Technology - Federal News Network https://federalnewsnetwork.com Helping feds meet their mission. Wed, 10 Apr 2024 20:41:23 +0000

Ask the CIO: Federal Emergency Management Agency https://federalnewsnetwork.com/cme-event/federal-insights/ask-the-cio-federal-emergency-management-agency/ Wed, 10 Apr 2024 20:41:23 +0000
How is digital transformation impacting the mission at FEMA?

The post Ask the CIO: Federal Emergency Management Agency first appeared on Federal News Network.

In this exclusive webinar edition of Ask the CIO, host Jason Miller and his guest, Charlie Armstrong, chief information officer at FEMA, will discuss how digital transformation is supporting the mission at FEMA. In addition, Don Wiggins, senior solutions global architect at Equinix, will provide an industry perspective.

Learning Objectives:

  • Digital transformation at FEMA
  • Shifting FEMA to the cloud
  • Edge computing for the future
  • Employing artificial intelligence
  • Industry analysis

New Congressional task force looks to make sure it’s not left behind by AI advancements https://federalnewsnetwork.com/artificial-intelligence/2024/04/new-congressional-task-force-looks-to-make-sure-its-not-left-behind-by-ai-advancements/ Wed, 10 Apr 2024 19:10:52 +0000
Twelve members of Congress have been appointed to a new commission to lead the House’s exploration of AI’s transformational opportunities.

Twelve members of Congress have been appointed to a new commission to lead the House’s exploration of AI’s transformational opportunities and potential challenges. Their mission? To create guiding principles, recommendations and bipartisan policy proposals for the regulation of AI. One of those members joined Federal News Network’s Eric White on The Federal Drive with Tom Temin to discuss the task ahead: Rep. Don Beyer (D-Va.)

Interview Transcript:  

Eric White We have been bombarded with hearing about the potentials of AI. And so I’m sure that as a member of Congress, you’re hearing from your constituents as well as their concerns and things that might be brought up if it is implemented fully. So how did this task force on AI all come together?

Don Beyer Eric, for a few years, there’s been an artificial intelligence caucus. Democrats and Republicans coming together once a month to just talk about AI, but no legislation was really moving. It wasn’t clear which committees had jurisdiction, wasn’t clear where there was really momentum behind specific pieces of legislation. So Kevin McCarthy (R-Calif.), back before the infamous vacation of the chair, had talked about forming a task force, never happened. And eventually, just a few weeks ago, Speaker Mike Johnson (R-La.) and Democratic Leader Hakeem Jeffries (D-N.Y.) appointed these members, very bipartisan, an even number of Democrats or Republicans. And we’ve met a couple of times already. We’re now meeting every fly-out morning at 9:00. And the goal is by the end of the year to present a completely written up report on AI and what Congress should be doing. And hopefully, Eric, on the way, we’ll also actually pass four or five or six foundational bills. Bills we can build upon in the years to come.

Eric White Yeah. What can you tell me about the discussions that you just mentioned? Everybody loves to talk about the divisions in Congress and everything. But this issue, you might have a luxury of everybody generally wants a safe thing, a safe, efficient way for AI to be implemented into everyday life. What are you all mostly discussing when you have those conversations?

Don Beyer Eric, it’s been interesting. In the first couple of meetings, I spent a lot of time going around the room saying, what are your priorities? And they’re all over the place. For example, one Democratic member from New York had been very concerned about the use of AI delivering porn, especially with child sexual images. Where instead of the old terrible way of kidnapping children and forcing the reform porn in some garage, they actually generate it using large language models and stuff. It’s just as evil, but without an actual child in play. So you can get a lot more of it a lot faster, which is even sadder. On the other hand, you get people that are really concerned about deepfakes and what it will mean for elections this year. We all know that more people will vote in 2024 than in any year in the history of mankind. Oh, all over the world and very big elections here in the United States. So it varies, but you could boil it down into 12 main topics. And then the notion is how do you address each one of them? What role does Congress really have or federal government have in these 12 different areas?

Eric White And that’s a perfect segue into my next question of what is Congress’ role in this? Obviously, you have a vested interest in stopping some of the terrible things that can come from AI that you just mentioned. But as far as getting ahead of it and coming out with some overarching principles, is that where you see Congress’ enacting a role in working with other branches of government?

Don Beyer Yeah, very much so. So far, we’ve been really thrilled that there’s been little partisan bickering, very little partisan divide. There’s nothing like the divide we have on guns or on the right to reproductive freedom, things like that. So I’m optimistic about us being able to move forward. And on the role, it’s interesting the Europeans who the European Union have recently passed their EU Artificial Intelligence Act, the EU AI act. And they were, I heard it referred to recently, is that they are super regulatory power. They really like regulation. Our tendency, both Democratic and Republican, is to focus on innovation and creation and new uses that can change the way our lives unfold. So almost all of us, across party lines, want to have a relatively light touch from a regulation perspective, unlike the Europeans.

Eric White It’s interesting. Usually we’re trying to find ways to reduce red tape, and the Europeans tend to say, no, we need more red tape here. We’re speaking with Virginia Congressman Don Beyer. Congress has always been a punching bag for the American public. And they’re seen as sometimes being a little bit behind on when new technologies come in. And there are those viral clips of some of your fellow congressmen describing some things that maybe are off the cuff or out there. Where do you see as this is improving Congress’ understanding of AI? Because it’s a new technology and not too many people actually get with the facts of what it actually takes to create those deep fakes or actually have technology that will change Americans lives.

Don Beyer Well, the good part, Eric, is that while there are only a handful of actual technologists who serve in Congress, the 24 people on this task force, almost all of them are pretty sophisticated about AI across the political landscape. So I’m really encouraged by that. When Speaker Johnson and Leader Jeffries appointed, they were looking for people who already had expressed a deep interest in artificial intelligence and done a lot of reading and a lot of visiting, a lot of experimenting. So that’s a really good piece of it. And I also think while Congress always lags the American public, that’s because that’s the way our founding mothers and fathers set it up. It’s two different entities, the House and the Senate. There’s a filibuster in the Senate. You really have to spend a lot of time to get to a middle ground before something actually becomes law. And sometimes that slowness frustrates us. But it also can often be wise, because we’re not overreacting or doing something quickly and hastily that we later need to reverse.

Eric White Let’s talk about you yourself. You got appointed to this mostly because we’ve interviewed you before. You’ve taken a deep interest in AI, and even have taken some classes in learning more about the technology. What can you tell me of where you stand personally in your understanding of it?

Don Beyer I’m learning very quickly. I just came back from a four day AI conference with some of the smartest people I’ve ever met, and I had lots and lots of questions. And with every exposure, I learn a little bit more. By the way, having my coding background now, just in Python 3 and in Java, is also helping. No, I can’t be a huge AI scientist right now. I’m years away from doing that, but I have a good inkling about how they’re going about it and why, which helps. Although, ultimately, here in Congress in this task force, we’re not going to be writing any code. We’re going to be trying to come up with the right sets of policies for things like the democratization of artificial intelligence. We don’t want it to just be owned by the big four. By ChatGPT, by OpenAI and Microsoft and Google. We want to make sure that people like you and me also have access to it. The small businesses and medium sized businesses do it, and researchers everywhere. So the democratization is a big piece of it. And I also think that we have to look really deeply at the potential downsides. How many AI optimists? I think it could do much more good than harm. But as members of Congress, our job is to protect the American people. So thinking about the potential downsides is very important to you.

Eric White Providing me an opening to ask about those big four and the plethora of famous technologists that we’ve seen making the rounds on news programs, talking about it. Are you bringing in any sort of experts during these conversations with your task force, or are you just kind of reaching out on your own accord and then coming back and reporting to the task force?

Don Beyer It’s a really good question here, because it’s sort of in between. We have had, from Jay Obernolte (R-Calif.), who chairs the overall conference with Ted Lieu (D-Calif.). I think he’s been deluged with different people who want to come present to the task force, enough so that they can take up the next three or four years just listening to people tell us their ideas. So he’s going to be judicious in terms of the people we bring before us. But so far, it’s been the leaders of the big four, but also people like Dario Gil, who’s head of research at debt, at IBM. So some of the really great intellectuals and founders of this field are talking to us both in small groups and in big groups. Marc Andreessen, who is an early major technologist, has already come to talk to us. But we’re also hearing interesting, Eric, from not just the technologist, but people who’ve been affected by it. For example, we had one fascinating meeting with the folks that do photography and illustrations, and who write music and who published books, who are seeing artificial intelligence as perhaps taking all of their creative work and making it for free on the internet through the large language models. So what’s the business model that allows a photographer still makes a living other than at weddings?

Navy unveils new strategy for science, technology https://federalnewsnetwork.com/federal-newscast/2024/04/navy-unveils-new-strategy-for-science-technology/ Wed, 10 Apr 2024 16:30:23 +0000
Navy Secretary Carlos del Toro unveils partnership involving the Office of Naval Research, Naval Postgraduate School, U.S. Naval Academy and Naval War College.

  • The Navy has a new strategy for science and technology. Navy leaders have branded it a “call to service” for scientists and engineers from across the country to help solve military problems. The focus areas include autonomy and artificial intelligence, power and energy, manufacturing, and a host of other issues. The plan does not spell out how the Navy will make progress on those objectives, but Navy Secretary Carlos del Toro said the new work will involve partnerships with the Office of Naval Research, the Naval Postgraduate School, the U.S. Naval Academy and the Naval War College.
  • An Air Force legislative proposal to transfer National Guard space units to the Space Force is sparking a backlash among state governors. The National Governors Association has called for the immediate withdrawal of the proposed legislation to eliminate governors’ authority over their National Guard units. Utah Gov. Spencer Cox and Colorado Gov. Jared Polis said reducing governors’ authority over their National Guard personnel will affect military readiness, recruitment, retention and the National Guard infrastructure across the country. Air Force officials proposed legislation to bypass governors in seven states and move 14 Guard units with space missions to the Space Force.
  • Two agencies have obtained extra money for IT modernization projects. NASA won its first award from the Technology Modernization Fund. The Labor Department garnered its sixth in almost six years. These are the fourth and fifth awards the board has made since January 1, and they continue the board’s focus on cybersecurity and application modernization. The space agency is receiving $5.8 million to accelerate cybersecurity and operational upgrades to its network. Labor is getting $42 million for the Office of Workers’ Compensation Programs to replace its outdated Integrated Federal Employee Compensation System. The TMF board has now invested in 43 projects since receiving the $1 billion appropriation in the American Rescue Plan Act in 2021.
  • U.S. Cyber Command (CYBERCOM) is considering the best way to build its forces in the future, by conducting a study on future force generation models. The command has typically relied on the military services to train and equip its digital warriors. But leaders have pushed to embrace a more independent U.S. Special Operations Command-type model in recent years. And others have called for the Defense Department to establish an independent cyber service. CYBERCOM is slated to brief Pentagon leadership on the results of the study this summer.
  • Chandra Donelson is the Department of the Air Force's new acting chief data and artificial intelligence officer. In her new role, Donelson will be responsible for implementing the department’s data management and analytics, as well as AI strategy and policies. Donelson previously served as the space data and artificial intelligence officer for the Space Force, a role she will continue to hold. Her fiscal 2024 goals include integrating data and AI ethics into the department’s mission systems and programs.
  • The Postal Service is looking to raise prices on its monopoly mail products for the sixth time since 2020, when it gets approval from its regulator to set mail prices higher than the rate of inflation. USPS is planning to raise the price of a first-class Forever stamp from 68 to 73 cents. If approved by the regulator, these new USPS prices would go into effect on July 14. A recent study warned that USPS price increases are driving away more customers than the agency anticipated. But USPS said the data behind the study is “deeply flawed.”
  • The Department of Veterans Affairs is reviewing more than 4,000 positions that are at risk of a downgrade in their respective pay scales. The six VA positions under review include a mix of white-collar General Schedule (GS) and blue-collar Wage Grade (WG) positions. They include housekeeping aides, file clerks and boiler-plant operators. The VA expects to complete its review of these positions by the end of May. The American Federation of Government Employees said affected employees have received notices in the mail. But, the union said, it has not received notice from the VA about any imminent downgrades.
  • With cyber attacks on the rise, incident response is a big part of managing security risks. Now the National Institute of Standards and Technology is seeking feedback on new recommendations for cyber incident response. The draft guidance is tied to NIST’s recently issued Cybersecurity Framework 2.0. The revised publication lays out a new, more integrated model for organizations responding to a cyber attack or other network security incident. Comments on the draft publication are due to NIST by May 20.

CYBERCOM considers options for future force generation model https://federalnewsnetwork.com/defense-news/2024/04/cybercom-considers-options-for-future-force-generation-model/ Tue, 09 Apr 2024 21:38:00 +0000
CYBERCOM also has ‘enhanced budget control’ over cyber forces thanks to the fiscal 2024 appropriations bill, as officials craft plans for ‘CYBERCOM 2.0.’

U.S. Cyber Command in the coming months will brief Pentagon leadership on options for reforming how the military generates cyber forces for CYBERCOM.

Gen. Timothy Haugh, in his first public remarks since taking over as head of CYBERCOM and the National Security Agency in early February, said the force generation study is due to the secretary of defense this summer.

CYBERCOM has traditionally relied on the military services to train cyber warriors for the Cyber Mission Force. With that approach leading to readiness issues, officials have also looked to adopt more of a U.S. Special Operations Command-type model. And some have called on the Defense Department to establish an independent cyber force.

“We’re doing a study right now that will evaluate, and we brought in an outside think tank to help us look at this, what are the spectrum of options?” Haugh said at the CYBERCOM Legal Conference today. “There are also a number of things in between there that we should consider, and also whether or not any of that menu should be applied together. So we’re evaluating that.”

Last year, Congress tasked CYBERCOM with evaluating the readiness of the military services in their ability to provide forces to the command. Haugh said the study identified five specific things the services could improve upon.

“Most of those things were areas that had previously been tackled by SOCOM, as it looks at how the Special Operations Forces are managed,” Haugh said. “And it was around personnel policies. It was in how the services leverage tools that Congress had given for retention to each of the services, and it was about assignment policies.”

In the year since that study, Haugh said each of the services has taken individual actions to improve readiness. He pointed to the Army’s new incentive pay for cyber personnel; the Air Force’s new tech track pilot for extending an individual’s service in the cyber field; and the Navy’s new cyber rating, as well as the Marine Corps’ new eight-year initial enrollment for a cyber officer.

“Those are all really good examples of something each service has done,” Haugh said. “We would like to see them all raise that floor farther.”

Retired Gen. Paul Nakasone, the former head of CYBERCOM and the NSA, said he wanted to see a “bold move forward” with what’s been dubbed CYBERCOM 2.0.

The command is better positioned to control its future thanks to a new provision in law. The fiscal 2024 appropriations bill passed by Congress last month gave CYBERCOM new programming and budgeting authorities. Referred to as “enhanced budget control” by Haugh, the authorities give the head of CYBERCOM direct control over the planning, programming, budgeting and execution of resources for the Cyber Mission Force.

“We now have the budget responsibility for equipping the offensive and defensive cyberspace force for the Department of Defense, that force that we operate,” Haugh said. “So now we have the ability to be able to validate a requirement under our authorities that we’ve been given. We can allocate the resources against whatever that need is. And then we will be able to acquire that under our own authorities, either inside U.S. Cyber Command or in partnership with the services, where we drive the requirement, we have the resources, and now we’re going to be able to produce the capability that we need for our forces. That’s a pretty radical change from where we started.”

Integral to the conversations around the future of CYBERCOM is a new assistant secretary of defense for cyber policy position announced by DoD last month. The job serves as the secretary of defense’s top advisor on matters related to military cyber force and activities.

Secretary of Defense Lloyd Austin nominated the Army’s principal cyber advisor, Michael Sulmeyer, to serve in the new role. While he awaits confirmation, Ashley Manning is serving as acting ASD for cyber policy.

Manning and Haugh are set to testify before the House Armed Services Committee’s cyber, information technology and innovation subcommittee on Wednesday.

“It’ll be our opportunity to talk about what we see this looking like,” Haugh said of the new partnership.

The post CYBERCOM considers options for future force generation model first appeared on Federal News Network.

NASA, Labor receive extra funding for IT modernization
https://federalnewsnetwork.com/it-modernization/2024/04/nasa-labor-receive-extra-funding-for-it-modernization/
Tue, 09 Apr 2024 21:14:12 +0000
The Technology Modernization Fund handed out more than $47 million to NASA and the Labor Department for cybersecurity and application modernization projects.

The post NASA, Labor receive extra funding for IT modernization first appeared on Federal News Network.

NASA won its first award from the Technology Modernization Fund. The Labor Department garnered its sixth in almost six years.

These are the fourth and fifth awards since Jan. 1 and continue the board’s focus on cybersecurity and application modernization.

“It is our responsibility to protect high-priority systems and enable our federal workforce to deliver on their agency’s mission seamlessly and securely,” said Clare Martorana, federal chief information officer and TMF Board chairwoman in a release. “These TMF investments demonstrate the diversity and reach of the TMF in driving innovation and impact forward for the American public – from strengthening NASA spacecraft control to supporting injured and ill workers through DOL’s Office of Workers’ Compensation Programs.”

Labor’s award from the TMF of $42 million is among the larger investments over the last few years.

Labor’s Office of Workers’ Compensation Programs (OWCP) will use the money to accelerate the replacement of its outdated Integrated Federal Employee Compensation System (iFECS).

Currently iFECS is built on technology from 20 years ago and runs 98 different applications with what the TMF website calls “elaborate and archaic workflows.” “This adds significant friction to case management which can overwhelm claims examiners, delay processing and interrupt tasks,” the website states.

In fiscal 2023, the system provided services to more than 2.5 million workers, with over 200,000 new cases processed.

“This initiative aims to revolutionize services and benefits for injured and ill workers, making processes faster, more efficient, and less prone to cybersecurity, operational, and financial risk,” the release from the TMF Board stated. “TMF has allocated $42 million to support this endeavor and aims to overhaul iFECS by transitioning to a modern, cloud-based architecture and leveraging automation technologies. This shift promises to reduce claim adjudication times, enhance customer interactions and bolster data security, particularly crucial given the sensitive nature of federal employee health records and annual claims.”

Labor’s sixth TMF award since 2018

“IFECS services the entire federal government as the processor of all workers’ compensation claims filed by federal workers,” said Nancy Griswold, the deputy director of OWCP, in the release. “As such, improvements in iFECS that will allow for the faster processing of claims will have an impact not only on the claimants themselves, but also their federal employers, as studies have shown that faster payment of claims results in a faster return to work for many claimants.”

Labor’s first award came in 2018 and the department has won a total of more than $77.3 million from the TMF over the last six years.

NASA’s first award is for $5.8 million that will accelerate cybersecurity and operational upgrades to its network. The board said the money will be used for specific initiatives including automating network management, modernizing legacy infrastructure, standardizing network configurations across all NASA locations and collecting additional telemetry data to align with federal cybersecurity mandates.

“NASA’s IT infrastructure plays a critical role in every aspect of NASA’s mission, from enabling collaboration to controlling spacecraft to processing scientific data. Therefore, protecting and effectively evolving NASA’s information technology infrastructure remains a top agency priority,” said Jeff Seaton, the NASA CIO, in the release. “This TMF funding will help the agency to accelerate critical cybersecurity and operational upgrades two years earlier than originally planned.”

NASA’s inspector general highlighted the space agency’s need for additional attention around cybersecurity in its August report on compliance with the Federal Information Security Modernization Act (FISMA).

Auditors said “NASA’s information security program and practices were not effective” in fiscal 2023. The IG made 27 recommendations across the five functional areas: identify, protect, detect, respond and recover. NASA’s overall maturity came in at 2.48 out of 5 across the core FISMA metrics and 2.86 out of 5 across the 2023 supplemental metrics.

TMF board has less money in 2024

Along with the awards to Labor and NASA in calendar year 2024, the board made three investments in January worth $70 million for modernization projects at the Justice Department, the General Services Administration and the Armed Forces Retirement Home.

The board continues to allocate funding from the $1 billion it received in the American Rescue Plan Act in 2021. Since that appropriation, the board said, it has used that funding to invest in 43 projects.

It’s unclear how much of the $1 billion the TMF received from the American Rescue Plan Act remains. President Joe Biden’s fiscal 2025 budget request shows about $790 million left in the TMF that is unobligated for 2024, but that figure also includes money awarded to agencies that has not yet been sent out the door.

Going forward, though, the board faces less available funding, as the Senate, in the 2024 appropriations, rescinded $100 million from the ARPA windfall.

Leveraging lessons from the Okta breach to enhance federal cybersecurity
https://federalnewsnetwork.com/commentary/2024/04/leveraging-lessons-from-the-okta-breach-to-enhance-federal-cybersecurity/
Tue, 09 Apr 2024 19:16:35 +0000
The Okta breach provides an opportunity for federal agencies to reassess and strengthen their cybersecurity posture.

The post Leveraging lessons from the Okta breach to enhance federal cybersecurity first appeared on Federal News Network.

As we enter a new year, it’s an opportune moment for federal cybersecurity professionals to reflect on the past and strategize for the future. The realm of cybersecurity, ever-evolving and increasingly complex, demands constant vigilance and analysis of past events. Among these, the October 2023 Okta breach stands out as a significant event from the last year, offering profound insights into the vulnerabilities and dynamics of modern cyber threats. BeyondTrust’s security experts, through their detailed analysis of this breach, have unearthed lessons that are not only invaluable for understanding the incident itself but also for shaping robust cybersecurity strategies.

The following will be a summary of insights that are particularly pertinent for federal agencies, which face a unique set of challenges due to the nature and scale of their digital operations. In this dynamic cybersecurity landscape, learning from such incidents is crucial for adapting and enhancing security measures to protect against the sophisticated threats of the digital age.

The relevance of current cybersecurity policies and regulations to the attack

Federal agencies are bound by stringent cybersecurity regulations, notably Executive Order 14028, “Improving the Nation’s Cybersecurity.” Issued in May 2021, this order mandates agencies to enhance cybersecurity and software supply chain integrity, adopt secure cloud services and zero-trust architecture, and deploy multifactor authentication and encryption within a specific timeframe. These requirements align closely with the vulnerabilities exposed in the Okta breach.

Furthermore, the federal government’s latest identity, credentialing and access management (ICAM) policy, as outlined in the OMB M-19-17 memorandum, sets forth comprehensive guidelines for managing, monitoring and securing access to protected resources. This policy emphasizes identity proofing, establishing enterprise digital identities, and adopting effective authentication and access control processes. These elements are crucial in preventing incidents like the Okta breach, where weaknesses in identity and access management were exploited.

The Okta breach analysis underscores the need for a shift in cybersecurity focus from traditional perimeter defense to identity-centric strategies. This shift is vital for federal agencies whose operations often span multiple networks and cloud environments. Understanding the attacker’s perspective is essential for federal agencies as they prioritize the security of identity management systems and adopt robust privileged access management (PAM) practices.

Key lessons from the Okta breach relevant to federal agencies

  1. Identity is at the core of cybersecurity:

The breach reinforces the concept of identity as the new security perimeter. Federal agencies must ensure that identity management systems are robust and capable of thwarting similar exploits.

  2. The importance of privileged access management:

PAM is essential to protecting sensitive information, assets and systems. Implementing strong PAM solutions is a key step for agencies to safeguard against vulnerabilities. The integration of PAM into federal cybersecurity strategies is not just about mitigating risks; it’s also about enabling secure and efficient operations. By balancing security with operational functionality, PAM solutions help federal agencies maintain a high level of agility and responsiveness, which is essential in today’s fast-paced, digitally driven world.

  3. Agencies need to adapt to evolving cyber threats:

The breach exemplifies the dynamic nature of cyber threats. Federal agencies need to continuously update their cybersecurity strategies: incorporating lessons from incidents like the Okta breach into their protocols, staying informed about emerging threats, and integrating advanced technologies and methodologies, so that strategies remain effective against increasingly sophisticated attacks. It’s a continuous cycle of assessment, adaptation and enhancement, crucial for maintaining the security and integrity of federal digital infrastructure.

A defense-in-depth approach is critical

As threat actors focus more on exploiting identities, agencies need tools that can help provide visibility and control of identities and privileges, reduce risk, and detect threats. Well-defined policies and internal controls are necessary, but PAM can help provide a defense-in-depth approach, where multiple layers of controls and identity security monitoring capabilities can help prevent the failure of a single control or process from resulting in a breach.

The Okta breach provides an opportunity for federal agencies to reassess and strengthen their cybersecurity posture. By aligning with federal regulations and adopting a proactive approach to identity security, agencies can significantly enhance their defense against sophisticated cyber threats. Implementing lessons learned from such breaches is a critical step in fortifying the digital infrastructure that underpins national security and public service delivery.

Josh Brodbent is regional vice president for public sector solutions engineering at BeyondTrust.

Federal Executive Forum Zero Trust Strategies in Government Progress and Best Practices 2024
https://federalnewsnetwork.com/cme-event/federal-executive-forum/federal-executive-forum-zero-trust-strategies-in-government-progress-and-best-practices-2024/
Tue, 09 Apr 2024 15:39:21 +0000
How are strategies evolving to stay ahead of tomorrow's cyber threats?

The post Federal Executive Forum Zero Trust Strategies in Government Progress and Best Practices 2024 first appeared on Federal News Network.

Zero trust continues to be a crucial piece of cybersecurity initiatives. But how are strategies evolving to stay ahead of tomorrow’s cyber threats?

During this webinar, you will gain the unique perspective of top government cybersecurity experts:

  • Sean Connelly, Federal Zero Trust Technical Architect, Cybersecurity and Infrastructure Security Agency
  • Roy Luongo, CISO, US Secret Service, Department of Homeland Security
  • Louis Eichenbaum, Zero Trust Program Manager, Department of the Interior
  • Chris Roberts, Director, Federal Sales Engineering, Public Sector, Quest Software
  • Steve Faehl, Federal Chief Technology Officer, Microsoft
  • Wes Withrow, Senior Client Executive, Cybersecurity, Verizon
  • Moderator: Luke McCormack, Host of the Federal Executive Forum

Panelists also will share lessons learned, challenges and solutions, and a vision for the future.

Facing cyber attacks, critical infrastructure gets new reporting requirements
https://federalnewsnetwork.com/cybersecurity/2024/04/facing-cyber-attacks-critical-infrastructure-gets-new-reporting-requirements/
Tue, 09 Apr 2024 15:02:16 +0000
A newly proposed rule by CISA tasks those operating in critical infrastructure sectors to report cyber incidents within 72 hours.

The post Facing cyber attacks, critical infrastructure gets new reporting requirements first appeared on Federal News Network.


A newly proposed rule by the Cybersecurity and Infrastructure Security Agency would require entities operating in critical infrastructure sectors to report cyber incidents within 72 hours and to report ransom payments within 24 hours of making a payment. These new requirements would significantly lengthen the to-do list of those entities. For analysis of what the impact could be, Federal News Network’s Eric White spoke on the Federal Drive with Tom Temin to Beth Waller, principal at the law firm Woods Rogers Vandeventer Black.

Interview Transcript:

Eric White So 1,000 foot view. What are the major changes here and what is going to be the impact on these critical sector entities?

Beth Waller I think 40,000 foot view. Everyone was expecting the director of CISA to come out with these proposed rules. The big earth shattering component of it is really the definition of covered entity who falls within the orbit of needing to report. And so really, the proposed rule really kind of breaks it into two different sections. We have really those who have to report based on their size, how large they are, and those that have to report based on their sector. I think most folks who are watching for this proposed rule were really expecting the sector side of the house. We weren’t really expecting the size side of the house. And so from a 40,000 foot view, I would say that most businesses and entities might be surprised to find out that they are covered by these new reporting requirements as proposed.

Eric White Yeah. Is there anything in place to notify a company that, hey, by the way, this new rule, it applies to you.

Beth Waller I really think that CISA is going to need to do a good job of educating the public to let them know that, hey, you may fall within this, because again, when we look at the proposed definition of covered entity, for example, when it talks about size, it refers to an entity that exceeds the small business size standards specified by the applicable North American Industry Classification System Code and the US Small Business Administration Small Business Size regulations.

Eric White I read those yesterday.

Beth Waller That’s right. So if you look at those, as I think many of us did, went with bated breath to see, well, wait a minute. What does this mean? We start to see that, well, it really means anybody who has more than 500 employees and certain sectors, and with average annual receipts, over 7.5 million would qualify as somebody who would be needing to report. Now, there are certain exceptions by industry under the SBA regulations. But I think that really what is surprising for me, as somebody who really focuses in on critical infrastructure incident response, says, now we’re going to be really looking at those SBA requirements and doing that math in the midst of an incident. And what I can’t really emphasize enough is the fact that we need to remember that this isn’t sitting at home twiddling your thumbs or the quiet of a Tuesday morning or whatever the case may be. You’re in the midst of a ransomware incident and your organization is down and you’ve been essentially taken hostage. And what you’re trying to do is within those first 72 hours, do this math and start figuring out, do I qualify, do I need to report? And so the proposed rule really focuses in on that size. Are we big enough to have to report and then the sector. And then of course sector, size doesn’t matter. It really is whether you fall within these different buckets. And the buckets are what you would somewhat expect. Nuclear reactors, energy, things like that. But then there are some areas that you might not expect, for example, in the health care and public health sector, the proposed rule says that those that operate a hospital with 100 or more beds or are critical access hospitals. Well guess what, you’re dragged into that dragnet. So if I’m a small hospital in a rural location, I might not have 100 beds, but I might be considered critical access, and I would therefore be obligated to report a ransomware incident within 72 hours of finding it out.

Beth Waller Similarly, you have information technology, any entity that provides IT software, hardware, system or services to the federal government. So if you’re a teeny tiny software company, but you provide or have a contract with the federal government, well guess what, you’re grabbed into this. Similarly, if you are considered an original equipment manufacturer or a vendor or integrator of OT hardware, that’s operational technology, hardware or software, or those that perform functions related to DNS operations, guess what? You’re grabbed in. So again, you have some things that are kind of what you would expect: chemical facilities, water, wastewater treatment systems, transportation systems. But then you have some unusual things including communications. So for example, wire radio communication services. So if FNN had an incident, you’d be doing that kind of analysis as to whether or not you needed to report within 72 hours as well. The other little tidbit I would say is that it’s not cut and dry the way the proposed rule is set up. I really think of it like it’s going to be a flow chart or a choose your own adventure type situation, because even with water and wastewater systems, for example, it breaks it down to say, is it a community water system? Publicly owned treatment works that serve more than 3,300 people? Well, that’s a random number to be trying to remember in the middle of an incident response: do I qualify? Do I not qualify? Similarly with education. You’re looking at populations of 50,000 or more. We’re in the education sector. More than a thousand students. Or any institute of higher education that receives funding under title nine. And then finally, folks like the defense industrial base sector. Many of those folks, again, many of my clients in that space are very used to doing reporting to the DoD. Well guess what, that doesn’t necessarily get us out of jail free. We may also be having to do the same kind of report to CISA. And so those are the big kind of surprises in some ways, is that the sectors really start getting into a lot of nuance and detail. And then of course, that size component. And again, if you qualify under one bucket, you’re just in. So if you’ve got more than 500 employees and you’re in the manufacturing space, it doesn’t matter that you’re in the defense industrial base sector, you’re going to be in regardless. And so I think that a lot of folks are going to be gobbled up by this, because CISA wants as much information as possible to start really looking at these trends nationally of the types of incidents that we as a nation are facing.

Eric White We’re speaking with Beth Waller, who is a cybersecurity attorney at Woods Rogers Vandeventer Black. And so it’s the people on that one end of the spectrum that the smaller entities that you mentioned. How big of a burden is this actually going to be on them? I imagine that for the bigger folks that are used to this, they’ve got maybe a whole team that’s assigned just to making sure they’re compliant. But there are probably some folks in rural hospitals who have never even heard of this process.

Beth Waller That’s right. And I really think that for those of us, again, I’m a cybersecurity data privacy attorney. And what I do is respond to these types of incidents and get signed in to these types of incidents. I think it’s going to really fall a lot on the legal profession to try to educate folks. Those of us that are called in to do breach response work, number one. But I would also say, I would argue that it’s not just onerous on the small businesses. It’s going to be really a huge task for the big businesses. And I would say that because the report itself is very detailed, it’s more detailed than the report that I would be giving, for example, if I was just in the defense industrial sector under the DFARS 7012, filing on the DIDNet, those types of things. We’re used to doing that in this space. The report to CISA requires us to identify the covered entity. So the entity making the report. But in order to do that, what CISA is proposing is that I need to know the state of incorporation, trade names, legal names, the DUNS number, tax ID, the EPA numbers, all this kind of stuff. Again, I go back to, think about what we’re in the midst of. We’re in the midst of a ransomware incident, highly unlikely that I have access to my work device. And so those first 72 hours, I can guarantee you you’re not getting access to a device that’s from your company. So you’re going to need to be able to pull this information together rapidly. It’s one thing if I’m a smaller defense contractor or a smaller contractor, to be able to know my state of incorporation. It’s another thing if I’m a mega corporation and I’ve made up a bunch of different LLCs or a bunch of different entities, or I have trade names, those types of issues. Pulling that kind of information together can be very challenging. And so I would argue that it’s going to be a burden to almost any entity that is going to be reporting to try to pull these things together.

Beth Waller In addition to that, the type of information about the incident that CISA is requesting, again, from somebody who has experienced an incident response, what they want to know within the first 72 hours is pretty broad. So, for example, they want a description of the covered incident with identification of affected information systems, including the physical locations of the impacted systems, networks and/or devices. If I am a mega company, for example, and I have 50,000 employees across the United States, talking about the physical location of those impacted systems or networks, if I’m a manufacturer, it could be quite challenging in the midst of that first 72 hours, keeping in mind that the people who are needing to answer this are also potentially two people trying to come back online, getting things together, managing the incident response team. In addition to that, they want to know things like IOCs, which in the industry is indicators of compromise. They want to know the bad guys. What’s the telephone number, the IP address that they called from. They want a copy of the malicious code and they want to know, for example, if you’re paying the ransom, which is another separate reporting requirement, they want to know exactly what your instructions were for payment of the ransom and things like that. I will say the good news is, thankfully there’s going to be a dropdown box for unknown at this time type answers given that this is the first 72 hours, but there is a requirement for supplemental reporting, and that supplemental reporting requires a report to be given every time there’s substantially new or different information becoming available. Again, if I’m in the midst of this incident, that is a very hefty burden to be thinking about.

Eric White Yeah, obviously this would be a substantial task order for, as you mentioned, somebody going through a cyber incident like this. But coming from CISA’s standpoint, this is pretty important information. A lot of people’s lives rely on these companies and obviously the critical infrastructure sector that runs the country basically. So, coming from them, why is this information so critical for an agency like CISA in the fight in ensuring that a lot of our big companies and critical infrastructure sectors are cyber secure?

Beth Waller Well, I think that what it does, it does create this dragnet of information to be able to really look at our adversaries and to be able to say, okay. Because a lot of times in the ransomware world, they have almost nonsense names. You’ve got Lockbit, Alphv/BlackCat. You’ve got Royal, you’ve got, you know, all the different types of ransomware that are out there. And I tell folks, it’s kind of like they’re gangs, like off of The Sopranos or The Godfather movies. They’re just cyber gangs. And so being able to track the information of being able to say, okay, well, this is associated with this nation state or it’s not is really incredibly important to CISA. And again, as someone who is a federal partner in the midst of these incidents, because I do critical infrastructure incident reporting. So again, when you’re representing a state agency or a local government, you are already acting as a partner to your federal partners and providing information. So I think that there are big benefits to working with CISA and currently reporting to CISA as we do. But I think that with regards to the kind of nuances that are being asked for in this reporting, it’s going to create a lot of headaches. And keep in mind, many of these businesses are folks that are operating under multiple regimes. So for example, the financial sector is one of these that is considered critical infrastructure here. Well, if you’re already a bank, you’re reporting to the Office of the Comptroller of the Treasury at the same time or reporting to CISA. If you are, for example, a manufacturer that is global, as many of our manufacturing Fortune 500 may be, you are also dealing with the laws in Europe. So GDPR-related laws, you’re also probably publicly traded. And so now you have the new Securities Exchange Commission rules and regulations about getting a notice out to your shareholders within four days of determining materiality. It’s really a very complex arena that CISA is coming into already from a regulatory standpoint.

Beth Waller I will say that the proposed rule says if CISA has an information sharing agreement in place with one of these other agencies that was receiving the report, that is potentially a get out of jail for a duplicate report filing, but it’s unclear at this time where CISA has that information sharing already. And I think that puts a lot of burden on the victim to try to figure that out. So hopefully the Department of Defense, for example, creates an information sharing system with CISA where if you’re already again reporting to the DIDNet and going through that side of the process, you wouldn’t have to necessarily do it again here. Again, those clocks also start not on a Tuesday morning at 9:00 a.m.; they often start at 1:00 a.m. on Saturday morning whenever that network engineer figures it out. So a lot of times the folks that would be filling this out are not necessarily aware of it until, let’s say, 36 hours into an incident, depending on how large the organization is. So my argument would be to many businesses, look at your incident response plan. If these proposed rules come into a final rule in the same manner that they’re currently looking at right now, we’re going to want to make sure your incident response plan has a lot of this information gathered already, because, for example, maybe you could create something offline that says, this is our state of incorporation, those types of things, so you’ve got that at the ready. Because again, keep in mind, most of the time we’re dealing with something like ransomware where the entire network is encrypted. So how are we going to get at this information even if we wanted to, unless you just know it?

The post Facing cyber attacks, critical infrastructure gets new reporting requirements first appeared on Federal News Network.

Oregon Senator fed up with data breaches, blasts Big Tech, demands mandatory standards
https://federalnewsnetwork.com/federal-newscast/2024/04/oregon-senator-fed-up-with-data-breaches-blasts-big-tech-demands-mandatory-standards/
Tue, 09 Apr 2024 14:44:48 +0000
Sen. Ron Wyden (D-Ore) cites a Cyber Safety Review Board report that blames Microsoft's inadequate cybersecurity culture.

The post Oregon Senator fed up with data breaches, blasts Big Tech, demands mandatory standards first appeared on Federal News Network.

  • After a scorching report, one Senator wants to see the federal government overhaul its cybersecurity practices. Sen. Ron Wyden (D-Ore) on Monday released draft legislation to set minimum federal cyber standards for collaboration technologies, like Slack and Teams. Under the bill, the National Institute of Standards and Technology would establish interoperable standards for those technologies. The legislation would also require the use of end-to-end encryption. The bill comes after a Cyber Safety Review Board report blamed Microsoft's inadequate cybersecurity culture for multiple federal hacks. Wyden argued that interoperable standards would reduce the federal government's reliance on Microsoft.
  • Radha Plumb has officially assumed the role of the Defense Department’s Chief Digital and Artificial Intelligence Officer. Prior to her new role, Plumb served as the deputy under secretary of Defense for acquisition and sustainment. Deborah Rosenblum, the assistant secretary of Defense for nuclear, chemical and biological defense programs will take over Plumb’s previous role starting April 8. Plumb will replace Craig Martell, who became the Pentagon’s first permanent chief digital and artificial intelligence officer in 2022.
    (Source: Plumb officially assumes CDAO role - Defense Department)
  • Underutilized federal buildings could turn into affordable housing if a House bill makes it through Congress. The Government Facilities to Affordable Housing Conversion Act would require agencies to identify vacant and underutilized buildings that would be suitable for converting into residential use. The bill provides funding to study the effectiveness of converting office space into housing and also creates a grant program for state and local governments to undergo these conversion efforts. Reps. Adam Schiff (D-Calif.) and Jimmy Gomez (D-Calif.) are leading the bill.
  • Some new recommendations aim to kick-start federal shared services. In the five years since the Office of Management and Budget relaunched the federal shared services initiative, experts said progress has languished. The Shared Services Leadership Coalition (SSLC) said in a new report that agencies have not achieved any of the goals outlined in the 2019 memo and federal shared services remain resource starved. The good-government group outlined four legislative and regulatory policy recommendations to get agencies moving in the right direction. SSLC's recommendations include mandating shared services as a required business blueprint and creating a new Senate-confirmed position called, "The Commissioner of Government Operations" at the General Services Administration.
  • The Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) is reminding employees of their whistleblower rights after being called out by a lawmaker. Sen. Chuck Grassley (R-Iowa) said an ATF memo, issued late last fall, chilled lawful whistleblowing. It warned employees against disclosing unclassified information without prior authorization. But it contained no references to lawful disclosures to Congress or federal watchdogs. After Grassley pressed the agency on the memo earlier this year, ATF recently issued an update with repeated references to the Whistleblower Protection Act and other disclosure rights.
  • Over the next five years, the General Services Administration (GSA) will eliminate the use of PFAS, known as "forever chemicals," in the cleaning of federal buildings. GSA is requiring government contractors to purchase cleaning products that are free of the toxic chemicals. Instead, contractors will be required to use alternative products, certified to ecolabels such as EPA’s Safer Choice and certain Green Seal® certifications. GSA’s Public Building Service has more than 600 contracts for custodial services at more than 1,500 government-owned buildings at a cost of more than $400 million per year. GSA expects that most of these contracts will include the new and safer specifications within five years.
  • James Lee, who led the IRS-Criminal Investigations office for the last three years and served 29 years in the federal government, retired on March 31. He has joined Chainalysis as its global head of capacity building. Lee said his initial focus will be helping international law enforcement agencies develop solutions against cryptocurrency-based crime. During his time at the IRS, Lee led IRS and federal law enforcement efforts to shut down Hydra, the world’s largest darknet market. He also conducted the largest crypto-seizure connected to terrorism financing and rescued 23 children and arrested 337 child abusers around the globe after taking down Welcome to Video, the world's largest distributor of child sexual abuse material.
  • The office of the Air Force chief information officer just got a new director of the enterprise information technology directorate. Keith Hardiman will oversee the management, planning, governance and resource allocation for the department's information and cyber enterprise, which has a budget of nearly $7 billion. Prior to his new role, Hardiman served as the director of the Air Force's information management and chief information office, where he led the Air Force's declassification and publications distribution offices.
  • Leaders of the Senate Veterans Affairs Committee are pushing for a higher cost-of-living increase for veterans and their surviving family members. The higher COLA would impact disability payments, clothing allowances, and compensation for surviving spouses and children of veterans. The cost-of-living adjustment would be determined by the annual COLA adjustment set by the Social Security Administration, and would go into effect December 1, 2024. Committee Chairman Jon Tester (D-Mont.) and Ranking Member Jerry Moran (R-Kan.) are leading the bill.

With ‘spying bosses’ on the rise, where do federal agencies stand on employee monitoring?
https://federalnewsnetwork.com/federal-report/2024/04/with-spying-bosses-on-the-rise-where-do-federal-agencies-stand-on-employee-monitoring/
Mon, 08 Apr 2024 22:34:33 +0000
One federal office has turned to employee monitoring technology in recent years, and it's led to a major rift between workers and management.

The post With ‘spying bosses’ on the rise, where do federal agencies stand on employee monitoring? first appeared on Federal News Network.


Earlier this spring, several House lawmakers introduced a new bill to address a burgeoning post-pandemic trend: the use of employee monitoring technologies.

The “Stop Spying Bosses Act” would create new rules around the use of worker surveillance technologies. It would also establish a new division at the Labor Department to regulate workplace surveillance.

The legislation comes in response to an explosion in the use of everything from video surveillance to keylogging software to keep tabs on employees. A 2023 survey of 1,000 companies with remote or hybrid workforces found the vast majority use some form of employee monitoring. There’s even a new term for tech that enables this kind of continuous activity tracking: “bossware.”

As the country’s largest employer, where does the federal government stand? To date, there’s little evidence that federal agencies and their managers are taking up the more intrusive employee monitoring practices being embraced in the private sector.

But the unions that represent feds are also guarding against the potential as the technology evolves. National Federation of Federal Employees Executive Director Steve Lenkart said the issue is intertwined with the evolution of telework.

“As our technology improves, and we have more capabilities for people not to be in a centralized place, we’re going to have to invest in technologies that make it easier for that employee to function,” Lenkart said in an interview. “And there’s always going to be questions of supervision. And then it leads to questions of surveillance.”

SSA watchdog monitors employee computers

There is at least one instance where federal employees working remotely have had their computers monitored for performance.

In 2021, employees at the Social Security Administration’s Office of the Inspector General were subject to a survey of computer logs and telephone records to measure time online. Some employees were subject to disciplinary action or terminated.

While the Federal Law Enforcement Officers Association (FLEOA), which represents more than 90% of SSA OIG agents, pushed back on that practice, SSA Inspector General Gale Ennis argued it was necessary “as stewards of taxpayer dollars, to hold employees accountable, when appropriate.”

“Failing to do so would be detrimental to public service, the OIG mission, and the morale of the many employees who go above and beyond in their contributions every day,” Ennis wrote in a September 2021 letter to the union.

Later that month, the FLEOA took a vote in which 98% of responding employees said they had “no confidence” in Ennis’s leadership. The use of computer logs for employee monitoring was among the issues cited by the union in its statement on the vote.

More than two years later, an FLEOA spokeswoman said the issue around the computer monitoring has yet to be resolved. “To our knowledge, the data analytics from employee monitoring are not being used for disciplinary actions as they were before, but they could be using it for other reasons,” the spokeswoman told Federal News Network.

In a statement for this story, FLEOA President Mat Silverman said SSA OIG employees were terminated “based on computer logs often without any corroborating or mitigating evidence from an employee’s immediate supervisor, raising serious doubts about the legitimacy of the terminations.”

“As agencies become increasingly skeptical about the benefits of remote work, we do fear the trend of remote monitoring will continue; however, we hope the strong criticism, high attrition, and decreased morale SSA OIG experienced will send a strong message to other agencies that this is neither an effective nor appropriate workplace policy,” Silverman said. “Ultimately, a workplace is successful when there is mutual trust, transparency, and confidence between employees and their leadership. Conversely, remote monitoring is demeaning to employees and undermines these important workplace values.”

In response to questions about the use of computer monitoring, an SSA OIG spokeswoman said, “Social Security Administration Office of the Inspector General supervisors measure productivity and performance of their employees using performance plans.”

‘No rulebook’ on employee monitoring

As the telework era continues to evolve, Lenkart said it will take time to strike the balance between supervision and surveillance.

“I think there’s going to be a little bit of operational uncomfortableness,” he said. “If you don’t trust your employee enough where you have to watch them minute-by-minute, then that’s probably not a good candidate to be working home or the supervisor has trust issues that need to be addressed. There’s no rulebook written on this yet.”

While workplace collaboration technologies, like Microsoft Teams and Zoom, are key to remote work, some unions are keeping a close eye on how those technologies are used by management. The National Treasury Employees Union, for instance, said it “opposes the use of technology for anything other than its intended purpose.”

In a statement, NTEU National President Doreen Greenwald said the union negotiates language in contracts that any “new or upgraded workplace technology cannot be used to track and monitor employees, measure productivity or replace existing official methods for tracking time and attendance.”

“For example, monitoring an employee’s colored-dot status on Microsoft Teams is not an indicator of productivity or attendance, and we would enforce our contracts to contest agency managers trying to use it as the basis of discipline or an adverse action against an employee,” Greenwald continued.

On its “Telework FAQ” page, the Office of Personnel Management encourages supervisors to focus on what an employee is accomplishing, rather than what it “looks like” an individual is doing.

“By focusing on the work product instead of the work activity, many supervisors find they are better able to communicate clear expectations to their employees,” OPM writes. “The resulting agreement on job expectations often leads to increases in employee productivity and job satisfaction.”

OPM did not respond to questions about the potential use of employee monitoring technology within the federal government.

In a 2021 blog, the Government Accountability Office underlined how first-line supervisors are key to reporting whether they think an employee is abusing time and attendance requirements. While agencies are increasingly using automated timekeeping systems and other internal controls to detect misconduct, managers are “still the most important internal control for managing time and attendance,” GAO wrote.

That’s a sentiment Lenkart reiterated in highlighting the disparate nature of many federal jobs and the difficulty of measuring performance from time spent on a computer.

“In the end, it’s always going to come back to the local supervisor to determine whether you have a good employee or not,” he said.

Nearly Useless Factoid

By: Derace Lauderdale

Close to 80% of employers use monitoring software to track employee performance and online activity.

Source: CNBC

The post With ‘spying bosses’ on the rise, where do federal agencies stand on employee monitoring? first appeared on Federal News Network.

Leading university offers way to keep up with cybersecurity policy
https://federalnewsnetwork.com/cybersecurity/2024/04/leading-university-offers-way-to-keep-up-with-cybersecurity-policy/
Mon, 08 Apr 2024 14:07:01 +0000

Contractors and federal managers agree: It is difficult to keep up with all of the cybersecurity rules and regulations.


Contractors and federal managers agree: It is difficult to keep up with all of the cybersecurity rules and regulations. The parade of new proposals never ends. American University has a program that might help. It is a series of online discussions with people who know policy. For more, the Federal Drive with Tom Temin spoke with American University senior lecturer Dr. Sasha Cohen O’Connell.

Interview Transcript:

Tom Temin I should say you’re not just a lecturer there, but you host podcasts that talk about cyber security policy. How do you keep people awake through that?

Sasha O’Connell Oh, it’s more exciting than you might think. Of course. Yes. A brand-new podcast series in partnership with our colleagues both at CrowdStrike and Wylie Ryan.

Tom Temin All right. And I guess the bigger question is what is going on that people need to go out of their way to get more understanding of cyber regulations just seem to be like tulips popping up everywhere.

Sasha O’Connell Absolutely. Even in my time, I’ve been back in American University full time for five years teaching U.S. cyber policy, and I was just saying to my class yesterday, the blooming, to keep your analogy, in terms of activity with the government side around cyber policy is just an explosion, and it has really impacted the way I teach. I think a couple of things drive that. One is, of course, the threat and the changing nature of the threat, both nation state actors and criminal actors. And that increased activity over time. Not new but continuing to increase. In addition, I think there’s a change in leadership in government over time, folks who are perhaps more up to speed on these issues and able to make decisions both in the executive and legislative branch. And then I think, frankly, some political will, right, given the nature of the attacks we’re seeing to act and to do think about it. So, we’re starting to see that across government. And that’s generating a lot of conversation and need for educational materials, which is what brought us to the podcast.

Tom Temin Plus the publications of regulations and policies themselves can be daunting. CISA, for example, just came out with a new rule on incident reporting for small businesses. Nobody knows who’s affected by this, but the rule was something like 500 pages. That’s a dense 500 pages. That’s part of the challenge, isn’t it?

Sasha O’Connell Absolutely. I think it’s in the 400s, 447, in the most recent call for comment, the NPRM around CIRCIA, which I know you guys covered last week as well. Absolutely. It is daunting. This whole theme of incident reporting is actually our first topic of the podcast. And because whether it’s the new SEC rule or rules coming out of CISA on the heels of CIRCIA, we know that folks need some context, right? They need some history, some context, and some materials that sort of, we call it start here. Right. A place to start to understand the context of these issues before you start to dive into all the details. And we also know that there’s new people working in this space, or people for whom these topics are new, and they need some primers and access to that kind of information. And that’s, again, the impetus for this podcast. And incident reporting is exactly where we start.

Tom Temin And so much of the cybersecurity discussions, coverage, articles, media pieces and so forth concern cybersecurity practitioners and how to stay ahead of threats, understand the threat environment, responses, and all of these cyber operational things. So, do those people need to be better versed in policy, or who is it within an organization that should be versed in policy, even if they’re not coding the next counterattack type of thing?

Sasha O’Connell This is exactly one of the changes that’s happened at the moment, sort of in the last five years. It used to be the job for FBI, you know, the precursor to CISA and PPD, CISA folks who cyber was their day job. But now I like to say it’s truly cyber for all. Right. Certainly in government, if you work at HHS, as we saw with the most recent hack relevant to the health care system, if you work at EPA and you’re worried about clean water, as we’ve seen in recent mornings in that sector as well, there’s really no spot in government that doesn’t have a cyber policy component to what they do. At a minimum, they’re responsible for protecting their own data, right? The data internal to those departments and agencies or on the Hill, if you think about the data managed there. And then there’s that piece within. There’s the externally inter-agency, you know, bigger picture policy piece that focuses on the customers of these departments and agencies. Right. And there are equities and authorities across the board.

Tom Temin We’re speaking with Sasha O’Connell. She’s senior lecturer at American University and host of a podcast series on cyber security policy. And I wanted to ask you about, maybe based on your experience, we should note long term at the FBI before coming to academia and so forth, where you were involved with cybersecurity policy. Often the complaint comes especially from industry, but also from government practitioners that there seems to be, let’s say, a want of coordination of policy creation among the federal entities themselves. Is that an issue that you cover, and you feel that is an issue?

Sasha O’Connell Yes of course. Better coordination and deconfliction. It’s something that’s always being worked on. As you mentioned, I spent about 15 years at the FBI, and one of my last roles was to stand up and lead a new office that was facing the National Security Council to work with the White House on those policy issues where the FBI had equities. And through that NFB process that many of your listeners I’m sure are involved with, is that effort at coordination. You know, especially now in an area like cyber where there’s so much growth and population of use and the blooming of interest in regulation and legislation, convenings and voluntary standards, it is more important than ever through those processes that those things are being coordinated in cyber as well. We see a ton of activity at the state level. So, all 50 states have their own victim notification laws, for example. And that’s something that Washington and I know the Biden administration is super aware of and working hard, both here in the US and also relevant to our international partners, making sure that global companies have those kind of crosswalks and deconfliction information and where possible, that things are reconciled because it is a huge challenge.

Tom Temin And it’s also true that the number of agencies is kind of spreading. I mean, you’ve got DoD and many components there and a couple of different components of Homeland Security, Justice Department. But now the FTC, the SEC, the FCC, everybody seems to be maybe even the FAA jumping into cyber and cyber policy. So, it sounds like this is something that’s going to not go away, is it?

Sasha O’Connell No. Absolutely not. In my classroom, I use the bubble chart from the early 2000s, which maybe some of our listeners remember, a PowerPoint that we used to walk around and show roles and responsibilities in cyber, and it had 4 or 5 agencies. And then there’s a great 2020 GAO report that shows a nice graphic of all the departments and agencies with cyber responsibility. And I think it’s about 25. Right. So, your point is super well-taken. And again, it really is cyber for all. And again, why we think this need to fill the gap in terms of foundational educational materials is so important, both for current leaders in government and for future leaders studying cyber now.

Tom Temin And what about the contractors? It would seem that they need to keep on top of this. I think they know they need to, because the implication is not simply that you will lose data or get hacked and all of this, but then you’ll get hit with the False Claims Act, for example, or in the case of the SEC, they would like to, you know, arrest you and pillory and fine you and so on. I mean, it’s dangerous territory, isn’t it, for contractors, companies 100%.

Sasha O’Connell And it’s particularly relevant because one of the levers is, you know, that the executive branch has, in terms of being able to raise the bar in cybersecurity is, of course, through contracting. Right. And the standards they set through those opportunities. So, absolutely, this needs to be front of mind for all government contractors to keep an eye on that, because it is a place where there is a lot of activity and change going on. Absolutely.

Tom Temin And just quickly, from the standpoint of being at American University, is this an area that you see growth of interest in incoming students?

Sasha O’Connell 100%, so much so that in the last three years we have created a graduate certificate, a non-technical certificate, specifically in cyber policy and management. So, when you come perhaps for your master’s degree in public administration thinking you want to be maybe a city or town manager, we now have that opportunity. Right. Because if you don’t get a little something, the four corners on ransomware, for example, before you head out to lead, even at the state and local level, let alone the federal level, it’s really a huge gap, both in terms of getting jobs and being impactful when you get there. So yeah, we see the demand both at the undergraduate and graduate level. And again, at AU, we’re specifically focused on that policy piece, that intersection of the law with the technology, with the functionality of government.

The post Leading university offers way to keep up with cybersecurity policy first appeared on Federal News Network.

Why the principal cyber advisor ended up being a good thing
https://federalnewsnetwork.com/ask-the-cio/2024/04/why-the-principal-cyber-advisor-ended-up-being-a-good-thing/
Mon, 08 Apr 2024 13:44:42 +0000

Chris Cleary, the former principal cyber advisor for the Navy, left in November after three years in the role and helped establish the value of his office.

The post Why the principal cyber advisor ended up being a good thing first appeared on Federal News Network.

A few years ago, the Defense Department drafted a legislative proposal to get rid of principal cyber advisor positions across all services.

While this idea didn’t make it out of the Pentagon, three-plus years later, Chris Cleary, the former principal cyber advisor for the Department of the Navy, said that was a good thing.

Cleary, who left government recently and joined ManTech as its vice president of its global cyber practice, said the impact of the principal cyber advisor in the Navy is clear and lasting.

Chris Cleary was the Department of the Navy’s principal cyber advisor for three years before leaving late last year.

“This is challenging because all the services in the very, very beginning wanted to get rid of the principal cyber advisors. There was a legislative proposition that was trying to be submitted and Congress came over the top and said, ‘No, you’re going to do this,’” Cleary said during an “exit” interview on Ask the CIO. “So year one in the job, I make the joke, I was just trying to avoid getting smothered by a pillow because no one wanted this position especially after we just stood up the re-empowered CIO office so what’s a PCA? And what’s this person going to do for the organization? I was very attuned to that and ready that if the decision is to push back on this creation, and maybe do away with the PCA job, I was just going to go back to being a chief information security officer. I was being a good sailor and focused on whatever are the best needs of the Navy. I was prepared to do that.”

The move to get rid of the principal cyber advisors never came to fruition and, instead, the Navy, and likely other military services, now see the value in the position.

Cyber advisor wields budget influence

Cleary said one way the principal cyber advisor continues to provide value is around budgeting for cybersecurity. He said each year his office submits a letter on the “budget adequacy” to the Defense Department’s planning process, called the Program Objective Memorandum (POM).

“I found that the PCA office really became the champion for advocating and supporting programs like More Situational Awareness for Industrial Control Systems (MOSAICS), which was a thing we were doing for operational technology systems ashore, and another product called Situational Awareness, Boundary Enforcement and Response (SABER), which was its cousin and for OT stuff afloat,” he said. “What you found is both of those programs are being championed by hardworking, honest Navy employees that just couldn’t break squelch to get a properly resourced or funded or programmed for. The PCA was able to champion these things within the E-Ring of the Pentagon. Things like MOSAICS, as an example, I am very proud of, we worked very closely with the Assistant Secretary of the Navy for Energy, Installations and Environment, Meredith Berger. She very quickly recognized the problem, most of this fell kind of within her sphere of influence as the person responsible for resourcing all of the Navy’s infrastructure. She very quickly embraced it, adopted it and hired an individual within the organization to look at this specifically.”

Cleary said over the course of the next few years, he worked with Berger’s team as well as other cyber experts in the Navy and across DoD to do deep dives into how to secure OT.

When the Defense Department rolled out its zero trust strategy in November 2022, the services faced more challenges around operational technology than typical IT. Cleary said the PCA helped the Navy better understand the OT stack was more complex and the tools used for IT wouldn’t necessarily work.

“The further you get down closer to an actual device or controller you can’t just roll a firewall out against that,” he said. “They have their own vulnerabilities and risks associated with them. But they’re things that we haven’t traditionally looked at when you when I’m talking about OT, like weapon systems, defense, critical infrastructure, these massive foundation of things that not only enable what we do from an enterprise IT standpoint, but we’ve got to keep the lights on and the water flowing, and the Aegis weapon system has lots of computers with it, but that isn’t an enterprise IT system so who’s looking at those, who’s resourcing those, it’s only been the last decade or so that we’ve seen a lot of these is legitimate target areas.”

Champion of attention, resources

Cleary said his office helped get the Navy to spend more money and resources on protecting operational technology because it wasn’t always a top priority.

The OT example, Cleary said, is exactly why Congress created the PCA.

“We didn’t do any of the work to create these things. We just champion them appropriately and ensure they got the attention they deserved. And then ultimately, the resourcing required so they can be successful,” he said.

Cleary said it was clear that after three-plus years as the principal cyber advisor for the Navy, the benefits outweighed any concerns.

He said with the cyber world becoming more convoluted and complex, the position helps connect dots that were previously difficult to bring together.

“I think Congress would come and ask a question and they would get 10 different answers from 10 different people. I’m not saying we got there. But the idea of the PCA was to get those 10 different answers from 10 different people and then try to consolidate that answer into something that made sense that we could agree upon and present that answer back to Congress,” he said.
\u201cI'm not going to say we fully succeeded there because there are a lot of ways around the PCA and the PCA offices, but I think as the offices get more and more established, organizations like Fleet Cyber Command for the Navy, the Naval Information Forces and others were seeing the benefit of the PCA\u2019s job to be the middleman and deal with the back and forth.\u201dn<h2>Continue to create trust<\/h2>nCleary said toward the end of his tenure, these and other offices, including the Marines cyber office, started to work even more closely with his office on these wide-ranging cyber challenges. He said the principal cyber advisor was slowly, but surely becoming the trusted cyber advisor initially imagined.nn\u201cI use the analogy of a fishing line, when you start pulling out a fishing line and you're not sure what the weight of the fishing line is, but if you break the line, it's over. So the trick was to pull on it with just the right amount of tension without risking or breaking it,\u201d he said. \u201cI knew the PCA office was something new and if the relationships with those organizations became tenuous, or were cut off because of the PCA coming in and say, \u2018Hey, you shall do this or that,\u2019 it wasn\u2019t going to work. The way I envisioned the role of PCA was not to tell anybody inside the organization how to operationalize their own environments. My whole job was to go to them and understand what it is they needed, based on their experience and their expertise, and then get them that. The more that I could be seen as a value and not here to check their homework and poke them in the eye about their readiness, the more successful I\u2019d be.\u201dnnCleary said for the principal cyber advisor to continue to be successful, they have to continue to establish trust, understand their role is personality driven and focus on getting the commands the money and resources they need to continue to improve their cyber readiness."}};

A few years ago, the Defense Department drafted a legislative proposal to get rid of principal cyber advisor positions across all services.

The idea never made it out of the Pentagon, and three-plus years later Chris Cleary, the former principal cyber advisor for the Department of the Navy, said that was a good thing.

Cleary, who left government recently and joined ManTech as vice president of its global cyber practice, said the principal cyber advisor’s impact on the Navy is clear and lasting.

Chris Cleary was the Department of the Navy’s principal cyber advisor for three years before leaving late last year.

“This is challenging because all the services in the very, very beginning wanted to get rid of the principal cyber advisors. There was a legislative proposition that was trying to be submitted and Congress came over the top and said, ‘No, you’re going to do this,’” Cleary said during an “exit” interview on Ask the CIO. “So year one in the job, I make the joke, I was just trying to avoid getting smothered by a pillow because no one wanted this position, especially after we just stood up the re-empowered CIO office, so what’s a PCA? And what’s this person going to do for the organization? I was very attuned to that and ready that if the decision is to push back on this creation, and maybe do away with the PCA job, I was just going to go back to being a chief information security officer. I was being a good sailor and focused on whatever are the best needs of the Navy. I was prepared to do that.”

The move to get rid of the principal cyber advisors never came to fruition and, instead, the Navy, and likely other military services, now see the value in the position.

Cyber advisor wields budget influence

Cleary said one way the principal cyber advisor continues to provide value is in budgeting for cybersecurity. Each year, he said, his office submits a “budget adequacy” letter into the Defense Department’s planning process, the Program Objective Memorandum (POM).

“I found that the PCA office really became the champion for advocating and supporting programs like More Situational Awareness for Industrial Control Systems (MOSAICS), which was a thing we were doing for operational technology systems ashore, and another product called Situational Awareness, Boundary Enforcement and Response (SABER), which was its cousin and for OT stuff afloat,” he said. “What you found is both of those programs are being championed by hardworking, honest Navy employees that just couldn’t break squelch to get a properly resourced or funded or programmed for. The PCA was able to champion these things within the E-Ring of the Pentagon. Things like MOSAICS, as an example, I am very proud of, we worked very closely with the Assistant Secretary of the Navy for Energy, Installations and Environment, Meredith Berger. She very quickly recognized the problem, most of this fell kind of within her sphere of influence as the person responsible for resourcing all of the Navy’s infrastructure. She very quickly embraced it, adopted it and hired an individual within the organization to look at this specifically.”

Cleary said over the course of the next few years, he worked with Berger’s team as well as other cyber experts in the Navy and across DoD to do deep dives into how to secure OT.

When the Defense Department rolled out its zero trust strategy in November 2022, the services faced more challenges around operational technology than around typical IT. Cleary said the PCA helped the Navy understand that the OT stack is more complex and that tools built for IT would not necessarily work there.

“The further you get down closer to an actual device or controller you can’t just roll a firewall out against that,” he said. “They have their own vulnerabilities and risks associated with them. But they’re things that we haven’t traditionally looked at when I’m talking about OT, like weapon systems, defense critical infrastructure, these massive foundations of things that not only enable what we do from an enterprise IT standpoint, but we’ve got to keep the lights on and the water flowing, and the Aegis weapon system has lots of computers with it, but that isn’t an enterprise IT system, so who’s looking at those, who’s resourcing those? It’s only been the last decade or so that we’ve seen a lot of these as legitimate target areas.”

Champion of attention, resources

Cleary said his office helped get the Navy to spend more money and resources on protecting operational technology because it wasn’t always a top priority.

The OT example, Cleary said, is exactly why Congress created the PCA.

“We didn’t do any of the work to create these things. We just championed them appropriately and ensured they got the attention they deserved. And then ultimately, the resourcing required so they can be successful,” he said.

Cleary said it was clear that after three-plus years as the principal cyber advisor for the Navy, the benefits outweighed any concerns.

He said with the cyber world becoming more convoluted and complex, the position helps connect dots that were previously difficult to bring together.

“I think Congress would come and ask a question and they would get 10 different answers from 10 different people. I’m not saying we got there. But the idea of the PCA was to get those 10 different answers from 10 different people and then try to consolidate that answer into something that made sense that we could agree upon and present that answer back to Congress,” he said. “I’m not going to say we fully succeeded there because there are a lot of ways around the PCA and the PCA offices, but I think as the offices get more and more established, organizations like Fleet Cyber Command for the Navy, the Naval Information Forces and others were seeing the benefit of the PCA’s job to be the middleman and deal with the back and forth.”

Continue to create trust

Cleary said toward the end of his tenure, these and other offices, including the Marine Corps cyber office, started to work even more closely with his office on these wide-ranging cyber challenges. He said the principal cyber advisor was slowly but surely becoming the trusted cyber advisor initially imagined.

“I use the analogy of a fishing line, when you start pulling out a fishing line and you’re not sure what the weight of the fishing line is, but if you break the line, it’s over. So the trick was to pull on it with just the right amount of tension without risking or breaking it,” he said. “I knew the PCA office was something new and if the relationships with those organizations became tenuous, or were cut off because of the PCA coming in and saying, ‘Hey, you shall do this or that,’ it wasn’t going to work. The way I envisioned the role of PCA was not to tell anybody inside the organization how to operationalize their own environments. My whole job was to go to them and understand what it is they needed, based on their experience and their expertise, and then get them that. The more that I could be seen as a value and not here to check their homework and poke them in the eye about their readiness, the more successful I’d be.”

Cleary said for the principal cyber advisor to continue to be successful, they have to continue to establish trust, understand their role is personality driven and focus on getting the commands the money and resources they need to continue to improve their cyber readiness.

The post Why the principal cyber advisor ended up being a good thing first appeared on Federal News Network.

The original CMMC program was missing one key component — Here’s how the newly proposed rule should fix that
https://federalnewsnetwork.com/commentary/2024/04/the-original-cmmc-program-was-missing-one-key-component-heres-how-the-newly-proposed-rule-should-fix-that/
Mon, 08 Apr 2024 11:52:38 +0000
The proposed CMMC changes show the industry that the DoD is taking security, and this shared burden, seriously.
The Cybersecurity Maturity Model Certification (CMMC) program, an information security standard for DoD contractors and subcontractors, aims to make the Defense Industrial Base (DIB) more resilient to cyberattack. But as adversarial threats in cyberspace evolve, so too should the regulatory framework that underpins it.

I spent more than two decades holding numerous roles in the U.S. government, including helping to write the initial implementation of the CMMC framework. Now, after seeing those rules in place and working on the other side of the fence helping enterprises scan for externally visible third-party cyber vulnerabilities, I see that the original CMMC framework did not go far enough when it came to validating that the appropriate cyber defenses were in place, especially those deep in a contractor’s supply chain. The reliance on self-assessments allowed for critical gaps in compliance.

To fully understand the changes and their expected impacts, it’s important to first understand the threats that drove them into existence.

Over the past decade, cyber threat actors have increasingly turned to third-party and supply chain ecosystems to reach high-value targets. Recent research shows a 26% increase in reported negative impacts from supply chain cyber breaches, including disrupted operations, which underscores the growing threat. The U.S. government is no exception: U.S. critical infrastructure and the DIB are key targets for nation-state actors as well as independent hackers and hacking groups.

Despite the severity of these threats, systemic non-compliance with the requirements underlying CMMC remains, largely because organizations assess themselves. According to a recent OIG report, in many cases the required security controls were not in place, leaving entire ecosystems exposed. The cost of such gaps is high: a compromise at one of these organizations can directly affect national security.

Translation: We’re ripe for improvement.

While DIB members have long been anticipating “CMMC 2.0,” compliance with the related regulation, DFARS 252.204-7012 (DFARS 7012), has been mandatory since 2017. DFARS 7012 requires implementation of the National Institute of Standards and Technology’s Special Publication 800-171 Rev. 2, the same control set that CMMC Level 2 mirrors. The recently proposed CMMC rule, however, introduces third-party assessments for Level 2 (self-assessment remains at Level 1 and for a subset of Level 2 contracts), in contrast to the self-attestation and unverified self-reported scores that the DFARS 7012 regime relies on.

Even more encouraging, the proposed rule specifies the type of CMMC assessment required at every tier of a defense supply chain. Where there had previously been ambiguity about how these requirements would “flow down” from a prime contractor to its subcontractors, the proposed rule establishes clear accountability for upstream and downstream supply chain cyber risk.

That said, any regulatory framework can only go so far. The path to cyber resilience is ultimately a shared burden between the Defense Department and its suppliers. Many of the critical vulnerabilities susceptible to attack are often hiding in plain sight; ensuring direct and swift communication between DoD and DIB security teams is often the hardest, but most important, operational hurdle to overcome.

The proposed CMMC changes show the industry that the DoD is taking security, and this shared burden, seriously. There is a long road ahead, but with it comes meaningful improvement that will effectively reduce cybersecurity risk and increase industrial base resilience in the long term. Once the final CMMC rule is in effect, these changes will go a long way to make the DIB more secure.

Lorri Janssen-Anessi is director of external assessments at BlueVoyant.

The post The original CMMC program was missing one key component — Here’s how the newly proposed rule should fix that first appeared on Federal News Network.

Securing the Nation: Deep dive into federal SOCs
https://federalnewsnetwork.com/cme-event/federal-insights/securing-the-nation-deep-dive-into-federal-socs/
Fri, 05 Apr 2024 18:18:36 +0000
On the cyber frontlines with federal SOCs
Discover how the government’s security operations centers continue to evolve to stay ahead of cyberthreats, how they collaborate closely with industry to staff their operations and how that collaboration helps agencies modernize their cybersecurity toolkits.

Download this exclusive Federal News Network Expert Edition now!

The post Securing the Nation: Deep dive into federal SOCs first appeared on Federal News Network.

CISA’s ‘Cyber Storm’ will help it update National Cyber Incident Response Plan
https://federalnewsnetwork.com/cybersecurity/2024/04/cisas-cyber-storm-will-help-it-update-national-cyber-incident-response-plan/
Fri, 05 Apr 2024 16:54:04 +0000
CISA's "Cyber Storm" event features more than 2,000 participants across government and industry working together to respond to a major cyber incident.

The Cybersecurity and Infrastructure Security Agency is readying the playing field for its major “Cyber Storm” exercise intended to simulate the response to a large-scale cyber incident on critical infrastructure.

The biennial exercise kicks off this month, as CISA rewrites the National Cyber Incident Response Plan for dealing with such an event. It also takes place as officials warn that real-world hackers are targeting, and sometimes successfully infiltrating, U.S. critical infrastructure networks.

More than 2,000 participants from government and industry will be involved in this year’s iteration of Cyber Storm, the ninth such exercise that’s taken place since it began in 2006.

Lisa Beury-Russo, the associate director for exercises at CISA, said the “players” come from sectors including chemical, communications, critical manufacturing, the defense industrial base, energy, financial services, food and agriculture, healthcare and public health, information technology, transportation systems, and water and wastewater systems.

“It’s a pretty big list, and we are hopeful that we’ll see a lot of really good cross sector interaction there,” Beury-Russo said in an interview.

Over the course of the one-week exercise, participants will receive “exercise injects” that describe how their organization is being affected by the incident. They will then have to respond using whatever policies and procedures are in place, Beury-Russo said.

CISA will also provide a “simulated world view” involving news feeds, videos and other simulations to help mimic the real world.

Beury-Russo declined to name the specific threats, technologies or scenarios the participants will encounter as part of this year’s Cyber Storm, citing operational security reasons, as well as to avoid tipping off the players. Previous exercises have folded in specific technologies, like industrial control systems.

But Beury-Russo said one of the overarching goals is to practice “information sharing” during a major cyber incident affecting multiple critical infrastructure sectors.

“Is information being shared across the player set, among government partners, from government to critical infrastructure owners and operators, and within and between sectors?” she said. “Is the information shared actually useful? Are we sharing the right things? Are we sharing quickly enough to enable folks to take effective action?”

“We also look at whether and how plans are implemented,” she added.

The event comes as CISA rewrites the 2016 National Cyber Incident Response Plan at the direction of last year’s National Cyber Strategy. The plan lays out how both government and industry will respond to significant cyber incidents.

CISA plans to publish the updated plan by the end of this year.

Meanwhile, U.S. officials warned earlier this year that a China-linked hacking group, “Volt Typhoon,” has targeted multiple U.S. critical infrastructure networks. Agencies said the group’s activity had been present on some networks for at least five years.

Beury-Russo acknowledged Cyber Storm is happening “at an important time.” She said the exercise will help inform the rewrite of the National Cyber Incident Response Plan.

“One thing we found in prior exercises, is that often, our industry partners don’t really fully understand the actions and the processes included in the plan,” she said. “One thing we’re looking at is to make some of those things a little more clear in the rewrite. We’re talking very closely and working collaboratively with our team in CISA who is working on that to help share those findings, and see what kind of initial pieces of the update we can look at in this exercise.”

Ultimately, the goal of the exercise is to make sure when the incident response plan is needed in the real world, it won’t be the first time agencies and industry are going through the process.

“We don’t want to wait for a huge cyber incident data breach to happen,” Beury-Russo said. “We want to work in a safe environment in steady state operations to really stress test those plans and procedures and make sure we are ready because in cybersecurity, it’s not ‘if’ but ‘when’ there will be an incident. So we want to make sure we are taking these opportunities where we can to operate in a safe space and really figure out what’s working, what we can do better and tackle these problems as one cohesive community.”

The post CISA’s ‘Cyber Storm’ will help it update National Cyber Incident Response Plan first appeared on Federal News Network.
