Gary Peters Archives | FedScoop
https://fedscoop.com/tag/gary-peters/

Bipartisan Senate bill would establish federal AI acquisition guardrails
https://fedscoop.com/bipartisan-bill-would-establish-ai-acquisition-guardrails/
Wed, 12 Jun 2024 22:13:50 +0000

A new bill from Sens. Gary Peters, D-Mich., and Thom Tillis, R-N.C., would require agencies to assess the risks of AI before acquiring it.

The post Bipartisan Senate bill would establish federal AI acquisition guardrails appeared first on FedScoop.

Federal agencies would have to assess the risks of artificial intelligence technologies before purchasing them and using them under a new bipartisan Senate bill. 

The legislation, among other things, would establish pilot programs to try out “more flexible, competitive purchasing practices” and require government contracts for AI “to include safety and security terms for data ownership, civil rights, civil liberties and privacy, adverse incident reporting and other key areas,” according to a release.

“Artificial intelligence has the power to reshape how the federal government provides services to the American people for the better, but if left unchecked, it can pose serious risks,” Sen. Gary Peters, D-Mich., who sponsors the bill with Sen. Thom Tillis, R-N.C., said in a statement. “These guardrails will help guide federal agencies’ responsible adoption and use of AI tools, and ensure that systems paid for by taxpayers are being used safely and securely.”

According to the release, the Promoting Responsible Evaluation and Procurement to Advance Readiness for Enterprise-wide Deployment (PREPARED) for AI Act builds on a law passed in 2022 that required agencies to protect privacy and civil rights when purchasing AI. That legislation was also sponsored by Peters. President Joe Biden cited that law in a section of his executive order on AI that directed the Office of Management and Budget to take action on addressing federal AI acquisition. 

The OMB in March asked for input on AI procurement, including how the administration can promote competition and protect the government’s rights to access its data in those contracts. The administration has said it plans to take action on AI procurement later this year.

“As the role of artificial intelligence in the public and private sectors continues to grow, it is crucial federal agencies have a robust framework for procuring and implementing AI safely and effectively,” Tillis said in the release. 

A Senate Homeland Security and Governmental Affairs Committee aide told FedScoop that Peters, who chairs the panel, plans a markup for the bill this summer. Once it’s passed by the panel, the aide said Peters “will keep all options on the table and pursue any path forward, whether that’s advancing the bill as a standalone or as part of a larger vehicle.” 

The bill has the support of Center for Democracy and Technology, Transparency Coalition, the AI Procurement Lab, and the Institute of Electrical and Electronics Engineers (IEEE), according to the release.

Bipartisan Senate proposal calls for AI workforce framework from NIST
https://fedscoop.com/bipartisan-senate-proposal-calls-for-ai-workforce-framework/
Tue, 13 Feb 2024 21:30:06 +0000

The new legislation would direct NIST to develop a workforce framework for artificial intelligence and explore frameworks for other emerging and critical technology roles.

A new bipartisan Senate bill seeks to improve the U.S. pipeline for jobs in artificial intelligence and other emerging technologies through the development of a workforce framework from the National Institute of Standards and Technology.

The “AI and Critical Technology Workforce Framework Act,” introduced by Sens. Gary Peters, D-Mich., and Eric Schmitt, R-Mo., would direct NIST to create a workforce framework for AI and assess whether other critical or emerging technology areas might also benefit from frameworks, according to bill text and a release provided to FedScoop.

“As artificial intelligence continues to play a bigger role in our society, it’s critical the future of this groundbreaking technology is formed in the United States. The way to ensure that happens is by building a workforce engaged in these new technologies,” Peters, chairman of the Senate Homeland Security and Governmental Affairs Committee, said in a written statement.

The bill is intended to build upon NIST’s existing National Initiative for Cybersecurity Education (NICE) framework — which outlines cybersecurity roles in an effort to help employers build their cyber workforces — as AI is poised to reshuffle the workforce.

Over the next five years, demand for AI and machine learning specialists is expected to increase by 40%, according to a 2023 World Economic Forum report on workforce trends across the world. 

“This bill will ensure that America continues to have a strong and increasingly skilled workforce, will utilize AI to bolster American industry, and will incentivize companies to keep their jobs in the United States rather than outsourcing them overseas,” Schmitt said in a written statement. “Additionally, this bill’s potential to benefit our defense capabilities is endless.”

Under the bill, NIST would be required to report to Congress about other critical and emerging technology areas it finds could benefit from a workforce framework. It would also direct NIST to update the NICE framework to reflect changes in the cybersecurity field and “encourage” the agency to provide resources and guidance on cybersecurity careers to students and adults, according to the release.

Senators introduce bipartisan bill to improve federal agencies’ customer service
https://fedscoop.com/senators-introduce-bipartisan-bill-to-improve-federal-agencies-customer-service/
Thu, 19 Oct 2023 20:25:53 +0000

The Improving Government Services Act pushes federal agencies to develop plans to implement private-sector customer experience best practices into public programs.

A bipartisan trio of senators has introduced legislation intended to improve and streamline the customer service provided by federal agencies, targeting shorter wait times and better digital services.

The Improving Government Services Act, sponsored by Sens. Gary Peters, D-Mich., James Lankford, R-Okla., and John Cornyn, R-Texas, would require certain agencies to develop an “annual customer experience action plan” within a year of enactment of the bill, providing details on how to offer a better and more secure experience for taxpayers by adopting best customer service practices from the private sector.

“Taxpayers must be able to easily and efficiently reach federal agencies when they have questions about services or benefits,” Peters, chairman of the Senate Committee on Homeland Security and Governmental Affairs, said in a statement. “My commonsense bipartisan bill would require agencies to adopt customer service best practices that limit wait times and use callbacks to ensure taxpayers receive support in a timely manner.”

The bill, which will get a committee vote next week, would require federal agencies to develop a written strategy to improve customer experience. That strategy would include a plan to adopt customer service practices such as online services, improved protections for personally identifiable information, telephone call back services and employee training programs. 

The legislation would direct the White House’s Office of Management and Budget to designate certain federal agencies as “high-impact service providers,” such as those that deliver key services to the public or fund state-based programs. 

Federal agencies that deal with health care, public lands, loan programs, passport renewal, tax filing, customs declarations and other such key programs are likely to be designated as high impact.

“Some agencies have already successfully implemented private-sector best practices, but we need them governmentwide,” Lankford said. “Providing good customer service doesn’t have to be difficult. Let’s get this nonpartisan bill to the finish line so interacting with the federal government is less frustrating for the public.”

The bill also references the 21st Century Integrated Digital Experience Act, also known as the IDEA Act, and its push for the expansion of easy-to-use digital services through which Americans can communicate with federal agencies and programs while also maintaining in-person, telephone, postal mail and other contact options.

Nearly five years after the IDEA Act was first signed into law in 2018, OMB last month issued guidance for agencies to deliver on implementation of the legislation.

The new legislation is scheduled for a markup and vote in the Senate Homeland Security and Governmental Affairs Committee on Oct. 25.

Lawmakers reintroduce legislation to consolidate agency software procurement
https://fedscoop.com/senate-lawmakers-reintroduce-software-sharing-bill/
Thu, 23 Mar 2023 14:35:36 +0000

The proposed legislation replicates the SAMOSA Act, which was proposed in September.

Senate lawmakers have reintroduced bipartisan legislation that would mandate the consolidation of federal agency software licenses and compel government agencies to provide more information about their software purchases.

Sponsored by Sens. Gary Peters, D-Mich., and Bill Cassidy, R-La., the bill is intended to give the White House and the General Services Administration additional powers to oversee federal technology spending.

A companion bill, sponsored by Rep. Cartwright, D-PA, and a bipartisan group of 10 other members, has been introduced in the House of Representatives.

It replicates the Strengthening Agency Management and Oversight of Software Assets Act (SAMOSAA), which was introduced by the same lawmakers in September but wasn’t passed before the last session of Congress ended. Details of SAMOSAA proposals were first revealed by FedScoop.

If it progresses, the latest proposed legislation would build on the Megabyte Act, which was enacted in 2016 and compelled agencies to report licensing information on software contracts struck with technology companies. Since it passed into law, that legislation to a degree has increased lawmakers’ visibility of what IT services federal agencies are using.

Commenting on the latest proposed bill, Sen. Peters said: “Improving how the government manages something as simple as the software they buy can help save taxpayers in the long run.”

“Taxpayers expect us to be responsible with their money,” he added. “The government should not be overpaying for software when the same product is available for less.”

Sen. Cassidy said: “Taxpayers expect us to be responsible with their money. The government should not be overpaying for software when the same product is available for less … [t]his bill requires agencies to spend their money as if a taxpayer was spending their own money—wisely.”

The legislation is supported by several technology industry trade groups including the Computer and Communications Industry Association, the Alliance for Digital Innovation, the Coalition for Fair Software Licensing and NetChoice.

The trade groups sent a letter to the majority and minority leaders of both chambers, calling on them to progress the legislation.

Editor’s note: This story was updated to include details of the House companion bill and the letter from tech industry groups.

Senators propose open source software risk framework in new bill
https://fedscoop.com/open-source-risk-framework-bill/
Thu, 22 Sep 2022 17:02:59 +0000

The legislation would require CISA to develop a new cybersecurity framework for agencies and critical infrastructure owners and operators.

Lawmakers introduced a bill Thursday that would have the Cybersecurity and Infrastructure Security Agency develop a risk framework to strengthen the security of open-source software.

Agencies would use the framework to mitigate risks in systems reliant on open source code, and CISA would determine if critical infrastructure owners and operators could use it voluntarily as well.

Most systems rely on freely available open source code maintained by communities for creating websites and applications, and the federal government is one of the largest users. Sens. Gary Peters, D-Mich., and Rob Portman, R-Ohio — the chairman and ranking member of the Homeland Security Committee, respectively — proposed the legislation after holding a hearing in response to the discovery of a severe, widespread Log4j vulnerability in open source code affecting federal systems and millions of others worldwide.

“This incident presented a serious threat to federal systems and critical infrastructure companies — including banks, hospitals and utilities — that Americans rely on each and every day for essential services,” Peters said in the announcement. “This commonsense, bipartisan legislation will help secure open source software and further fortify our cybersecurity defenses against cybercriminals and foreign adversaries who launch incessant attacks on networks across the nation.”

The Securing Open Source Software Act would further have CISA hire open source software experts to help address cyber incidents, require the Office of Management and Budget to issue guidance for agencies on securing open source software, and establish a software security subcommittee of the CISA Cybersecurity Advisory Committee.

Peters and Portman previously saw bills signed into law requiring critical infrastructure owners and operators to report substantial cyberattacks and ransomware payments to CISA and bolstering state and local governments’ cyber, while the Senate unanimously passed their bills protecting federal networks and encouraging safe adoption of cloud technology.

“This important legislation will, for the first time ever, codify open source software as public infrastructure,” said Trey Herr, director of the Cyber Statecraft Initiative at the Atlantic Council’s Scowcroft Center for Strategy and Security, in a statement. “If signed into law, it would serve as a historic step for wider federal support for the health and security of open source software.”

Details of the proposed legislation were first reported by The Washington Post.

Senate lawmakers propose combining cyber incident reporting, FedRAMP and FISMA legislation
https://fedscoop.com/senate-lawmakers-propose-combining-cyber-incident-reporting-fedramp-and-fisma-legislation/
Wed, 09 Feb 2022 18:42:25 +0000

The new legislation would require infrastructure owners and operators and civilian federal agencies to report substantial cyberattacks to CISA.

Senate lawmakers Tuesday introduced new legislation that would enact new cyber incident reporting requirements across the private sector and public agencies if it passes into law.

Sens. Rob Portman, R-Ohio, and Gary Peters, D-Mich., introduced the new Strengthening American Cybersecurity Act, intended to improve the likelihood of passing into law by marrying aspects of the previously proposed Cyber Incident Reporting Act, Federal Information Security Modernization Act of 2021 and the Federal Secure Cloud Improvement and Jobs Act.

If it passes, it will require critical infrastructure owners and operators and civilian federal agencies to report to the Cybersecurity and Infrastructure Security Agency (CISA) if they experience a substantial cyberattack.

In addition, it would mandate the reporting of all ransomware payments to CISA and authorize the Federal Risk and Authorization Management Program (FedRAMP) to ensure federal agencies fast-track the adoption of cloud technologies.

The latest attempt to pass legislation that would mandate cyber incident reporting comes after a compromise version of the fiscal 2022 National Defense Authorization Act in December left out language that would set timeframes within which critical infrastructure owners and operators must report major incidents.

Lawmakers working with Peters and Portman on the new legislative proposals include Reps. Yvette Clarke, D-N.Y., John Katko, R-N.Y., Carolyn Maloney, D-N.Y., James Comer, R-Ky., Gerry Connolly, D-Va., and Jody Hice, R-Ga.

“It is clear that, as our nation continues to counter cyber threats and support Ukraine, we need to pass this legislation to provide additional tools to address possible cyber-attacks from adversaries, including the Russian government,” Peters said.

Portman added: “This bipartisan legislation will give the National Cyber Director, CISA, and other appropriate agencies broad visibility into the cyberattacks taking place across our nation on a daily basis to enable a whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks. This bill strikes a balance between getting information quickly and letting victims respond to an attack without imposing burdensome requirements.”

The new bill would substantially boost the role of CISA as the federal agency responsible for overseeing and enforcing cybersecurity standards across the federal government and also the private sector.

It comes amid wide-ranging debate over the role and funding given to the four-year-old agency.

Writing in Foreign Affairs last month, former Principal Deputy Director of National Intelligence Sue Gordon and former Assistant Secretary of Defense for Homeland Defense and Global Security Eric Rosenbach argued that CISA’s $3 billion annual budget should be tripled over the next four years.

Lawmakers introduce bill to support adoption of secure cloud tech at federal agencies
https://fedscoop.com/lawmakers-introduce-bill-to-support-adoption-of-secure-cloud-tech-at-federal-agencies/
Tue, 02 Nov 2021 15:47:35 +0000

The legislation is similar to the FedRAMP Authorization Act proposed by Rep. Gerry Connolly, D-Va.

A bipartisan group of lawmakers introduced a bill Tuesday that would codify the Federal Risk and Authorization Management Program to help agencies more quickly adopt cloud services.

The Federal Secure Cloud Improvement and Jobs Act would further require the General Services Administration (GSA) to begin automating FedRAMP security assessments and reviews within a year and continuously monitor cloud computing products and services.

The legislation is similar to the FedRAMP Authorization Act proposed by Rep. Gerry Connolly, D-Va., which passed the House for the fourth time in January but has sat in the Senate Homeland Security Committee since.

Legislators proposed the Senate bill on the heels of Microsoft, which provides cloud services to multiple federal agencies, announcing that Russia-backed hackers have relentlessly targeted cloud service providers (CSPs) and others this summer.

“Cloud-based systems have already shown they can greatly improve government efficiency and save taxpayer dollars, but we must ensure that the technology is safe from relentless cyberattacks,” said Sen. Gary Peters, D-Mich., one of the legislation’s four sponsors. “This important bipartisan bill will make sure that agencies can procure cloud-based technology quickly while ensuring these systems, and the information they store, are secure.”

Both bills would see the FedRAMP Program Management Office (PMO) establish and track metrics gauging the time and quality of its assessments, as well as fund the program to the tune of $20 million annually. Both would also establish a board prioritizing security assessments of cloud services, but the FedRAMP Board proposed in the new legislation would have more of an advisory role than the existing Joint Authorization Board (JAB) codified in Connolly’s.

The former would consist of cloud computing, cybersecurity, privacy and risk management experts from GSA and the Defense and Homeland Security departments, whereas the JAB would consist solely of cloud computing experts from those agencies.

Both bills would also establish a Federal Secure Cloud Advisory Committee to improve communication between agencies and CSPs, but the new legislation requires it to be filled within 90 days — as opposed to 30 days in Connolly’s.

“This bipartisan legislation follows our House-passed FedRAMP Authorization Act and brings us one step closer to reforming, streamlining and codifying this critical cybersecurity regime for federal cloud technologies,” Connolly told FedScoop. “I thank Chairman Peters for his commitment and collaboration on this issue.”

The language of the new bill is consistent with that offered by the House in an amendment to the National Defense Authorization Act that would codify FedRAMP and would still allow the FedRAMP Board to grant provisional authorizations like the JAB, according to a Peters aide.

By codifying FedRAMP, lawmakers hope to reduce program costs, improve reuse of program authorities to operate (ATOs), strengthen cybersecurity and create more jobs at CSPs, the aide said.

Reps. Josh Hawley, R-Mo., Maggie Hassan, D-N.H., and Steve Daines, R-Mont., also sponsored the legislation.

“It’s critical that federal agencies have access to the safest and newest cloud-based technology to ensure the government is functioning efficiently and that important information is kept secure,” Hawley said in a statement. “This legislation accomplishes those crucial tasks while also creating good-paying private sector jobs.”

Lawmakers introduce bill to increase oversight of federal contractors’ use of AI
https://fedscoop.com/lawmakers-introduce-bill-to-increase-oversight-of-federal-contractors-use-of-ai/
Thu, 21 Oct 2021 15:04:26 +0000

If enacted, the legislation would give the Office of Management and Budget new oversight responsibilities.

Sens. Gary Peters, D-Mich., and Rob Portman, R-Ohio, have introduced legislation intended to protect information handled by federal contractors that use artificial intelligence technology.

If enacted, the new bill would require the director of the Office of Management and Budget to establish and consult with an AI hygiene working group, which would be tasked with ensuring government contracts for AI services require data and systems to be secure.

The legislative proposal comes as federal agencies and lawmakers face pressure to improve oversight of how artificial intelligence systems are used within government and to increase scrutiny of private sector contracts that use biometric datasets and facial recognition.

In a request for information issued last week, the White House said it plans to develop a bill of rights that data-driven technologies like facial recognition must respect. The new document will be in part based on input from government agencies, academia and industry.

In September, Commerce Secretary Gina Raimondo announced that the department had set up a committee to advise the president and other federal agencies on AI issues.

The proposed AI hygiene working group would be responsible for safeguarding the civil rights and liberties of Americans, and for making clear that the federal government is the ultimate owner of the collected information so that it cannot be appropriated by contractors or publicly posted, sold or misused by organizations.

The proposed legislation was introduced in the Senate and is called the Government Ownership and Oversight of Data in Artificial Intelligence (GOOD AI) Act.

Commenting on the bill, Sen. Peters said: “This bipartisan bill will help ensure that federal contractors are using artificial intelligence properly and for the benefit of the country – and that the information collected through these technologies is not misused.”

Sen. Portman added: “The bipartisan GOOD AI Act helps strengthen the accountability and security of federal AI systems and I urge my colleagues to join us in supporting this common-sense legislation.”

In August, a report by the Government Accountability Office found that at least 10 U.S. government agencies are undertaking research and development into facial recognition technology. Out of 24 agencies surveyed, 19 reported using facial recognition technology, with the most common uses being for digital access and domestic law enforcement.

FISMA reform bill amendment cuts agency breach notification period to 72 hours
https://fedscoop.com/fisma-reform-bill-amendment-cuts-agency-breach-notification-period-to-72-hours/
Wed, 06 Oct 2021 19:45:04 +0000

The proposed timeline for government departments to notify Congress of a breach has been brought into line with private sector disclosure requirements.

Federal agencies would have just 72 hours to notify Congress of cyber breaches under a new amendment to the recently proposed FISMA reform bill.

A substitute amendment changing the notification timeframe was adopted during a Senate committee markup Wednesday following criticism and debate over the initial five-day notification requirement.

The original notification period was part of the Federal Information Security Modernization Act of 2021 issued by Sens. Gary Peters, D-Mich., and Rob Portman, R-Ohio, on Monday.

Speaking during the markup hearing, Sen. James Lankford, R-Okla., described the five-day period as “inconsistent” with private sector breach notification requirements. Private sector cybersecurity experts also told FedScoop they were puzzled by requirements in the initial draft legislation that contrasted with requirements that private sector companies disclose breaches within 24 to 72 hours.

The FISMA reform legislation progressed from the committee stage and will now be debated on the floor of the Senate.

The bill is being considered alongside new cyber incident reporting legislation, which has also been proposed by Peters and Portman, that would introduce new legal requirements for the private sector to report cyber breaches. This legislation is intended to improve the ability of law enforcement agencies to respond to ransomware attacks.

Other notable measures in the draft bill include the requirement that agency leaders carry out an initial analysis of an incident — and where necessary inform citizens that their data has been compromised — within 30 days. It mandates also that federal IT leaders provide a briefing on the threat within seven days.

If enacted, the new proposals will also require CISA to appoint a specific cybersecurity adviser from the agency to work with the chief information officer of each government agency.

Existing guidance from the Office of Management and Budget imposes strict breach reporting requirements on agency IT leaders — but these are not supported by legislation.

Memo M-20-04, issued by OMB in November 2019, introduced a 72-hour time limit on the reporting of events to the Department of Homeland Security and OMB — whether or not a root cause is identified — and required that major incidents be reported within one hour.

Notification from agencies of a major incident can trigger a range of events including the convening of a Cyber Unified Command Group — which is an interagency action coordinated by DHS and others. Under memo M-20-04 agencies must also report a major incident to their office of inspector general and Congress within a seven-day period.

FISMA reform bill would require agencies to notify Congress of cyber breaches within 5 days
https://fedscoop.com/fisma-reform-bill-would-require-agencies-to-notify-congress-of-breaches-within-5-days/
Mon, 04 Oct 2021 18:42:35 +0000

The legislative proposals would introduce strict new reporting requirements for senior government IT leaders.

A new bill to reform the Federal Information Security Modernization Act (FISMA) would require leaders of U.S. government agencies to notify Congress of cyber breaches within five days of an incident occurring.

The proposal is part of wide-ranging proposed legislation issued Monday by Sens. Gary Peters, D-Mich., and Rob Portman, R-Ohio.

Other notable measures in the draft bill include the requirement that agency leaders carry out an initial analysis of an incident — and where necessary inform citizens that their data has been compromised — within 30 days. It mandates also that federal IT leaders provide a briefing on the threat within seven days.

Action to reform FISMA comes amid pressure from the White House for departments to improve their cybersecurity systems and to move towards a cloud-based zero-trust architecture. In recent weeks, government technology sources speaking to FedScoop have described FISMA reform as key to clarifying the degree of urgency with which senior leaders at government departments must address cyber concerns, as well as the chain of command when a breach occurs.

Lawmakers through the draft legislation also are seeking to impose new reporting responsibilities for federal government technology contractors, which would force them to notify agencies faster when a breach occurs. The reform would also introduce new cybersecurity training requirements for staff and enhance requirements over how cyber incidents are logged.

In addition, the Cybersecurity and Infrastructure Security Agency features heavily in the reform proposals. If enacted, the bill would boost the enforcement powers of the agency’s director and require the agency to establish new quantitative cyber metrics. Director Jen Easterly, along with the director of the Office of Management and Budget, must also come up with a new definition of what constitutes a major cyber incident, under the draft legislation.

Commenting on the proposals, Sen. Peters said: “This bipartisan bill will help secure our federal networks, update cyber incident reporting requirements for federal agencies and contractors to ensure they are quickly sharing information, and prevent hackers from infiltrating agency networks to steal sensitive data and compromise national security.”

Portman added: “This bipartisan bill provides the security the American people deserve and the accountability necessary to resolve longstanding weaknesses in federal cybersecurity by clarifying roles and responsibilities and requiring the government to quickly inform the American people if their information is compromised.”
