News & Updates

Take advantage of the ITVMO’s reach and discover ITVMO updates, the latest relevant news, and other recent publications. We have gathered federal, trusted, and open source articles and publications below for your convenience.

Agencies Fall Short on IoT Cyber Deadlines, GAO Warns

The Government Accountability Office (GAO) reported that several federal agencies failed to meet deadlines for IoT cybersecurity requirements under the IoT Cybersecurity Improvement Act of 2020. The act requires agencies to inventory IoT devices and enforce security measures to mitigate vulnerabilities like malware and botnet attacks. While some agencies, including the State and Treasury Departments, have completed inventories, others are behind schedule or lack timelines. GAO criticized the Office of Management and Budget (OMB) for inadequate oversight and provided 11 recommendations, including improved verification of waivers and stricter adherence to deadlines for inventory completion to bolster IoT security across agencies.

* IoT Cybersecurity Act: The act mandates federal agencies to inventory IoT devices and implement security measures to address risks such as botnet and malware attacks.
* Agency Delays: Three agencies missed deadlines, six lacked timelines, and only a few agencies, like State and Treasury, have completed inventories.
* OMB Oversight Issues: Waivers were inconsistently reported, and OMB failed to verify their accuracy before submitting them to Congress.
* GAO Recommendations: Includes verifying waiver submissions, developing plans for inventory completion, and enforcing stricter deadlines.
* High Stakes: IoT devices are integral to federal operations, making robust cybersecurity vital to protect systems, infrastructure, and national security.

Agency Intel Officials Tackling Complex Implications of AI

As AI becomes more integrated into U.S. intelligence operations, officials face challenges balancing its benefits in data analysis with concerns about privacy, civil liberties, and potential misuse by adversaries. During a webinar, intelligence officials discussed AI's role in improving data analysis and pattern recognition, highlighting the need for careful strategy and privacy safeguards. The Department of Homeland Security and other agencies are actively developing policies to ensure AI is used responsibly and effectively.

* Enhanced Data Analysis: AI tools help intelligence agencies quickly analyze large datasets and improve pattern recognition.
* Privacy Concerns: Agencies must ensure AI use complies with privacy and civil liberties protections.
* Potential Misuse: There is a risk of adversaries misusing AI technologies.
* Policy Development: Departments are creating guidelines to regulate AI use, balancing effectiveness and ethical considerations.

Agency IT Grades Soar on Latest FITARA Scorecard

The 18th edition of the FITARA Scorecard, released by Rep. Gerry Connolly, shows significant improvements in federal agency IT performance, with 18 of 24 agencies increasing their grades. The scorecard, which tracks IT progress across categories such as cloud computing, cybersecurity, and modernization, has led to billions in savings for the government. Notably, 13 agencies earned A grades, a sharp rise from the previous edition, which only had one A.

* 18 out of 24 agencies improved their FITARA grades; 13 now hold A grades.
* Grading tracks areas like cloud adoption, cybersecurity, and IT modernization.
* No agency received a lower grade, and several advanced from C or D to A.
* The scorecard has driven significant cost savings and improved IT governance.

Ahead of mandatory rules, CISA unveils new cyber incident reporting portal

The Cybersecurity and Infrastructure Security Agency (CISA) launched the “CISA Services Portal” to simplify cyber incident reporting, integrating features like Login.gov credentials, report management, and informal chats with officials. This rollout precedes the implementation of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), requiring organizations to report serious cyber incidents within 72 hours and ransomware attacks within 24 hours. CISA expects over 25,000 reports annually once the law takes effect. To manage this, CISA plans to hire more staff, upgrade technology, and align CIRCIA with existing sector-specific reporting rules to minimize burdens on the private sector.

* CISA launched a new CISA Services Portal for streamlined cyber incident reporting.
* The portal includes enhanced features like Login.gov integration and report management.
* CIRCIA will mandate cyber incident reporting within specific timeframes starting next year.
* CISA anticipates at least 25,000 incident reports annually under the new rules.
* Efforts are underway to harmonize CIRCIA with existing reporting regulations and reduce private sector burdens.

AI can improve how federal employees do their jobs, but training and resources need to be a priority

Federal officials stress the urgent need for congressional funding of workforce development programs to equip employees with skills, particularly in AI, to meet emerging challenges. During a panel at SAP’s Federal Forum, IRS and Commerce Department leaders highlighted the critical role of training, often sidelined during budget cuts, and emphasized the importance of AI education for current employees. The federal shift towards skills-based hiring, prioritizing competencies over formal education, is expected to continue, recognizing diverse skill acquisition through trade schools, military experience, and apprenticeships.

* Workforce Development Funding: Essential for federal employees to address challenges, especially in AI.
* Training as a Priority: Training must be maintained despite budget constraints.
* AI Education for Federal Employees: Equally important as recruitment for AI readiness.
* Shift to Skills-Based Hiring: Focus on competencies rather than traditional educational paths.
* Diverse Skill Acquisition: Valuing trade schools, military experience, and apprenticeships.

AI-enabled digital twins are transforming government critical infrastructure

Digital twins are increasingly utilized in public and private sectors for creating virtual models of physical objects or spaces, enhancing decision-making, reducing costs, and increasing safety and efficiency. These models, especially when AI-enabled, address key challenges in government critical infrastructure by providing dynamic, real-time data inputs to monitor and optimize processes, ensuring high reliability and minimum downtime. Digital twins are essential for operations in sectors like defense, energy, and public health, allowing for continuous improvement and proactive maintenance.

* Dynamic Modeling: Digital twins allow real-time monitoring and optimization of processes, making them crucial for critical infrastructure.
* AI-Enabled Benefits: AI enhances digital twins by enabling predictive capabilities, autonomous actions, and more efficient operations.
* Types of Digital Twins: There are descriptive, informative, and predictive/autonomous twins, each serving different operational needs.
* Implementation Priorities: Key priorities include data accuracy, security, robust authentication protocols, and integration with existing systems to ensure smooth and secure deployment.

AI Experts Recommend Structured Data, Strong Leadership for Fed AI Efforts

At a GovLoop-organized AI event, experts recommended that federal leaders prioritize good data structure and governance as they implement AI technologies. Effective data organization and governance are essential for successful AI integration in government. Key recommendations include managing data outside administrative files, ensuring strong leadership, and leveraging AI for various administrative and departmental tasks. Challenges such as storing massive data sets generated by AI and choosing appropriate data management strategies were highlighted. Integration approaches and patient, collaborative development of domain-specific AI tools were also discussed.

* Prioritize comprehensive data governance and organization.
* Manage data outside of administrative files like PDFs.
* Ensure strong leadership and expertise sharing within AI and government communities.
* Address challenges in storing large data sets generated by AI.
* Utilize both top-down and bottom-up approaches for AI integration.

Army wants more agile approach to software, including how it buys it

The U.S. Army is modernizing its software development processes, emphasizing agile methodologies and adapting its procurement strategies accordingly. A new directive promotes agile development, continuous collaboration between users and developers, and a flexible acquisition framework. The Army is working on a $1 billion, 10-year software contract, featuring an innovative indefinite-delivery/indefinite-quantity (IDIQ) structure with flexible contract types at the task order level. Industry feedback on this hybrid approach is mixed. Internally, the Army is transitioning to agile frameworks like SAFe, aiming to fully implement DevSecOps with automated processes.

* The Army is modernizing software development with agile methodologies and flexible procurement contracts.
* A $1 billion, 10-year IDIQ contract will allow flexibility in contract types at the task order level.
* Industry feedback is mixed on the hybrid contract approach, but 93% agree with the overall scope.
* Agile transformation efforts within the Army include using SAFe frameworks and transitioning to DevSecOps.
* Continuous feedback from industry is shaping the Army’s approach to software procurement.

Ascend Updates

The General Services Administration (GSA) is addressing government cloud technology adoption challenges with the Ascend Blanket Purchase Agreement (BPA). This initiative aims to simplify cloud procurement and enhance security, compliance, and data management. Ascend will provide standardized, FedRAMP and Department of Defense-compliant cloud solutions, emphasizing cybersecurity, data ownership, and portability. Based on industry feedback, GSA adjusted requirements related to catalog management, cybersecurity logging, and FinOps monitoring, among others. The final solicitation for Ascend's first pool, covering Infrastructure as a Service (IaaS) and Platform as a Service (PaaS), is nearing completion.

* Ascend BPA simplifies cloud procurement for federal, state, local, and tribal governments.
* Focus on security: Incorporates FedRAMP and DoD cloud authorizations, with a focus on cybersecurity and supply chain risk management.
* Data control: Agencies retain ownership of their data, with provisions for data portability.
* FinOps monitoring: Contractors must enable usage tracking and automatic suspension when thresholds are met.
* Industry feedback: GSA incorporated feedback, adjusting catalog and incident reporting requirements for flexibility.

Breaking down government hacks: The rise of the modern kill chain

Cyberattacks on public sector organizations are increasingly targeting mobile devices and using phishing as a key attack vector. The 2024 Verizon Data Breach Investigations Report highlights that phishing accounted for 66% of breaches in the public sector, with attackers focusing on social engineering through mobile devices. The rise of BYOD policies and cloud dependence has introduced new vulnerabilities, making mobile security critical. To defend against these threats, organizations must implement advanced mobile security, test defenses, and prioritize strong identity and data protection protocols to safeguard sensitive information from modern cyber kill chains.

* Phishing caused 66% of public sector breaches in 2023.
* Mobile devices are often used in social engineering and MFA-targeted attacks.
* Government organizations are prime targets for financially motivated cyberattacks.
* Advanced mobile security, detection, and threat response are essential to protecting against modern kill chain attacks.

CISA details software security keys in new guide for acquisition pros

The Cybersecurity and Infrastructure Security Agency (CISA) has released a new Software Acquisition Guide for Government Enterprise Consumers to help federal acquisition professionals assess the security of software they purchase. Developed by the Information and Communications Technology Supply Chain Risk Management Task Force, the guide includes key principles like CISA's Secure by Design and provides questions to evaluate software security, aligning with ongoing efforts such as the secure software attestation form. This initiative is part of broader efforts, including an upcoming Federal Acquisition Regulatory (FAR) rule, to strengthen the government's software supply chain security. Additionally, CISA has appointed Lisa Einstein as its first Chief Artificial Intelligence Officer to oversee AI-related risks in critical infrastructure.

* CISA released a guide to help federal acquisition professionals assess software security.
* The guide aligns with existing security efforts like the secure software attestation form.
* The guide provides questions for evaluating software supply chain security and practices.
* CISA’s efforts are part of broader initiatives, including a pending FAR rule on secure software development.
* Lisa Einstein has been named CISA’s first Chief Artificial Intelligence Officer to lead AI risk evaluation in critical infrastructure.

CISA issues guide to help federal agencies set cybersecurity priorities

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) released the Federal Civilian Executive Branch Operational Cybersecurity Alignment plan to help civilian agencies strengthen their cybersecurity capabilities. The plan focuses on improving asset management, vulnerability management, defensible architecture, supply chain resilience, and incident detection and response. This guidance is part of broader efforts to bolster federal defenses against rising cyber threats. Agencies are working towards the September 30 zero trust architecture deadline, aiming to enhance overall security and prevent future cyberattacks targeting sensitive federal data.

* CISA’s cybersecurity plan focuses on asset management, vulnerability management, and incident detection.
* The goal is to create synchronized, robust cyber defenses across civilian agencies.
* Government agencies are prime targets for cyberattacks due to sensitive data storage.
* Agencies are working to meet the zero trust architecture deadline by September 30.
* Strengthening federal cybersecurity is critical following recent cyberattacks on government systems.

CISA, NCA Kick Off Cybersecurity Awareness Month

The Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance have launched the 21st annual Cybersecurity Awareness Month, focusing on the theme Secure Our World. Throughout October, the campaign will promote online safety through public education and outreach, including public service announcements and resources. CISA Director Jen Easterly emphasized simple steps like using strong passwords and multi-factor authentication. CISA Deputy Director Nitin Natarajan highlighted the need for action in improving cyber preparedness, while Harry Wingo from the White House promoted cybersecurity careers through the Service for America hiring sprint.

* The theme of Cybersecurity Awareness Month is Secure Our World.
* CISA and its partners are promoting online safety through public education.
* Four key safety tips: strong passwords, multi-factor authentication, phishing awareness, and software updates.
* There are 500,000 open jobs in cybersecurity, with a hiring sprint to encourage more applicants.
* The campaign includes public service announcements and resources to raise awareness and preparedness.

CISA Official Urges Greater Focus on OT Systems Security

CISA Deputy Director Nitin Natarajan emphasized the need to address the growing risks of legacy operational technology (OT) systems in critical infrastructure sectors. Unlike legacy IT systems, OT systems are harder to replace and essential for industries like energy and manufacturing. Natarajan highlighted workforce gaps, lack of investment, and evolving adversarial tactics as key challenges. He called for stronger partnerships between public and private sectors and international collaboration to safeguard these systems. Natarajan also stressed the importance of bridging knowledge gaps and enabling organizations, particularly smaller ones, to engage with federal resources like CISA and the FBI.

* Legacy OT Risks: Legacy OT systems are harder to replace and critical for industries such as energy and transportation, making them a unique challenge compared to IT systems.
* Workforce Gaps: Insufficient workforce knowledge transfer and lack of investment have left systems vulnerable, especially for smaller organizations.
* Evolving Threats: Adversaries are increasingly targeting vulnerable high-value environments, like schools and hospitals, previously considered off-limits.
* Public-Private Collaboration: Strengthening engagement between organizations, federal resources (CISA, FBI), and global partners is vital for addressing these risks.
* Call for Action: Open dialogue and proactive partnerships are essential to safeguarding critical infrastructure nationwide.

CISA orders federal agencies to secure their cloud environments

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding directive requiring federal agencies to adhere to cloud security standards under the Secure Cloud Business Applications (SCuBA) project. This directive, prompted by lessons from the 2020 SolarWinds Orion hack, aims to enhance federal cloud security and reduce vulnerabilities to cyberattacks. Agencies must meet reporting, monitoring, and compliance deadlines between February and June 2025. Although the directive applies to federal civilian agencies, CISA encourages all organizations to adopt the guidance to bolster cloud security across sectors.

* SCuBA Standards: Federal agencies must comply with cloud security standards outlined by the SCuBA project.
* Motivations: The directive stems from the SolarWinds Orion incident and broader concerns about cloud vulnerabilities.
* Scope: While focused on federal civilian agencies, CISA urges organizations across all sectors to adopt these cloud security measures.
* Toolkits: Microsoft and Google provide SCuBA developer toolkits to support implementation.

CISA rolls out integrated cyber education platform

The Cybersecurity and Infrastructure Security Agency (CISA) has launched a new education platform, CISA Learning, to provide modern cybersecurity training for federal employees, veterans, and other users. Replacing the Federal Virtual Training Environment (FedVTE), the platform offers courses on topics like cloud security, ethical hacking, and malware analysis. CISA Learning integrates user data for over 500,000 individuals and aims to enhance the user experience through personalized course recommendations and progress tracking. The platform also enables detailed metrics reporting and includes training resources from partners like NIST and GSA, with an emphasis on emerging technologies such as artificial intelligence.

* Modern Training Platform: CISA Learning replaces older systems to deliver a unified, integrated learning environment.
* Wide Reach: Over 500,000 users, including federal employees, veterans, and external partners, are migrating to the platform.
* Course Offerings: Includes topics like cloud security, risk management, AI, and ethical hacking, with a mix of online and in-person options.
* Enhanced User Experience: Features personalized course recommendations, progress tracking, and improved search capabilities.
* Collaborative Efforts: Partners with organizations like NIST and GSA to incorporate cutting-edge training resources.

Commerce guidance aims to improve how generative AI uses its data

The Department of Commerce released guidance to ensure public data is AI-ready, focusing on improving AI accuracy and prioritizing authoritative data over unreliable sources. The guidance addresses documentation, data formats, storage, licensing, and quality to make data not just machine-readable but machine-understandable. This effort, led by the AI and Open Government Data Assets Working Group, aims to enhance public data’s utility for AI tools like large language models (LLMs). Commerce’s steps could significantly impact AI implementation across federal, academic, and private sectors by setting standards for structuring and disseminating data for AI-driven innovation.

* Guidance ensures public data is optimized for generative AI by improving accuracy and prioritizing authoritative sources.
* Key focus areas include documentation, data formats, storage, licensing, and quality.
* Commerce’s guidance emphasizes machine-understandable data to enhance AI interactions.
* Efforts are led by the AI and Open Government Data Assets Working Group under the Data Governance Board.
* The initiative aims to guide Commerce and other sectors in preparing data for LLMs and AI systems.

Critical infrastructure group launches effort to aid federal agencies’ cyber defenses

The Institute for Critical Infrastructure Technology launched the Center for Federal Civilian Executive Branch Resilience to improve cyber defenses for federal agencies. This initiative focuses on updating standards and procedures, particularly in response to significant cyber incidents like the SolarWinds hack. The center will educate leaders, develop policy recommendations, and prioritize identifying critical cyber issues.

* Initiative launched to enhance federal cyber defenses.
* Response to major cyber incidents, including SolarWinds.
* Focus on educating leaders and policy recommendations.
* Prioritizing zero trust architecture implementation.
* Identifying critical cyber issues for federal agencies.

Demystifying AI for the public sector

Government agencies are turning to the private sector for guidance on artificial intelligence (AI), but they face unique challenges compared to businesses. While private sector mistakes may result in profit loss or unsatisfied customers, AI failures in the public sector could disrupt critical services, even affecting lives. Thus, government agencies approach AI more cautiously, often exploring low-risk internal applications before scaling up. Though there are opportunities, agencies must address challenges like ethics, data management, and infrastructure. AI, particularly generative AI (GenAI), can enhance back-office processes but will not replace employees, only augment their productivity.

* Government AI mistakes carry higher risks compared to the private sector.
* Agencies are encouraged to begin with internal, low-risk AI applications.
* AI can automate back-office tasks, improving efficiency without replacing employees.
* Ethical concerns, data organization, and infrastructure gaps are major challenges.
* Effective data management is crucial for leveraging AI in public services.

DHS unveils practical AI responsibilities for critical infrastructure

The Department of Homeland Security (DHS) unveiled the Roles and Responsibilities Framework for Artificial Intelligence in Critical Infrastructure, offering voluntary guidelines for safe AI use across 16 critical infrastructure sectors. Developed with the AI Safety and Security Board, the framework addresses AI-related risks, including attacks and design flaws, while proposing roles for cloud providers, AI developers, public sector entities, and others. DHS also highlighted successful AI pilot projects, such as using generative AI for officer training, investigative summaries, and community resilience planning. While future federal adoption may face uncertainty under the incoming Trump administration, the framework aims to endure.

* Framework Introduction: DHS launched voluntary AI guidelines for 16 critical infrastructure sectors to ensure safety and security.
* Collaborative Development: The AI Safety and Security Board, including industry and government leaders, helped craft the framework.
* Focus Areas: Covers risks like AI misuse, attacks, and design flaws; emphasizes data governance, deployment, and monitoring.
* AI Pilot Projects: DHS tested GenAI tools for officer training, investigative summaries, and community resilience planning.
* Public Sector Guidance: Encourages responsible AI use, avoiding discriminatory outcomes, and advancing innovation through regulation.

DoD considers faster acquisition pathway for AI

The Defense Department’s software acquisition pathway, designed to streamline software development, has seen slow adoption, with only 50 programs utilizing it. The Army, in particular, is considering creating a sub-path within the software pathway specifically for artificial intelligence (AI) to accelerate AI development and deployment. Young Bang, the Army’s principal deputy assistant secretary for acquisition, logistics, and technology, highlights the need for a faster path for AI, given the rapid cycles required for algorithm development. The Army is working with the Office of the Secretary of Defense to explore this faster process, potentially incorporating AI into the existing software acquisition framework.

* The Army is considering a separate AI-specific sub-path within the software pathway.
* AI development requires faster cycles than the current minimum viable capability release (MVCR) timeline of one year.
* The software pathway offers flexibility, but AI requires shorter development timelines for faster deployment.
* Army leadership is collaborating with the Office of the Secretary of Defense to develop a more agile AI acquisition process.

DoD to add more providers, streamline contracting for JWCC

The Defense Department (DoD) is advancing the Joint Warfighting Cloud Capability (JWCC) initiative by streamlining contracting processes and incorporating more cloud service providers. Over $1 billion in task orders have been issued under JWCC, with the potential for the contract to reach $9 billion over 10 years. The DoD is now preparing for the next phase by identifying new requirements and learning from past experiences with previous contracts like the Joint Enterprise Defense Infrastructure (JEDI). The contract supports various missions, including the Combined Joint All Domain Command and Control (CJADC2), with an average task order lead time of 25 days.

* DoD is expanding JWCC by streamlining contracts and adding more cloud service providers.
* $1 billion in task orders have been issued, with a potential $9 billion contract value.
* The next phase will incorporate lessons learned and new requirements.
* JWCC supports a range of missions, including CJADC2.
* The average lead time for task orders is 25 days.

Empowering responsible AI: How expanded AI training is preparing the government workforce

Over the past decade, the government has embraced user-friendly technology to enhance digital services. The GSA’s AI Community of Practice partnered with OMB to offer the 2024 AI Training Series, expanding on the previous year’s success to train over 14,000 participants from nearly 200 government organizations. The training emphasized responsible AI use and offered three specialized tracks—Acquisitions, Leadership and Policy, and Technical—delivered by leading academic institutions. Grounded in principles of AI safety, transparency, and trust, the program supports government employees in responsibly adopting AI to streamline services and optimize operations. Recordings are now available for broader access.

* Expanded AI Training: The 2024 AI Training Series trained 14,000+ participants across three tailored tracks: Acquisitions, Leadership, and Technical.
* High Engagement: Participants reported a 92% satisfaction rate, with positive feedback on content relevance and presentation quality.
* AI Safety Principles: Training emphasized safety, transparency, and trustworthiness, in alignment with federal AI directives and policies.
* Broad Access: Recordings from the sessions are now available online, with modules to be added to agency learning systems by FY25 Q2.
* Continuous Learning: Federal employees can earn Continuous Learning Points and access past recordings via the AI CoP Community Connect page.

Ensuring the Nation’s Cybersecurity Is a Whole-of-Government Effort

The nation's growing reliance on the internet has increased vulnerability to cyberattacks, emphasizing the need for robust cybersecurity. The Software Assurance Community of Practice (SwA CoP), an interagency group founded in 2012, plays a crucial role in enhancing software assurance (SwA) for critical infrastructure and defense systems. Comprising over 300 members from various federal agencies, the SwA CoP develops best practices, shares research, and guides strategies on emerging technologies and threats, including AI and open-source software. Key working groups focus on SBOMs, binary analysis, and workforce development, contributing to national cybersecurity efforts.

* SwA CoP Role: Enhances cybersecurity through interagency collaboration on SwA best practices and strategies.
* Focus Areas: AI, open-source software, and mitigating novel security risks in critical infrastructure.
* Active Working Groups: Address SBOMs, binary analysis, and SwA education and workforce development.
* HSQA Research: Measures source code quality and security in critical infrastructure.

FDA’s Digital Transformation Mantra: Buy vs. Build

FDA CTO Mohammed Sohail Chaudhry emphasized the pivotal role of cloud technology in the FDA’s digital transformation, aligning with the agency's Buy vs. Build approach. Speaking at the Cloud Summit, he highlighted cloud’s contributions to innovation, scalability, cost-effectiveness, and collaboration. The FDA is developing a OneFDA Ecosystem to unify its applications and systems, enhancing efficiency and innovation. The FDA also promotes transparency and communication through its annual IT operating plan and events like the upcoming Scientific Computing and Digital Transformation Symposium.

* Cloud Technology in FDA: Central to innovation, scalability, cost-effectiveness, and reducing IT overhead.
* Buy vs. Build Mantra: Focus on adopting cloud solutions over custom on-premise systems.
* OneFDA Ecosystem: A unified system to streamline operations and foster collaboration.
* Transparency and Communication: Emphasized through annual IT plans and strategic events.

Federal government discloses more than 1,700 AI use cases

The White House released its 2024 consolidated inventory of federal AI use cases, documenting 1,757 uses across 37 federal agencies—more than double last year’s 710 cases. The inventory, available on OMB’s GitHub, categorizes uses as mission-enabling, health and medical, and government services. This year, disclosures include rights- and safety-impacting uses, requiring enhanced risk management practices. While some agencies received extensions to meet these requirements, others missed the deadline. The Department of Health and Human Services reported the most cases (271), and significant growth was seen across agencies like DHS and HHS. Some classified uses remain aggregated but undisclosed.

* Growth in AI Use: 1,757 AI use cases reported in 2024, up from 710 in 2023, spanning 37 federal agencies.
* Top Use Categories: Mission-enabling, health and medical, and government services were the leading categories.
* Rights and Safety: 227 use cases impacted rights and safety, requiring risk management; 145 of these were from the Department of Veterans Affairs.
* Agency Highlights: HHS reported the highest number of cases (271), and DHS saw a 136% increase, introducing its DHSChat chatbot.
* Inventory Limitations: Classified and sensitive uses remain undisclosed, with aggregate metrics required but not yet published. Several agencies missed the reporting deadline or are delayed.

FedRAMP’s new director has big plans for the cloud compliance program

Pete Waterman, the new FedRAMP director, is spearheading significant changes to the cloud services compliance program. His focus is on speeding up authorizations, improving quality, and increasing transparency and collaboration with industry. Waterman plans to introduce a new FedRAMP roadmap within two months and implement a minimum viable program authorization by fiscal year 2025. He emphasizes making the process more efficient, repeatable, and defensible, with a goal of lowering risk, complexity, and costs for both government and cloud service providers.

* New FedRAMP roadmap and minimum viable program authorization planned for FY25.
* Waterman aims to reduce current application review times of 20+ weeks.
* Focus on making authorization processes more efficient, transparent, and defensible.
* Prioritizes industry collaboration and public engagement for long-term program improvements.
* Goal is to reduce risk and complexity for government cloud adoption.

Feds Beware: NSA Details how China-Based Attacks Unfold

The National Security Agency (NSA), in collaboration with the Australian Signals Directorate (ASD) and other agencies, has released a cybersecurity advisory detailing the tactics of a Chinese state-sponsored cyber group, APT40. Known for targeting organizations in the U.S. and Australia since 2017, APT40 exploits vulnerabilities in widely used software and uses compromised devices, including home office devices, for its operations. The advisory outlines how APT40 quickly exploits new public vulnerabilities, such as those in Log4J and Microsoft Exchange, and provides mitigation strategies for network defenders.

* APT40 Overview: The group, linked to the PRC Ministry of State Security, targets government networks using advanced cyber espionage techniques.
* Exploitation Tactics: APT40 focuses on exploiting public-facing infrastructure vulnerabilities rather than user-initiated actions like phishing.
* Compromised Devices: The group uses end-of-life or unpatched small-office/home-office (SOHO) devices for attacks, blending in with normal network traffic.
* Mitigation Strategies: The advisory recommends comprehensive logging, prompt patching, network segmentation, close monitoring of services, and disabling unused network services.

GAO pushes forward on intelligent automation to improve cybersecurity, CX

The Government Accountability Office (GAO) is leveraging intelligent automation to improve cybersecurity, operational efficiency, and customer experience. This approach enhances GAO’s proactive cyber defense, automating processes to prevent data exposure and secure sensitive information. GAO's upcoming IT strategic plan (2025-2027) focuses on automation for cybersecurity, legislative mandate tracking, and improved customer experience. Tools like chatbots and AI-driven editors help streamline workflows, reduce manual effort, and boost employee self-service. The goal is to make technology intuitive, enabling employees to focus on core tasks while improving both customer satisfaction and efficiency.

* GAO is using intelligent automation to enhance proactive cybersecurity and prevent data breaches.
* The 2025-2027 IT strategic plan focuses on automation for cybersecurity and legislative tracking.
* Automation helps manage thousands of devices while complying with cybersecurity mandates.
* GAO aims to improve the customer experience through user-centric, automated systems.
* The agency is measuring and working to reduce customer effort to improve mission outcomes.

GSA AI-themed hackathon reimagines user experience for federal websites

On July 31, the GSA, alongside industry and federal agency sponsors, hosted the Federal AI Hackathon to enhance government websites and digital services using AI. Over 250 participants across Washington, Atlanta, and New York City collaborated to optimize government services by writing code, proposing development standards, and improving AI reliability. GSA Administrator Robin Carnahan emphasized that leveraging AI is crucial for improving public trust and government efficiency, aligning with the Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence. The event aimed to shape the future of digital government, with solutions for five federal websites judged and rewarded.

* Federal AI Hackathon focused on improving government digital services using AI.
* Over 250 participants across three cities collaborated on optimizing government services.
* GSA Administrator Carnahan highlighted the importance of AI in building public trust and efficiency.
* Participants developed AI-powered solutions for five federal websites, with four teams winning cash prizes.

GSA awards 102 small businesses spots on Polaris governmentwide IT services contract

The General Services Administration (GSA) has awarded its Polaris small business governmentwide acquisition contract (GWAC) for IT services to 102 vendors. Polaris replaces the $15 billion Alliant 2 Small Business Contract but has no award ceiling, focusing on IT services such as artificial intelligence, automation, and immersive technology. Awards for Women-Owned, HUBZone, and Service-Disabled Veteran-Owned Small Businesses are expected later this fiscal year. GSA received 569 proposals and increased the award count from 100 to 102 due to a tie. Polaris aims to support federal IT needs while advancing small business opportunities and socioeconomic goals.

* Polaris GWAC Awards: 102 vendors awarded for IT services, replacing the Alliant 2 Small Business Contract.
* Focus Areas: Services include AI, automation, and immersive technology, with no contract award ceiling.
* Small Business Support: Additional awards for specific small business categories are planned later this fiscal year.
* Proposals Received: GSA reviewed 569 proposals, increasing awards from 100 to 102 due to a tie.
* Agency Goals: Polaris helps agencies achieve socioeconomic objectives and comply with federal IT security and compliance standards.

GSA begins FedRAMP pilot to change request process

The General Services Administration (GSA) has announced a new FedRAMP pilot program utilizing a non-blocking process to review significant changes to the governmentwide compliance program for cloud services. The Agile Delivery pilot aims to replace the current significant change request process with a more streamlined approach, removing the need for advance approval for each change. Cloud service providers are invited to apply, with the GSA emphasizing the importance of continuous assessment rather than point-in-time evaluations to enhance security and efficiency.

* Non-Blocking Process: The pilot will remove the requirement for advance approval for each change, allowing cloud service providers to move through the process more smoothly.
* Focus on New Features: The pilot will concentrate on adding new features to existing cloud service offerings, addressing a significant pain point in the current FedRAMP process.
* Application and Timeline: Applications are open until July 26, with selections expected by August 16. Providers planning to release new features by the end of the year are encouraged to apply.
* Continuous Assessment: The long-term goal is to shift towards a continuous assessment model, ensuring ongoing confidence in security without the delays associated with the current process.
* Stakeholder Impact: The pilot may initially result in delays for agencies, and cloud providers might create government-specific offerings that lag behind commercial ones to avoid development delays.

GSA chief advocates for simplified cloud buying, ‘best value’ contracting as Congress considers legislation

Robin Carnahan, head of the General Services Administration (GSA), is optimistic about legislative efforts to modernize federal procurement policies for cloud services and adopt a best value approach rather than prioritizing the lowest cost. Speaking at the Imagine Nation ELC 2024 conference, she highlighted the Federal Improvement in Technology Procurement Act and the Value Over Cost Act, which aim to streamline procurement and enhance value. Both bills have passed the House Oversight Committee, but Congress faces a tight deadline to act before its term ends in January 2025.

* Legislation for Modern Procurement: Two bills aim to update federal procurement policies for the digital age.
* Cloud Services Subscription Model: The Federal Improvement in Technology Procurement Act promotes a subscription-based model for cloud services.
* Best Value Over Lowest Cost: The Value Over Cost Act allows awarding contracts based on best value rather than the lowest cost.
* Bipartisan Support: Both bills passed the House Oversight Committee unanimously.

GSA closes in on enterprisewide software deal with Microsoft

The General Services Administration (GSA) is nearing completion of a governmentwide framework for standardized software contract terms with Microsoft, addressing challenges identified by the Office of Federal Procurement Policy (OFPP) under its Better Contracting Initiative (BCI). This effort aims to streamline software procurement, reduce pricing disparities, and enhance federal cybersecurity. The initiative involves 24 key terms and conditions, based on extensive analysis of contracts from the 24 CFO Act agencies. GSA's optimism stems from collaboration with agencies and lessons from past initiatives. While Microsoft is the first focus, similar agreements with other major vendors are anticipated.

* Standardized Terms: GSA is finalizing 24 standardized contract terms for Microsoft software to streamline agency contracts.
* Cost and Efficiency Gains: Aims to reduce up to 20% price variance, secure favorable terms, and capture 25% efficiency gains.
* Collaborative Approach: Developed through interagency collaboration, workshops, and lessons from past software initiatives.
* Focus on Major Vendors: Microsoft is the first target, with plans to expand to other OEMs.
* Impact: Expected to enhance cybersecurity and reduce duplicative or unnecessary license purchases.

GSA Extends Alliant 3 Contract Deadline to January

The General Services Administration (GSA) extended the deadline for the Alliant 3 Governmentwide Acquisition Contract (GWAC) proposals from October 28, 2024, to January 10, 2025, to allow time for reviewing public questions and ensuring high-quality submissions. GSA aims to provide clarity to vendors by releasing government responses and amendments until October 25. The Alliant 3 contract, covering a broad range of IT services with no maximum ceiling, was released in June 2024 after a draft in October 2022. A pre-recorded conference for vendors will be available around November 8, 2024.

* Proposal deadline for Alliant 3 extended to January 10, 2025.
* Extension allows time for reviewing public questions and amendments.
* Alliant 3 contract covers extensive IT services with no maximum ceiling.
* First set of government responses to vendor questions has been released.
* GSA plans a pre-recorded conference for vendors around November 8, 2024.

GSA recruits diverse tech talent to drive innovation across the federal government

GSA is recruiting diverse tech talent through the U.S. Digital Corps (USDC) and Presidential Innovation Fellows (PIF) programs to drive federal innovation. These programs are bringing in technologists with skills in AI, data strategy, and digital transformation to address critical challenges. In 2024, the aim is to hire over 100 technologists, focusing on areas like AI's responsible use in energy, healthcare, and mortgage lending.

* GSA is using USDC and PIF programs to recruit diverse tech talent.
* Over 100 technologists are being hired in 2024.
* Focus areas include AI, data strategy, and digital transformation.
* PIF is a one-year program for mid-to-senior level leaders, while USDC is a two-year fellowship for early-career technologists.

GSA secures landmark agreement with Microsoft to enhance federal IT acquisition

The U.S. General Services Administration (GSA) and Microsoft, in partnership with the IT Vendor Management Office (ITVMO), have finalized an Agreement in Principle under the Governmentwide Microsoft Acquisition Strategy (GMAS). This initiative unifies federal IT acquisition processes, enhances cybersecurity, and reduces costs across agencies. GMAS facilitates standardized terms, improved cost management, and multi-agency collaboration through workshops and resources provided by Microsoft and the ITVMO. These efforts strengthen IT ecosystems while ensuring value for taxpayers. The agreement highlights the importance of public-private partnerships in achieving efficient, secure, and innovative government technology solutions.

* GSA and Microsoft finalize a significant agreement under GMAS, promoting IT efficiency and security.
* GMAS supports standardized terms, cost reduction, and enhanced cybersecurity for federal agencies.
* Microsoft will offer workshops on cost management, governance, and security to improve collaboration and agency capabilities.
* ITVMO will provide guides, training, and direct support for implementing the agreement.
* The partnership underscores the importance of collaboration between government and industry leaders like Microsoft.

Harnessing AI innovation across federal agencies

Federal agencies are increasingly adopting AI to improve mission effectiveness, security, and operational efficiency, as highlighted in a recent FedScoop video series. AI is enhancing decision-making in battlefield applications, disaster management, and cybersecurity while also supporting space exploration and IRS operations. Key challenges include building flexible AI infrastructure, ensuring responsible AI use, and upskilling personnel.

* AI supports critical battlefield, disaster management, and cybersecurity operations.
* Federal agencies are investing in flexible AI infrastructure and workforce upskilling.
* NASA and IRS use AI to optimize operations and improve efficiency.
* Challenges include ensuring data privacy, responsible AI use, and managing costs.
* Broadcom’s “private AI” solutions offer scalable AI while maintaining security and compliance.

HHS Creates new Office to Oversee Cyber, AI; Seeks to Fill key Tech Roles

The Department of Health and Human Services (HHS) announced a reorganization to streamline and enhance its technology, cybersecurity, data, and AI strategy and policy functions. This includes establishing a new office, renaming ONC to the Assistant Secretary for Technology Policy and ONC (ASTP/ONC), and consolidating oversight of technology-related roles. The reorganization aims to bolster HHS’s capabilities in addressing pressing issues in healthcare technology.

* HHS has created a new office, ASTP/ONC, to consolidate technology, data, and AI strategy and policy.
* The search for permanent positions of CTO, CDO, and CAIO has begun.
* Oversight of technology, data, and AI policy will move from ASA to ASTP/ONC.
* National Coordinator Micky Tripathi will serve as the assistant secretary for technology policy and acting CAIO.
* The public-private cybersecurity efforts will transfer from ASA to ASPR to enhance healthcare cybersecurity.

House AI task force releases final report

A congressional task force has released a nearly 300-page report recommending strategies for federal AI adoption. It addresses governance, workforce development, and the government’s use of AI. Task force members are coordinating with the incoming Trump administration, which has appointed an AI czar and favors an industry-driven approach. Key recommendations include transparent AI policies, an AI scholarship-for-service program, and avoiding inefficiencies in existing federal IT laws. The report emphasizes bipartisan collaboration and prioritizes human oversight in AI applications. Task force members view the report as a foundation for future legislative action and interbranch cooperation.

* Comprehensive Report: The task force's report outlines recommendations on AI governance, workforce development, and transparent AI usage within federal agencies.
* Coordination with Trump Administration: Discussions are ongoing about aligning legislative and executive efforts, with the administration favoring an industry-driven approach.
* Workforce Incentives: Recommendations include creating an AI scholarship-for-service program and developing AI roles in federal agencies to attract talent.
* Human Oversight: Emphasis on maintaining strong human involvement in AI applications, particularly in consumer-facing operations.
* Bipartisan Approach: The report identifies areas of common ground for bipartisan action, including reducing inefficiencies in federal IT policies and AI frameworks.

How AI, intelligent automation can revolutionize operations for federal agencies

AI and intelligent automation are transforming data management practices across federal agencies, including the Library of Congress. Suman Shukla, head of data management at the Library, leads efforts to digitize and govern vast historical records. By establishing a centralized data warehouse and fostering data literacy, Shukla aims to modernize operations and leverage AI for efficiency. Other agencies, like the VA, are focused on AI-driven collaboration, with initiatives like Aspire enhancing workforce training. Despite AI’s potential, challenges like digitizing legacy data remain.

* AI and automation are critical to modernizing data management in federal agencies.
* Suman Shukla is driving data governance and literacy at the Library of Congress.
* AI tools, such as BI systems, drastically improve efficiency in reporting processes.
* Cross-agency AI collaboration, especially at the VA, is crucial for innovation and training.
* Challenges like digitizing handwritten records persist, requiring advanced technologies.

How GSA is delivering new IT capabilities faster than ever

The General Services Administration (GSA) is evolving its technology approach, focusing on human-centered design, rapid delivery, and data-driven innovation. By leveraging low-code/no-code platforms, GSA now delivers new tools in an average of 14 days, tailoring solutions to real-time and anticipated needs. GSA’s emphasis on customer and user experience has driven continuous improvements, such as refining SAM.gov through iterative feedback. For 2025, GSA prioritizes enterprise data management to ensure AI outcomes are reliable and ethical. To govern AI effectively, GSA established oversight boards for privacy, security, and safety, with plans to unify them for comprehensive management of this transformative technology.

* Rapid Delivery: GSA delivers new business tools in 14 days on average using low-code/no-code platforms.
* Customer-Centric Approach: GSA emphasizes human-centered design and has iteratively improved systems like SAM.gov based on user feedback.
* 2025 Priorities: Focused on enterprise data management to enhance AI reliability and address ethical computing challenges.
* AI Oversight Boards: Established boards for privacy, security, and safety of AI tools, with plans to unify them for comprehensive governance.
* Technology Leadership: GSA continues to lead in customer and user experience while advancing agile and responsive technology capabilities.

How the State Department is leaning into AI, modernization efforts to support federal workers

As technology evolves, the federal workforce must adopt innovative technologies to enhance productivity and efficiency. Don Bauer, CTO for global talent management at the Department of State, emphasizes the importance of integrating technology to support a global workforce. Challenges include data integration and maintaining control over corporate IP. Modernization efforts, including implementing trustworthy AI like state chat, are crucial. AI can help streamline recruitment and onboarding processes, while reducing overhead and vulnerabilities. Bauer highlights the importance of connectivity and integration for a modern user experience.

* Technology Integration: Essential for supporting a global workforce.
* Data Control: Importance of keeping corporate IP within the department.
* Modernization Challenges: Balancing ongoing operations with modernization.
* Connectivity: Reducing overhead and vulnerabilities through integration.

Informatica's Data in Action Summit: A Comprehensive Overview

On December 6th, 2023, the governmentwide ITVMO attended the Data in Action Summit by Informatica. As more government agencies evolve their citizen services into efficient platforms, leaders are increasingly relying on data as a key indicator of success and a means to drive change. Data, once a helpful resource, has now become crucial in the intricate modernization journey. IT officials find data and its analytical tools indispensable for building a government that is not only effective but also transparent, allowing them to witness their efforts in real time.

Innovation in Supply Chain: Managing Risk With Advanced Technology

The U.S. government faces significant challenges in its logistics missions due to global supply chain disruptions and geopolitical tensions. Agencies like GDIT are focusing on sophisticated supply chain risk management, incorporating AI and emerging technologies to mitigate risks such as cyber threats and counterfeit products. Efforts include pre-positioning stock, leveraging advanced data analytics, and empowering personnel to make critical decisions. The government aims to ensure resilient and reliable supply chains by adapting processes and improving coordination among federal agencies.

* Global disruptions and geopolitical tensions impact U.S. supply chains.
* Agencies use AI and advanced technologies for supply chain risk management.
* Strategies include pre-positioning stock and tracking multiple risk factors.
* Empowering personnel and data-driven decision-making are critical.
* Focus on resilience and reliability in supply chain operations.

JWCC Surpasses $1B Mark, Over 65 Task Orders Awarded

The Department of Defense (DoD) has surpassed $1 billion in spending on its $9 billion Joint Warfighting Cloud Capability (JWCC) contract, distributing over 65 task orders to various U.S. defense organizations. The JWCC, involving Google, Oracle, Amazon Web Services, and Microsoft, replaced the canceled $10 billion JEDI project. Task orders, which focus on areas like the Combined Joint All Domain Command and Control (CJADC2) initiative, vary in classification and capability. The average lead time for a task order is 25 days, though this can vary. The DoD aims to enhance cloud integration with partners and allies.

* DoD exceeded $1 billion in spending on the JWCC contract.
* Over 65 task orders distributed to various U.S. defense organizations.
* JWCC involves Google, Oracle, Amazon Web Services, and Microsoft.
* Task orders focus on diverse areas, including the CJADC2 initiative.
* Average lead time for task orders is 25 days, with variation based on size and competition.

MITRE’s Federal AI Sandbox will focus on critical infrastructure, weather modeling, social services

MITRE announced plans to train three new AI foundation models focused on critical infrastructure, weather modeling, and sustainable social services using its Federal AI Sandbox, a supercomputer designed for large-scale AI model training. This AI initiative aims to enhance cybersecurity, improve weather predictions, and streamline government workflows. Agencies can access the sandbox through existing MITRE contracts, with the sandbox expected to be available by the end of 2024. The White House emphasizes the importance of strong federal R&D funding to ensure the success of AI and other transformative technologies in addressing national challenges.

* MITRE will train AI models focused on critical infrastructure, weather, and social services.
* The Federal AI Sandbox will support generative AI, multimodal perception, and reinforcement learning.
* The AI models aim to improve cybersecurity, weather forecasting, and government workflows.
* Agencies can access the AI sandbox through MITRE's federally funded R&D centers.
* The White House calls for robust funding for R&D to support national technology goals.

More agencies turn to AI to fix website accessibility issues

Federal agencies are increasingly leveraging AI to enhance the accessibility of their digital services, ensuring compliance with government standards like Section 508. AI tools are being used to flag and address accessibility issues on government websites more effectively. Key figures like Betsy Sirk from NASA and Joe Carter from HUD emphasize the potential of AI to improve user experience, particularly for individuals with disabilities. Agencies are focusing on co-designing digital platforms with inclusivity in mind, driven by the belief that accessible services not only comply with regulations but also build public trust and enhance overall service delivery.

* Federal agencies are using AI tools to improve compliance with accessibility standards on their websites.
* AI can enhance digital accessibility by creating more adaptive user interfaces and flagging accessibility issues more efficiently.
* HUD is focusing on co-designing accessible digital platforms with input from users, including those with disabilities.
* The General Services Administration hosted an AI hackathon to improve user experience across federal websites.
* Enhancing digital accessibility is seen as crucial for building public trust and improving service delivery for all users.

Nearly 200 firms have signed pledge to build more secure software, top cyber official says

Nearly 200 tech and cybersecurity companies have signed the U.S.-led Secure by Design pledge, which commits them to incorporating default secure features in their products, particularly for enterprise customers and retail sales. The Cybersecurity and Infrastructure Security Agency (CISA) initiated this pledge to address ongoing software quality issues, emphasizing the need for secure products rather than additional security tools. The pledge, first introduced at the RSA Conference, includes measures such as managing vulnerability disclosure programs and reducing default passwords. Legal experts argue that the software market lacks incentives for secure development, leaving customers vulnerable to cyber exploitation.

* Nearly 200 companies signed the Secure by Design pledge led by CISA.
* The pledge emphasizes building default secure features in tech products.
* CISA's initiative addresses software quality issues rather than adding more security products.
* The pledge includes managing vulnerability disclosures and reducing default passwords.

New US cyber official wants ‘brutal honesty’ on industry collaboration efforts

The new U.S. cybersecurity official is advocating for brutal honesty in collaboration efforts with the industry. This approach emphasizes transparent communication about vulnerabilities and challenges to improve the overall cybersecurity posture. The official aims to foster a cooperative environment where industry and government can work together to address pressing cyber threats, particularly those targeting critical infrastructure. This initiative is part of broader efforts to enhance resilience against cyber incidents and advance secure technology practices.

* Brutal Honesty: Advocating for transparent communication about vulnerabilities and challenges.
* Industry Collaboration: Strengthening partnerships between government and private sector.
* Critical Infrastructure: Focus on protecting key infrastructure from cyber threats.
* Enhanced Cybersecurity: Improving overall cybersecurity posture through cooperation.
* Resilience: Building a more resilient cybersecurity framework against potential incidents.

NIST Wants Feedback on Zero Trust Architecture Guide

NIST's National Cybersecurity Center of Excellence (NCCoE) has released a draft practice guide, Implementing a Zero Trust Architecture (ZTA), for public feedback. The guide simplifies the process of adopting ZTA by showcasing 19 example implementations created with 24 technology providers. These implementations include detailed instructions, models, and resources for IT professionals to replicate or adapt based on their needs. Organizations can choose from approaches like enhanced identity governance (EIG), software-defined perimeter (SDP), microsegmentation, or secure access service edge (SASE). Public feedback on the draft is open until Jan. 31, 2025, before finalization.

* Purpose: The guide demystifies zero trust architecture (ZTA) implementation and offers a gradual approach for organizations.
* Example Implementations: Features 19 builds developed in collaboration with 24 technology providers, including diagrams, technologies, and instructions.
* Customization: Organizations can select relevant ZTA approaches like EIG, SDP, microsegmentation, or SASE and adapt builds accordingly.
* Final Feedback: Public comments on the draft guide are accepted until Jan. 31, 2025.
* Practical Focus: Designed to save time and resources for IT professionals through detailed, replicable models.

OpenAI, Anthropic enter AI agreements with US AI Safety Institute

Anthropic and OpenAI have signed memorandums of understanding with the U.S. AI Safety Institute to collaborate on research, testing, and evaluation of their AI models. Announced as first-of-their-kind agreements, these partnerships allow the institute access to new models before and after public release to enhance safety and risk mitigation. The collaboration includes the U.K. AI Safety Institute to align research and create a unified approach to AI system testing. These agreements build on previous voluntary commitments with the U.S. government, advancing responsible AI development and establishing new standards for safety.

* Anthropic and OpenAI signed agreements with the U.S. AI Safety Institute for AI model testing and evaluation.
* The government-industry collaboration is aimed at enhancing AI safety.
* The U.S. AI Safety Institute will access models before and after public release for safety evaluation.
* Collaboration extends to the U.K. AI Safety Institute for a unified AI safety approach.
* The agreements build on previous voluntary commitments, advancing responsible AI development.

OPM will use AI to modernize legacy IT system over a two-year period

The Office of Personnel Management (OPM) will utilize artificial intelligence (AI) as part of a Technology Modernization Fund (TMF) award to update its legacy retirement system. The project will rehost legacy systems in the cloud and use AI to rewrite COBOL code, significantly accelerating modernization compared to traditional methods. The initiative, which is expected to take two years, aims to improve system transparency, usability, and efficiency. While AI will handle code rewriting, human developers will ensure quality control. The project is part of OPM’s broader modernization roadmap, informed by extensive analysis of legacy systems and millions of lines of code.

* Modernization Goal: Update OPM's retirement systems for improved transparency, efficiency, and user-friendliness through TMF funding.
* AI-Driven Approach: Use generative AI to rewrite COBOL code, significantly reducing development time from five years to two.
* Cloud Transition: Legacy systems will be rehosted in the cloud as part of the project.
* Human Oversight: Developers, testers, and quality control staff will validate AI-rewritten code.
* Extensive Preparation: Analysis of millions of lines of legacy code informed the decision to leverage AI for modernization.

Pentagon releases key CMMC contracting rules

The Defense Department has proposed a rule to incorporate Cybersecurity Maturity Model Certification (CMMC) into contracts, requiring defense contractors to meet specific cybersecurity standards. The rule, part of the Defense Acquisition Regulations Supplement (DFARS), outlines a phased rollout over three years, starting around mid-2025. Contractors must either self-assess or obtain third-party certification, depending on data sensitivity. The comment period for the proposed rule closes on October 14.

* New rule integrates CMMC into contracts for cybersecurity.
* Phased rollout to minimize impacts on contractors.
* Certification levels vary by contract type and data sensitivity.
* Comment period ends on October 14, 2024.

Rethinking continuous risk metrics to fortify federal cybersecurity

Building cyber resilience is essential for effective disaster response and recovery. Real-time assessments of cyber resilience are necessary, requiring clear metrics to measure risks and progress. Key metrics include tracking identified risks, incidents, monitoring efforts, and mitigation success. Addressing data collection challenges is crucial to developing these metrics. Aligning cybersecurity efforts with frameworks like NIST's Cybersecurity Framework 2.0 enhances resilience, while collaboration between public and private sectors strengthens national cybersecurity defenses.

* Complex Threats: Natural disasters combined with cyberattacks strain critical infrastructure and public trust.
* Importance of Cyber Resilience: Essential for effective disaster response and recovery.
* Key Risk Metrics: Tracking risks, incidents, monitoring, and mitigation is crucial for resilience.
* Data Collection Challenges: Clear ownership and consistent data quality are needed for effective risk metrics.
* Public-Private Collaboration: Sharing insights and aligning with frameworks like NIST enhances national cyber resilience.

Rethinking cybersecurity in government: Prioritizing recovery and resilience

Despite significant investments in cybersecurity, cyberattacks on government IT systems are rising, exposing the limitations of prevention-focused strategies. Agencies must prioritize cyber recovery, recognizing breaches as inevitable and focusing on rapid, effective recovery to minimize impact. Current recovery infrastructures, often outdated and vulnerable, need upgrades like integrated backup and storage solutions with built-in security features. Innovations like Rubrik Security Cloud – Government offer immutability, air-gapping, and zero-trust capabilities, enabling faster recovery and malware-free backups. Consolidating recovery tools can reduce costs, simplify operations, and enhance resilience, making cyber recovery a critical element of modern cybersecurity strategies.

* Cyberattack sophistication necessitates shifting focus from prevention to recovery.
* Traditional recovery systems are outdated and vulnerable, often targeted in over 90% of attacks.
* Solutions like Rubrik Security Cloud integrate backup and security to ensure fast, secure recovery.
* Consolidating recovery tools reduces complexity and costs while improving resilience.
* Cyber recovery is essential for minimizing downtime and ensuring mission-critical data integrity.

Rethinking Federal Network Modernization

Federal agencies must modernize their networks to support AI-driven operations, data-centric services, and edge computing. Legacy networks struggle to handle increasing data demands and the growing number of connected devices. Modernized networks are critical for cybersecurity and AI adoption. However, challenges remain in aligning procurement, budgets, and infrastructure upgrades to meet mission-critical demands effectively.

* Data Challenges: Agencies struggle with legacy networks that can’t manage massive data volumes or support modern AI-driven workloads.
* Edge Computing Focus: Shifting AI and data processing to the edge reduces latency, improves bandwidth, and streamlines operations.
* Open Networking: Non-proprietary, interoperable solutions enhance scalability, cost-efficiency, and innovation.
* Modernization for AI & Cybersecurity: Upgraded networks are essential for robust cybersecurity and maximizing AI’s potential.

SBA initiates seismic shift in small business contracting

The Small Business Administration (SBA) proposed a rule on October 25 to expand the rule of two to task and delivery orders under multiple award contracts (MACs). Agencies must set aside such contracts for small businesses if two qualified small firms can compete, except in limited cases like GSA schedule contracts. This marks a significant shift in small business contracting, potentially redistributing up to $6.1 billion annually to small firms. While proponents see the rule as a way to combat declining small business participation in federal contracting, critics argue it could disrupt the efficiency of MACs and harm small firms long-term.

* Proposed Rule Overview: SBA’s rule extends the rule of two to MACs and GWACs, mandating small business set-asides where applicable.
* Economic Impact: SBA estimates $6.1 billion in missed small business awards could be addressed by applying the rule of two.
* Diverging Opinions: Critics fear disruptions to MACs may harm small businesses, while proponents see it as reversing declining small business participation.
* Small Business Trends: Federal small business contracting hit $178.6 billion in 2023, but prime contractors have declined by 40% since 2010.

State Dept. INR CIO Keys on Modernization, Cyber for FY25

Jimmy Hall, CIO of the State Department’s Bureau of Intelligence and Research (INR), outlined his FY 2025 priorities: IT modernization, cybersecurity, and IT expansion. At the Cloud Summit, Hall emphasized the integration of these priorities with INR’s goals, particularly through cloud expansion and the adoption of AI for improved threat detection and traffic analysis. Although progress has been made, including establishing a Top Secret (TS) cloud presence, Hall acknowledged the need for further advancements in cybersecurity and AI utilization. These priorities align with broader federal trends in cybersecurity, AI, and digital transformation.

* IT Modernization: Focused on aligning INR’s IT ecosystem with digital transformation goals.
* Cybersecurity Enhancement: Strengthening cybersecurity through AI and improved log analysis.
* IT Expansion: Expanding cloud capabilities, including a new TS cloud presence.
* AI Integration: Leveraging AI for threat detection, traffic analysis, and cybersecurity improvements.
* Federal Alignment: Priorities mirror broader federal trends in cybersecurity, AI, and digital services.

Tech Trends: Federal Agencies Adopt AI Capabilities for Threat Detection

Peter Dunn, CDW Government Federal CTO, emphasizes the potential of AI to enhance federal cybersecurity by handling repetitive tasks and detecting threats, but he highlights significant challenges. Agencies must first master data management to fully capitalize on AI's potential, particularly for threat response, as trust in automated actions remains limited. AI tools, like spam filters, improve efficiency, but agencies must invest in upskilling employees and fostering interagency collaboration to maximize AI's benefits. Interagency efforts, including the synchronization of AI leadership roles, can address fragmented implementations and ensure cohesive AI adoption across the federal government.

* AI enhances cybersecurity by handling repetitive tasks, like scanning databases, and detecting threats efficiently.
* Agencies need robust data management before leveraging AI for automated threat responses due to trust concerns.
* AI tools, such as spam filters, demonstrate current successes in improving email security and reducing false positives.
* Upskilling employees in AI and fostering interagency collaboration are crucial for maximizing AI’s potential.
* Synchronizing AI leadership roles across agencies can streamline priorities and unify federal AI applications.

The Department of State’s pilot project approach to AI adoption

The Department of State, through a partnership between three offices, is leveraging AI to streamline the declassification process of 25-year-old classified documents, addressing the growing volume of electronic records that require review. The pilot project successfully trained a model using previous declassification decisions, achieving a 97% accuracy rate and reducing the manual workload by over 65%. This AI-assisted approach will not replace jobs but will work alongside human reviewers to ensure accuracy and adapt to changing contexts. The initiative is expected to save millions of dollars in labor costs and serve as a model for future AI applications in government.

* AI for Declassification: The State Department is using AI to automate the review of classified documents, significantly reducing manual effort.
* High Accuracy: The pilot achieved a 97% match with human decisions, showing AI's effectiveness in this role.
* Cost Savings: The initiative could save up to $8 million in labor costs over the next decade.
* Human-AI Collaboration: AI assists rather than replaces human reviewers, ensuring continued oversight and adaptability.
* Broader Implications: The project highlights how AI can enhance government efficiency and transparency, with potential applications across other federal programs.

The federal government wants to teach workers about AI prompt engineering

The Federal Acquisition Institute, part of the General Services Administration (GSA), recently introduced an AI Prompt Engineering Credential to help federal acquisition staff effectively evaluate and utilize large language models, such as those developed by OpenAI. This credential focuses on practical techniques for crafting prompts, optimizing AI use, and maintaining ethical standards. The initiative highlights the growing federal interest in AI technology, though GSA currently has no plans for additional AI credentials. Efforts to enhance AI skills within the federal workforce continue, despite ongoing challenges in talent acquisition.

* AI Prompt Engineering Credential: Designed for federal acquisition staff to improve prompt crafting and AI optimization.
* Focus on Large Language Models: Specifically aids in evaluating technologies like ChatGPT.
* Ethical Standards: Credential emphasizes adherence to ethical practices in AI use.
* Federal AI Training: Part of broader efforts to bolster AI skills across the government.
* Talent Acquisition Challenges: Recruiting skilled personnel remains a hurdle in advancing federal AI capabilities.

The US government must keep pace with serving an AI-empowered citizenry

The rapid evolution of AI is transforming industries and everyday life, presenting a stark contrast to the slower adoption within government services. As companies like OpenAI, Apple, and Google revolutionize AI integration, the U.S. government faces the challenge of modernizing critical services like tax filing, healthcare, and security. While past successes, such as the adoption of social media and emergency communication systems, show the government’s adaptability, AI demands unprecedented speed. To stay globally competitive, the government must balance innovation with responsibility, invest in AI infrastructure, and attract top talent, ensuring trust and competence in an AI-driven future.

* AI is rapidly transforming industries, creating a stark gap with slower government adoption.
* Modernizing services like tax filing, healthcare, and security is critical for global competitiveness.
* Past successes, including social media use and emergency systems, show the government can adapt.
* Balancing rapid innovation with responsible AI deployment is essential.
* Investments in AI infrastructure and talent are crucial for maintaining trust and relevance.

The US intelligence community is embracing generative AI

The U.S. intelligence community is increasingly adopting generative AI to enhance its capabilities. This technology aids in data analysis, operational efficiency, and decision-making while ensuring responsible use to maintain public trust. The focus is on leveraging AI for tasks such as research, queries, and coding to improve overall operations. However, there are challenges, including ensuring data quality, addressing potential risks like bias and misinformation, and training the workforce.

* Adoption of generative AI for data analysis and operational efficiency.
* Emphasis on responsible AI use to maintain public trust.
* Challenges include data quality and mitigating risks of bias and misinformation.
* Need for workforce training and upskilling.
* Importance of a robust data strategy for AI success.

Top Priorities for DoD CISO: CM, Zero Trust, DIB Cybersecurity

DoD CISO David McKeown outlined the department's top cyber priorities, focusing on cryptographic modernization (CM), zero trust, and defense industrial base (DIB) cybersecurity. At the AFCEA Tech Summit, McKeown emphasized the importance of CM in safeguarding sensitive information, with a focus on developing quantum-resistant solutions. He also highlighted progress towards achieving the DoD’s FY 2027 zero trust goal, with the Navy leading the way. The DIB cybersecurity strategy aims to secure and enhance the resilience of defense industrial networks, with an official implementation plan soon to be unveiled.

* Cryptographic Modernization (CM): A top priority, focusing on developing quantum-resistant cryptographic solutions.
* Zero Trust: The DoD aims to meet its zero trust goal by FY 2027, with significant progress already made.
* Defense Industrial Base (DIB) Cybersecurity: Efforts include a new cybersecurity strategy with an implementation plan forthcoming.
* Quantum Computing Mitigation: CM efforts are geared towards staying ahead of emerging quantum threats.

U.S. Cyber Command Unveils AI Roadmap

U.S. Cyber Command (USCYBERCOM) has unveiled a five-year AI roadmap to enhance its analytic capabilities, scale operations, and improve adversary disruption. The strategy outlines over 100 activities across key mission areas, including security and national defense, with a focus on integrating AI into all operations. Led by a new task force, the initiative includes over 60 pilot projects and partnerships with the NSA and industry to address challenges such as talent acquisition and infrastructure development. USCYBERCOM aims to position itself at the forefront of technological innovation and cyber defense.

* USCYBERCOM’s AI roadmap outlines over 100 activities, focusing on security and defense.
* A new task force will lead the roadmap’s implementation, addressing talent and infrastructure challenges.
* Over 60 pilot projects and partnerships with the NSA and industry will drive AI integration.
* The roadmap emphasizes the need for analytic superiority and rapid adversary disruption.
* The five-year plan positions USCYBERCOM as a leader in AI-driven cyber defense.

Update to Better Contracting Initiative 2

The Governmentwide Microsoft Acquisition Strategy (GMAS) is a groundbreaking initiative by the IT Vendor Management Office (ITVMO) to standardize contract terms and pricing for Microsoft products across federal agencies. Launched under the Better Contracting Initiative (BCI), GMAS seeks to consolidate best-in-class terms into a universal framework, ensuring agencies benefit from collective efficiencies, cost savings, and enhanced cybersecurity. The effort, involving comprehensive analysis and collaboration with Microsoft and federal stakeholders, aims to position the government as a unified customer. Following GMAS, ITVMO plans to extend similar strategies to other major IT Original Equipment Manufacturers (OEMs) in fiscal year 2025.

* Standardization Effort: GMAS standardizes 24 contract terms for Microsoft products, benefitting all federal agencies.
* Cost and Efficiency Gains: Addresses pricing inconsistencies, achieving savings and avoiding repetitive negotiations.
* Collaborative Approach: Developed with input from Microsoft, federal agencies, and cybersecurity stakeholders like CISA.
* Enhanced Cybersecurity: Focuses on integrating critical cybersecurity standards into contracts.
* Future Plans: ITVMO plans to expand the model to other major IT OEMs in FY25.

USACE data scientists enabling AI, analytics across Army

Federal agencies are exploring how to integrate generative AI into their operations, with the U.S. Army Corps of Engineers' Engineer Research and Development Center (ERDC) playing a significant role. ERDC is optimizing large language models (LLMs) by embedding domain-specific data to support various military and civil tasks. This includes document summarization, knowledge generation, and predictive maintenance. ERDC focuses on the front end of the data science lifecycle, providing the necessary tools and infrastructure while enabling customers to handle analytics and visualizations independently.

* ERDC is optimizing LLMs with domain-specific data for Army use.
* AI is used for tasks like document summarization and knowledge generation.
* ERDC focuses on infrastructure, allowing customers to manage analytics.
* Predictive maintenance models are enhanced using AI-driven vector databases.
* Versatility in data handling allows for application across multiple domains.

Wales' optimism about federal cyber is stronger than ever

Brandon Wales, former executive director of the Cybersecurity and Infrastructure Security Agency (CISA), remains highly optimistic about the future of federal cybersecurity, crediting significant advancements made during his tenure. Despite challenges like the SolarWinds compromise, Wales believes that these incidents have led to a stronger and more resilient federal cybersecurity framework. He highlights the importance of binding operational directives and emergency directives in driving cultural change and prioritizing cybersecurity efforts across federal agencies. Under his leadership, CISA's initiatives have transformed federal IT into a more security-focused environment.

* Optimism for Federal Cybersecurity: Wales sees significant progress in federal cybersecurity, despite past challenges.
* Impact of SolarWinds Compromise: The incident led to fundamental changes, strengthening federal cybersecurity.
* Cultural Shift: A security-focused culture has been established across federal IT.
* Binding Operational Directives: These tools have been crucial in driving cybersecurity improvements and resource allocation.
* CISA's Role: Wales credits CISA's flexibility and strategic use of directives for the advancements in federal cybersecurity.

Zero Trust 101: How TMF is revolutionizing federal cybersecurity

The Technology Modernization Fund (TMF) is driving the adoption of zero trust architecture across federal agencies, emphasizing enhanced cybersecurity in the face of growing cyber threats and a more distributed workforce. Zero trust operates on the principle that no user or device is inherently trusted, requiring continuous authentication and authorization for access. TMF's financial support, such as the $20 million for the Department of Education’s zero-trust project, is crucial in overcoming resource and technical challenges, leading to a more secure federal IT infrastructure.

* Zero Trust Overview: No default trust; every access request must be authenticated and authorized.
* TMF Support: Provides financial and technical resources for agencies to implement zero trust.
* Examples: Two-factor authentication and biometric identification are common zero trust practices.
* Department of Education Project: $20 million TMF investment for secure student aid services.
* Future Impact: TMF's investment fosters a more secure and resilient federal IT landscape.

Zero Trust and Improving the Nation's Cybersecurity

In May 2021, the Biden Administration issued Executive Order 14028, revolutionizing U.S. federal cybersecurity with a focus on Zero Trust security. This model, based on "Never trust, always verify," mandates stringent verification for all access attempts within government networks, regardless of origin. Emphasizing a continuous, multifaceted approach, Zero Trust requires a blend of technologies and practices, marking a significant departure from traditional cybersecurity strategies towards a more secure, resilient governmental infrastructure.
