The White House’s lead regulatory office is staying focused on the Biden administration’s rulemaking agenda in the wake of the Supreme Court’s Chevron decision, while also highlighting how agencies have reduced complicated paperwork and other barriers to accessing government programs.

The Office of Information and Regulatory Affairs (OIRA) released its 2024 “burden reduction” report earlier this month. It highlights dozens of initiatives from federal agencies to streamline public programs and reduce paperwork burdens.

The report’s release comes shortly after the Supreme Court in a 6-3 ruling overturned the “Chevron” deference that gave agencies more latitude in crafting regulations. The high court’s decision on Chevron and two other cases could redefine the extent to which agencies can interpret laws passed by Congress.

OIRA, meanwhile, serves as the focal point of executive branch rulemaking. Sitting within the Office of Management and Budget, OIRA maintains the semiannual regulatory agenda. It also reviews drafts of proposed and final regulations before agencies can implement them.

“We’re laser focused on making sure that we have the strongest rules possible to move forward with the administration’s priorities,” OIRA Associate Administrator Sam Berger said an interview late last week. “That they are fully grounded in law, existing authority, and that they also are designed to be as effective and efficient as possible. And so from that standpoint, we’re going to keep doing our work.”

Former agency and legal experts say agencies could soon see an uptick in legal challenges in a post-Chevron world. GOP lawmakers are also exploring ways to challenge the administrative state.

“To the extent that there are legal requirements that change, we obviously take that into account,” Berger said. “But what we need to be doing is making sure that we have the strongest regulations, that we’re doing the most that we can to be helping the American people, helping the economy continue to grow up, helping to keep people safe, helping keep our air water clean. And that’s where our focus is on. And that’s what we’re going to keep doing.”

Cutting the ‘time tax’

OIRA’s 2024 burden reduction report highlights 49 initiatives across 18 agencies aimed at reducing what it calls the “time tax” on the public. OIRA says those burdens include “needlessly complicated forms, requests for redundant detailed information, or confusing application processes.”

The report details, for instance, how the Department of Health and Human Services collaborated with the U.S. Digital Service and state agencies to streamline renewals for Medicaid and the Children’s Health Insurance Program.

It also points to how the IRS recently redesigned and simplified 31 taxpayer forms ahead of the 2024 filing season. By next year, the IRS plans to have redesigned 200 forms representing 90% of notices sent to taxpayers.

Berger said OIRA uses its responsibilities under the Paperwork Reduction Act to make sure government form is “as minimally burdensome as possible.” And the office can further engage with agencies on their programs through the rulemaking process.

“Sometimes there might be changes that could significantly reduce administrative burden while still accomplishing the goal of agencies,” Berger said.

OIRA is also pushing agencies to better engage the people who need to fill out forms or go through agency-mandated processes to access a program or service.

“Engaging with people, engaging with stakeholders, the folks that are on the ground using it,” Berger said. “The information about where these pain points are lies with them. And ultimately, what you need to understand is, when folks are going through your program, what are the issues that they encountered? What are things that maybe you didn’t expect? What are things that seems simple or clear to you, as you wrote it, that aren’t to them?”

‘Demystifying’ OIRA

OIRA’s report highlights the importance of agencies partnering with states that administer many public programs. Similarly, OIRA is also prioritizing efforts to align eligibility criteria across multiple programs. The report highlights as an example the Social Security Administration’s efforts to simplify its reporting requirements for supplemental security income recipients.

“From the state standpoint, if they’re administering a whole set of programs that they view as hitting the same target population, but it’s four different [federal] agencies that they’re dealing with, they have to get four different agencies in the room,” Berger said.

He highlighted his office’s “convening power” in bringing different federal and state agencies together, in addition to ORIA’s ability to review the “nitty gritty” details of proposed rules.

Meanwhile, Berger said leaders also want to “demystify” OIRA, known as a wonky, cloistered office where major agency initiatives are put to the test through the rulemaking process. He said OIRA recently held training sessions on its regulatory review process. It plans to hold another set of sessions on how to provide effective public comments.

“We really want to make sure that folks have a better understanding of what OIRA is, and what it is that we do,” Berger said. “And how they can get involved in every stage of the regulatory process, including with OIRA, but perhaps even more importantly, early engagement with agencies when they’re making critical decisions on priorities around how they’re going to shape the regulations.

The post Post-Chevron, White House’s OIRA ‘laser focused’ on strong rulemaking first appeared on Federal News Network.

In an alert posted to its website, SSA notified the public about the closures. On late Friday afternoon, an SSA spokeswoman told Federal News Network that the agency plans to re-open its field offices for public service on Monday, July 22.

“Staff impacted by the widespread Microsoft and CrowdStrike issues are being brought back online,” the spokeswoman said. “Our phone lines remain operational and many online services at ssa.gov remain available.”

The IT outage is linked to a flawed software update released by cybersecurity firm CrowdStrike. The defect affects computers running Microsoft Windows, effectively shutting them down with what’s referred to as the “blue screen of death.” Crowdstrike says the incident is “not a security incident or cyberattack.” The company also reports that a fix has been deployed.

U.S. Citizenship and Immigration Services also appears to be affected by the outage. A notice on USCIS’s E-Verify website states that “customers calling E-Verify are experiencing long wait times” because “the worldwide Microsoft outage is impacting phone support.” USCIS did not immediately respond to a request for comment.

A senior Biden administration official told reporters on Friday afternoon that the White House is in “regular contact” with Crowdstrike’s leadership to get updates on the outage and remediation efforts.

“The White House has been convening agencies to assess impacts to the US government’s operations and entities around the country,” the official said. “At this time, our understanding is that flight operations have resumed across the country, although some congestion remains, and 911 centers are able to receive and process calls. We are assessing impact to local hospitals, surface transportation systems, and law enforcement closely and will provide further updates as we learn more. We stand ready to provide assistance as needed.”

The Cybersecurity and Infrastructure Security Agency, which is responsible for overseeing the security of systems across the federal civilian executive branch, said it is working with Crowdstrike, as well as federal, state, local and critical infrastructure partners, “to fully assess and address these issues.”

“Of note, CISA has observed threat actors taking advantage of this incident for phishing and other malicious activity,” the cyber agency wrote in an alert Friday. “CISA urges organizations and individuals to remain vigilant and only follow instructions from legitimate sources. CISA recommends organizations to remind their employees to avoid clicking on phishing emails or suspicious links.”

Rep. Nancy Mace (R-S.C.), chairwoman of the House Oversight and Accountability Committee’s cybersecurity, IT and government innovation subcommittee, said the panel has requested briefings on the outage from Crowdstrike, Microsoft and CISA .

“We’re also trying to determine the breadth of impact, especially across the federal government at this time,” Mace posted to X on Friday afternoon.

While the outage forced airlines to cancel and delay thousands of flights Friday morning, a Transportation Security Administration spokeswoman said TSA has not been directly affected by the IT incident.

“TSA is monitoring the IT system issues throughout the transportation system in partnership with stakeholders and other agencies,” the spokeswoman told FNN. “There has not been any impact to TSA operations.”

In posts on X, the Federal Aviation Administration said it was working with U.S. airlines as they resume operations.

“Currently FAA operations are not impacted by the global IT issue,” the FAA posted. “We continue to monitor the situation closely.”

Meanwhile, a Department of Veterans Affairs spokesman said the VA is “not aware of any impact on health care operations or any adverse impact on veterans who get their care from VA.”

“We will continue to monitor this situation, and we encourage any Veterans who need support – including those who may be impacted by challenges at non-VA health care facilities – to call 1-800-MYVA411 or visit their local VA medical center for assistance,” VA Press Secretary Terrence Hayes said in a statement. “We are standing by and ready to help.”

The U.S. Postal Service on Friday also said it has not experienced any immediate impacts from the IT outage.

“The Postal Service was not directly impacted by the global IT outage,” USPS spokesman David Walton said. “We are aware of impacts to some of our third-party vendors, however, this has not impacted our ability to move mail and packages for the American people.”

Officials highlight IT consolidation risks

Anne Neuberger, deputy national security advisor for cyber and emerging technology, said the Crowdstrike outage showcased the “risks of consolidation.”

“The irony of this morning is that a major international cybersecurity company was impacted,” Neuberger said during an event hosted by the Aspen Institute on Friday. “So, we need to really think about our digital resilience – not just in the systems we run, but in the globally connected security systems, the risks of consolidation, how we deal with that consolidation, and how we ensure that if an incident does occur, it can be contained and we can recover quickly.”

In a letter to acting Defense Department Chief Information Officer Leslie Beavers, Sen. Eric Schmitt (R-Mo.) requested a briefing on any potential impacts to DoD networks by July 26.

“This outage is a warning that consolidation and dependence on one provider can be catastrophic, which is why business and government IT systems should have requisite redundancies in place that promote resiliency, as well as competition and innovation,” Schmitt wrote.

This is an evolving story, and we will continue to update it.

(With additional reporting from Jory Heckman)

The post Crowdstrike outage: SSA shutters offices, other agency impacts first appeared on Federal News Network.

This content is password protected. To view it please enter your password below:

Password:

The post Protected: Agencies start to focus on zero trust ‘outcomes,’ instead of checklists first appeared on Federal News Network.

DoD’s recent 90-day review of the NBIS system has led to a new 18-month roadmap for the software development project. But Milancy Harris, acting under secretary of defense for intelligence and security, said her office and the under secretary of defense for acquisition and sustainment are engaged in a “month-long” process of re-baselining the project.

“We’re looking to make sure that we can use what has been built,” Harris said during a July 10 Senate Select Committee on Intelligence hearing. “We are exploring exactly what needs to happen going forward to ensure we meet the full level of capability that is expected from this system. At this time, we are in the process of refining exactly our understanding of that timeline.”

Harris said the new documentation will include an independent cost estimate.

During the hearing, Committee Chairman Mark Warner (D-Va.) called the NBIS delays a “disaster.” The next-generation background investigation system still potentially faces years of development, even though it was originally planned to be delivered in 2019.

“If we don’t get NBIS right, the whole security clearance reform process crumbles,” Warner said.

NBIS is a lynchpin in the White House-led “Trusted Workforce 2.0” personnel vetting reform initiative. The goal of the overarching initiative is to overhaul and modernize the federal government’s vetting process, including by bringing most agencies under one background investigation system.

But the Government Accountability Office in recent years has reported on significant challenges with NBIS, including funding shortfalls due to shifting priorities at DCSA, as well as an unreliable schedule and cost estimate.

Background investigation system requirements

During last week’s Senate hearing, lawmakers and witnesses also focused on challenges with how the NBIS program office managed requirements for the background investigation system.

“The requirements were outlined in Trusted Workforce 2.0,” Harris said. “I think what we had was a breakdown in how those requirements were being managed into technical requirements for the development and how we were taking account of the delays in that process. And that is something that we are seeking to remedy immediately with more proactive oversight.”

The Pentagon has recently elevated the acquisition decision authority for NBIS from the DCSA director to the under secretary for acquisition and sustainment, while the program sponsor is now the under secretary for intelligence and security.

Meanwhile, new DCSA Director David Cattler has said getting NBIS back on track is one of his top priorities. DCSA also manages about 95% of the federal government’s background investigation cases.

During the Senate hearing, Cattler acknowledged that while the original NBIS requirements were achievable, DCSA did not have a “firm understanding of the complexity, of the technical features, nor how exactly to approach those and accomplish them.”

“We’ve brought in some new people,” Cattler said. “We know where our gaps are in the skill sets that we need to hire on the government side, we’re working with the contractor as well on actions need to be taken there. And we’re also evaluating the requirements baseline.”

The post Troubled background investigation system still under review at Pentagon first appeared on Federal News Network.

Federal agencies sought to transfer nearly 1 million cubic feet of records to the National Archives and federal records centers ahead of a landmark electronic records deadline.

On July 1, the National Archives and Records Administration stopped accepting transfer requests for analog records, including paper. Going forward, agencies will only be able to transfer electronic records, with some limited exceptions.

The passing of the June 30 deadline marks a key moment in the federal government’s shift to digital processes.

“The deadline has been the focus for so many agency federal records management programs, it’s sometimes hard to believe we’ve made it to the other side,” Lisa Haralampus, director of records management policy and outreach at NARA, said in an interview with Federal News Network.

The impending deadline sparked a surge of transfer requests, as agencies sought to shed paper and analog records.

Over the past year, Haralampus said agencies made more than 1,000 direct offers to the Archives, representing approximately 65,000 cubic feet of records. Direct offers are permanent records considered to be historically valuable. They’re directly “accessioned” into the Archives. “Not many records” clear that threshold, Haralampus said, and the amount of direct offers made ahead of the June 30 deadline is “a higher number than normal.”

Meanwhile, agencies also submitted a collective 40,000 transfer requests for records to be stored at one of NARA’s 18 Federal Records Centers over the past year. Those requests represent a cumulative 930,000 cubic feet of records. Records are stored at the FRCs until final disposition.

“The surge was real,” Haralampus said.

While the deadline for submitting analog transfer requests has passed, the Archives and the records centers will still be taking paper records “for a year or two” as NARA officials work through the backlogs of requests, Haralampus said.

But in the future, most records transfer requests will be measured in bytes rather than cubic feet.

“It is exciting and scary to realize at some point within our careers . . . we will have moved to fully electronic records management,” Haralampus said.

The move away from paper

The shift to electronic record-keeping has been more than a decade in the making. The Obama administration issued requirements for agencies to eliminate paper “to the fullest extent possible” in a 2012 directive.

In 2019, the Trump administration set a deadline of Dec. 31, 2022, for when NARA would stop accepting paper records from agencies.

“The federal government spends hundreds of millions of taxpayer dollars and thousands of hours annually to create, use, and store Federal records in analog (paper and other non-electronic) formats,” the June 2019 memo from the Office of Management and Budget stated. “Maintaining large volumes of analog records requires dedicated resources, management attention, and security investments that should be applied to more effectively managing electronic records.”

At the time, many agencies were confidently transitioning from paper to digital records. The memo sparked a flurry of additional digitization activities across government.

But COVID-19 tripped up those plans. And even without the pandemic, many agencies said they would have struggled to digitize their legacy records in time due to resource constraints.

After one-third of agencies signaled they wouldn’t meet the 2022 deadline, the Biden administration extended the cutoff date to June 30 of this year.

NARA exceptions to e-records deadline

Even after NARA clears through the backlog of requests, agencies will still be able to transfer analog records in some cases.

Haralampus said NARA has so far approved 24 exceptions to the requirements, with 20 exception requests still under consideration.

In addition to NARA no longer accepting analog record transfer requests, agencies were also required to shut down their own records storage facilities.

But Haralampus said NARA granted an exception for the FBI to continue operating its Central Records Complex in Winchester, Va. “It makes sense,” she said. “The government has invested so much. And those records are of such a sensitive nature.”

In another case, NARA approved the Environmental Protection Agency’s exception request to continue operating its new National Digitization Centers.

In addition to granting specific agency requests, NARA is also finalizing a government-wide exception for official personnel folders and employee medical files. That means agencies will still be able to transfer paper personnel records to NARA’s National Personnel Records Center (NPRC) for the foreseeable future. Haralampus said NARA will soon release more guidance on managing federal personnel records.

And even though some agencies will still be managing paper and analog records, Haralampus said the continuing work to digitize legacy records and adopt electronic processes shows a continuing commitment to the e-records goals.

“If we as the government are as a whole are getting down to talking about exceptions for specific agencies and specific record series, that means the big picture has been taken care of,” she said. “Big things have moved in the right direction with business processes, workflows, how we’re managing all of our records electronically.”

The post NARA sees requests to transfer nearly 1M cubic feet of records ahead of deadline first appeared on Federal News Network.

The comment period for the Cybersecurity and Infrastructure Security Agency’s draft rule closed July 3. The proposal would implement the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022. CISA expects to finalize the rule next spring. The rules will require organizations across the 16 critical infrastructure sectors to report cyber incidents to CISA within 72 hours.

Iranga Kahangama, DHS assistant secretary for cyber, infrastructure, risk, and resilience, said officials are just starting to adjudicate all the feedback it received. But Kahangama acknowledged widespread comments from industry about the “burden” of duplicative cyber incident rules.

“We are going to be viewing and administering CIRCIA with an eye towards harmonization,” Kahangama said during a July 10 event in Washington hosted by the Homeland Security Defense Forum. “We’re also establishing conversations between the department and all the other agencies that have cyber reporting requirements to identify ways that we can harmonize reporting.”

He pointed to interagency agreements that “allow for reciprocal sharing of information such that … a report to one will count as a report to another and vice versa through CISA.”

“We want to make sure we’re maximizing the ability to do that,” Kahangama said. “That’s quite complicated, because each agency has different requirements. And so you need to make sure that they’re substantially similar enough and that those are fleshed out. But those are really wonky but interesting conversations that my office is actively having right now as we develop CIRCIA.”

‘Overly broad’ criticisms

CISA received several hundred public comments on the draft rule ahead of a July 3 deadline. Many commenters called on CISA to boost its harmonization efforts. DHS has previously reported that there are 45 different federal cyber incident reporting requirements in place across 22 federal agencies.

The Information Technology Industry Council, for instance, called on CISA to take a more “assertive role” in bringing together different rules, including those under the Federal Acquisition Regulation.

“It is encouraging that CISA has noted this issue and created the process for CIRCIA agreements,” ITI wrote in its comments. “Nonetheless, we encourage CISA to take a more proactive role in harmonizing incident reporting requirements, particularly through the [Cyber Incident Reporting Council], to converge incident reporting, and explore whether a single, national reporting function is feasible.”

ITI and other commenters have also criticized CISA’s rule for being overly broad. Even some lawmakers have pushed back on CISA’s proposal.

Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.), an architect of the CIRCIA law, is among the critics. Peters said the proposed rule “is overbroad and needs additional clarity in the definitions for covered incident, covered entity, and others used in the proposed rule.”

“CISA has said that it expects to receive 200,000 reports a year, but given the broad definitions, I am concerned that number may be higher than CISA’s estimate,” Peters wrote to CISA. “Under these new requirements, in 2025, thousands of businesses will have to report cyber incidents to the government, and I want to make sure this will not mean that CISA would be able to properly ingest, triage, and analyze the reported information and use the data to improve cybersecurity recommendations and support critical infrastructure.”

House Homeland Security Committee cybersecurity subcommittee Chairman Andrew Garbarino (R-N.Y.) derided the proposed rule for applying to too many entities. “Congress did not intend for CISA to subject so many entities to its reporting requirements,” Garbarino wrote to CISA Director Jen Easterly.

Garbarino also said CISA would be requesting too much data from organizations. He called the amount of information sought “tremendous – and at times, unrealistic.”

Cyber incident data

While Kahangama didn’t respond directly to those comments, he emphasized that DHS’s overarching goal is “not simply just to aggregate data.”

“It’s not simply to do a land grab of getting the most amount of information possible,” he said. “It’s to get the right amount of information in the right format, that can be best utilized to maximize prevention, security and resilience in the space.”

Kahangama said DHS and CISA will make decisions about the incident reporting requirements “through those lenses.”

“I do want to emphasize that a lot of the decisions we will make will obviously be in response to the public comments,” he said. “But it’s not simply about getting data. It’s about getting the right kind of data in the right context. So we look forward to continue to work with folks on that and putting out some more information in due course.”

The post DHS official details efforts to harmonize cyber incident reporting rules first appeared on Federal News Network.

Homeland Security Secretary Alejandro Mayorkas says his department’s advancement in the federal government’s workplace rankings did not happen by accident.

Instead, Mayorkas said the Department of Homeland Security climbed out of the bottom of the Partnership for Public Service’s Best Places to Work in the Federal Government rankings over the past two years because officials have been “intensely engaged” on workforce issues.

“It is the product of significant focus on employee wellbeing and investing in our workforce in a number of different ways,” Mayorkas said in an exclusive interview with Federal News Network. “We really have made the wellbeing of our workforce our top organizational priority.”

Several DHS components made improvements in their 2023 Best Places to Work rankings, most notably the Transportation Security Administration. TSA saw a more than 12-point boost in its employee engagement and satisfaction score, bolstered by a historic pay increase for airport screening officers that began in 2023.

On the other hand, several DHS components still struggle with employee morale. Customs and Border Protection and Immigration and Customs Enforcement, for instance, are two major frontline organizations that continue to place close to the bottom of the Partnership’s subcomponent rankings.

Out of the 459 agency subcomponents on the Partnership’s list, CBP ranked as number 432, while ICE came in as number 437.

“I think we have to be very clear-eyed and fair in understanding some of the pain points,” Mayorkas said.

The Best Places to Work series, based on data from the Federal Employee Viewpoint Survey (FEVS), shows that DHS performed well on questions related to the agency’s mission and supervisors, but received the most negative feedback from employees regarding their views on management decisions and performance recognition.

DHS jump teams aim to resolve problems quickly

Despite the uptick in its overall ranking, DHS is still struggling in a few key areas that the Partnership measures, such as employee input and recognition. Departmentwide, DHS received a score of 50 out of 100 on employee input, and 47.4 out of 100 on recognition. Both scores fall into the lowest quartile amid agencies featured in the Partnership’s rankings.

One way DHS is attempting to combat some of those ongoing challenges is by deploying “jump teams” to try to address concerns from frontline employees more quickly and effectively.

“Jump team members are responsible for helping to solve immediate issues, guide how funding is allocated and to assist in developing solutions to deliver support most effectively to our front line,” DHS explained in a May 20 press release.

Mayorkas, who’s responsible for initiating the jump teams, said the idea came after he visited a CBP facility in Miami, Florida, early in his tenure — a worksite that he called “woefully inadequate.”

“The employees who work there actually affectionately called it the ‘house of pain,’” Mayorkas said. “The lighting was poor, the connectivity was poor, some of the facilities were just awful.”

After the visit, DHS fixed the lighting, strengthened internet connections, along with adding many new amenities, such as a break room and fitness center, as well as upgrading the floors, ceilings, paint, furniture and roof. DHS held a ribbon-cutting ceremony for the new facility in April.

“The principle really underlying [that] is that we don’t have a monopoly on what the workforce needs,” Mayorkas said. “We want to hear directly from them and involve them as a team in addressing the challenges.”

Improving DHS recruiting and hiring

One of Mayorkas’ major priorities this year is improving the hiring process. Staffing has been a challenge at several DHS components, including CBP and ICE. The DHS inspector general last year reported on how staffing challenges at those agencies has led to burnout and morale issues amid rising migrant encounters at the southwest border.

Mayorkas acknowledged the hiring process at DHS can take a long time, especially for positions that require a security clearance and a polygraph exam.

“Without curtailing security thresholds, we can drive a far greater amount of efficiency in those processes,” he said. “And we lose candidates, sometimes because of the length of time it takes to onboard them. That’s especially true in the in the tech sector, but also in law enforcement and elsewhere. And also, a vacant position is a drain on morale, because the work needs to get done. And that means others are shouldering more.”

He said DHS is working on “innovative ways of recruiting talent.” During a recent two-day career expo in Chantilly, Virginia, DHS conducted more than 1,200 interviews and extended more than 400 tentative job offers. The career expo also let job candidates get started on some of the early steps of the clearance process, like fingerprinting, in an effort to reduce DHS’ time-to-hire by several weeks.

The department is additionally looking to hire from “places that we might not otherwise have gone to,” Mayorkas said. He pointed to DHS’ goal to have its law enforcement ranks comprise 30% women by 2030.

“We’re going to exceed that goal,” Mayorkas said.

Meanwhile, DHS has a long way to go toward improving “mobility,” or the ability of an employee to move between different jobs within the department.

“If somebody has been cleared, has received a security clearance in one agency, and they want to move to another agency, we still haven’t eliminated the redundancies entirely,” Mayorkas said.

DHS sees ‘tremendous’ interest in AI jobs

DHS is also putting all hands on deck to onboard more staff expertise in artificial intelligence and other emerging technologies.

In June, the department announced its first “AI Corps” cohort, comprising 10 new recruits with various AI expertise. DHS has more plans on the way to expand the program, aiming to recruit a total of 50 experts by the end of the year.

“It’s been tremendous,” Mayorkas said. “We see a greater thirst for public service in the tech sector.”

So far, there have been about 6,000 “expressions of interest” in AI Corps positions at DHS, Mayorkas said.

Soon, there may be even more opportunities opening for a broader array of candidates who are looking either at DHS or elsewhere across government for AI-related positions. The White House is aiming to shift federal tech positions in the government’s main IT job series away from relying on degrees, and instead focusing more on skills-based hiring.

Supervisor scores driving upward

One key part of improving engagement and satisfaction scores from DHS employees has been focusing on supporting agency managers and supervisors.

“Engagement begins at the top and must cascade throughout,” Mayorkas said. “Whether it is your first-line supervisor, which is where the rubber meets the road, but [also] upwards and sideways and every which way, it has to be cascading.”

DHS’ efforts to support supervisory employees are gradually starting to pay off. Employees’ views of their supervisors across DHS have continually increased, on average, over the last several years. Currently, DHS has a score of 77.4 out of 100 when it comes to agency supervisors.

The ‘Patron Saint of Admin Leave’

Mayorkas has also been lauded online in places like the Fed News subreddit for his generous granting of administrative leave to DHS employees around the holidays. His affinity for giving extra time off to staff has even led some to jokingly dub him the “Patron Saint of Admin Leave.”

Most recently, Mayorkas doled out eight hours of paid administrative leave ahead of the Fourth of July holiday.

“It’s a small gesture of recognition and appreciation,” Mayorkas explained. “When one travels around the country and the world and sees how incredibly hard our people work and their unbelievable skill and talent, admin leave is a tool that I have to say, ‘We recognize that, we appreciate it. And here is an expression of gratitude.’”

The post Mayorkas details DHS workforce gains, future plans first appeared on Federal News Network.

Editor’s Note: This story is part of a DHS special report for Federal News Network. Check back for more interviews and content about DHS’ workforce engagement and satisfaction efforts throughout the week.

Employees at the Department of Homeland Security’s Countering Weapons of Mass Destruction office have had a turbulent few years.

Fresh off a major reorganization and already facing longstanding morale issues, the CWMD office saw its authority in law expire last December. About two-dozen employees then departed the DHS office over a six-month period, representing about 10% of CWMD’s federal workforce.

But Mary Ellen Callahan, assistant secretary of DHS for the CWMD office, says she’s optimistic about the organization’s future. Callahan took over as director last August after serving as chief of staff to former DHS Deputy Secretary John Tien.

“This office really does extraordinary work every day,” Callahan said in an interview. “And I want [employees] to feel connected to the department and understand that their mission really matters.”

The office in recent months has hired about 30 new staff, including 10 at DHS’s job expo last month. Callahan said she hopes CWMD will be “close to 100%” staffing by the end of 2024.

Most importantly, the potential termination of the office has not come to fruition. While lawmakers didn’t agree to reauthorize it, Congress has continued to fund the DHS office through the annual appropriations process.

Compared to last fall, the threat of termination is now “muted,” Callahan said.

“We have pretty candid conversations about the authorization tethered to appropriations,” she said. “I feel pretty confident that we’re going to be in that position for at least the rest of this calendar year. And what we want to do is get well set up in the beginning of the next Congress so that we can have a strong authorization and that we can further establish ourselves. But right now, people do feel on relatively solid footing. And I’m just trying to communicate and be as transparent as possible.”

Still, given the uncertainty around reauthorization last year, it may be no surprise that the CWMD office continues to rank at the bottom of the Partnership for Public Service’s “Best Places to Work in the Federal Government” list for 2023. The scores are based on results from the Federal Employee Viewpoint Survey (FEVS), which is administered in the first half of the year.

CWMD saw a 7-point improvement in its overall engagement and satisfaction score in 2023. But in a year when those scores rose across the federal government, the DHS office still ranks 457 out of 459 agency subcomponents in the Partnership’s rankings.

“The FEVS scores and the Best Places to Work, they’re important metrics, but they’re not the only metrics,” Callahan said. “And we are really working on finding ways to engage with the workforce to talk about efficiency, effectiveness, professional development and job satisfaction.”

Focus on team building

The CWMD office is responsible for working with state and local governments as well as international organizations to guard against chemical, biological, radiological and nuclear threats to the United States.

Recently, it’s also taken on a big role at DHS in analyzing and preparing for threats stemming from artificial intelligence. In June, CWMD published a report on the intersection of AI and chemical, biological, radiological and nuclear threats.

Internally, Callahan said the theme in 2024 for CWMD is “prepare, connect, transform.”

“I’m very optimistic about where the office is going to go and where we’re taking it,” she said. “I’ve been excited that people have been tying their own work to the ‘prepare, connect,’ and then how do we transform this and make this even more of a robust entity.”

To help boost morale and engagement, Callahan said she holds town halls every two weeks to discuss key issues for the workforce. She also hosts office hours every week, along with sending out a weekly leadership email update.

After getting feedback that employees felt disconnected from other parts of the organization, CWMD will start allowing staff involved in its mentorship program to go on two-week “mini details” to other directorates.

“The chemists don’t necessarily know what the physicists work on, and vice versa,” Callahan said. The program will allow mentees “to go and experience a different director and leadership to better understand what CWMD does, and to also experience different leadership styles as well.”

On July 16, several CWMD directorates will host a “Trinity Day” — named after the first nuclear weapon test in 1945 — for staff to learn about the history of the Trinity test and also participate in team-building exercises.

“We are also going to have a competition to see who can find radiological materials fastest, because we’re all competitive at the end of the day, mimicking what our mobile detection deployment unit does every time they deploy,” Callahan said.

The day will also feature trivia, as well as a promotion ceremony for one of the 12 military service members assigned to the CWMD office.

With many staff working remotely, Callahan said the goal is to be “intentional about in-person time.”

Supervisors and efficiencies

FEVS results can be a lagging indicator. That’s especially true for an organization like CWMD, which has seen leadership changes and a Congressional authorization skirmish in the year since the 2023 surveys were completed.

But the office’s 2023 FEVS results, which improved in several key areas, also notably showed a downturn in how CWMD employees felt about their supervisors.

Callahan said that was a “unique circumstance” that has since been addressed, indicating that there were problematic supervisors at the DHS office who have since left the organization.

“Some of the criticisms associated with that supervisory number are no longer an issue in the office,” she said.

CWMD has also brought in several new second line supervisors and is boosting training for individuals in leadership positions.

“We’re looking to develop leadership skills and promotional opportunities across the board,” Callahan said. “And we’re also working on getting training to first line and second line supervisors, as well. That’s a standard approach in an office, but we are honing in on those types of leadership skills.”

Additionally, Callahan said she is working on several “modest changes” to CWMD’s structure that will be revealed in the coming months.

“I am not a big fan of coming in, and wholesale changing structures and offices,” she said. “I’ve got some suggestions on making it a little more efficient.”

The post How one DHS office is trying to bounce back amid low morale numbers first appeared on Federal News Network.

For years, the Department of Homeland Security’s bottom spot in the annual “Best Places to Work in the Federal Government” rankings seemed etched in stone.

DHS finished last out of all large agencies every year between 2012 and 2021. But in 2022, DHS crawled out of the basement for the first time in a decade, to 16 out of 17 large agencies.

And in 2023, DHS jumped up to 14 out of 17 in the Partnership for Public Service’s rankings. DHS’ latest score is tied with the State Department, and it betters both the Justice Department and the Social Security Administration. DHS made these strides in a year when engagement and satisfaction were generally on the rise across federal agencies. 

In a recent interview with my colleague Drew Friedman and I, Homeland Security Secretary Alejandro Mayorkas said DHS has made workforce well-being a top priority. He highlighted specific component efforts, like the push to increase pay at the Transportation Security Administration, as well as cross-DHS initiatives, including pulse surveys and “jump teams” that address employee issues.

“We have been intensely engaged with our workforce in understanding what they need and delivering for them,” Mayorkas said. The full interview will run this Thursday, July 11, on the Federal Drive with Tom Temin.

Our interview with Mayorkas is part of a broader series we’re publishing this week looking at how DHS has made key strides with employee engagement and satisfaction. We’ll also explore where the department goes from here.

DHS’ varying progress

The first thing to understand about DHS’ scores and rankings is that the department is not a monolith. DHS employs more than 260,000 people spanning multiple operational components and support organizations. Its missions range from border security to airport screening to cybersecurity to emergency management and more.

At one end of the spectrum, the Coast Guard had an employee engagement score of 76.6 in 2023, while U.S. Citizenship and Immigration Services (USCIS) scored a respectable 73.5. Both scores are high for DHS, and firmly in the middle of the pack compared to the rest of the federal government.

On the other hand, Immigration and Customs Enforcement continued to struggle with a score of 54.7 in 2023, while DHS’ Countering Weapons of Mass Destruction Directorate’s score of 46.5 ranks 457 out of 459 agency components governmentwide.

Chris Cummiskey, who served as acting undersecretary of DHS for management during the Obama administration, said your experience as an employee at DHS largely depends on where you sit.

“If you’re in region nine in California with FEMA, or if you’re at the southern border with the Border Patrol or in [US]CIS call centers in Vermont, you’re going to have a much different view of what the department means to you,” Cummiskey said. “That, I think, is the biggest challenge, is trying to meet folks where they are and recognizing that in a department with 29,000 frontline managers, that’s really where the most opportunity for change takes place … not necessarily from edicts coming out of D.C.”

For employees at TSA — DHS’ largest operational component by far — 2023 was a banner year for engagement and satisfaction. TSA’s score rose by 12 points last year. The agency saw a major increase in pay satisfaction after employees received a historic salary increase in 2023. Check out Drew’s story for more details on how TSA leaders are looking to build on those gains.

Better-paid employees make for happier employees. But TSA and the rest of DHS saw marginal improvements in other key Partnership categories in 2023, including effective leadership; diversity, equity, inclusion, and accessibility; and “mission match.”

Those improvements are good news. But the fact is, DHS remains in the lower quartile of all federal agencies when it comes to the categories mentioned above and others, including employee recognition and professional development.

Strengths and challenges

Many DHS employees responded positively to items in the 2023 Federal Employee Viewpoint Survey inquiring about their mission, their supervisor, and their customer service. But DHS also saw high rates of negative responses to items regarding management decisions, performance recognition and senior leadership.

While TSA made strides last year, other large DHS components like ICE and Customs and Border Protection have struggled to move the needle on engagement and morale. The DHS inspector general has reported on how conditions at the southwest border have exacerbated staffing challenges at CBP and ICE, leading to morale problems and potential attrition.

No matter the component, the demanding nature of many DHS jobs means that the department’s senior leaders and supervisors need to be constantly attentive to the needs of their employees. Doing that could help DHS continue its crawl up the Best Places to Work rankings.

“What can they do to compensate for that? Is it more flexibility? Is it better shift scheduling? Is it childcare subsidies?” Cummiskey said. “They’ve got a toolkit to draw from. I think they just have to be innovative going forward. It’s not always going to be pay increases, but what else can you bring to the table? And a lot of times, it’s also just recognizing the work that’s being done and listening to employees and trying to take steps that improve the conditions so that they can do their job.”

Nearly Useless Factoid

By: Derace Lauderdale

DHS has more than 240,000 employees, making it the third largest Cabinet department after the Departments of Defense and Veterans Affairs.

Source: AFGE

The post At DHS, job satisfaction is improving, but it depends on where you sit first appeared on Federal News Network.

The intelligence community’s new IT roadmap lays out a plan to pursue artificial intelligence “at scale,” as IC technology leaders develop guidance for AI standards and services.

The Office of the Director of National Intelligence published the roadmap, “Vision for the IC Information Environment,” late last month. In an exclusive interview, IC Chief Information Officer Adelle Merritt said the roadmap calls for “bold and transformational investments” in technology. She said the roadmap was developed in coordination with all 18 elements of the intelligence community.

“This roadmap really provides a unified vision for where the IC needs to go over the next five years,” Merritt said on Inside the IC.

The strategy makes clear that officials believe AI is poised to “transform the IC’s mission.” It describes several efforts to advance “AI at scale” through 2030.

“Secure, generative, and predictive AI can reduce the time for intelligence insights from days or weeks to mere seconds,” the document states.

By fiscal 2025, intelligence community officials will develop enterprise guidance for AI, including standards, use policies and architectures, to guide how intelligence agencies adopt the technology. The IC’s recently designated chief AI officer is also leading the development of a new IC-wide AI strategy.

The roadmap also shows that between fiscal 2026 and 2029, officials plan to establish “AI enabling services at scale,” including a model repository and training data.

Merritt said ODNI officials need to move quickly with their guidance to keep up with the rapidly evolving state of AI.

“It is critically important that we focus on getting this out and not let it languish, because things are moving on,” she said. “The world has started to adopt this. And it’s a really exciting capability.”

At the same time, Merritt emphasized that the IT roadmap’s five focus areas and 19 initiatives can’t be done in isolation.

“It is a collection of things that all must be done,” she said. “It’s not something that’s ala carte, that you can pick and choose what you decide you want to work on.”

‘Optimizing’ the IC’s cloud

The intelligence community’s successful use of AI will in large part depend on other elements of the roadmap, including cloud computing, data management and cybersecurity.

“As a CIO, when I hear about AI, I quickly think, you’re going to need a lot of data in order to do AI,” Merritt said. “And to have all that data, I’m going to need to store it. I’m also going to need to process it. And I’m going to need to move it around from where I get it to where the users are. So when I hear AI as a CIO, I’m thinking, storage, compute and transport.”

The roadmap lays out a key initiative to “optimize” the intelligence community’s use of the cloud. Intelligence agencies had initially adopted cloud infrastructure using Amazon Web Services under the CIA’s “C2S” contract. But agencies are now moving to the CIA’s “C2E” contract, which includes five major cloud vendors.

Merritt says four of the major cloud providers have now received an authority-to-operate on the IC’s classified networks.

“So we now have some of the best cloud capability on the planet available to us, and so making sure that we continue to nurture that infrastructure underneath upon which all the amazing capabilities will be added,” Merritt said.

In fiscal 2025, the roadmap describes how the intelligence community will develop “a tool, methodology, or process to help IC elements determine which approach and service provider would be most appropriate to meet their individual requirements.”

Merritt said a multi-vendor cloud environment is “critical” for the IC

“It is critically important that we turn the different capabilities that each of these unique cloud service providers have and turn them into mission advantage, and not just resort to the lowest common denominator,” she said. “And so much as we learned how to operate in a single cloud environment, we are now turning our attention to learn how to operate and thrive in a multiple cloud environment.”

Zero trust steering committee

The roadmap also homes in “robust cybersecurity” as a key focus area. And the IC’s strategy for zero trust largely lines up with the Defense Department’s timelines for adopting the security architecture.

The strategy states the intelligence community will achieve a “basic” level of zero trust maturity by Sept. 30, 2025, and an “intermediate” state by Sept. 30, 2027.

Merritt said the IC has also established a “zero trust steering committee” to guide those efforts. The committee includes officials from all 18 elements of the intelligence community.

“Some of our elements have done some amazing things on their zero trust journey, and they have been very willing to share,” she said. “So we’ve had some technical exchanges where we brought in subject matter experts in a specific area invited technical experts from across the elements to learn and to ask questions, so we can accelerate our journey by sharing our knowledge.”

Meanwhile, the roadmap also highlights the move to post-quantum cryptography. “Cryptographic security in a post-quantum world will be pivotal for safeguarding data and digital communications,” the document states. “This includes the development and deployment of advanced cryptographic algorithms designed to be secure against threats from quantum computers, both in commercially available and government devices.”

By fiscal 2027, the intelligence community plans to deploy quantum-resistant cryptography solutions “to bolster the confidentiality of IC networks and transport services,” the plan shows.

Merritt said the IC is working on the plan for deploying quantum-resistant algorithms in the coming years.

“It is important that we do this in a deliberative, thoughtful way, because whenever you start to change technology, you do open up some risk,” she said. “And so when we talk about this as being a race, we can’t be moving so fast that we get sloppy on this.”

The post Intelligence community pushes for ‘AI at scale’ under new IT roadmap first appeared on Federal News Network.

Secretary of State Antony Blinken announced “AI.State” as a “central hub for all things AI” for the department’s 80,000 employees.

“It offers formal and informal training, including videos that are up there to help folks get started,” Blinken said during an event at the State Department today. “It’s a home for all of our internal State Department AI tools, libraries of prompts and use cases. And I would just say, try it out. I’d encourage everyone to test it out, to try it out, to explore it, to try to learn from it. And also lend your own ideas and input because this is something that will continue to be iterative and a work in progress.”

The State Department last fall released an enterprise AI strategy. The strategy prioritizes an “AI-ready workforce.” The agency has also been exploring using generative AI to help employees plan their next career steps.

Blinken said a big motivation for the State Department’s use of AI is improving analysis, while also freeing up its employees to work on high-priority tasks.

“We can automate simple, routine tasks,” Blinken said. “We can summarize and translate research. Something that would take normally days, even weeks, can be done in a matter of seconds.”

Blinken and other State officials at the event today encouraged the workforce to not just experiment with AI, but share use cases to better inform the agency’s approach to the technology.

“If that particular solution isn’t shared, if it just stays with that one person, that one group and that one country or that one place, then you have this reinvention of the wheel that has to go on time and time again,” Blinken said. “Our ability to draw from the experience that all of our teams are going to have using, deploying, experimenting with AI all around the world, but then bringing it back and having these use cases – especially the ones that are producing really interesting new things –come to the top, but then be taken and shared across the enterprise.”

State’s AI ‘North Star’

Earlier this spring, the State Department rolled out a new AI tool called “North Star” that can analyze and summarize news stories in more than 200 countries and in over 100 languages. Matthew Graviss, the State Department’s chief data and AI officer, said the agency’s public diplomacy officers are already making use of the tool.

“The ability to summarize in the media space, and then use that time that you saved to call the reporter find out a little more context around why they wrote that article, maybe shape the next article,” Graviss said today. “It’s repurposing that time to the higher value asks that we want our experts in diplomacy doing.”

Elizabeth Allen, under secretary for public diplomacy and public affairs, estimated the media monitoring tool could save PD officers 180,000 hours over the next year. “We have a lot of opportunity in the communication space to use AI,” Allen said today.

But she added that State’s public affairs offices also need to ensure that people are ultimately reviewing any outputs from generative AI, particularly if it helps feed prepared remarks made by ambassadors.

“We always have to be making sure that we have human checks, particularly when it comes to public communications,” Allen said.

The State Department also recently released a chatbot, “State Chat.” Graviss said his team can analyze the prompts and tweak the tool accordingly.

Kelly Fletcher, State’s chief information officer, said the department’s cybersecurity specialists are also “red teaming” any new enterprise tools like State Chat.

“We do that with almost all of our platforms and systems,” Fletcher said. “In the case of the newest AI technology, we were testing it . . . we found some stuff. Honestly, these folks managed to do some really cool sneaky things. And they were able to see what some folks’ prompts were, they were able to see information they shouldn’t have been able to see, and we fixed it.”

She said training is mandatory to use any new AI tools. And State’s IT teams are also monitoring tools like State Chat for nefarious activity.

“We can see what prompts people are using, not just to inform how is this technology being used and how is innovation happening in the field, but also we can see if somebody’s up to no good,” Fletcher said. “Whether they’re a person who works at the State Department, or somebody who’s managed to get in and is pretending to be a person who works at the State Department.”

Meanwhile, Uzra Zeya, under secretary for civilian security, democracy and human rights, said her team launched an AI research assistant called “data collection management tool,” DCT, in February 2023. Zeya said the tool will reduce by one-third – 52,000 hours per year – the time her officers spend researching and fact-checking reports.

The DCT capability is now available through AI.State.

“I’m really proud of what we’ve been able to accomplish, and I think this is an example of technology supporting not supplanting our work,” Zeya said.

Blinken said he believes AI will be fully integrated into the State Department’s work within the next 10 years.

“Some of this entails experimentation, some of it entails risk,” Blinken said. “But if we’re not leaning in, we’re going to be left out and left behind.”

The post With new AI tools available, State Department encourages experimentation first appeared on Federal News Network.

The Navy Department’s “Black Pearl” software factory program is making headway on partnering with customers across the department, as it looks to move its services into the realm of classified networks.

Manuel Gauto, chief engineer for Black Pearl, said in an early June interview that the program has gotten “unclassified down,” with the software factory accredited up to “impact level five” data, which includes controlled unclassified information and national security systems.

Now, Black Pearl is looking to get accredited for “impact level six” so it can work with secret-level classified workloads.

“So the folks who aren’t able to operate on unclassified [networks] also have an option,” Gauto said on Federal News Network.

In the few years since it was established, Black Pearl has worked with a range of organizations to deliver DevSecOps software practices, including the program executive office for integrated weapon systems, which runs the Navy’s Aegis Weapon System platform.

Black Pearl is also helping the Rapid Autonomy Integration Lab in their mission to deliver unmanned naval vessels.

“We’re kind of pretty pervasive at this point,” Gauto said.

Navy’s ATO journey

But as it seeks IL-6 authorization, perhaps the most important partnership the Black Pearl program has developed is with the authorizing officials at organizations across the Navy. The offices that grant or deny authority-to-operate packages are often seen as a barrier to new technologies, including agile software development services.

Gauto said his initial approach with authorizing offices was “less diplomatic” as the program worked to gain ATOs.

“Now, we’ve brought in a lot more people,” Gauto said. “We have a cyber team on Black Pearl. We’ve built relationships with the authorizing official team. They now work together to figure out how to get to ‘yes.’ It’s much less adversarial.”

Still, Gauto said he would choose security over compliance “11 times out of ten.” He said policy often lags behind technology and threats, meaning Black Pearl has to go above and beyond to ensure its internal systems stay secure, while also working with their customers to secure their software environments.

But Gauto said he believes authorizing officials have the “best interests of the Navy at heart.”

“They want the Navy to be better,” Gauto said. “They want the Navy to be secure. But they also are custodians of this process that has been built upon for a long time now. So we kind of have to slowly guide them into alignment with the newer technologies that are coming out. And I think that’s where we’ve had success.”

The program has also developed guidance for Navy organizations to make it easier to talk with authorizing officials about software containers, Kubernetes, the cloud and other leading edge technologies, Gauto said.

Black Pearl’s ‘Shipyard’

Black Pearl is now developing a new offering called “Shipyard” that Gauto said is “our software factory for delivering to the cloud.”

“It will be the policies and procedures, it will be the rules for the code scanners, it will be a little dashboard or something that’s like, ‘you are good to go or you are not good to go because XYZ,’” Gauto said.

Black Pearl has also developed services that help translate cybersecurity data into “a tool that authorizing officials are familiar with,” Gauto said.

“That’s kind of an intermediate step,” he said. “Let’s at least start leveraging the data and make them comfortable with where the data is coming from. And then we can have a conversation around, okay, well, maybe you can take the data in it’s less transformed form because it actually has even more information that may be more helpful for you. And that’s where we’re really focused. It’s having those conversations with the authorizing officials and in a way, negotiating what they want to see on behalf of the community.”

The post Navy’s ‘Black Pearl’ software factory forging ahead toward secret-level authorization first appeared on Federal News Network.

The General Services Administration’s FedRAMP cloud security program is launching a pilot to allow cloud service providers to quickly introduce security features into their products.

Ryan Palmer, senior technical and strategic advisor for FedRAMP at GSA, said the pilot will launch this summer. The effort is centered on a “nonblocking significant change request process,” Palmer said.

“We’re working on running a pilot where some capabilities and some changes are going to be able to be made with an informed but not an approved step for those agencies,” Palmer said.

Palmer joined Chad Poland, cybersecurity product manager at the Cybersecurity and Infrastructure Security Agency, for a panel during Federal News Network’s Cloud Exchange 2024 to discuss continuing initiatives at GSA and CISA to help agencies secure their cloud presences.

Making FedRAMP more adaptable

Currently, FedRAMP requires cloud service providers have an approved “significant change request” before making major updates to their already authorized cloud services, such as new technologies.

The process has been seen as an impediment, however, to CSPs introducing new features that could help better secure agency data and services.

“I think that pilot can enable some of those capabilities to be offered,” Palmer said. “There’s a crawl, walk, run approach I think we have to do when we look at how we do change management within the program.”

The pilot comes amid broader reforms to the long-running FedRAMP program. The reforms are aimed at addressing the time and cost for CSPs to get approved. The changes are specifically intended to expand the pool of available software as a service offerings for agencies, Palmer said.

GSA released a FedRAMP roadmap earlier this year to help guide the program’s evolution. The Office of Management and Budget is also finalizing a White House draft memo on FedRAMP.

Palmer said GSA is also looking to introduce more automation into the process, including by moving to a common data format for FedRAMP authorization documents.

“Once we get there — and I think we’re going to get there fairly quickly — we can start using that data and combine data to start speeding up the process,” he said.

Automation could help cloud service providers catch errors in their paperwork, for instance, potentially saving time during the FedRAMP review process. Palmer compared it to tax preparation software that alerts users to obvious errors and typos.

“Through automation, I see us providing increased insights to cloud service providers early in the process,” he said.

CISA dives deeper on SCuBA

Meanwhile, CISA continues to work on additional tools and services as well.

For example, its Secure Cloud Business Applications, which offers agencies baseline security configurations for their cloud environments, finalized the Microsoft 365 secure configuration baseline in December. SCuBA is also piloting a draft configuration for Google Workspace products with several agencies.

Poland said the strength of the SCuBA baselines is in their specificity.

“They’re very prescriptive,” he said. “So it tells an end user exactly what setting they need to change, why they should change it via a rationale statement. And then we’ve actually gone a step further and provided mappings to MITRE ATT&CK so that they know, if they turn the setting on, what actual TTP it’s going to prevent.”

The program also offers open source assessment tools that agencies can use to evaluate their security posture for Microsoft 365 and Google Workspace respectively.

Meanwhile, FedRAMP is examining how to incorporate the SCuBA program’s guidance into secure configuration profiles in the first half of fiscal 2025, according to FedRAMP’s roadmap.

Poland said CISA is also considering how to expand its work on secure configurations to other cloud products beyond Microsoft 365 and Google Workspace.

“There are hundreds of other SaaS products out there on the marketplace, and then thousands of other SaaS products out there not on the FedRAMP marketplace,” he said. “How can we scale that and try to see if we can mimic that same type of prescriptive guidance for organizations?”

Ensuring secure government AI adoption

Both CISA and GSA are also playing pivotal roles in the government’s secure use of AI. In March, GSA released a draft emerging technology framework to help prioritize FedRAMP’s approval process for technologies like AI.

FedRAMP finalized the prioritization framework on June 27. Vendors can start submitting generative AI capabilities for priority approvals starting Aug. 31.

Palmer said GSA received more than 200 comments on the draft.

“We’ve tried to incorporate those changes into the final framework,” he said. “Some of the things that we heard were the concerns around the limits that we had in the framework. We tried to adjust those and clarify that those are going to be flexible and really driven by agencies’ needs.”

Many commenters also focused on the framework’s benchmarking process.

“Collectively, people liked the benchmarks,” Palmer said. “But some of the concerns around the benchmarks were, ‘How are they relating to different agency use cases?’ Let’s say there’s a need for an AI large language model to do a translation capability. Is the highest performing large language model also the best one for that translation? There could be large language models that are related to specific industries or particular government areas that may be the highest performing but may not show up on the initial benchmarks. So we are looking at standardized communication around what benchmarks are relevant to the use cases and what those use cases are for particular models that are being offered as part of a cloud service offering.”

CISA’s SCuBA program is also examining the incorporation of AI into the Microsoft 365 and Google Workspace products, Poland said.

“Both of them are add-ons to those base platforms,” he said. “And so once we go to the internal approval process, we’re going to get those into our test environments and see how they affect and change some of those configurations. Do we need to provide additional policies? Does our assessment tool need to adapt to make sure that we’re capturing everything? Can we leverage some information from that in order to make our products better? It’s something we’re already working on.”

Discover more articles and videos now on Federal News Network’s Cloud Exchange 2024 event page.

The post Cloud Exchange 2024: GSA’s Ryan Palmer, CISA’s Chad Poland on new tools to help agencies protect data in the cloud first appeared on Federal News Network.

DHS Chief Information Officer Eric Hysen said his office, the Cybersecurity and Infrastructure Security Agency, and the Federal Emergency Management Agency have collectively hired 189 individuals using CTMS. The CIO’s office and CISA were the first DHS organizations to use the new talent system. FEMA gained authority to use CTMS last year.

“We are pushing to aggressively expand CTMS,” Hysen said during a House Homeland Security Committee hearing on Wednesday. “We are working to bring it onboard with additional components. We are also looking across the offices that are already using it to expand utilization for some of their existing hires.

CTMS is exempt from many of the federal government’s traditional competitive hiring and compensation practices. The goal is to enable DHS to more quickly recruit and onboard talented cybersecurity professionals.

The system represents a major civil service reform effort. But the program’s slow rollout has led some lawmakers to question whether it’s working.

“While CTMS is a major value-add to the department, its rollout was not without challenges,” Hysen wrote in his prepared testimony. “It took us too long from receiving this authority to launch the program and begin hiring under it, and our initial rate of hires have not met our aggressive targets. Designing and launching an entirely new personnel system in the Federal Government is an extremely difficult task, and we learned from these efforts.”

He said DHS is working with hiring managers “to make it a more effective tool.”

“We knew that simply eliminating a step in the hiring process or adding a pay grade would not do enough to make DHS competitive, so we designed CTMS as a true attempt at civil service reform,” Hysen continued. “It is a complex, transformative, and challenging effort, but necessary to position the department for long-term success.”

CTMS ‘not going to be the answer for every position’

Last year, CISA Director Jen Easterly acknowledged her agency was continuing to use traditional Title 5 practices for most hires. Easterly also said CISA wanted to ramp up its use of CTMS.

While the new system contains more flexibilities around compensation and grade, officials have said it also features a “rigorous process” for skills identification and interviews.

Beyond CTMS, DHS has been leveraging direct-hire authorities granted by the Office of Personnel Management for artificial intelligence positions.

During this week’s hearing, Hysen acknowledged “CTMS is not going to be the answer for every position.”

“Traditional Title Five hiring will still play an important role,” he said. “That’s why we’re looking to streamline through leveraging direct hire authority from OPM and other sources of traditional hiring.”

Still, Hysen said the new talent system has allowed DHS to establish a “ready talent pool” of candidates.

“So that when we have vacancies arise, we can reach out to candidates that have gone through the first stages of their assessment process already and then just start from there, which significantly can significantly reduce time to hire,” he said.

DHS is also aiming to re-balance its mix of federal employee and contractor workforce. Hysen said the department is using CTMS to “look at areas where we need more federal technology expertise in our workforce.”

“We’ve done that with our network operations and security center where we have been rebalancing what was predominantly a very contract heavy workforce and are now adding in additional levels through these new hiring authorities of federal personnel,” Hysen said. “It’s something we’re looking to expand.”

Security clearances are another factor in holding up cyber hiring across DHS, Hysen said. The CIO said the department is looking to reduce requirements for security clearances.

“If you’re not going into a SCIF, looking at classified material, we shouldn’t be holding up your hiring on that,” Hysen said. “So we have been looking to reduce requirements, expand the use of interim clearances at both the secret and top secret level, which can be issued faster, as well.”

The post DHS aims to expand CTMS after ‘challenges’ with rollout first appeared on Federal News Network.

In congressional testimony Wednesday, DCSA Director David Cattler said the Defense Department this spring initiated a 90-day recovery plan for the NBIS program, which is charged with delivering new IT capabilities to support the background investigation mission. Cattler took over as director of DCSA in March. He has said addressing NBIS delays is one of his top priorities.

“With the help of our partners in the department and the [Government Accountability Office], we developed a recovery plan to fix these problems including NBIS’s cost, its delivery schedule and its overall performance,” Cattler said during Wednesday’s hearing before the House Oversight and Accountability Committee’s government operations subcommittee. “And outcome of the recovery plan is initial 18-month capability roadmap for NBIS development.”

“To be clear, NBIS development will extend beyond the next 18 months. But I’m confident with this path forward to reset the program,” he added.

NBIS is a key component in the White House-led “Trusted Workforce 2.0” personnel vetting reform initiative. But NBIS is years behind schedule and more than $600 million over budget. DoD planned to deliver all new NBIS capabilities by 2019. But so far, the program has delivered a limited set of new capabilities, including a new “e-application” portal for security clearance applicants.

Cattler said out of the $1.35 billion spent on NBIS so far, approximately $800 million has gone toward new software development, while the remainder has gone to sustaining legacy background investigation systems.

“So we need to prioritize the retirement of the legacy software systems with the thought of how much they cost,” Cattler said. “And ideally, sunset the programs that cost the most at the earliest opportunity, if the technology will allow us to do so.”

Last August, GAO reported for the second time in three years on issues with NBIS, including funding shortfalls due to shifting priorities at DCSA, as well as an unreliable schedule and cost estimate.

Alissa Czyz, director of defense capabilities management at GAO, told the House subcommittee that “DoD was not always listening” to the issues GAO raised regarding NBIS. But she said GAO is “encouraged by recent leadership changes” at DCSA.

“I can’t emphasize enough that [DoD] needs to embrace key program management principles, like having a reliable schedule and cost estimate,” Czyz said. “Without these, programs will continue to suffer setbacks.”

Cattler also said he was committed to working with GAO and other oversight entities. The Pentagon’s acquisition and sustainment office is now the milestone decision authority for NBIS. And Cattler has also asked DCSA’s inspector general to audit the NBIS program.

“I’m committed to building a culture of accountability at DCSA that was lacking in the program,” Cattler said. “Simply and directly: the delay in fielding NBIS is unacceptable to everyone.”

NBIS in the cloud

By the end of June, Cattler said DCSA aims to gain approval for updated acquisition, requirements and program documents for NBIS.

In written testimony, he said DCSA would prioritize five actions over the next 18 months: “modernizing and migrating NBIS applications, aligning acquisition and development actions, adapting our NBIS workforce, aligning program cost and service pricing, and strengthening cybersecurity protections.”

Once the new program plan is approved, Cattler said he will direct DCSA to migrate select systems to cloud services provided through DoD’s Joint Warfighting Cloud Capability (JWCC) contract.

“This will give NBIS a stable, modern platform, security, the ability to scale and will provide application developers and investigative service providers access to modernize to their specific needs,” Cattler explained in written testimony. “In time, this move will allow for shared services.”

DCSA is also focused on restructuring the NBIS team and retraining the program’s workforce. The agency recently hired both a new program executive officer and NBIS program manager.

“We’ve had a lot of advice on who else to hire, who else to bring in,” Cattler said. “For example, user experience experts, [and] people that can help us a little bit more with data architecture. We sent our people out for agile training. We’ve had over 140 receive updated training and agile methods for software development. And we sent some of the program management staff over to the Defense Acquisition University as well, for further training on program management related skills.”

DCSA is also working on a new cost estimate for the NBIS program. Cattler said the agency would also get a separate, independent cost estimate for the updated program.

Czyz applauded DCSA’s new efforts, but said the agency needs to demonstrate more rigor in its planning going forward.

“We are looking forward to seeing the new roadmap and plans,” she said. “But I will say that we have reviewed multiple NBIS roadmaps over the years. And none of them had reliable schedules. In fact, we did a review in 2021. It was unreliable. In our 2023 report, when we re-looked at the new roadmap and new schedule, it was actually worse than the 2021 [plan]. So it’s great that new plans are being formed. But it’s essential that you follow best practices for integrated master schedules to get the plan right, or else we’re just going to keep repeating this over and over.”

The post DCSA has a new roadmap for delayed background investigation IT system first appeared on Federal News Network.