Commentary - Federal News Network, https://federalnewsnetwork.com. Helping feds meet their mission. Wed, 10 Apr 2024 19:03:14 +0000

How federal workplaces can better prevent harassment and avoid risk
https://federalnewsnetwork.com/commentary/2024/04/how-federal-workplaces-can-better-prevent-harassment-and-avoid-risk/
Wed, 10 Apr 2024 19:03:14 +0000

On February 26, the Government Accountability Office issued a report stating that training efforts to prevent sexual harassment in the federal workplace have been ineffective, and new measures are underway to address the issue. The problem is well documented: a 2023 Equal Employment Opportunity Commission report showed that sexual harassment has been the most common form of discrimination reported by federal agencies since 2011. The GAO made 14 recommendations to the Defense Department and other federal agencies to develop and implement evaluations of existing training protocols.

As a former EEOC lawyer and later a partner in a management law firm, I’m highly familiar with the need to establish and maintain a compliant work environment free from harassment and discrimination. I’m also familiar with the difficulties of developing effective training programs that establish the behaviors needed to achieve a non-discriminatory workplace.

A common challenge with mandated workforce training is that it’s often treated like a necessary evil. The GAO pointed out several deficiencies in the current training protocols, and after reviewing the specific recommendations, I agree with the requested efforts. They’re all in line with industry best practices for effective training. However, after decades in the training industry, I’ve learned that focusing only on training initiatives isn’t enough to ensure long-term behavioral change.

When it comes to sexual harassment and other forms of illegal and improper workplace behavior, the issue is seldom that the offender isn’t aware of the standards or rules. Rather, it’s that they believe they’re immune from repercussions, or that victims or bystanders don’t speak up or follow the established processes. Or, worse yet, victims or bystanders do follow the proper processes to report the situation, and those responsible for responding fail to take the necessary corrective action.

This type of phenomenon often speaks to a bigger issue, which is that the organization’s culture isn’t fully aligned with its values.

Most organizations’ values include respect, fairness, teamwork, accountability and others. Sexual harassment, discrimination and other EEO concerns, along with most forms of uncivil behavior — rudeness, bullying, dismissiveness and bias — are in direct conflict with those values. Instilling core behavioral standards aligned with the organization’s values, along with the appropriate consequences for failing to meet them, will help ensure EEO compliance as well as support a healthy, productive workplace.

An expanded focus on instilling core behaviors that can help prevent an array of improper behaviors like harassment should be the real goal of such initiatives. And just like any other training, there’s no one-size-fits-all approach that works. There are some inherent best practices to include, as well as some pitfalls to avoid.

Navigating these factors is paramount to success, and as the GAO has discovered, some of these agencies have crucial work to do.

Dedicated content that addresses your organization’s unique needs and is tailored to your leaders is critical to establishing their role in setting and reinforcing behavioral standards. Sessions should be highly interactive so that your leaders don’t just attend them; they experience the training. The material should be highly contextual to demonstrate the real-world implications, with examples that tie behaviors back to EEO compliance as well as your stated values.

Similarly, employee training should be highly engaging and instill the same core behavioral principles using relevant, real-world scenarios. To scale the efforts, sessions using in-person, virtual, and online presentations can be utilized, as long as the core materials are included, and interactivity is maintained. Content can be tailored to unique audiences to ensure applicability and impact.

To achieve the desired impact, “learning” shouldn’t end with once-a-year training sessions. Organizations should make an explicit effort to include practical tools that reinforce the core concepts of their training. Give your leaders tips on applying the learning in everyday situations and remind staff of their role in supporting these standards, directly and indirectly. If applicable, identify specific cohorts of stakeholders who are highly influential to performance (often middle managers) and provide additional learning experiences and tools they can use to optimize engagement with peers, direct reports and even upwards.

With all of these factors in play to reinforce the desired behaviors, they can become habits that others will soon recognize as the new normal.

Lastly, be sure to evaluate your training’s effectiveness to gauge how well it was received. Did participants find the content relevant to their daily jobs? Do they intend to apply what they learned? Would they recommend it to colleagues? If possible, commit to a long-term evaluation strategy going to Level 3 of the Kirkpatrick Measurement Model. Are leaders and team members actively applying the learning? Are they behaving differently as a result? Most importantly, do people understand and appreciate that they are supposed to report issues to leaders and others? Do they have confidence that when they report something, they will be listened to and not retaliated against in any way?

As the GAO report illustrates, sexual harassment is still a major issue, and without effective preventive measures, any organization — public or private — can be at risk for lawsuits, financial penalties and myriad other issues. For the named federal agencies and any others facing similar issues, training efforts and other purposeful measures that imprint the organization’s values into cultural norms should be viewed as strategic initiatives to support their success in the long run.

Stephen Paskoff is a former Equal Employment Opportunity Commission attorney and CEO of workplace training company Employment Learning Innovations (ELI).

Leveraging lessons from the Okta breach to enhance federal cybersecurity
https://federalnewsnetwork.com/commentary/2024/04/leveraging-lessons-from-the-okta-breach-to-enhance-federal-cybersecurity/
Tue, 09 Apr 2024 19:16:35 +0000

As we enter a new year, it’s an opportune moment for federal cybersecurity professionals to reflect on the past and strategize for the future. The realm of cybersecurity, ever-evolving and increasingly complex, demands constant vigilance and analysis of past events. Among these, the October 2023 Okta breach stands out as a significant event from the last year, offering profound insights into the vulnerabilities and dynamics of modern cyber threats. BeyondTrust’s security experts, through their detailed analysis of this breach, have unearthed lessons that are not only invaluable for understanding the incident itself but also for shaping robust cybersecurity strategies.

What follows is a summary of insights that are particularly pertinent for federal agencies, which face a unique set of challenges due to the nature and scale of their digital operations. In this dynamic cybersecurity landscape, learning from such incidents is crucial for adapting and enhancing security measures to protect against the sophisticated threats of the digital age.

The relevance of current cybersecurity policies and regulations to the attack

Federal agencies are bound by stringent cybersecurity regulations, notably Executive Order 14028, “Improving the Nation’s Cybersecurity.” Issued in May 2021, this order mandates agencies to enhance cybersecurity and software supply chain integrity, adopt secure cloud services and zero-trust architecture, and deploy multifactor authentication and encryption within a specific timeframe. These requirements align closely with the vulnerabilities exposed in the Okta breach.

Furthermore, the federal government’s latest identity, credentialing and access management (ICAM) policy, as outlined in the OMB M-19-17 memorandum, sets forth comprehensive guidelines for managing, monitoring and securing access to protected resources. This policy emphasizes identity proofing, establishing enterprise digital identities, and adopting effective authentication and access control processes. These elements are crucial in preventing incidents like the Okta breach, where weaknesses in identity and access management were exploited.

The Okta breach analysis underscores the need for a shift in cybersecurity focus from traditional perimeter defense to identity-centric strategies. This shift is vital for federal agencies whose operations often span multiple networks and cloud environments. Understanding the attacker’s perspective is essential for federal agencies as they prioritize the security of identity management systems and adopt robust privileged access management (PAM) practices.

Key lessons from the Okta breach relevant to federal agencies

  1. Identity is at the core of cybersecurity:

The breach reinforces the concept of identity as the new security perimeter. Federal agencies must ensure that identity management systems are robust and capable of thwarting similar exploits.

  2. The importance of privileged access management:

PAM is essential to protecting sensitive information, assets and systems. Implementing strong PAM solutions is a key step for agencies to safeguard against vulnerabilities. The integration of PAM into federal cybersecurity strategies is not just about mitigating risks; it’s also about enabling secure and efficient operations. By balancing security with operational functionality, PAM solutions help federal agencies maintain a high level of agility and responsiveness, which is essential in today’s fast-paced, digitally driven world.

  3. Agencies need to adapt to evolving cyber threats:

The breach exemplifies the dynamic nature of cyber threats. Federal agencies need to continuously update their cybersecurity strategies, incorporating lessons from incidents like the Okta breach into their protocols, staying informed about emerging threats, and integrating advanced technologies and methodologies, so that those strategies remain effective against increasingly sophisticated attacks. It’s a continuous cycle of assessment, adaptation and enhancement, crucial for maintaining the security and integrity of federal digital infrastructure.

A defense-in-depth approach is critical

As threat actors focus more on exploiting identities, agencies need tools that can help provide visibility and control of identities and privileges, reduce risk, and detect threats. Sound, specific policies and internal controls are necessary, but PAM can help provide a defense-in-depth approach, in which multiple layers of controls and identity security monitoring capabilities help prevent the failure of a single control or process from resulting in a breach.

The Okta breach provides an opportunity for federal agencies to reassess and strengthen their cybersecurity posture. By aligning with federal regulations and adopting a proactive approach to identity security, agencies can significantly enhance their defense against sophisticated cyber threats. Implementing lessons learned from such breaches is a critical step in fortifying the digital infrastructure that underpins national security and public service delivery.

Josh Brodbent is regional vice president for public sector solutions engineering at BeyondTrust.

The original CMMC program was missing one key component — Here’s how the newly proposed rule should fix that
https://federalnewsnetwork.com/commentary/2024/04/the-original-cmmc-program-was-missing-one-key-component-heres-how-the-newly-proposed-rule-should-fix-that/
Mon, 08 Apr 2024 11:52:38 +0000

The Cybersecurity Maturity Model Certification (CMMC) program, an information security standard for DoD contractors and subcontractors, has aimed to make the Defense Industrial Base (DIB) more resilient to a cyberattack, but as the adversarial threats in cyberspace evolve, so too should the underpinning regulatory framework.

I spent more than two decades holding numerous roles in the U.S. government, including helping to write the initial implementation of the CMMC framework. Now, after seeing those rules in place and working on the other side of the fence helping enterprises scan for externally visible third-party cyber vulnerabilities, I see that the original CMMC framework did not go far enough when it came to validating that the appropriate cyber defenses were in place, especially those deep in a contractor’s supply chain. The reliance on self-assessments allowed for critical gaps in compliance.

To fully understand the changes and their expected impacts, it’s important to first understand the threats that drove them into existence.

Over the past decade, cyber threat actors have increasingly turned to third-party and supply chain ecosystems to reach high-value targets. Alarmingly, recent research shows a 26% increase in reported negative impacts, such as disrupted operations, from supply chain cyber breaches, highlighting the growing threat. Even more alarmingly, the U.S. government is no exception. In fact, U.S. critical infrastructure and the DIB are key target networks for nation-state actors as well as independent hackers or hacking groups.

Despite the severity of these threats, systemic issues of non-compliance with CMMC remain, largely due to organizations self-assessing. According to a recent OIG report, in many cases proper security requirements were not in place, which left entire ecosystems completely vulnerable. The cost of this kind of oversight is extremely high, as compromises of these organizations could harm national security.

Translation: We’re ripe for improvement.

While DIB members have long been anticipating “CMMC 2.0,” compliance with related regulations, mainly DFARS 252.204-7012 (DFARS 7012), has been mandatory since 2017. DFARS 7012 aligns with the existing accepted regulatory framework, the National Institute of Standards and Technology’s Special Publication 800-171 Rev. 2, a requirement also mirrored by CMMC Level 2. However, the recently proposed CMMC rule change introduces third-party assessments, in contrast to DFARS 7012’s self-attestation and unverified self-reported scores.

Even more encouraging, the proposed rule specifies the type of required CMMC assessment at every tier of a defense supply chain. While there had previously been some ambiguity around how these requirements would “flow down” from a prime contractor to their subcontractors, the new CMMC model has established clear accountability mechanisms for upstream and downstream supply chain cyber risk.

That said, any regulatory framework can only go so far. The path to cyber resilience is ultimately a shared burden between the Defense Department and its suppliers. Many of the critical vulnerabilities susceptible to attack are often hiding in plain sight; ensuring direct and swift communication between DoD and DIB security teams is often the hardest, but most important, operational hurdle to overcome.

The proposed CMMC changes show the industry that the DoD is taking security, and this shared burden, seriously. There is a long road ahead, but with it comes meaningful improvement that will effectively reduce cybersecurity risk and increase industrial base resilience in the long term. Once the final CMMC rule is in effect, these changes will go a long way to make the DIB more secure.

Lorri Janssen-Anessi is director of external assessments at BlueVoyant.

Happy 40th birthday to the FAR, but has it gone too far?
https://federalnewsnetwork.com/commentary/2024/04/happy-40th-birthday-to-the-far-but-has-it-gone-too-far/
Fri, 05 Apr 2024 15:56:56 +0000

April 1 marked the 40th birthday of the Federal Acquisition Regulation (FAR). No one can question the need for a regulation implementing procurement law and providing guidance to tens of thousands of federal procurement professionals and industry partners. There has always been something comforting in knowing that everything needed to conduct an acquisition was contained in one (albeit very large) procurement “bible.” The FAR’s guiding principles include maximizing the use of commercial products and services, promoting competition, and minimizing administrative operating costs. These principles are buttressed by the underlying FAR principle that the acquisition team can take actions that are in the best interests of the government even if the proposed action(s) are not outlined in, or contemplated by, the FAR (and not prohibited by law). This empowering FAR principle, in theory, provides the acquisition team with a flexible framework supporting efficient and effective competition for customer agency mission requirements.

Does the “theory” jibe with reality or has the FAR gone too FAR?

The current FAR is over 2,000 pages long, and a new Part 40 on cybersecurity and supply chain risk management is coming. There are also over 30 agency FAR supplements accounting for thousands of additional pages of regulations. In addition, various procuring agencies have issued thousands of pages of internal acquisition guidance, most, if not all, of which have not gone through public notice and comment. The sheer number of contract clauses, certifications, prescriptions, representations, reporting requirements, and compliance mandates is staggering. This highly complex regulatory framework increases administrative burdens, performance costs, and compliance risks for small, medium, and large businesses. As a result, the federal customer has reduced access to innovation and best value solutions from the commercial market.

The data is clear. The industrial base supporting the federal government is shrinking. Small business participation in the federal market fell approximately 50% between 2010 and 2022, during a decade in which the overall economy grew and the number of small businesses increased. From fiscal 2011 to 2020, the number of small businesses receiving Department of Defense (DoD) contract awards decreased by 43% despite obligations increasing by 15%. The number of large businesses receiving contract awards fell, on average, by more than seven percent annually over the same period. A telling indicator is the decrease in the number of small businesses participating in the federal market while, at the same time, overall obligations to small businesses have increased. This dynamic reflects a market where the regulatory barriers to entry have stymied the growth of the industrial base, leaving an ever-shrinking “incumbent class” of contractors available to the federal customer.

The federal customer deserves streamlined, efficient access to competition and innovation driven by the commercial market. Acquisition teams across government are looking for the path of least resistance in acquiring innovative solutions from the commercial market. Significantly, spending by the DoD and other agencies under Other Transaction Authority (OTA) has increased by 1,600% since 2015, at least in part to avoid the FAR processes and associated requirements. Other popular streamlined procurement channels outside the FAR include the Department of Homeland Security’s and the General Services Administration’s commercial solutions opening (CSO) authority. These streamlined channels are evolving into strategically important procurement tools at a time of growing competition with near-peer adversaries.

The increasing interest in procurement frameworks outside the FAR-based system is likely based on a view that the system cannot reform itself. In this regard, the commercial item regulatory framework is instructive. Ten years after the FAR was issued, Congress streamlined the federal procurement system by promulgating the Federal Acquisition Streamlining Act of 1994 (FASA). FASA created a streamlined commercial item contracting regime and institutionalized a preference for exempting commercial items and services from new laws unless the law provided otherwise. The impact was immediate. In 1995, there were 28 FAR clauses that could be included in a commercial item contract, with only six clauses required. Today, some 90 FAR clauses can be included in commercial item contracts and more than 30 clauses are mandatory. Regarding clauses that flow down in subcontracts for commercial items, in 1995 there were four; today there are at least 22 clauses that must be flowed down.

Individual agency FAR supplements include additional clauses that apply to commercial item contracts. For example, there are 110 Defense Federal Acquisition Regulation Supplement (DFARS) clauses applicable to commercial item contracts. As the Section 809 panel report noted:

“Since FASA was implemented, the number of DoD‐related commercial buying provisions and clauses has increased by 188 percent, and the number of commercial clauses that may be flowed down has increased five‐fold. In 1995, the FAR and DFARS contained a combined total of 57 government clauses applicable to commercial items. Today there are 165 clauses, with 122 originating in statute, 20 originating in executive orders, and 23 originating in agency‐level policies.”

Since the 809 Panel report was published in 2018, things have not gotten better. This re-regulation of commercial item contracts has contributed to customer agencies and contractors looking to mechanisms outside the traditional FAR framework to get work done.

Significantly, FASA provided the FAR Council with the tools to maintain the streamlined commercial item contracting framework. The FAR Council has the statutory authority to essentially exempt commercial item contracting from new laws and executive orders. However, the default position over the last 30 years has been for the FAR Council to determine that it would not be in the best interests of the Government to exempt commercial items and services from most new laws and executive orders. In 2018, the Section 809 Acquisition Advisory Panel recommended eliminating the 55 DFARS provisions applicable to commercial item contracts and, despite a recent Congressionally mandated review of the DFARS clauses, the resulting review left approximately 50 DFARS clauses still applicable.

So as the FAR enters its 41st year, it is time to identify and empower a governmentwide champion to streamline procurement. This champion would be responsible for a section-by-section review of the FAR to identify and address or eliminate requirements where the costs and burdens outweigh the benefits. Additionally, this champion would conduct a review of the various procurement processes and establish criteria as to when the default acquisition methodology should be an OTA or CSO, depending on the nature of the requirement.

The Coalition stands ready to work with all stakeholders to streamline the procurement process to ensure sound business opportunities for commercial firms that deliver best value mission support for customer agencies. Let us know your thoughts on streamlining the FAR! Ideally, we would love to have them before our spring training conference, on May 8th and 9th. Good ideas come from all stakeholders across government and industry.

President Biden’s AI-facing executive order should be applauded
https://federalnewsnetwork.com/commentary/2024/04/president-bidens-ai-facing-executive-order-should-be-applauded/
Thu, 04 Apr 2024 20:05:49 +0000

In years to come, we may look back at it as the birth of responsible artificial intelligence. President Biden’s recently issued executive order, which outlined his administration’s plan to promote “Safe, Secure and Trustworthy Artificial Intelligence,” represented a much-needed response to a growing problem: data privacy in AI systems.

Companies are being reckless with AI, putting the potential benefits of the technology ahead of data privacy. This is not a new condition. Historically, companies rush to adopt disruptive technology without fully considering potential ramifications. ChatGPT and Microsoft already have had AI-related breaches that grabbed headlines this year, and there will certainly be more as the popularity of the technology grows. Without the proper guardrails, these types of headline-grabbing incidents will further compromise consumer privacy.

The momentum propelling this historic executive order began earlier this year when OpenAI CEO Sam Altman appealed to Congress to consider stronger regulations around how companies use generative AI systems to avoid putting consumer privacy at risk. I praised Altman then, and have a similar enthusiasm for President Biden’s executive order.

The executive order is a responsible response to this emerging issue. The section titled “Protecting Americans’ Privacy” is especially poignant. This particular portion of the order considers the significant risks of consumer data exposure via generative AI and proactively calls on Congress to pass bipartisan data privacy legislation addressing four critical components.

Fast-tracking privacy-enhancing technologies

The order first asks Congress to protect Americans’ privacy “by prioritizing federal support for accelerating the development and use of privacy-preserving techniques.” Data that was once locked away in databases now lives in the cloud and is on the move, especially when used for AI. While privacy-preserving technologies have made tremendous progress, the push to find efficiencies via AI has made data protection a “bare minimum” exercise — monitoring data breaches rather than preventing them. This section of the order recognizes the critical nature of privacy-preserving techniques, which will leave organizations better positioned to protect data and infrastructure. As AI systems are being trained, data is continually protected, even in the case of a breach.

Strengthening of privacy research and development

Next, the executive order calls for creating a research coordination network that would promote “rapid breakthroughs and development” of privacy-preserving research and technologies and would work with the National Science Foundation to encourage the adoption of these technologies by federal agencies. This part of the order is incredibly encouraging because it further reiterates the importance of data security to protect the public as new technologies like generative AI emerge. The ways in which data exposure occurs — whether nefarious or accidental — continue to evolve, and the use of generative AI further complicates things. Having a federally funded group dedicated to researching this complex challenge is critical to finding ways to maintain data privacy in AI environments.

Reviewing means for AI-based data collection

Requirements for federal agencies do not stop there. According to the executive order, the suggested legislation would also include provisions to evaluate how federal agencies “collect and use commercially available information” and consider AI usage to strengthen data privacy guidance for federal agencies. Requiring federal agencies to adopt advanced technologies and set more stringent rules for data collection sets an excellent example for enterprises. It shows that the public sector is taking data privacy seriously, which is a positive sign when contrasted with other countries’ measures to protect consumer privacy.

Creating guidelines for privacy technology effectiveness

Another forward-thinking section of the executive order would require guidelines for proving the effectiveness of privacy-preserving techniques. In doing so, federal agencies will have to do more than just implement a solution; they will have to demonstrate efficacy. This provision is most critical because it asks agencies to be diligent in their vetting processes. It is easy to implement a technology or internal policy and assume you have taken the necessary steps to protect data, but is it working? Standards that evaluate how well solutions work are essential to ensuring the best possible protection, especially for federal agencies that should be held to the highest standards for protecting consumer data.

There is still so much to learn about AI, but our journey to harness its potential must be a responsible one. The potential damage is too great to ignore. I believe President Biden’s executive order is an excellent example of how governments can quickly progress to address emerging risks in ubiquitous technologies before problems expand to nearly irreversible proportions. The announcement is a positive first step, and all companies that use consumer data should take note and employ the necessary measures to ensure the safe and responsible use of AI.

Ameesh Divatia is co-founder and CEO of Baffle.

The dust has settled from the AI executive order – Here’s what agencies should tackle next https://federalnewsnetwork.com/commentary/2024/04/the-dust-has-settled-from-the-ai-executive-order-heres-what-agencies-should-tackle-next/ https://federalnewsnetwork.com/commentary/2024/04/the-dust-has-settled-from-the-ai-executive-order-heres-what-agencies-should-tackle-next/#respond Wed, 03 Apr 2024 14:31:05 +0000 https://federalnewsnetwork.com/?p=4948429 While it’s clear the government has made progress since the initial guidance was issued, there’s still much to be done to support overall safe federal AI.

After the dust has settled around the much anticipated AI executive order, the White House recently released a fact sheet announcing key actions as a follow-up three months later. The document summarizes actions that agencies have taken since the EO was issued, including highlights to managing risks and safety measures and investments into innovation.

While it’s clear the government has been making progress since the initial guidance was issued, there’s still much to be done to support overall safe federal AI adoption, including prioritizing security and standardizing guidance. To accomplish this undertaking, federal agencies can look to existing frameworks and resources and apply them to artificial intelligence to accelerate safe AI adoption.

It’s no longer a question of if AI is going to be implemented across the federal government – it’s a question of how, and how fast, it can be implemented in a secure manner.

Progress made since the AI EO release

Implementing AI across the federal government has been a massive undertaking, with many agencies starting at ground zero at the start of last year. Since then, the White House has made it clear that implementing AI in a safe and ethical manner is a key priority for the administration, issuing major guidance and directives over the past several months.

According to the AI EO follow-up fact sheet, key targets have been hit in several areas including:

  • Managing risks to safety and security: The most crucial area, with completed risk assessments covering AI’s use in every critical infrastructure sector.
  • Innovating AI for good: Included launches of several AI pilots, research and funding initiatives across key focus areas including HHS and K-12 education.

What should agencies tackle next?

Agencies should further lean into safety and security considerations to ensure AI is being used responsibly and in a manner that protects agencies’ critical data and resources. In January, the National Institute of Standards and Technology released a publication warning regarding privacy and security challenges arising from rapid AI deployment. The publication urges that security needs to be of the utmost importance for any public sector agency interested in implementing AI, which should be the next priority agencies tackle along their AI journeys.

Looking back on similar major technology transformations over the past couple of years, such as cloud migration, we can begin to understand what the current problems are. It took the federal government over a decade to really nail down the details of ensuring cloud technology was secure — as a result of the federal government’s migration to the cloud, the government released the Federal Risk and Authorization Management Program (FedRAMP) as a form of guidance.

The good news is, we can learn from the lessons of the last ten years of cloud migration to accelerate AI and deliver it faster to the federal government and the American people by extending and leveraging existing governance models, including the Federal Information Security Management Act and the FedRAMP Authority to Operate (ATO), and by creating overlays for AI-specific safety, bias and explainability risks. ATO is a concept first developed by NIST to create strong governance for IT systems. This concept, along with others, can be applied to AI systems so agencies don’t need to reinvent the wheel when it comes to securing AI and deploying safe systems into production.

Where to get help?

There’s an abundance of trustworthy resources federal leaders can look to for additional guidance. One new initiative to keep an eye on is from NIST’s recently created AI Safety Institute Consortium (AISIC).

AISIC brings together more than 200 leading stakeholders, including AI creators and users, academics, government and industry researchers, and civil society organizations. AISIC’s mission is to develop guidelines and standards for AI measurement and policy, to help our country be prepared for AI adoption with the appropriate risk management strategies needed.

Additionally, agency leaders can look to industry partners with established centers of excellence or advisory committees with cross-sector expertise and third-party validation. Seek out counsel from industry partners that have experience working with or alongside the federal government, that truly understand the challenges that the government faces. The federal government shouldn’t have to go on this journey alone. There are several established working groups and trusted industry partners eager to share their knowledge.

Agencies across a wide range of sectors are continuing to make progress in their AI journeys, and the federal government continues to prioritize implementation guidance. It can be overwhelming to cut through the noise when it comes to what’s truly necessary to consider or to decide what factors to prioritize the most.

Leaders across the federal government must continue to prioritize security, and the best way to do this is by leaning into already published guidelines and seeking the best external resources available. While the federal government works on standardizing guidelines for AI, agencies can have peace of mind by following the roadmaps they are most familiar with when it comes to security best practices and applying these to artificial intelligence adoption.

Gaurav “GP” Pal is founder and CEO of stackArmor.

Harness the power of good habits to pursue your financial goals https://federalnewsnetwork.com/commentary/2024/04/harness-the-power-of-good-habits-to-pursue-your-financial-goals/ https://federalnewsnetwork.com/commentary/2024/04/harness-the-power-of-good-habits-to-pursue-your-financial-goals/#respond Mon, 01 Apr 2024 19:30:46 +0000 https://federalnewsnetwork.com/?p=4946338 While financial education plays a role in improving military families’ money mastery, it’s not the only solution.

There is no one-size-fits-all approach to achieving your financial goals. The approach that will work best for you is specific to your income, expenditures, debt, goals and more. That’s why our advisors coach clients to focus on the fundamentals, starting with a strong foundation of money knowledge.

The results of our 13th annual financial readiness test show career military families struggle in this area. Only 2% of military test takers correctly answered all nine questions on the test, which is designed to measure basic money knowledge associated with financial readiness. This compares to 6% of civilian respondents.

While financial education plays a role in improving military families’ money mastery, it’s not the only solution. There are two other key elements — which go hand-in-hand — that can help military families improve their financial readiness.

Using good habits to pursue goals

The role of everyday habits cannot be overstated. In his book “Atomic Habits,” James Clear asserts “habits are the compound interest of self-improvement.” He makes the case that daily, seemingly insignificant choices — saving a few dollars, investing consistently, or avoiding unnecessary debt — compound over the years into something powerful. Clear proves the point that small habits can lead to big transformations. First Command Financial Advisors see this in action every day as they coach military families in their pursuit of financial security.

We recommend consistency in simple habits, like automatically depositing a portion of each paycheck into savings or an investment account or sticking to a budget. While this can be easier said than done, 2024 might be an ideal time to increase your savings. Service members are expected to receive a 5.2% pay raise in January, one of the biggest annual pay raises in the last 40 years. Consider stashing a little more money into a savings or investment account. First Command Advisors believe in the merits of the 50/50 Plan. The idea is to allocate half of every pay raise to upgrading your current lifestyle and the other half to building a foundation for your financial future.

Creating systems to form good habits

Many people set out to adopt new habits but fail without a system to achieve the habit. For example, you may have a goal to stick to a budget. While this is a worthy aim, without a budgeting tool and time set aside to make sure you’re staying on track, you likely won’t. In many cases, the probability that you’ll form a long-lasting habit is only as good as the strength of the system you have in place.

Katy Milkman, author of the book “How to Change,” advises this five-pronged approach to habit formation.

  • Set a specific goal. Try a specific goal like “I’ll save $100 each month.” Research shows a benefit to being specific about exactly what you want to achieve.
  • Create a detailed, cue-based plan. You need to think about exactly how you’ll fit this goal into your life. For a budget-based goal, this could be “I’ll review my budget every Tuesday after dinner.”
  • Make it fun to repeat. If the idea of reviewing your monthly budget sounds like pulling teeth, consider adding a positive reward to sweeten the routine. This could look like trying a new restaurant for takeout or enjoying your favorite beverage.
  • Foster flexibility. If your routine becomes too brittle, you’ll follow through less often. If your original plan doesn’t pan out, be OK with pivoting.
  • Find the right kind of social support. Milkman emphasizes the importance of social support in building and maintaining habits. For some habits, this could mean sharing your goals with family and friends. For financial habits, this could be the support of a financial advisor. 

Financial advisors: Your financial habit building support team

The second way you pursue financial readiness is by enlisting the help of a financial advisor. The First Command Financial Behaviors Index shows that, on average, military families who work with an advisor report average monthly contributions to savings and retirement accounts totaling $3,316 per month versus $1,298 for their colleagues without an advisor. If you’re looking to improve your financial literacy and set good habits, start by reaching out to a financial advisor who knows the military lifestyle.

You work hard in service of your family and the nation. Don’t neglect to pursue your financial goals. By establishing a system to nurture good financial habits and working with a financial advisor, even your most far-fetched goals may be possible.

Mark Steffe is president and CEO of First Command Financial Services, Inc.


Leveraging small businesses in the age of replicator https://federalnewsnetwork.com/commentary/2024/03/leveraging-small-businesses-in-the-age-of-replicator/ https://federalnewsnetwork.com/commentary/2024/03/leveraging-small-businesses-in-the-age-of-replicator/#respond Fri, 29 Mar 2024 19:50:13 +0000 https://federalnewsnetwork.com/?p=4944502 The Department of Defense is currently struggling to attract many of the most innovative and promising small businesses to the defense market.

This column was originally published on Roger Waldron’s blog at The Coalition for Government Procurement and was republished here with permission from the author.

The Federal Government’s small business strategy dates back to 1953, when President Dwight D. Eisenhower signed the Small Business Act, establishing the Small Business Administration. President — and General — Eisenhower recognized that equity dictates that small businesses be given a fair opportunity to compete for government contracts. However, he also recognized the importance of small businesses to national security. From experience, he knew that small businesses can be more nimble and less bureaucratic, allowing them to develop capabilities faster and shift focus more rapidly. Over the years, the Department of Defense (DoD) has significantly benefited from its small business efforts.

Unfortunately, DoD is currently struggling to attract many of the most innovative and promising small businesses to the defense market. When partnerships do occur, DoD faces obstacles to effectively capitalize on technologies developed by small businesses, due to factors such as complexities with integrating designs and scaling production. DoD moves too slowly; startups and investors find it hard to justify the upfront investment and endure long cycle times to get a return on investment — even if the return would otherwise be attractive. For these reasons, many vital technology start-ups are deterred from government collaborations.

While DoD consistently meets its targets for the dollar value of contracts that it awards to small businesses, these targets appear to be an end in themselves, rather than a catalyst for a small business strategy that prioritizes small businesses’ capabilities to improve national defense. As the Section 809 Panel found,

“DoD is not fully capitalizing on small businesses’ innovativeness. Instead, DoD appears to focus its small business policies and programs on acquiring goods and services based on meeting societal goals not related to mission.”

These findings led the Panel to recommend that DoD refocus its “small business policies and programs to prioritize mission[…].” We concur. DoD needs to reimagine its small business strategies to focus more on capabilities developed by, not dollars awarded to, small businesses. Awarding contracts to small businesses that are not adding value to goods and services should not be the primary barometer of success. Rather, how rapidly DoD identifies and integrates small businesses’ novel capabilities into its military and business operations, as well as the utility of these capabilities, are examples of better metrics. As the most recent National Defense Industrial Strategy points out, speed of acquisition and production/adoption at scale are critical for defining success. In its effort to implement innovative industrial base strategies, DoD should establish a mentor-purchaser pathway, focused on rewarding small businesses (and investors) who develop needed capabilities, and then rapidly scaling and integrating these capabilities into the force.

Enticing Small Businesses

DoD and other government agencies can entice small businesses to enter the government industrial base by enabling profitable exit strategies on projects. For example, DoD could establish a mentor-purchaser pathway, focused on rewarding small businesses (and investors) who develop needed capabilities, and then rapidly scaling and integrating these capabilities into the force. The Army unrolled a program called Project Vista that partially addresses this goal by incentivizing large defense contractors with source selection credits if they include in their proposals technology developed through the Small Business Innovation Research (SBIR) program. Let us take this one step further — DoD should consider leaning into programs that combine government and private sector-funded venture capital with mentorship from experienced defense contractors. These larger contractors can, when beneficial to all parties, eventually purchase, scale, and/or more seamlessly integrate such technologies for faster use by DoD.

The argument for a mentor-purchaser pathway is simple. Some small companies (and their investors) have neither the resources nor the desire to try to slog through the “Valley of Death.” They may require a faster exit strategy. They may prefer to remain an engineering or R&D-oriented company. They may not want to run the DoD acquisition gauntlet of excessive regulation and confusing bureaucracy. Or they may lack the expertise and capital to rapidly grow and develop a promising capability into production at scale. A mentor-purchaser pathway can provide incentives for private venture capital to support entrepreneurial small businesses developing groundbreaking technologies. This can allow small businesses to thrive in their element – nimbly developing capabilities – and allow larger defense contractors to leverage some of their core competencies (i.e., their balance sheets and infrastructure) to more rapidly produce and integrate capabilities at scale. The ability to marry emerging capabilities developed by small businesses with the production capabilities of large businesses seems to be an ideal way to meet the goals of DoD’s Replicator effort. This can apply to production or widespread implementation of technology or software.

This is not about encouraging small businesses to exit the defense industrial base; it is about encouraging more entrants. Creating more promising and easier pathways to exit will entice more small businesses to enter the DIB in the first place. More entrants means more competition, more access to new capabilities, and a more resilient industrial base.

Key to this pathway is for all parties to benefit: providing the financial rewards that will incentivize small businesses by creating a profitable exit strategy, rewarding large companies for their institutional know-how and production capabilities, and most importantly, letting DoD integrate capabilities at speed and scale. This approach can reduce the risk of hesitancy on behalf of DoD in moving forward with start-ups or small businesses who lack the experience producing at scale. At the same time, this approach can assuage small businesses’ reticence to partner with DoD due to uncertainties about funding or the lack of a viable exit strategy.

As the Wall Street Journal reported, while venture capital firms have poured over $100 billion into U.S. defense-related startups since 2021, DoD investment in potentially useful technologies developed by these companies has been scant. This is partly because DoD has been slow to identify how to integrate and scale these technologies. Venture capital may not continue investing in defense technologies without a clear exit strategy pathway that provides competitive financial returns. A mentor-purchaser program provides an exit strategy for developers of useful tech that will keep many venture capitalists interested in the defense markets and willing to keep money flowing into defense-related investment.

A mentor-purchaser program is not right for all small businesses. Many companies will choose to grow and remain independent. This is to be encouraged. But a mentor-purchaser program may be ideal for some, where their founders’ and engineers’ primary passion is creating technological advancements, rather than navigating bureaucratic hurdles, mastering the ins and outs of contracting, or becoming marketing mavens. This new pathway is aimed at those serial entrepreneurs who would rather develop a new capability, realize returns, and move on to the next creation. In implementing this new pathway, certain issues will have to be addressed, including to what extent the large company is a mentor, partner for scaling, or purchaser, how to avoid conflict of interest issues, and how to protect the IP rights of small businesses.

Other Ways to Support Small Business

A Mentor-Purchaser program is not the only way to reimagine the small business strategy and both expand small business participation in the defense industrial base and identify promising capabilities offered by small businesses. For example, companies seeking to compete for classified contracts require a workforce that has security clearances and facilities that are accredited to handle classified work. The process to establish, build, and accredit Sensitive Compartmented Information Facilities (SCIFs) takes time and considerable financial resources — resources that small businesses generally cannot afford. This creates a barrier to entry. However, such small businesses could be supported through a program that creates shared SCIFs, either through allowing access to underutilized existing SCIF space — or establishing new SCIFs in excess GSA facilities. To offset the costs to the government, a WeWork time model could be adopted where companies pay for the time they use the spaces.

Novel approaches to a new small business strategy, such as establishing a mentor-purchaser program and creating shared SCIF spaces, can help foster a more innovative, responsive, and collaborative ecosystem that drives progress and ensures a competitive edge for DoD in an ever-evolving technological landscape.


Navigating federal IT modernization: choosing between NaaS and HWaaS https://federalnewsnetwork.com/commentary/2024/03/navigating-federal-it-modernization-choosing-between-naas-and-hwaas/ https://federalnewsnetwork.com/commentary/2024/03/navigating-federal-it-modernization-choosing-between-naas-and-hwaas/#respond Fri, 29 Mar 2024 17:44:26 +0000 https://federalnewsnetwork.com/?p=4944431 In the ever-evolving landscape of federal IT modernization, Network-as-a-Service (NaaS) has emerged as a transformative solution.

In the ever-evolving landscape of federal IT modernization, Network-as-a-Service (NaaS) has emerged as a transformative solution, promising a new delivery model to drive advancements in government enterprise networks. Yet, for many federal agencies, its counterpart Hardware-as-a-Service (HWaaS) may be the more appropriate centerpiece of an IT strategy for continuous modernization. Here’s why.

Understanding NaaS through the “Three O’s”

NaaS, at its core, revolves around three fundamental principles known as the “Three O’s”: ownership, operation and outcome. It departs from traditional ownership models, involves operational and service elements, and aligns with customers’ business or mission objectives.

  • Ownership – In an as-a-service offering the customer is paying for access to something that they do not own. NaaS departs from traditional ownership models and should not be confused with acquiring assets over time like customers would in a conventional leasing model.
  • Operation – In an as-a-service offering there is some level of operations or services being done for the customer. NaaS offerings involve a spectrum of operational and service elements, such as platform management, infrastructure oversight and network optimization.
  • Outcome – In an as-a-service offering, the model is aligned in some way to the customer’s business or mission outcomes. The essence of NaaS lies in its alignment with customers’ mission or business objectives. It delivers results, whether through service level agreements, consumption tracking, or other metrics tied to achieving critical goals.

NaaS applies these “Three O’s” to a delivery model for network functionality. Based on this philosophy, it delivers an outcome to customers so that they don’t own the burden of building and managing their own networks, mirroring what cloud service providers accomplished with cloud-based data centers. NaaS also goes beyond what legacy network managed services providers (MSPs) did in the past by focusing primarily on operation & management services (O&M).

The promises: Reducing technical debt, accelerating modernization, and simplifying lifecycle management

For many agencies, NaaS can be a solution to pressing issues, such as reducing technical debt, accelerating modernization, and simplifying lifecycle management. Yet, while it holds substantial promise for addressing federal government challenges, several concerns can hinder its adoption.

Technical debt refers to the backlog of outdated technology and infrastructure. NaaS offers an effective solution to address this challenge by providing a predictable, all-inclusive operational expenditure (OPEX) cost model. This model can help remediate technical debt more quickly while alleviating budget constraints, a significant contributor to the accumulation of technical debt across the federal government.

When it comes to government modernization efforts, the primary focus often centers on upgrading networking hardware, software and licensing. However, the modernization of network configurations, designs and architectures tends to receive less attention. NaaS presents a unique solution that encompasses both aspects. It can be used to optimize and modernize network designs and architectures with the guidance of industry experts. This inherent capability within NaaS offerings allows federal customers to stay at the forefront of technology adoption.

NaaS offerings also help to offload the burden of lifecycle management from the customer to the NaaS provider, while providing better asset visibility and shorter refresh cycles so you have the newest technologies without the need to worry about aging assets.

The challenges: Ownership of hardware and maintaining control of mission-critical networks

For all its many promises, NaaS does have some important challenges it must overcome to be appropriate for all federal networks, especially those that are highly sensitive.

NaaS operates on the premise that customers pay for hardware use rather than ownership. This poses questions about how federal customers handle scenarios like “termination for convenience” clauses in federal contracts, especially when that hardware is essential for critical missions and cannot be removed from its environment.

Due to the sensitive nature of federal networks, a full-scale NaaS offering may be overkill. In mission-critical scenarios, agencies and departments still need to retain control over the operation and management of these networks. The comprehensive operation and management services typically associated with NaaS may not align with the specific requirements of certain environments.

Enter Hardware-as-a-Service (HWaaS)

HWaaS focuses on the core NaaS capabilities that resonate most with federal customers while addressing the terms and conditions necessary for federal contracts and resolving concerns related to hardware ownership.

HWaaS operates on an all-inclusive operational expenditure (OPEX) pricing model, covering critical components such as networking hardware, software, licensing, installation services (Day 0), modernized deployment services (Day 1) and asset management services. Notably, HWaaS does not encompass managed services (operations and maintenance), allowing federal customers to retain control over their operational and sustainment activities while benefiting from other vital NaaS features.

Additionally, HWaaS offers comprehensive network assessments, design and optimization services to ensure that your network architecture remains up-to-date and modernized. Knowledge transfer and training services are also provided to facilitate a seamless handover to your operational teams.

The advantage of HWaaS for federal government

The HWaaS offering is built in a way that incentivizes the NaaS provider to implement the offering as quickly as possible, in coordination with an agency’s network operation teams, ensuring a swift and efficient deployment across the entire enterprise.

HWaaS can offer significant value and benefits to federal customers, including:

  • Faster tech debt reduction: HWaaS offers a single subscription-based consumption model that consolidates hardware, software, licensing, and Day 0 and Day 1 services into a predictable annual cost, allowing for the quicker elimination of technical debt.
  • Flexible modernization options: Based on your specific needs and requirements, HWaaS offers modernization options for areas like wireless, software-defined networking (SDN), automation and security including solutions like comply-to-connect.
  • Optimized and modernized architecture: The offering focuses on optimizing architecture to eliminate oversized hardware footprints and facilitates the rapid adoption of new technologies.
  • Simplified lifecycle management and asset management: HWaaS includes a contractor-managed lifecycle management program with a predictable and reliable technology refresh cycle every five years. It also provides enhanced visibility into asset deployment on your network.

Overall, HWaaS represents a significant step for federal agencies on their journey towards aligning network consumption models and outcomes with the seamless experiences delivered by similar as-a-service offerings, like cloud services. The strategic decision-making process between NaaS and HWaaS allows federal IT leaders to tailor their approach to IT modernization, ensuring efficiency, flexibility and continuous advancements in government enterprise networks.

Wade Lehrschall is principal strategic architect at Iron Bow Technologies.

Implementing the Evidence Act – What’s Next? https://federalnewsnetwork.com/commentary/2024/03/implementing-the-evidence-act-whats-next/ https://federalnewsnetwork.com/commentary/2024/03/implementing-the-evidence-act-whats-next/#respond Thu, 28 Mar 2024 20:06:47 +0000 https://federalnewsnetwork.com/?p=4943356 On January 14, 2019, Congress passed the “Foundations for Evidence-Based Policymaking Act of 2018,” also known as the “Evidence Act.” The Evidence Act and the accompanying guidance from the White House Office of Management and…

The post Implementing the Evidence Act – What’s Next? first appeared on Federal News Network.

On January 14, 2019, Congress passed the “Foundations for Evidence-Based Policymaking Act of 2018,” also known as the “Evidence Act.”

The Evidence Act and the accompanying guidance from the White House Office of Management and Budget ambitiously aim to transform federal decision-making by introducing unprecedented requirements for the transparency and releasability of federal data.

But five years into the journey, many agencies are only just beginning to implement many of the key provisions.

For many of the 24 agencies subject to the act’s provisions, the human capital, technological and modernization investments needed to make the law actionable have been largely unfunded or underfunded.

So now what? How can agencies comply with the intent of the law despite imperfect conditions and incomplete guidance?

Here’s a look at what’s next five years into implementation of the Evidence Act.

Set the timeline

Implementing the Evidence Act will be a multi-year and likely multi-decade initiative for most agencies. Full implementation requires massive organizational changes that include investments in human capital (hiring, training and retaining a skilled workforce) and technology. The prospect of engaging in such a large effort can be overwhelming and polarizing in federal agencies. Therefore, it may be necessary to embark upon a phased approach with right-sized goals and shorter timelines to ensure there is continuous delivery of important wins along the way.

Tell the story

Each goal along the timeline should be linked to a key stakeholder’s priorities or pain points for maximum impact. Those wishing to build a groundswell of intra-agency support for resources to implement the Evidence Act should become master storytellers and target their stories to the stakeholders directly affected by the scope of the law.

For example, Title II of the Evidence Act, also called the OPEN Government Data Act, requires agencies to publicly disclose, in machine-readable formats, all data assets that would otherwise be made available under the Freedom of Information Act (FOIA). This requirement could place a large burden on the FOIA/Disclosure office, or it could lessen that office’s normal workload.

On average, the federal government processed over 750,000 FOIA requests each year of the last decade. Each request, on average, took over 210 hours to process, with this number climbing to its highest in 2019 at 314 hours or roughly 15% of a normal work year.

If FOIA is a time-consuming and costly process in an agency, a curious leader may be seeking a way to streamline. This is the type of stakeholder with a pain point that implementation of the Evidence Act can help year over year.

Find a champion

Although the Evidence Act is certainly data-driven, the reality is that people are at the heart of its implementation. To successfully implement the Act, it is essential to understand the stakeholders that can influence or impact implementation efforts — and to find one or more champions.


A common approach to locating champions is to first make an interest-influence chart. Start by listing stakeholder groups, beginning with the largest sub-organization levels (offices, divisions, directorates, etc.), then list key individual stakeholders and move down through the levels of the organization. Then, if enough information is known about each stakeholder, plot their influence and interest on the chart.


Champions will reside in the high influence, high interest quadrant. They may not be experts in the Evidence Act, but they may know enough about their pain point to help implementers design use cases and compelling stories.


Conclusion

Embarking upon implementation is a major change management effort. The Evidence Act offers a great opportunity to support federal agencies as they select tools, technologies and staff to support their compliance and unleash the power of their data.

But this work is both complex and challenging, involving process, people and technology. Organizations should understand where they are, what they need, how implementation will be delivered, and the impact this will have internally and externally.

Carmen Robinson is a senior principal consultant at ABSG Consulting Inc. (“ABS Consulting”), Global Government Sector.

Navigating the new landscape: Understanding and implementing NIST CSF 2.0
https://federalnewsnetwork.com/commentary/2024/03/navigating-the-new-landscape-understanding-and-implementing-nist-csf-2-0/
Wed, 27 Mar 2024 15:39:45 +0000

The post Navigating the new landscape: Understanding and implementing NIST CSF 2.0 first appeared on Federal News Network.

Innovations in technology have had incredible impacts on how we interact with the world. Less than a decade ago, IoT felt foreign. Now generative AI is changing how we interact with the internet. And with all of this, cybersecurity threats have evolved as well, demanding agility and constant adaptation from organizations.

Recognizing this reality, the National Institute of Standards and Technology released the highly anticipated NIST Cybersecurity Framework (CSF) 2.0. This updated framework aims to equip organizations with a robust and adaptable guide to managing cybersecurity risks in today’s dynamic environment.

In this blog post, we summarize changes to the NIST CSF and highlight industries that should be aware of these changes.

The enduring importance of the NIST CSF

First introduced in 2014, the original NIST CSF quickly became a cornerstone for cybersecurity risk management. Its flexible approach, agnostic to industry or size, resonated with organizations worldwide. The framework provided a common language for discussing cybersecurity, guiding organizations in identifying, prioritizing and implementing security measures.

However, the cybersecurity landscape has undergone significant transformations since then. Emerging threats, evolving technologies and regulatory complexities necessitated a refresh.

Enter NIST CSF 2.0: A framework evolved

Building upon the success of its predecessor, NIST CSF 2.0 offers several key enhancements:

Expanded scope: The framework now caters to a wider range of cybersecurity objectives, encompassing identify, protect, detect, respond, recover and govern. This holistic approach addresses the entire cybersecurity lifecycle.

New function – “govern”: This addition emphasizes the critical role of governance in managing cybersecurity risks and ensuring alignment with organizational strategies.

Enhanced guidance: CSF 2.0 provides more comprehensive and practical guidance on implementing the framework, including improved examples and resources.

Improved clarity and usability: The revised framework streamlines terminology and simplifies structure, making it easier for organizations to understand and utilize.

While the core principles of identify, protect, detect, respond and recover remain, the addition of the “govern” function and more granular guidance mark a significant evolution.

Industries especially benefiting from NIST CSF 2.0: Adapting to mitigate risk

While NIST CSF 2.0 offers valuable guidance for all organizations, regardless of size or industry, certain sectors stand to gain immense value from its adoption:

Critical infrastructure sectors: The framework’s focus on aligning cybersecurity with organizational objectives resonates strongly with industries like energy, transportation, healthcare and finance. These sectors, deemed critical to national security and economic well-being, face heightened threats and regulatory scrutiny. NIST CSF 2.0 offers a standardized approach to managing these risks, potentially aiding in regulatory compliance and stakeholder trust.

Data-driven industries: Organizations heavily reliant on data, such as technology, finance and healthcare, can leverage the framework’s emphasis on protecting sensitive information. The robust identification and prioritization of security requirements help safeguard valuable data assets from theft or misuse.

Highly regulated industries: Sectors like healthcare, finance and pharmaceuticals operate under strict regulations with specific cybersecurity requirements. NIST CSF 2.0 acts as a bridge between these regulations and practical implementation, simplifying compliance efforts and demonstrating adherence to best practices.

Supply chain ecosystems: As interconnectedness grows, supply chain vulnerabilities become critical concerns. The framework’s emphasis on identify, protect and detect across the entire supply chain ecosystem aids in mitigating these risks and building trust with partners and customers.

Industries facing evolving threats: Sectors susceptible to rapid changes in the threat landscape, such as technology, finance and energy, require adaptable security postures. NIST CSF 2.0’s flexible yet structured approach empowers organizations to continuously adapt their cybersecurity measures to emerging threats.

Beyond industry specificity: It’s important to remember that any organization concerned with protecting sensitive information, maintaining operational resilience, and building trust can benefit from NIST CSF 2.0. Its industry-agnostic nature allows for customization and tailoring to unique needs and risk profiles.

Mandatory adoption? Navigating the nuances

While currently no mandate exists for widespread adoption of NIST CSF 2.0, certain scenarios warrant increased attention:

Government contractors: Depending on the contract and agency involved, some government contractors may need to demonstrate alignment with NIST CSF 2.0 or its predecessor. Staying informed about specific requirements is crucial.

Sector-specific regulations: Certain industries, like healthcare (HIPAA), finance (PCI DSS), and energy (NERC CIP), have existing regulations with overlapping cybersecurity objectives. NIST CSF 2.0 can serve as a valuable tool for demonstrating compliance with these regulations while implementing broader security improvements.

Timing is key

While no mandated deadlines exist, proactive adoption offers numerous advantages:

Building a secure foundation: Early implementation allows organizations to establish a robust cybersecurity posture before facing serious incidents.

Demonstrating proactive security: Aligning with the latest framework showcases commitment to best practices and strengthens stakeholder trust.

Future-proofing security measures: The adaptable nature of NIST CSF 2.0 helps organizations stay ahead of evolving threats and regulatory changes.

Ultimately, the decision to adopt NIST CSF 2.0 depends on individual organizational needs and risk profiles. However, understanding the potential benefits and considering the evolving regulatory landscape makes a strong case for proactive engagement with this updated cybersecurity framework.

Ashley Leonard is CEO at Syxsense.

Procurement policy spring cleaning checklist
https://federalnewsnetwork.com/commentary/2024/03/procurement-policy-spring-cleaning-checklist/
Mon, 25 Mar 2024 18:21:05 +0000

The post Procurement policy spring cleaning checklist first appeared on Federal News Network.

It is finally spring, and the cherry blossoms are in full bloom here in Washington. Daylight saving time is disrupting sleeping patterns across the nation; neighbors are out and about; lacrosse season has kicked off; next week is MLB opening day; and, of course, I have just finished my brackets for March Madness.

Spring also means it is time to get organized and clean things up for the rest of the year. At home, that means putting together my “Spring Cleaning Checklist.” This year my home checklist includes, against all odds, turning my garage, which currently serves as a home storage unit, back into a garage.

Spring also means it is time for a Procurement Policy Spring Cleaning Checklist highlighting the key initiatives that will shape procurement operations for customer agencies and industry partners. Set forth below are just some of the items that should appear on the “Fair and Reasonable” checklist:

  • Cybersecurity. The winter months saw a tsunami of proposed rules, management memos, and attestation forms all addressing various aspects of cybersecurity. Do all these “directives” provide a coherent, government-wide approach?  Is there an opportunity to improve harmonization of the cybersecurity framework? How do firms, especially small businesses, find the resources to make sense of it all?
  • Artificial Intelligence (AI). Increasingly, AI is making its way into procurement operations.  What are the implications for government and industry? How is AI being leveraged to streamline procurement processes and evaluations? How is industry using AI to compete and win government business? And what of the data that is the “fuel” powering AI? How is that data validated and being used to avoid bias?
  • Multiple Award Schedule (MAS) Price Evaluation.  Significantly, the Federal Acquisition Service (FAS) is revising its guidance to contracting officers regarding the evaluation/negotiation of MAS contract pricing. The Coalition appreciates the efforts of FAS to maintain dialogue with industry on this important guidance. Our members look forward to providing additional feedback when FAS issues a request for information regarding the proposed update.
  • Small business opportunities. A host of recent studies have identified the shrinking industrial base serving the federal government and the corresponding impact on competition, innovation, and costs.  In the case of small businesses, while the overall amount of funds going to small businesses has increased over the last decade, the number of small businesses supporting the federal government has decreased. This decrease is a strong indication that structural barriers to entry into the government market are limiting the government’s access to the commercial market and small businesses. Over the coming months, the Coalition will be offering our recommendations on reducing barriers and increasing opportunities for small businesses in the federal space.
  • Follow-on IT GWACs and more. Alliant, NASA SEWP, Polaris, CIO-SP4, ASCEND BPA, and OASIS+ are in various stages of the procurement process. As such, 2024 will be the year that shapes the interagency contracting market for the next five to 10 years. The Coalition has appreciated the engagement with each of these programs and looks forward to continuing the dialogue on ensuring they provide sound business opportunities for industry partners that deliver best value mission support for customer agencies.
  • Sustainability. Recognizing that a significant amount of plastic waste comes from “one and done” packaging, the General Services Administration (GSA), among the largest government buyers purchasing a diverse set of products, sought information in connection with an anticipated rule on single-use packaging in products on the MAS. There are other policy initiatives under consideration, as announced in a recent Coalition Green Committee meeting by designated officers on the GSA Acquisition Policy Federal Advisory Committee (GAP FAC). These initiatives include addressing per- and polyfluoroalkyl substances (PFAS) and human health risks in federal procurement. Further action on single-use plastic packaging is expected later this spring, but vendors certainly will want to keep an eye out for the next steps associated with all these initiatives.
  • GSA’s legislative proposals. A key legislative proposal recently announced by GSA seeks to amend the Competition in Contracting Act (CICA) of 1984 to adjust the statutory authority for the MAS program by clarifying what constitutes “competitive procedures” under the law. Currently, under CICA, the MAS program is deemed a competitive procedure if participation is open to all responsible sources, and if orders and contracts under the program “result in the lowest overall cost alternative to meet the needs of the Federal Government.” (Cf. 41 USC 152(3)). When CICA was enacted, the MAS was a mandatory source limited to products, like commodities, and the language “lowest cost alternative” was interpreted as the lowest price because price was the most discriminating factor. The world, however, has changed in four decades. The Schedules program no longer is a mandatory source; most acquisitions under the program are for services; and the products and solutions sought include some of the most cutting-edge technologies, such as cloud, geospatial, and cyber solutions. Government buyers want and need the best value solution, one that encompasses price and other factors that may prove critical in driving buying decisions, such as the unique experience, technology, delivery terms, time, and/or the solution offered. GSA’s proposed legislation would address these government buyer needs and will fundamentally improve procurement operations for agencies and the American people.
  • E-commerce follow-on. GSA has been working on the award of the next generation of the Commercial Platforms program, which was to expire last December. The program was extended under a short-term bridge contract and that extension is set to end next week. The program has become a significant channel for the acquisition of routine Commercial Off-The-Shelf (COTS) items, as well as a means for vendor market access. How GSA moves forward this spring promises to be quite newsworthy.
  • Supply chain risk management and domestic sourcing. Recently, the Departments of Homeland Security, Health and Human Services, and Veterans Affairs notified industry of the White Paper on Protective Equipment Procurement (PPE), Current State of Personal Protective Equipment Procurement by Make PPE in America Act Covered Agencies. This paper includes forecasts for the PPE needs of all three agencies and, borne of the nation’s experiences with COVID-19, is part of a larger effort to reduce government reliance on foreign sources for essential goods, including PPE. The government is planning to host events for industry to provide feedback on the paper and strengthen the domestic PPE supply chain. Such government-industry collaboration is important here, as with other supply chain issues, to assure continuity of mission, especially in times of crisis.

Based on the foregoing, readers readily can see that spring chores abound in federal procurement. Given the nature of a presidential election year, however, less time than usual may be available for all the chores to be completed. Rest assured, the Coalition stands ready to engage to offer a common sense perspective to improve the system on which so many rely.

The secret sauce to winning more government contracts
https://federalnewsnetwork.com/commentary/2024/03/the-secret-sauce-to-winning-more-government-contracts/
Mon, 25 Mar 2024 18:05:27 +0000

The post The secret sauce to winning more government contracts first appeared on Federal News Network.

In today’s dynamic business culture, artificial intelligence is the agent of transformation, and with it every tech giant (Google, Meta, Amazon and Microsoft), the White House, the Federal Trade Commission and Congress are getting involved. AI is receiving attention from both the business community, for productivity increases, and the government, for regulatory reasons.

This leaves a largely overlooked aspect of AI’s potential: its ability to positively affect the business side of government operations. With one out of every ten dollars of federal government spending going to third-party vendors, the government contracting (GovCon) industry is at the forefront of harnessing AI’s capabilities to gain a competitive edge. AI enhances efficiency, productivity and effectiveness, propelling companies to secure more business.

First adopters

More than 60% of business owners believe AI will increase productivity, and government contractors and consultancy agencies are on the front line of this tech transformation. Even the State Department has spoken out about the need to incorporate generative AI and conduct market research on using emerging technology to write contracts. State’s perspective is that AI would not only reduce costs, manual labor and the chance of errors but also improve decision-making and deliver better contract outcomes.

Aeyon LLC, a business management consultancy with deep expertise in the Defense Department and related civilian agencies, was among the selected awardees to deliver AI services for DoD’s Joint Artificial Intelligence Center (JAIC) to bolster various business operations through 2027. Other integration examples include multi-billion dollar public services company, Serco, which is implementing AI for knowledge management and collaboration purposes. While embracing AI for these purposes, GovCon companies must look to underscore the vital role of transparency to strengthen trust across the board.

AI market confusion: What about transparency and trust?

Amidst market uncertainties and inquiries regarding the impact of AI in diverse sectors, trailblazing early adopters in the GovCon realm have emerged as shining examples of advancement. This is particularly noteworthy given the public sector’s responsibility to manage highly sensitive and confidential information, coupled with the substantial financial resources involved. However, according to KPMG’s 2023 Trust in Artificial Intelligence global study, 61% of respondents are wary about trusting AI. This spans across industries, but adopters in the GovCon space are leading the charge and setting guidelines with these tools while handling sensitive information.

In this industry – no matter the tech solution – ensuring transparency and trust is paramount, because it fosters accountability, reduces safety concerns, enables open communication and maintains regulatory compliance. In a competitive landscape, choosing which AI solutions prioritize transparency and trust can provide security as well as a significant business advantage.

What’s next?

As technology adoption continues to proliferate, there is a growing expectation for businesses to respond swiftly to procurement opportunities – this will make its way into the government contracting space, too. Embracing AI now provides a competitive advantage, as it allows organizations to respond to more bids within the allotted timeframe. As AI becomes more prevalent, the response timeframe may be shortened, requiring federal contractors to adapt and respond within tighter deadlines.

Just as computers revolutionized the way documents are created and processed compared to typewriters, AI will bring about similar advancements in procurement processes. AI will also serve as a democratizing tool, leveling the playing field for businesses of all sizes. By automating routine and repetitive tasks, AI frees up procurement professionals to focus on strategic and value-adding activities. This enables smaller businesses to compete more effectively against larger, established firms.

The emerging trend of consultancies in the government procurement space adopting AI comes at a time when implementing these technologies is a key factor to remain competitive. As early adopters, government contractors are leaning into the increase in speed, accuracy and efficiency that AI technologies offer to now deliver proposals in a more timely manner.

To foster AI adoption, government contractors should start to leverage available resources and references to enhance their understanding and implementation of AI technologies. Proactive steps by government contractors towards AI adoption can drive innovation, improve efficiency, and enhance their competitiveness in the market.

Elizabeth Lukas is CEO of Americas at AutogenAI.

Federal agencies beware: AI is not all it’s cracked up to be – at least not yet
https://federalnewsnetwork.com/commentary/2024/03/federal-agencies-beware-ai-is-not-all-its-cracked-up-to-be-at-least-not-yet/
Fri, 22 Mar 2024 11:30:37 +0000

The post Federal agencies beware: AI is not all it’s cracked up to be – at least not yet first appeared on Federal News Network.

Samsung released its new Galaxy S24 phone in January. The big buzz was centered around how Galaxy users discover the world around them by incorporating artificial intelligence into photo manipulation, product searches for e-commerce, instantaneous language translation while abroad, and more. The general public is talking more about and understanding the possibilities with AI. This buzz is also present inside federal agencies.

There’s no doubt that artificial intelligence has begun – and will continue – to transform the way we work and live, and there’s no denying its power and potential. But the fact is, despite what most people want to believe about what AI is and can do, we’re just not there yet.

As the founder of a digital accessibility company who is disabled and has challenges completing many everyday tasks that most people take for granted, there isn’t a bigger fan of AI than me. I have big hopes for it. In time, I know it will succeed. I’m also a realist, and I know that time isn’t now.

AI has made significant strides in recent years, with advancements in machine learning, natural language processing and computer vision. However, despite these breakthroughs, AI still has a long way to go before reaching its full potential. In fact, there are numerous challenges and limitations that hinder the development and deployment of AI systems. Rather than talk about them in great detail, it’s better to move the conversation along by concentrating on viable solutions that will bring us closer to implementing real AI.

Patience is a virtue

The most prudent thing that any federal agency looking to adopt AI can do is sit on the sidelines and wait. Granted, that’s not the popular answer or the response that anyone wants to hear, but it’s the smartest move at this point in time. Federal agencies that take a premature leap into AI will most likely be disappointed, waste time and money, and will probably have more work redoing tasks that didn’t yield the desired outcomes from AI. This technology is in its infant stages. Although it is groundbreaking and exciting, we must walk before we can run.

Better data and bias mitigation

You may have heard the saying, “garbage in, garbage out.” AI systems are data-driven, and if that data is skewed, incorrect or biased, the AI models will inherit and perpetuate these mistakes. Issues related to fairness, transparency and accountability are significant concerns. It’s critical that federal agencies take extreme caution in this area. They must implement measures to identify and mitigate biases and errors in AI algorithms and data sets. This may involve conducting thorough bias assessments during the development phase and ongoing monitoring of AI systems in operation. Agencies must remember that when it comes to data, humans tend to steer things toward the outcome they want instead of what the facts are. Right now, there is such a backlog of corrupt data that current AI models struggle to differentiate between correct information and skewed data. AI can only be as good as the information it is given.

Implementing safeguards

Federal agencies must have safeguards in place when it comes to AI. Promote transparency in AI systems by documenting their development process, data sources, algorithms used, and again, potential biases. Agencies should also establish mechanisms for accountability, such as assigning responsibility for AI system decisions and outcomes. Ensure that AI systems are interpretable and explainable, especially for critical decision-making processes. This involves designing algorithms that produce transparent results and providing explanations for AI-generated decisions when necessary.

Risk management

Even with all these safeguards in place, federal agencies must conduct comprehensive risk assessments to identify potential risks associated with AI implementation, including cybersecurity threats, legal liabilities and unintended consequences. Develop risk mitigation strategies to address these concerns effectively. We’ve already seen what happens when we’re not careful. Take AI facial recognition technology, for example. The number of innocent people arrested after being misidentified by AI facial recognition technology (FRT) keeps increasing, wreaking havoc on innocent people and bringing about lawsuits against federal agencies. Similarly, federal agencies need to be especially careful when it comes to predictive modeling. A predictive policing algorithm was recently found to be both discriminatory and inaccurate.

Collaboration and knowledge sharing

Federal agencies must take a think-tank approach to AI because we’re all in this together. Foster collaboration and knowledge sharing among federal agencies, industry partners, academic institutions, and other stakeholders. Sharing best practices, lessons learned and research findings can help improve the responsible use of AI across the government. Similarly, federal agencies must establish mechanisms for continuous monitoring and evaluation of AI systems’ performance, effectiveness and impact. This includes soliciting feedback from end-users and stakeholders to identify areas for improvement and address emerging issues promptly.

The takeaway

I can’t wait for the day that AI gets to where it fully enhances the way we live and work, but that day isn’t today. It won’t be next month or next year, either. We’ve only begun to scrape the surface. To celebrate AI as this life-changing technology that’s revolutionizing a new mobile device or anything else is irresponsible and nothing more than marketing hype at this time. Consumers see a new phone with built-in AI and think they need it, yet most couldn’t explain why or tell you how or if it will differ from their current device. It’s no different at the federal level when agencies want a faster and better way to do things. But all in due time.

For AI to truly reach its full potential, researchers, developers, policymakers and ethicists will have to work collaboratively to navigate the complex landscape of AI development, ensuring that it evolves responsibly and ethically. Only through concerted efforts and further development can we pave the way for AI to make the lasting, positive impact on society that everyone imagines.

Mark Pound is the founder and CEO of CurbcutOS, a digital accessibility firm making the digital world more user-friendly for people with disabilities.

Responding in harmony: Cyber reporting as a team sport
https://federalnewsnetwork.com/commentary/2024/03/responding-in-harmony-cyber-reporting-as-a-team-sport/
Wed, 20 Mar 2024 17:59:32 +0000

For publicly traded companies, the risk of a cyberattack affects a lot more than their bottom line.

The post Responding in harmony: Cyber reporting as a team sport first appeared on Federal News Network.

We live in the age of digital connections. Every industry, every service, every sector uses these connections to advance its business, whether that’s making manufacturing more efficient or developing the next groundbreaking medication.

The Securities and Exchange Commission’s (SEC) role, at least in the eyes of the public, has been to regulate the financial industry. That’s as true as it ever was, but like all industries, the financial sector has come to rely on the exchange of sensitive data across networks to make its processes more efficient, effective and ultimately more lucrative.

But with these great advances come great responsibilities. For publicly traded companies, the risk of a cyberattack affects a lot more than their bottom line. It also affects the thousands of shareholders who trust that these companies have appropriate security and have a plan if things go wrong.

That’s where the SEC comes into the world of cybersecurity.

When the SEC was developing new cyber disclosure rules, its goal was to “provide investors with timely, consistent and comparable information about an important set of risks that can cause significant losses to public companies and their investors.” The rules were meant to empower investors to evaluate those risks as they make investment and voting decisions.

What do the rules actually mean?

The new rules, which went into effect Dec. 18, require publicly traded organizations to disclose and describe in detail any cybersecurity incident they determine to be “material.” That includes the incident’s nature, scope and timing along with the likely impact on the organization. This must be done by reporting the breach on SEC Form 8-K within four business days after the incident is determined to be material.

Disclosure may be delayed if the Justice Department determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing.

But the more interesting parts of the new SEC rules, which many may be overlooking, are in the regulation that will require organizations to describe their cyber plans annually through SEC Form 10-K. That includes processes for assessing, identifying and managing the risk posed by cybersecurity threats. Companies must also describe the roles of the board of directors and other corporate officers in overseeing cyber risk management, including management’s role and expertise in assessing and managing material risks from cybersecurity threats. Boards have become more cyber-savvy over the past decade, and this is likely to accelerate that trend.

The net effect of these new rules will be to put companies on record about their cyber plans — or lack thereof. While it will satisfy the SEC regulation to say ‘none’ in response to the SEC questions on cyber preparation, a negative response is less likely to be satisfactory to investors and shareholders. One of the goals of the 2023 National Cyber Strategy was to provide transparency in the marketplace about cybersecurity. While much of the focus has been on products (the Federal Communications Commission’s Cyber Trust Mark initiative) or processes (the Secure Software Development Framework created by the National Institute of Standards and Technology and others), this new SEC rule starts to bring greater transparency to organizational-level cybersecurity and resilience.

How can all this get done?

All of this context is important because it underscores how important it will be for the private sector and the public sector to work together. Collaboration has always been a critical component of cybersecurity readiness, and the SEC’s new cyber rules are no exception.

For the SEC’s part, the financial regulator made a good faith effort to listen to industry and other experts on how to improve the regulator’s draft rule back in March 2023. For example, the scope of information to be disclosed was narrowed to avoid providing information that could help threat actors or impede voluntary information sharing between companies.

The FBI also lent a hand in both clarifying and offering guidance around the four-day disclosure mandate and how victims of cyber breaches can request disclosure delays for national security or public safety reasons. This includes guidance on how and when to notify the FBI.

The recommendations aren’t just procedural, either. The FBI offers pre-emptive, relationship-building guidance, such as establishing a relationship with the cyber squad at the closest local FBI field office before an incident and participating in collaborative information-sharing activities like InfraGard.

And since this is a team effort, industry must do its part as well to refine how it responds to a breach, addressing not just the technical issues of incident investigation and response, but also outlining an organizational playbook for response with different roles for different parts of the organization. When a significant — or, to use the SEC’s term, material — breach happens, organizational elements far beyond CISOs and the security teams that run day-to-day security operations have equities and become involved in the response.

Planning will be key for organizations. As companies revise their cyber incident reporting strategies around the new SEC rules, it’s critical that they ask questions of federal agencies when clarity is needed. The SEC, the Cybersecurity and Infrastructure Security Agency and other agencies are there to help, and that’s best done before a breach occurs. While it can sometimes seem like government requirements are burdensome and intrusive, I know from experience that these agencies genuinely want to make the digital world safer for everyone.

Jim Richberg is head of cyber policy, global field chief information security officer at Fortinet, and a Fortinet Federal Board Member.
