

Details of the new subcommittee structure have yet to be finalized, and a vote on the change is expected to take place in the coming weeks.

The changes in the subcommittees come after Republican leaders including Majority Leader Kevin McCarthy and Comer changed the name of the full committee from the Oversight and Reform Committee to its current title to highlight its focus on oversight and accountability. The full oversight committee is led by Rep. James Comer, R-KY.

Since the 2022 midterm elections, which flipped control of the House of Representatives from Democrats to Republicans, the GOP has been vocal about increased oversight of IT and cybersecurity spending at federal agencies including the IRS, DHS and FTC.

The party has also stressed that it intends to redouble its focus on agency record-keeping and spending on disinformation programs that Republican lawmakers view as potentially curtailing free speech. 

The former chair of the House Oversight Government Operations subcommittee, Rep. Gerry Connolly, D-V.A., had in 2019 consolidated the previous two subcommittees of IT spending and federal workforce under the government operations subcommittee. 

This was due to his focus on both issues as a Virginia congressman with a large number of constituents in the federal government.

Details of the anticipated subcommittee structure were first reported by Federal News Network.

The post House Oversight expected to create new IT and cybersecurity subcommittee appeared first on FedScoop.