Cybersecurity and Infrastructure Security Agency (CISA) Archives | FedScoop
https://fedscoop.com/tag/cisa/

For GSA, a new step to secure the software acquisition process begins
https://fedscoop.com/for-gsa-a-new-step-in-the-software-acquisition-process-begins/
Tue, 11 Jun 2024 20:03:12 +0000

This week marks the beginning of the agency’s collection of self-attestation forms from software providers and offerers.

Starting this week, the General Services Administration is collecting common forms for new software contracts from providers and contractors in accordance with a 2022 Office of Management and Budget memo regarding software supply chain security.

In a May memorandum, GSA announced that beginning June 8, the agency would start collecting information for new contracts of all sizes — including “micropurchases” — from software offerers and contractors. That information would attest to government-specified secure software development practices.

Nick Mistry, the chief information security officer for Lineaje, a software supply chain security management company, said in an interview with FedScoop that he believes GSA’s June 8 start for the new guidance is “a really good thing for both the industry and government.”

The self-attestation requirements “will obviously add another step in the process, but it’s a very necessary step,” Mistry said. “Will there be a period of confusion where people don’t know exactly what’s required, both on the government side as well as industry side? But I think those things will just shake out over time. I think the net benefit is all positive.”

A GSA spokesperson said in an email to FedScoop that the agency “held multiple industry listening sessions before crafting our implementation of OMB memos M-22-18 and M-23-16. GSA took feedback from these sessions into consideration while also ensuring we met the deadlines in the OMB memoranda.”

The spokesperson noted that the agency “met the deadline for implementation to best support our customer agencies” and integrated the self-attestation form into its existing IT standards process to make attesting “as frictionless as possible” for the GSA’s vendors. 

The GSA is encouraging software vendors to create an account on the Cybersecurity and Infrastructure Security Agency’s repository website, the spokesperson added.

In March, CISA released the Secure Software Development Attestation Form, which required the companies that manufacture software used by the federal government to “attest to the adoption of secure development practices.” That form could either be submitted to a repository or emailed to the relevant agency. 

GSA noted in its May memorandum that while the agency already had a requirement for its IT department to “approve software before it could be acquired and used,” the OMB memo mandated the department to update “how it collects, reviews, retains and monitors industry attestation information.”

House bill calls on CISA to form AI task force
https://fedscoop.com/house-bill-calls-on-cisa-to-form-ai-task-force/
Wed, 15 May 2024 16:01:29 +0000

The legislation from Reps. Carter and Thompson would require the cyber agency to create an internal task force focused on safety and security concerns posed by AI.

Two Democrats on the House Homeland Security Committee are calling on the Cybersecurity and Infrastructure Security Agency to create an internal task force to address safety and security concerns presented by artificial intelligence.

The CISA Securing AI Task Force Act, introduced Tuesday by Reps. Troy Carter, D-La., and Bennie Thompson, D-Miss., would require the agency’s director to assemble an AI-focused task force, made up of personnel across CISA’s offices and divisions, within one year of the bill’s enactment. 

That task force would be charged with coordinating CISA directives called out in President Joe Biden’s AI executive order governing use of the technology. The EO has a specific note for CISA to coordinate with federal agencies on red-teaming for generative AI.

“This Task Force will enhance the safe and secure design, development, adoption, and deployment of AI across critical sectors by bringing together diverse expertise within CISA,” Reps. Carter and Thompson said in a statement.

Following the formation of the CISA AI group, members would be tasked with evaluating agency security initiatives, guidance and programs dealing with the technology, providing recommendations for changes as necessary.

The task force would also advise stakeholders on cyber risks tied to AI-based software and coordinate the implementation of secure AI products. Recommendations to CISA’s director on related initiatives would also be expected from the task force, as would support for the publication of the agency’s AI use case inventory. 

Carter, a member of the Cybersecurity and Infrastructure Protection Subcommittee, and Thompson, ranking member on the House Homeland Security Committee, said that as AI evolves and is increasingly integrated into the everyday lives of Americans, this bill underlines a “commitment to proactive risk mitigation and preparedness.” 

“The CISA Securing AI Task Force Act will strengthen America’s cybersecurity framework, safeguarding against emerging threats and ensuring the responsible advancement of AI technologies,” the lawmakers said.

The legislation comes months ahead of the November presidential election, which could have substantial implications on the cyber agency. In a February interview with Politico, Thompson expressed concern about CISA’s future in the event of a second term for Donald Trump, saying that the former president “politicized the national security apparatus” and represents “a threat to CISA” and to democracy. 

Bipartisan Senate bill on AI security would bolster voluntary cyber reporting processes
https://fedscoop.com/senate-bill-on-ai-security-bolster-voluntary-cyber-reporting/
Thu, 02 May 2024 19:09:30 +0000

The AI Act of 2024 from Sens. Warner and Tillis calls on NIST and CISA to update databases and NSA to launch an AI security center.

A bipartisan Senate bill released Wednesday would strengthen security measures around artificial intelligence, overhauling a series of actions including cyber vulnerability tracking and a public database for AI incident reports.

The Secure AI Act of 2024, introduced by Sens. Mark Warner, D-Va., and Thom Tillis, R-N.C., requires the National Institute of Standards and Technology to update the National Vulnerability Database (NVD) and the Cybersecurity and Infrastructure Security Agency to update the Common Vulnerabilities and Exposures (CVE) program, or create a new process, according to a summary of the bill.

Additionally, the bill would charge the National Security Agency with establishing an AI Security Center that would provide an AI test-bed for research for private-sector and academic researchers, and develop guidance to prevent or mitigate “counter AI-techniques.”

“Safeguarding organizations from cybersecurity risks involving AI requires collaboration and innovation from both the private and public sector,” Tillis said in a press release. “This commonsense legislation creates a voluntary database for reporting AI security and safety incidents and promotes best practices to mitigate AI risks.” 

Under the legislation, CISA and NIST would have one year to develop and implement a voluntary database for tracking AI security and safety incidents, which would be available to the public. 

Similarly, NIST would only have 30 days after the enactment of this legislation to initiate a “multi-stakeholder process” to evaluate if the consensus standards for vulnerability reporting accommodate AI security vulnerabilities. After establishing this process, NIST would have 180 days to submit a report to Congress about the sufficiency of reporting processes. 

“By ensuring that public-private communications remain open and up-to-date on current threats facing our industry, we are taking the necessary steps to safeguard against this new generation of threats facing our infrastructure,” Warner said in the press release.

CISA unveils guidelines for AI and critical infrastructure
https://fedscoop.com/cisa-unveils-guidelines-for-ai-and-critical-infrastructure/
Mon, 29 Apr 2024 10:00:00 +0000

The guidance for owners and operators in the 16 critical infrastructure sectors covers the opportunities and threats AI might pose.

The Cybersecurity and Infrastructure Security Agency on Monday released safety and security guidelines for critical infrastructure, a move that comes just days after the Department of Homeland Security announced the formation of a safety and security board focused on the same topic. The guidelines for critical infrastructure owners and operators also fulfill CISA’s obligations under the Biden administration’s October executive order on artificial intelligence.

The guidelines are meant to address both the opportunities made possible by artificial intelligence for critical infrastructure — which spans 16 sectors, including farming and information technology — and the ways it could be weaponized or misused. CISA instructs operators and owners of critical infrastructure to govern, map, measure, and manage their use of the technology, incorporating the National Institute of Standards and Technology’s AI risk management framework.

“Based on CISA’s expertise as National Coordinator for critical infrastructure security and resilience, DHS’ Guidelines are the agency’s first-of-its-kind cross-sector analysis of AI-specific risks to critical infrastructure sectors and will serve as a key tool to help owners and operators mitigate AI risk,” CISA Director Jen Easterly said in a statement.

The guidelines emphasize a range of steps, including understanding the dependencies of AI vendors that operators might be working with and inventorying AI use cases. They also encourage critical infrastructure owners to create procedures for reporting AI security risks and continually testing AI systems for vulnerabilities. 

Opportunities related to AI span categories including operational awareness, customer service automation, physical security, and forecasting, according to the guidelines. At the same time, the new document also warns that AI risks to critical infrastructure could include attacks facilitated with AI, attacks aimed at AI systems, and “failures in AI design and implementation,” which could lead to potential malfunctions or other unintended consequences. 

“AI can present transformative solutions for U.S. critical infrastructure, and it also carries the risk of making those systems vulnerable in new ways to critical failures, physical attacks, and cyber attacks. Our Department is taking steps to identify and mitigate those threats,” Homeland Security Secretary Alejandro Mayorkas said in a statement. 

DHS has been especially active in recent months on artificial intelligence, most notably with the release of its AI roadmap in March. Earlier this month, the department announced that Office of Management and Budget alum Michael Boyce would lead its AI Corps, a group of 50 experts in the technology that the agency aims to hire through 2024. The department also brought on technology company executives — including Sam Altman of OpenAI and Sundar Pichai from Alphabet — to assist with its new board focused on AI and critical infrastructure. 

CISA’s chief data officer: Bias in AI models won’t be the same for every agency
https://fedscoop.com/ai-models-bias-datasets-cisa-chief-data-officer/
Wed, 24 Apr 2024 20:24:19 +0000

Monitoring and logging are critical for agencies as they assess datasets, though “bias-free data might be a place we don’t get to,” the federal cyber agency’s CDO says.

As chief data officer for the Cybersecurity and Infrastructure Security Agency, Preston Werntz has made it his business to understand bias in the datasets that fuel artificial intelligence systems. With a dozen AI use cases listed in CISA’s inventory and more on the way, one especially conspicuous data-related realization has set in.

“Bias means different things for different agencies,” Werntz said during a virtual agency event Tuesday. Bias that “deals with people and rights” will be relevant for many agencies, he added, but for CISA, the questions become: “Did I collect data from a number of large federal agencies versus a small federal agency [and] did I collect a lot of data in one critical infrastructure sector versus in another?”

Internal gut checks of this kind are likely to become increasingly important for chief data officers across the federal government. CDO Council callouts in President Joe Biden’s AI executive order cover everything from the hiring of data scientists to the development of guidelines for performing security reviews.

For Werntz, those added AI-related responsibilities come with an acknowledgment that “bias-free data might be a place we don’t get to,” making it all the more important for CISA to “have that conversation with the vendors internally about … where that bias is.”

“I might have a large dataset that I think is enough to train a model,” Werntz said. “But if I realize that data is skewed in some way and there’s some bias … I might have to go out and get other datasets that help fill in some of the gaps.”

Given the high-profile nature of agency AI use cases — and critiques that inventories are not fully comprehensive or accurate — Werntz said there’s an expectation of additional scrutiny on data asset purchases and AI procurement. As CISA acquires more data to train AI models, that will have to be “tracked properly” in the agency’s inventory so IT officials “know which models have been trained by which data assets.” 

Adopting “data best practices and fundamentals” and monitoring for model drift and other potentially problematic AI concepts is also top of mind for Werntz, who emphasized the importance of performance security logging. That comes back to having an awareness of AI models’ “data lineage,” especially as data is “handed off between systems.” 

Beyond CISA’s walls, Werntz said he’s focused on sharing lessons learned with other agencies, especially when it comes to how they acquire, consume, deploy and maintain AI tools. He’s also keeping an eye out for technologies that will support data-specific efforts, including those involving tagging, categorization and lineage.

“There’s a lot of onus on humans to do this kind of work,” he said. “I think there’s a lot of AI technologies that can help us with the volume of data we’ve got.” CISA wants “to be better about open data,” Werntz added, making more of it available to security researchers and the general public. 

The agency also wants its workforce to be trained on commercial generative AI tools, with some guardrails in place. As AI “becomes more prolific,” Werntz said internal trainings are all about “changing the culture” at CISA to instill more comfort in working with the technology.

“We want to adopt this. We want to embrace this,” Werntz said. “We just need to make sure we do it in a secure, smart way where we’re not introducing privacy and safety and ethical kinds of concerns.” 

Cybersecurity executive order requirements are nearly complete, GAO says
https://fedscoop.com/cybersecurity-executive-order-requirements-gao-omb-cisa/
Mon, 22 Apr 2024 20:20:47 +0000

CISA and OMB have just a handful of outstanding tasks to finish as part of the president’s 2021 order.

Just a half-dozen leadership and oversight requirements from the 2021 executive order on improving the nation’s cybersecurity remain unfinished by the agencies charged with implementing them, according to a new Government Accountability Office report.

Between the Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology and the Office of Management and Budget, 49 of the 55 requirements in President Joe Biden’s order aimed at safeguarding federal IT systems from cyberattacks have been fully completed. Another five have been partially finished and one was deemed to be “not applicable” because of “its timing with respect to other requirements,” per the GAO.

“Completing these requirements would provide the federal government with greater assurance that its systems and data are adequately protected,” the GAO stated.

Under the order’s section on “removing barriers to threat information,” OMB only partially incorporated into its annual budget process a required cost analysis.

“OMB could not demonstrate that its communications with pertinent federal agencies included a cost analysis for implementation of recommendations made by CISA related to the sharing of cyber threat information,” the GAO said. “Documenting the results of communications between federal agencies and OMB would increase the likelihood that agency budgets are sufficient to implement these recommendations.”

OMB also was unable to demonstrate to GAO that it had “worked with agencies to ensure they had adequate resources to implement” approaches for the deployment of endpoint detection and response, an initiative to proactively detect cyber incidents within federal infrastructure. 

“An OMB staff member stated that, due to the large number of and decentralized nature of the conversations involved, it would not have been feasible for OMB to document the results of all EDR-related communications with agencies,” the GAO said.

OMB still has work to do on logging as well. The agency shared guidance with other agencies on how best to improve log retention, log management practices and logging capabilities but did not demonstrate to the GAO that agencies had proper resources for implementation. 

CISA, meanwhile, has fallen a bit short on identifying and making available to agencies a list of “critical software” in use or in the acquisition process. OMB and NIST fully completed that requirement, but a CISA official told the GAO that the agency “was concerned about how agencies and private industry would interpret the list and planned to review existing criteria needed to validate categories of software.” A new version of the category list and a companion document with clearer explanations is forthcoming, the official added. 

CISA also has some work to do concerning the Cyber Safety Review Board. The multi-agency board, made up of representatives from the public and private sectors, has felt the heat from members of Congress and industry leaders over what they say is a lack of authority and independence. According to the GAO, CISA hasn’t fully taken steps to implement recommendations on how to improve the board’s operations. 

“CISA officials stated that it has made progress in implementing the board’s recommendations and is planning further steps to improve the board’s operational policies and procedures,” the GAO wrote. “However, CISA has not provided evidence that it is implementing these recommendations. Without CISA’s implementation of the board’s recommendations, the board may be at risk of not effectively conducting its future incident reviews.”

Federal agencies have, however, checked off the vast majority of boxes in the EO’s list. “For example, they have developed procedures for improving the sharing of cyber threat information, guidance on security measures for critical software, and a playbook for conducting incident response,” the GAO wrote. Additionally, the Office of the National Cyber Director, “in its role as overall coordinator of the order, collaborated with agencies regarding specific implementations and tracked implementation of the order.”

The GAO issued two recommendations to the Department of Homeland Security, CISA’s parent agency, and three to OMB on full implementation of the EO’s requirements. OMB did not respond with comments, while DHS agreed with GAO recommendations on defining critical software and improving the Cyber Safety Review Board’s operations.

Department of Homeland Security lays out AI plans in new roadmap
https://fedscoop.com/dhs-ai-roadmap/
Mon, 18 Mar 2024 19:38:06 +0000

The agency is planning a department-wide directive on AI, plus new guidance from CISA and a report on the technology’s risk from its weapons of mass destruction unit.

The Department of Homeland Security on Monday released its first-ever artificial intelligence roadmap, which is meant to spell out the agency’s current use of the technologies and its plans for the future. 

Key points include a forthcoming DHS-wide policy directive on artificial intelligence, new guidance from the Cybersecurity and Infrastructure Security Agency focused on AI security, and an expected report from the Countering Weapons of Mass Destruction Office focused on the technology’s risks. The roadmap also highlights several ways the agency plans to use or is already using artificial intelligence, including for tracking suspicious vehicle patterns at the border and assessing damage to buildings after disasters. 

“The unprecedented speed and potential of AI’s development and adoption presents both enormous opportunities to advance our mission and risks we must mitigate,” DHS Secretary Alejandro N. Mayorkas said in a press release.

Several DHS applications focus on generative AI or language models, including building an AI sandbox to experiment with large language models. The document says U.S. Citizenship and Immigration Services is considering using LLMs to train officers working with refugee and asylum applicants, while Homeland Security Investigations, the agency’s investigative arm, is looking at using the technology to look for patterns in documents being analyzed as part of investigations. The Federal Emergency Management Agency, meanwhile, is planning to use generative AI to help with creating mitigation plans required for certain community resilience grants.   

The document also highlights other goals, including a new working group based in the Science and Technology Directorate that will eventually produce an action plan meant to address topics like algorithm training, pilots, and AI-enabled adversaries. The directorate will also create a testbed that will provide independent assessment services.

The roadmap comes as the agency ramps up its work on artificial intelligence. Last month, DHS announced it would hire 50 new AI experts for its AI Corps. Last year, the agency established an AI task force and released guidance meant to direct how employees use tools like ChatGPT and Dall-E.

DHS, per previous FedScoop reporting, has repeatedly updated its AI inventory, a public list of use cases required by a Trump-era executive order. That inventory has also been criticized by the Government Accountability Office for including a non-AI use case.

CISA, OMB release secure software development attestation form
https://fedscoop.com/cisa-omb-secure-by-design-software-attestation-form/
Wed, 13 Mar 2024 14:21:24 +0000

Manufacturers of software sold to the federal government will be required to fill out the form, which aligns with CISA’s secure-by-design principles.

Makers of software used by the federal government will now be required to affirm that their products are manufactured with secure development practices in mind, filling out a form released Monday by the Cybersecurity and Infrastructure Security Agency and the Office of Management and Budget. 

The Biden administration’s secure software development attestation form comes following “extensive stakeholder and industry engagement” intended to ensure that “the software producers who partner with the federal government leverage minimum secure development techniques and toolsets,” per a statement from the agencies.

In a blog post, Chris DeRusha, the federal chief information security officer and deputy national cyber director, and Eric Goldstein, CISA’s executive assistant director for cybersecurity, said that the release of the form builds on the administration’s national cybersecurity strategy and on President Joe Biden’s 2021 executive order on improving the nation’s cybersecurity.

“By ensuring our Government uses software products from software producers that leverage best practices for secure development, we not only strengthen the security of the Federal Government, but drive improvements for customers across the globe,” DeRusha and Goldstein wrote. “We envision a software ecosystem where our partners in state and local government, as well as in the private sector, also seek these assurances and leverage software that is built to be secure by design.”

DeRusha and Goldstein noted that the new form reinforces CISA’s secure-by-design principles. Those principles, which are also followed by federal government partners and international allies, put the security onus on the software producer rather than the customer. Software should be developed with “radical transparency and accountability” by makers that have organizational structure and leadership aligned with those goals.

Speaking Wednesday at the Elastic Public Sector Summit, produced by FedScoop, Goldstein called CISA’s work to promote secure-by-design software one of the agency’s most important goals “for scale.”

“The most effective way to drive the security and scale of every enterprise is to actually use products that are … verifiably secure by design,” he said, adding that CISA “can’t do it without all of your help,” referring to those from industry in attendance.

Specifically, the form’s checklist has callouts on secure principles, including: logging, monitoring and auditing of trusted relationships used for authorization and access; employing multi-factor authentication; encrypting sensitive data, like credentials; using automated tools to check for vulnerabilities; and maintaining trusted source code supply chains, among several others.

The form release comes a little less than a month after the public comment period closed for CISA’s request for feedback on its “secure by design” white paper, which pushed software manufacturers to adopt tougher security standards. 

Federal Highway Administration wants feedback on proposal to use cyber tool
https://fedscoop.com/federal-highway-administration-cybersecurity-tool/
Wed, 06 Mar 2024 17:35:43 +0000

The FHWA plans to adopt CISA’s Cyber Security Evaluation Tool so that its transportation authorities can better identify and respond to cyber incidents.

The Department of Transportation’s Federal Highway Administration is seeking public comments on its proposal to allow transportation authorities to use a Cybersecurity and Infrastructure Security Agency tool to better address cyber incidents.

The FHWA’s proposal to adopt CISA’s Cyber Security Evaluation Tool — which “authorities can use to assist in identifying, detecting, protecting against, responding to, and recovering from cyber incidents,” per a Federal Register posting — would meet a requirement called out in the bipartisan infrastructure law of 2021.   

The agency said in the posting that it “thinks it is appropriate to leverage CISA’s expertise instead of attempting to create a separate and potentially duplicative tool.” CSET, which is available for public download, provides modules and questionnaires tailored to specific critical infrastructure sectors. The voluntary software tool takes “a systematic approach to assess cybersecurity controls and processes.” 

FHWA’s decision to use CSET was made following coordination with CISA and the Transportation Security Administration, as well as consultation with various stakeholders on the efficacy of the tool. The FHWA noted that many state agencies use CSET, “while others customize alternative cybersecurity solutions to align with their distinct mission requirements.”

The FHWA said it will continue to partner with other federal agencies charged with the development of cybersecurity tools so that it can “ensure highway-related equities are considered and incorporated appropriately.”

The deadline to submit comments on the FHWA’s proposal is April 19, though late submissions “will be considered to the extent practicable.”

CISA establishing new office focused on zero trust
https://fedscoop.com/cisa-zero-trust-initiative-office-sean-connelly/
Thu, 15 Feb 2024 18:06:36 +0000

The Zero Trust Initiative Office will provide education and training to federal agencies, while building on previous CISA guidance on the security framework.

The Cybersecurity and Infrastructure Security Agency is opening up an office dedicated to helping federal agencies implement zero trust security principles, leaning further into the Biden administration’s push toward broader adoption of the framework.   

Speaking Thursday at CyberScoop’s Zero Trust Summit, Sean Connelly, CISA’s senior cybersecurity architect and trusted internet connections program manager, said the agency’s Zero Trust Initiative Office is intended to provide federal agencies with more comprehensive trainings and resources. 

“We’re working with various organizations to support broad training,” Connelly said. “We also have some in-house training we’ve done with a number of agencies [and have made available] playbooks and guidance [for] agencies that want to know how to move toward zero trust.”

The new office will offer expanded training on zero trust principles and will also include an effort to better identify the skills and knowledge needed for successful implementations of the architecture. The office’s playbooks will build on current CISA resources, specifically the agency’s Zero Trust Maturity Model and Trusted Internet Connections 3.0.

Connelly said the office will also focus on community building and collaboration, some of which will come in the form of expanded relationships with interagency partners and the broader IT community. A slide deck presented by Connelly highlighted the creation of two zero trust interagency working groups centered on practitioners and network modernization.

Finally, the office will be tasked with assessing agencies’ zero trust maturity. Connelly said the agency is working with the Office of Management and Budget on how agencies can “move forward” through the stages laid out in CISA’s model. CISA, OMB and others will work together to develop metrics and benchmarks that track agencies’ progress toward maturity.

The establishment of CISA’s new zero trust-focused office builds upon the principles laid out in the National Institute of Standards and Technology’s “Zero Trust Architecture” publication, the strategies detailed in OMB’s zero trust strategy and a 2021 executive order focused on cybersecurity.
