All News - Federal News Network
https://federalnewsnetwork.com
Helping feds meet their mission.
Wed, 10 Apr 2024 17:13:01 +0000

When the door from government-to-industry leads to a brick wall
https://federalnewsnetwork.com/contracting/2024/04/when-the-door-from-government-to-industry-leads-to-a-brick-wall/
Wed, 10 Apr 2024 17:01:26 +0000

A high-level military official negotiates with a contractor, leaves the government, and joins the contractor. Is it a conflict of interest? Depends.

The post When the door from government-to-industry leads to a brick wall first appeared on Federal News Network.


It is an old story, but new versions keep happening. A high-level military official negotiates with a contractor. He seeks employment, leaves the government, and joins the contractor. He may not have a conflict of interest, but if it looks like he does, that’s trouble. The Federal Drive with Tom Temin discusses this potential problem with Zach Prince, a procurement attorney with Haynes and Boone, LLP.

Interview Transcript:  

Tom Temin: Zach, tell us about the most recent decision resulted from protest, but a company was left out of a competition because of that appearance. What happened? Yeah.

Zach Prince: So this is a procurement involving, dual band decoy system, which is intended to be, mitigation system for radar guided missiles that are targeting military aircraft and specifically the F-18. So right now, that you’ve got missiles that use two bands of radar to track aircraft, it’s very challenging to have effective countermeasures for them. So, the Navy is trying to develop and then implement a replacement for their current solution. So, they had two rounds of this and they’re going to have multiple iterations of the program. The first was a technical demonstration type portion that started a few years ago and followed on with an engineering, manufacturing and design phase and phase. Now, ultimately, it’ll go into, you know, low rate and full rate production. BAE and Raytheon were both recipients of the contract for the demonstration of the existing technologies. As part of this, at some point between that portion and the next portion, Raytheon started discussing employment with a Navy employee, longtime mathematician and technical expert with the Navy, with Navy Air, specifically who was running this program. And he left and joined Raytheon and then began representing Raytheon back to the government as a concern. This program had something to do with their response to the Navy’s request for information for the second round, some disputed amount of involvement for the submission of the proposal for the second round. And at some point the Navy realized, hey, this at least has a bad smell to it, and started doing a pretty thorough investigation.

Tom Temin: Right? So, this fellow VK had participated in all of the work on the Navy’s behalf for the first phase of this long-term program, and while he was negotiating and dealing with Raytheon, he was also trying to get a job there, basically, and got the job. And now they’re into the dealing with the Navy for the follow on.

Zach Prince: Yeah, to be fair, it wasn’t as egregious as I think. We all remember the tanker case from back in the early 2000 with the Air Force and Boeing. This guy VK was not actually negotiating for the government. He was doing some very technical work making recommendations on the technical implementation of the program. He wasn’t deciding solutions, but he did have access to proprietary information. And he had signed an NDA with the Navy expressly saying that he wouldn’t work for anybody who was part of this program.

Tom Temin: Okay, so if it’s a very wide gray area, he was at one edge of it, let’s say, and a contracting officer decided to pull on that thread.

Zach Prince: Yeah, he did. And somebody from the government raised the issue internally. The Navy did exactly what they’re supposed to do. They did a very thorough, extensive, months-long investigation where they spoke to a number of people in the Navy. They gave Raytheon multiple opportunities to offer, comment and respond. And ultimately, they concluded that the appearance of impropriety here, they didn’t say there was necessarily impropriety, although it was really close, but at least the appearance was enough that they felt they had to exclude Raytheon from the competition.

Tom Temin: And therefore I imagine Raytheon said, nope, we protest.

Zach Prince: That’s right. I mean, it’s an important program. And the initial award, the MD phase, I think it was maybe $50 million. So, it’s not huge. But I think long term this is going to be multiple hundreds of millions of dollars not to get into full rate production or more. So, this is an important project for them. They protested to GAO and lost. Because the agency has a lot of discretion in these types of determinations. And then they filed that on to the court.

Tom Temin: Right. And what happened at the court level?

Zach Prince: They lost again, they had some pretty extensive briefing, some interesting arguments raised about why the mere appearance of impropriety without real hard facts that taint the procurement is not enough. But ultimately, their arguments tried to sideline some pretty clear Federal Circuit case law and the consistent decisions of the Court of Federal Claims, which really uphold the decisions of the contracting officer on this issue. In fact, Judge Sampson, who wrote this decision, said he did a survey of all the cases that have been decided by the court on this issue, at least since a Federal Circuit decision that sort of set the precedent in the early 2000s. And not once has the court overturned the government’s decision on this.

Tom Temin: Yeah. You wonder what the motivation of the company, or at least the judgment of the company was. I mean, you can see from an employee standpoint, the industry beckons with compensation packages, you know, in a cushy type of situation. But the company institutionally knows these shoals, especially long serving old line company like Raytheon. I mean, we can only speculate. So right now, then they’re out. Period. The end.

Zach Prince: Yeah. That’s right. And my impression from reading these cases, I don’t think Raytheon really knew at all how much in-depth involvement this guy had with the program, and they knew that he was a fairly senior, very technically skilled individual from the Navy office that they have dealings with. And I think the level of expertise in electronic warfare countermeasures, particularly that this guy had, are really unique. So, Raytheon wanted to hire him on. He didn’t tell them that he had involvement with this program. And in fact, he called HR, the record shows like two days after he started with Raytheon and said that his involvement was very, very light in this program. He didn’t tell his ethics people that in the government, when he got his ethics letter, it was pretty clear that he was obfuscating his involvement because he did want to go to the private sector.

Tom Temin: Right. So, one of the lessons is you don’t have to be part of the source selection board to get the government and your future employer into trouble.

Zach Prince: Yeah. That’s right. If you’re a contractor, don’t let your contracting officer counterparts be blindsided by stuff like this if you possibly can. And maybe they couldn’t have. Here, make sure that you’re coming up with some mitigation strategy as early as you can. And Raytheon, as much as I just said, yeah, they probably didn’t know his full involvement. The record also shows it, BAE sent a letter to Raytheon not long after this guy started saying, hey, we know that you’ve got this guy. We think that there are some major issues with you having had this guy, because he had major exposure to our technical solutions and IP, you know, make sure to be following those government employment restrictions. They didn’t really.

Tom Temin: Yeah. It’s almost what happened with the Defense Department more recently with the cloud contract, the JEDI contract that ultimately got sunk. And one of the reasons involved there was that someone had worked in the government and ended up at the cloud company, or had been at the cloud company, then at the government, whatever. Not a source selection person necessarily, but an influencer, an adviser deep in there. And somebody ferreted that out and that ultimately helped sink that whole program, which they’ve now replaced with the joint warfare cloud capability. And that one is going and it’s multiple vendors. So, any other lessons that companies ought to take from this?

Zach Prince: Yeah. It’s always such a challenging balancing act because on the one hand, as a company doing business with DoD, you want to have people who understand the inner workings of DoD. On the other hand, there are many situations where hiring just those types of people can create at least the appearance of conflicts, and that’s enough to taint the procurement. If the government is not convinced that there are mitigation mechanisms in place. So, you do want a firewall. People like this off from their former programs as much as possible, set up some ways in advance that you’ve documented for avoiding the appearance of impropriety, because otherwise you could end up in this type of situation precluded from doing work in a major program.

Tom Temin: Yeah, sometimes the revolving door leads to a brick wall, you might say.

Zach Prince: Good way to frame it.

Navy unveils new strategy for science, technology
https://federalnewsnetwork.com/federal-newscast/2024/04/navy-unveils-new-strategy-for-science-technology/
Wed, 10 Apr 2024 16:30:23 +0000

Navy Secretary Carlos del Toro unveils partnership involving the Office of Naval Research, Naval Postgraduate School, U.S. Naval Academy and Naval War College.

The post Navy unveils new strategy for science, technology first appeared on Federal News Network.

  • The Navy has a new strategy for science and technology. Navy leaders have branded it a “call to service” for scientists and engineers from across the country to help solve military problems. The focus areas include autonomy and artificial intelligence, power and energy, manufacturing, and a host of other issues. The plan does not spell out how the Navy will make progress on those objectives, but Navy Secretary Carlos del Toro said the new work will involve partnerships with the Office of Naval Research, the Naval Postgraduate School, the U.S. Naval Academy and the Naval War College.
  • An Air Force legislative proposal to transfer National Guard space units to the Space Force is sparking a backlash among state governors. The National Governors Association has called for the immediate withdrawal of the proposed legislation to eliminate governors’ authority over their National Guard units. Utah Gov. Spencer Cox and Colorado Gov. Jared Polis said reducing governors’ authority over their National Guard personnel will affect military readiness, recruitment, retention and the National Guard infrastructure across the country. Air Force officials proposed legislation to bypass governors in seven states and move 14 Guard units with space missions to the Space Force.
  • Two agencies have obtained extra money for IT modernization projects. NASA won its first award from the Technology Modernization Fund. The Labor Department garnered its sixth in almost six years. These are the fourth and fifth awards the board has made since January 1 and continue its focus on cybersecurity and application modernization. The space agency is receiving $5.8 million to accelerate cybersecurity and operational upgrades to its network. Labor is getting $42 million for the Office of Workers’ Compensation Programs to replace its outdated Integrated Federal Employee Compensation System. The TMF board now has invested in 43 projects since receiving the $1 billion appropriation in the American Rescue Plan Act in 2021.
  • U.S. Cyber Command (CYBERCOM) is considering the best way to build its forces in the future, by conducting a study on future force generation models. The command has typically relied on the military services to train and equip its digital warriors. But leaders have pushed to embrace a more independent U.S. Special Operations Command-type model in recent years. And others have called for the Defense Department to establish an independent cyber service. CYBERCOM is slated to brief Pentagon leadership on the results of the study this summer.
  • Chandra Donelson is the Department of the Air Force's new acting chief data and artificial intelligence officer. In her new role, Donelson will be responsible for implementing the department’s data management and analytics, as well as AI strategy and policies. Donelson previously served as the space data and artificial intelligence officer for the Space Force, a role she will continue to hold. Her fiscal 2024 goals include integrating data and AI ethics into the department’s mission systems and programs.
  • The Postal Service is looking to raise prices on its monopoly mail products for the sixth time since 2020, when it got approval from its regulator to set mail prices higher than the rate of inflation. USPS is planning to raise the price of a first-class Forever stamp from 68 to 73 cents. If approved by the regulator, these new USPS prices would go into effect on July 14. A recent study warned that USPS price increases are driving away more customers than the agency anticipated. But USPS said the data behind the study is “deeply flawed.”
  • The Department of Veterans Affairs is reviewing more than 4,000 positions that are at risk of a downgrade in their respective pay scales. The six VA positions under review include a mix of white-collar General Schedule (GS) and blue-collar Wage Grade (WG) positions. They include housekeeping aides, file clerks and boiler-plant operators. The VA expects to complete its review of these positions by the end of May. The American Federation of Government Employees said affected employees have received notices in the mail. But, the union said, it has not received notice from the VA about any imminent downgrades.
  • With cyber attacks on the rise, incident response is a big part of managing security risks. Now the National Institute of Standards and Technology is seeking feedback on new recommendations for cyber incident response. The draft guidance is tied to NIST’s recently issued Cybersecurity Framework 2.0. The revised publication layout is a new, more integrated model for organizations responding to a cyber attack or other network security incident. Comments on the draft publication are due to NIST by May 20.

VA reviewing 4,000 positions at risk of pay downgrade
https://federalnewsnetwork.com/pay/2024/04/va-reviewing-4000-employee-positions-at-risk-of-downgrade-in-pay-scale/
Tue, 09 Apr 2024 23:23:57 +0000

VA positions under review include a mix of white-collar General Schedule (GS) and blue-collar Wage Grade (WG) positions.

The post VA reviewing 4,000 positions at risk of pay downgrade first appeared on Federal News Network.

The Department of Veterans Affairs is reviewing more than 4,000 positions at risk of a downgrade in their respective pay scales.

The six VA positions under review include a mix of white-collar General Schedule (GS) and blue-collar Wage Grade (WG) positions.

The American Federation of Government Employees (AFGE) estimates about 56% of VA employees in these 4,000 positions are veterans. Some of the positions under review cover VA employees who make less than $20 an hour.

The positions the VA is reviewing cover all 18 Veterans Integrated Services Networks (VISNs). More than 1,700 positions under review are located in the Veterans Health Administration’s Finance Revenue Operations and Procurement and Logistics Office.

AFGE says affected employees have received notices in the mail about the consistency reviews. But Thomas Dargon, supervisory attorney for AFGE’s National VA Council, said the union hasn’t received notice from the VA yet about any imminent downgrades.

However, if the VA decides to downgrade any of these positions, Dargon said the department will face an even harder time filling these positions.

“The bell’s already been rung here. I've seen the letters that have gone out to impacted employees, and VA doesn't have a lot of answers to the questions they're asking,” Dargon said.

The VA put a moratorium on downgrading employee positions in 2012, allowing the department to revise a national handbook, computer software and other administrative tasks to ensure it classified employees fairly and consistently.

The VA, however, ended that moratorium earlier this year, and is conducting “consistency reviews” on six of its occupations, at the direction of the Office of Personnel Management.

VA Press Secretary Terrence Hayes told Federal News Network in a statement that OPM directed the VA to conduct agency-wide consistency reviews of these six occupations, after VA employees appealed the classification of their positions to OPM.

OPM, following a classification oversight review of VA in spring 2023, determined that two positions, industrial hygienist GS-0690-12 and purchasing agent (prosthetics) GS-1105-06, were not properly classified at the correct grade level.

VA, in a memo obtained by Federal News Network, said its Office of the Chief Human Capital Officer, “is working to strengthen consistency and oversight of classification determinations across the department by taking action to ensure employees are in appropriately and consistently classified positions, reduce geographical and organizational pay disparities and decrease hiring times.”

The VA is conducting consistency reviews on the following positions:

  • File Clerk (GS-0305-05 and above)
  • Financial Accounts Assistant (GS-503-all grades)
  • Industrial Hygienist (GS-0690-12 and above)
  • Purchasing Agent (OA) (GS-1105-07 and above)
  • Housekeeping Aid (WG-3 and above)
  • Boiler Plant Operator (WG-5402-10 and above)

Reviews of these occupations will occur in two phases. The first phase of reviews began on March 1 and will conclude on April 26. The department will start a second phase on April 29, and complete the reviews by May 1. VA expects to submit all its reviews to OPM by May 1.

“VHA Consolidated Classification Units will be required to initiate a consistency review process, which will require the identification of [position descriptions] in need of review. [Position descriptions] determined not properly classified will be sunset through attrition and positions impacted will be recruited at the appropriate grade levels, as applicable,” the VA memo states.

Once VA conducts its consistency reviews, it will provide reports back to OPM on whether their internal findings demonstrated that those positions are properly classified as compared to OPM standards.

“From there, I suspect some decision will be made,” Dargon said. “AFGE has not been notified of any imminent downgrade at this point, but I do not suspect the consistency reviews to result in employees being upgraded.”

Dargon said AFGE “does not support any downgrade whatsoever,” and that “there is already a significant pay disparity between the public sector and the private sector.”

“VA has a notoriously difficult time not only recruiting, but retaining employees, and downgrading these positions is not going to make it any easier to fill them. And it is not going to bolster morale in the workplace,” Dargon said.

Hayes told Federal News Network that the VA issued a letter temporarily suspending changes to lower grade actions on June 29, 2012. Hayes said OPM assessed VA’s classification process in March 2023, and in September 2023, “determined there were no barriers prohibiting VA from conducting the reviews.”

VA, he added, expects to complete its consistency reviews of these positions by May 31.

“Should the reviews conclude that any positions were improperly classified, VA will consider all potential options to correct this misclassification,” Hayes said. “VA will do all we can to mitigate any potential adverse impact to our current employees. VA is committed to partnering with OPM to update classification standards and ensure they reflect the work done at VA and across the federal government.”

According to slides obtained by Federal News Network from a VA briefing presentation, VHA directed its Workforce Management and Consulting Office to cancel any VHA job opportunity announcements (JOAs) for occupations and grades that are subject to the consistency reviews.

As part of the consistency reviews, VHA classifiers will take a closer look at the qualifications required to perform the work for each occupation, and whether the agency has properly applied OPM’s classification or job-grading standards.

Classifiers cannot compare these six positions to other VA jobs or positions, consider any qualifications the employee has that are not required to perform the job, or account for how well an employee performs the work or the amount of work the employee performs.

“The goal of a classification consistency review is to ensure positions are classified in compliance with OPM classification standards and graded consistently VHA-wide,” the presentation slides state.

VHA is outlining “mitigation strategies” for pay-related staffing challenges. They include supplementing the base pay of these six positions with recruitment and retention incentives — such as critical skills incentives and special salary rates available under the toxic-exposure PACT Act.

“I can appreciate that the HR community at VA is trying to create a soft landing for employees who may be impacted by these downgrades through various recruitment and retention incentives, or ‘mitigation strategies,’ as they call them. But that's not good enough,” Dargon said. “There's no reason to downgrade these employees, to make these positions harder to fill than they already are.”

Under Secretary for Health Shereef Elnahal included housekeepers as part of a “Big Seven” list (https://news.va.gov/press-room/va-ush-media-roundtable/) of occupations outlined in the VHA’s top hiring priorities in 2023. Those “Big Seven” positions cover VHA jobs that have a direct impact on patient care — and include physicians, nurses, licensed practical nurses, nursing assistants and food service workers.

Dargon warned that any potential reduction in pay for housekeepers would “be felt very quickly and sharply by folks in that field.” He said VA housekeepers in Pittsburgh, for example, are currently making about $16 an hour.

“These jobs are difficult to fill, and it’s difficult to retain workers,” Dargon said. “We have people who have military backgrounds themselves, who are veterans coming back to the VA, continue giving back, who believe in the mission, who are making just over $15, $16, $17 an hour — and you’ve got VA considering a downgrade.”

Dargon said the VA, by sending these letters to impacted employees, puts them in a position of “feeling undervalued or not seen.”

“Housekeeping aids are very much the backbone of health care institutions. You do not need to be a nurse or a doctor to be considered a vitally important part of the healthcare system that is VA,” he said.
\u201cTelling those employees who are working, in some instances, in really difficult environments, every hour of the day, to keep the VA clean and safe, that their position is actually compensated too highly \u2014 I can't imagine what that feels like.\u201dnnDargon said that if VA were to downgrade any of these occupations, it would probably lead to the department contracting out more of this work, \u201cbecause the positions have become so unattractive through pay or other working conditions.\u201dnnVA saw<a href="https:\/\/federalnewsnetwork.com\/hiring-retention\/2023\/11\/vas-historic-hiring-surge-leads-to-all-time-record-for-veteran-care-and-benefits\/">\u00a0record hiring last year<\/a>, but is now looking to manage the size of its largest-ever health care workforce.nnVA in its fiscal 2025 budget request plans to reduce its total workforce headcount by 10,000 positions. Most of the workforce reduction would come from VHA.nnVHA Chief Financial Officer Laura Duke told reporters last month that the workforce reduction is necessary, because the agency far exceeded its hiring goals last year, and because it\u2019s seeing higher-than-expected retention rates.nnVHA earlier this year rescinded some temporary and final job offers to prospective hires. 
But the agency later issued a memo, telling leadership and HR officials to only rescind job offers as an \u201caction of last resort.\u201dnnAFGE and VA finalized a new labor agreement last August, updating the terms of their labor contract for the first time in more than a decade.nnVA Secretary Denis McDonough, at the signing ceremony, said the new contract would help with \u201ceasing the process by which we can fill vacancies,\u201d and will allow the department to make new hires more quickly.nnDargon, however, said recent events suggest the VA is no longer making an effective pitch to prospective hires.nn\u201cI was on the negotiating team for the master agreement, and sat at the bargaining table with department officials who insisted that the reason they could not quickly hire employees was because of the provisions in the collective bargaining agreement \u2014 that it took too long that these were hurdles or impediments to quick hiring. We knew that was never the case, but we agreed to certain revisions in our contract to allow for more streamlined hiring procedures,\u201d Dargon said. \u201cNow they're telling us they've hired too many people, maybe they're not going to hire as quickly, they're not going to fill vacancies through attrition. And now we're looking at existing positions, and the idea of downgrading them.\u201d"}};

The Department of Veterans Affairs is reviewing more than 4,000 positions at risk of a downgrade in their respective pay scales.

The six VA positions under review include a mix of white-collar General Schedule (GS) and blue-collar Wage Grade (WG) positions.

The American Federation of Government Employees (AFGE) estimates about 56% of VA employees in these 4,000 positions are veterans. Some of the positions under review cover VA employees who make less than $20 an hour.

The positions the VA is reviewing cover all 18 Veterans Integrated Services Networks (VISNs). More than 1,700 positions under review are located in the Veterans Health Administration’s Finance Revenue Operations and Procurement and Logistics Office.

AFGE says affected employees have received notices in the mail about the consistency reviews. But Thomas Dargon, supervisory attorney for AFGE’s National VA Council, said the union hasn’t received notice from the VA yet about any imminent downgrades.

However, if the VA decides to downgrade any of these positions, Dargon said the department will face an even harder time filling these positions.

“The bell’s already been rung here. I’ve seen the letters that have gone out to impacted employees, and VA doesn’t have a lot of answers to the questions they’re asking,” Dargon said.

The VA put a moratorium on downgrading employee positions in 2012, allowing the department to revise a national handbook, computer software and other administrative tasks to ensure it classified employees fairly and consistently.

The VA, however, ended that moratorium earlier this year, and is conducting “consistency reviews” on six of its occupations, at the direction of the Office of Personnel Management.

VA Press Secretary Terrence Hayes told Federal News Network in a statement that OPM directed the VA to conduct agency-wide consistency reviews of these six occupations, after VA employees appealed the classification of their positions to OPM.

OPM, following a classification oversight review of VA in spring 2023, determined that two positions, industrial hygienist GS-0690-12 and purchasing agent (prosthetics) GS-1105-06, were not properly classified at the correct grade level.

VA, in a memo obtained by Federal News Network, said its Office of the Chief Human Capital Officer, “is working to strengthen consistency and oversight of classification determinations across the department by taking action to ensure employees are in appropriately and consistently classified positions, reduce geographical and organizational pay disparities and decrease hiring times.”

The VA is conducting consistency reviews on the following positions:

  • File Clerk (GS-0305-05 and above)
  • Financial Accounts Assistant (GS-503-all grades)
  • Industrial Hygienist (GS-0690-12 and above)
  • Purchasing Agent (OA) (GS-1105-07 and above)
  • Housekeeping Aid (WG-3 and above)
  • Boiler Plant Operator (WG-5402-10 and above)

Reviews of these occupations will occur in two phases. The first phase of reviews began on March 1 and will conclude on April 26. The department will start a second phase on April 29, and complete the reviews by May 1. VA expects to submit all its reviews to OPM by May 1.

“VHA Consolidated Classification Units will be required to initiate a consistency review process, which will require the identification of [position descriptions] in need of review. [Position descriptions] determined not properly classified will be sunset through attrition and positions impacted will be recruited at the appropriate grade levels, as applicable,” the VA memo states.

Once VA conducts its consistency reviews, it will provide reports back to OPM on whether their internal findings demonstrated that those positions are properly classified as compared to OPM standards.

“From there, I suspect some decision will be made,” Dargon said. “AFGE has not been notified of any imminent downgrade at this point, but I do not suspect the consistency reviews to result in employees being upgraded.”

Dargon said AFGE “does not support any downgrade whatsoever,” and that “there is already a significant pay disparity between the public sector and the private sector.”

“VA has a notoriously difficult time not only recruiting, but retaining employees, and downgrading these positions is not going to make it any easier to fill them. And it is not going to bolster morale in the workplace,” Dargon said.

Hayes told Federal News Network that the VA issued a letter temporarily suspending changes to lower grade actions on June 29, 2012. Hayes said OPM assessed VA’s classification process in March 2023, and in September 2023, “determined there were no barriers prohibiting VA from conducting the reviews.”

VA, he added, expects to complete its consistency reviews of these positions by May 31.

“Should the reviews conclude that any positions were improperly classified, VA will consider all potential options to correct this misclassification,” Hayes said. “VA will do all we can to mitigate any potential adverse impact to our current employees. VA is committed to partnering with OPM to update classification standards and ensure they reflect the work done at VA and across the federal government.”

According to slides obtained by Federal News Network from a VA briefing presentation, VHA directed its Workforce Management and Consulting Office to cancel any VHA job opportunity announcements (JOAs) for occupations and grades that are subject to the consistency reviews.

As part of the consistency reviews, VHA classifiers will take a closer look at the qualifications required to perform the work for each occupation, and whether the agency has properly applied OPM’s classification or job-grading standards.

Classifiers cannot compare these six positions to other VA jobs or positions, consider any qualifications the employee has that are not required to perform the job, or account for how well an employee performs the work or the amount of work the employee performs.

“The goal of a classification consistency review is to ensure positions are classified in compliance with OPM classification standards and graded consistently VHA-wide,” the presentation slides state.

VHA is outlining “mitigation strategies” for pay-related staffing challenges. They include supplementing the base pay of these six positions with recruitment and retention incentives — such as critical skills incentives and special salary rates available under the toxic-exposure PACT Act.

“I can appreciate that the HR community at VA is trying to create a soft landing for employees who may be impacted by these downgrades through various recruitment and retention incentives, or ‘mitigation strategies,’ as they call them. But that’s not good enough,” Dargon said. “There’s no reason to downgrade these employees, to make these positions harder to fill than they already are.”

Under Secretary for Health Shereef Elnahal included housekeepers as part of a “Big Seven” list of occupations outlined in the VHA’s top hiring priorities in 2023. Those “Big Seven” positions cover VHA jobs that have a direct impact on patient care — and include physicians, nurses, licensed practical nurses, nursing assistants and food service workers.

Dargon warned that any potential reduction in pay for housekeepers would “be felt very quickly and sharply by folks in that field.” He said VA housekeepers in Pittsburgh, for example, are currently making about $16 an hour.

“These jobs are difficult to fill, and it’s difficult to retain workers,” Dargon said. “We have people who have military backgrounds themselves, who are veterans coming back to the VA, continue giving back, who believe in the mission, who are making just over $15, $16, $17 an hour — and you’ve got VA considering a downgrade.”

Dargon said the VA, by sending these letters to impacted employees, puts them in a position of “feeling undervalued or not seen.”

“Housekeeping aids are very much the backbone of health care institutions. You do not need to be a nurse or a doctor to be considered a vitally important part of the healthcare system that is VA,” he said. “Telling those employees who are working, in some instances, in really difficult environments, every hour of the day, to keep the VA clean and safe, that their position is actually compensated too highly — I can’t imagine what that feels like.”

Dargon said that if VA were to downgrade any of these occupations, it would probably lead to the department contracting out more of this work, “because the positions have become so unattractive through pay or other working conditions.”

VA saw record hiring last year, but is now looking to manage the size of its largest-ever health care workforce.

VA in its fiscal 2025 budget request plans to reduce its total workforce headcount by 10,000 positions. Most of the workforce reduction would come from VHA.

VHA Chief Financial Officer Laura Duke told reporters last month that the workforce reduction is necessary, because the agency far exceeded its hiring goals last year, and because it’s seeing higher-than-expected retention rates.

VHA earlier this year rescinded some temporary and final job offers to prospective hires. But the agency later issued a memo, telling leadership and HR officials to only rescind job offers as an “action of last resort.”

AFGE and VA finalized a new labor agreement last August, updating the terms of their labor contract for the first time in more than a decade.

VA Secretary Denis McDonough, at the signing ceremony, said the new contract would help with “easing the process by which we can fill vacancies,” and will allow the department to make new hires more quickly.

Dargon, however, said recent events suggest the VA is no longer making an effective pitch to prospective hires.

“I was on the negotiating team for the master agreement, and sat at the bargaining table with department officials who insisted that the reason they could not quickly hire employees was because of the provisions in the collective bargaining agreement — that it took too long, that these were hurdles or impediments to quick hiring. We knew that was never the case, but we agreed to certain revisions in our contract to allow for more streamlined hiring procedures,” Dargon said. “Now they’re telling us they’ve hired too many people, maybe they’re not going to hire as quickly, they’re not going to fill vacancies through attrition. And now we’re looking at existing positions, and the idea of downgrading them.”

The post VA reviewing 4,000 positions at risk of pay downgrade first appeared on Federal News Network.

Passing 2025 defense spending bill will be ‘particularly difficult’
https://federalnewsnetwork.com/defense-main/2024/04/passing-2025-defense-spending-bill-will-be-particularly-difficult/
Tue, 09 Apr 2024 22:54:35 +0000

"This year does feel particularly difficult. And election years can play either way. I think it is going to be rough," said Jeanine Womble.

The post Passing 2025 defense spending bill will be ‘particularly difficult’ first appeared on Federal News Network.

While passing the 2024 defense budget was arduous as lawmakers struggled to agree on government funding plans for nearly six months into the fiscal year, negotiating 2025 defense spending is shaping up to be “particularly difficult.”

The Pentagon proposed a fiscal 2025 budget of $849.8 billion, about 1% higher than this year’s budget request. The top line figure aligns with the Fiscal Responsibility Act passed last year, which sets limits on defense and non-defense discretionary spending. Defense officials said the 1% increase would not be enough to cover inflation.

“Overall, [fiscal 2024] was a good budget. As we pivot toward this year, I think it’s a much more difficult budget, we’re gonna see some very difficult trade-offs. I’m not sure if we’re going to see as positive outcomes as all communities might want to see,” Matt Borron, the Association of Defense Communities executive director, said during the Defense Communities National Summit on Tuesday.

2024 being an election year adds complexity to negotiating and passing the 2025 defense budget. Members of Congress will go back to their districts in July and return sometime in the fall to pass a continuing resolution to temporarily fund the federal government. After that, they won’t be back until after the presidential election.

“I think every year we seem to find new ways to make this hard. And yet, we generally still manage to get it across the line. But this year does feel particularly difficult. And election years can play either way. You can have folks willing to make a deal to get things done before they go home and try to keep their jobs. But it doesn’t feel that way right now. So I think it is going to be rough,” Jeanine Womble, the House Armed Services Committee staff lead, said. 

Passing the 2025 NDAA

Borron said while there were some contentious issues during the 2024 National Defense Authorization Act negotiations, they weren’t “as contentious as they might have come across in some of the debates.”

“That’s why I think you got a relatively quick passage of the NDAA certainly, as compared to the appropriations bill,” said Borron.

The same social issues, such as diversity, equity and inclusion spending, will most likely come up during this year’s NDAA negotiations. But the resolution of those contentious issues will hinge on the results of this year’s election.

“I think you’re gonna see those same social issues come up for discussion. I don’t see necessarily a different outcome this year,” said Borron.

“All of that is really dependent on the election. I think they can resolve many of those issues, but the more contentious ones are going to have to wait until we know who’s in charge of the White House, who’s running the Senate, who’s running the House. I think in general, there’s a desire to make members as happy as possible. But I don’t think those contentious issues have really changed. The needle hasn’t shifted. We’ll see a rehash of it. And the outcome will be dependent on the elections.”

Womble believes that despite the contentious issues that will come up during this year’s round of debates, the NDAA will ultimately pass.

“I can’t give you a certain date when it will pass, but I believe it will,” said Womble.

“Maybe not quite before October 1, but in the neighborhood. I truly believe that Rep. Mike Rogers, R-Ala., chairman of the House Armed Services Committee, Rep. Adam Smith (D-Wash.) and the members of [the House Armed Services Committee] very much want to get it done every year. There are contentious issues every year, there are things that go to the very end. In a bipartisan way, the committee finds a way.”

CYBERCOM considers options for future force generation model
https://federalnewsnetwork.com/defense-news/2024/04/cybercom-considers-options-for-future-force-generation-model/
Tue, 09 Apr 2024 21:38:00 +0000

CYBERCOM also has 'enhanced budget control' over cyber forces thanks to the fiscal 2024 appropriations bill, as officials craft plans for 'CYBERCOM 2.0.'

The post CYBERCOM considers options for future force generation model first appeared on Federal News Network.

U.S. Cyber Command in the coming months will brief Pentagon leadership on options for reforming how the military generates cyber forces for CYBERCOM.

Gen. Timothy Haugh, in his first public remarks since taking over as head of CYBERCOM and the National Security Agency in early February, said the force generation study is due to the secretary of defense this summer.

CYBERCOM has traditionally relied on the military services to train cyber warriors for the Cyber Mission Force. With that leading to readiness issues, officials have also looked to adopt more of a U.S. Special Operations-command type model. And some have called on the Defense Department to establish an independent cyber force.

“We’re doing a study right now that will evaluate, and we brought in an outside think tank to help us look at this, what are the spectrum of options?” Haugh said at the CYBERCOM Legal Conference today. “There are also a number of things in between there that we should consider, and also whether or not any of that menu should be applied together. So we’re evaluating that.”

Last year, Congress tasked CYBERCOM with evaluating the readiness of the military services in their ability to provide forces to the command. Haugh said the study identified five specific things the services could improve upon.

“Most of those things were areas that had previously been tackled by SOCOM, as it looks at how the Special Operations Forces are managed,” Haugh said. “And it was around personnel policies. It was in how the services leverage tools that Congress had given for retention to each of the services, and it was about assignment policies.”

In the year since that study, Haugh said each of the services has taken individual actions to improve readiness. He pointed to the Army’s new incentive pay for cyber personnel; the Air Force’s new tech track pilot for extending an individual’s service in the cyber field; and the Navy’s new cyber rating, as well as the Marine Corps’ new eight-year initial enrollment for a cyber officer.

“Those are all really good examples of something each service has done,” Haugh said. “We would like to see them all raise that floor farther.”

Retired Gen. Paul Nakasone, the former head of CYBERCOM and the NSA, said he wanted to see a “bold move forward” with what’s been dubbed CYBERCOM 2.0.

The command is better positioned to control its future thanks to a new provision in law. The fiscal 2024 appropriations bill passed by Congress last month gave CYBERCOM new programming and budgeting authorities. Referred to as “enhanced budget control” by Haugh, the authorities give the head of CYBERCOM direct control over the planning, programming, budgeting and execution of resources for the Cyber Mission Force.

“We now have the budget responsibility for equipping the offensive and defensive cyberspace force for the Department of Defense, that force that we operate,” Haugh said. “So now we have the ability to be able to validate a requirement under our authorities that we’ve been given. We can allocate the resources against whatever that need is. And then we will be able to acquire that under our own authorities, either inside U.S. Cyber Command or in partnership with the services, where we drive the requirement, we have the resources, and now we’re going to be able to produce the capability that we need for our forces. That’s a pretty radical change from where we started.”

Integral to the conversations around the future of CYBERCOM is a new assistant secretary of defense for cyber policy position announced by DoD last month. The job serves as the secretary of defense’s top advisor on matters related to military cyber force and activities.

Secretary of Defense Lloyd Austin nominated the Army’s principal cyber advisor, Michael Sulmeyer, to serve in the new role. While he awaits confirmation, Ashley Manning is serving as acting ASD for cyber policy.

Manning and Haugh are set to testify before the House Armed Services Committee’s cyber, information technology and innovation subcommittee on Wednesday.

“It’ll be our opportunity to talk about what we see this looking like,” Haugh said of the new partnership.

NASA, Labor receive extra funding for IT modernization
https://federalnewsnetwork.com/it-modernization/2024/04/nasa-labor-receive-extra-funding-for-it-modernization/
Tue, 09 Apr 2024 21:14:12 +0000

The Technology Modernization Fund handed out more than $47 million to NASA and the Labor Department for cybersecurity and application modernization projects.

The post NASA, Labor receive extra funding for IT modernization first appeared on Federal News Network.

NASA won its first award from the Technology Modernization Fund. The Labor Department garnered its sixth in almost six years.

These are the fourth and fifth awards since Jan. 1 and continue the board’s focus on cybersecurity and application modernization.

“It is our responsibility to protect high-priority systems and enable our federal workforce to deliver on their agency’s mission seamlessly and securely,” said Clare Martorana, federal chief information officer and TMF Board chairwoman in a release. “These TMF investments demonstrate the diversity and reach of the TMF in driving innovation and impact forward for the American public – from strengthening NASA spacecraft control to supporting injured and ill workers through DOL’s Office of Workers’ Compensation Programs.”

Labor’s award from the TMF of $42 million is among the larger investments over the last few years.

Labor’s Office of Workers’ Compensation Programs (OWCP) will use the money to accelerate the replacement of its outdated Integrated Federal Employee Compensation System (iFECS).

Currently iFECS is built on technology from 20 years ago and runs 98 different applications with what it calls “elaborate and archaic workflows,” according to the TMF website. “This adds significant friction to case management which can overwhelm claims examiners, delay processing and interrupt tasks.”

In fiscal 2023, the system provided services to more than 2.5 million workers, with over 200,000 new cases processed.

“This initiative aims to revolutionize services and benefits for injured and ill workers, making processes faster, more efficient, and less prone to cybersecurity, operational, and financial risk,” the release from the TMF Board stated. “TMF has allocated $42 million to support this endeavor and aims to overhaul iFECS by transitioning to a modern, cloud-based architecture and leveraging automation technologies. This shift promises to reduce claim adjudication times, enhance customer interactions and bolster data security, particularly crucial given the sensitive nature of federal employee health records and annual claims.”

Labor’s sixth TMF award since 2018

“IFECS services the entire federal government as the processor of all workers’ compensation claims filed by federal workers,” said Nancy Griswold, the deputy director of OWCP, in the release. “As such, improvements in iFECS that will allow for the faster processing of claims will have an impact not only on the claimants themselves, but also their federal employers, as studies have shown that faster payment of claims results in a faster return to work for many claimants.”

Labor’s first award came in 2018 and the department has won a total of more than $77.3 million from the TMF over the last six years.

NASA’s first award is for $5.8 million that will accelerate cybersecurity and operational upgrades to its network. The board said the money will be used for specific initiatives including automating network management, modernizing legacy infrastructure, standardizing network configurations across all NASA locations and collecting additional telemetry data to align with federal cybersecurity mandates.

“NASA’s IT infrastructure plays a critical role in every aspect of NASA’s mission, from enabling collaboration to controlling spacecraft to processing scientific data. Therefore, protecting and effectively evolving NASA’s information technology infrastructure remains a top agency priority,” said Jeff Seaton, the NASA CIO, in the release. “This TMF funding will help the agency to accelerate critical cybersecurity and operational upgrades two years earlier than originally planned.”

NASA’s inspector general highlighted the space agency’s need for additional attention around cybersecurity in its August report on compliance with the Federal Information Security Modernization Act (FISMA).

Auditors said “NASA’s information security program and practices were not effective” in fiscal 2023. The IG made 27 recommendations across the five functional areas: identify, protect, detect, respond and recover. NASA’s overall maturity came in at 2.48 out of 5 across the core FISMA metrics and 2.86 out of 5 across the 2023 supplemental metrics.

TMF board has less money in 2024

Along with the awards to Labor and NASA in calendar year 2024, the board made three investments in January worth $70 million for modernization projects at the Justice Department, the General Services Administration and the Armed Forces Retirement Home.

The board continues to allocate funding from the $1 billion it received in the American Rescue Plan Act in 2021. Since that appropriation, the board said it has used that funding to invest in now 43 projects.

It’s unclear how much of the $1 billion the TMF received from the American Rescue Plan Act remains. President Joe Biden’s fiscal 2025 budget request shows about $790 million left in the TMF that is unobligated for 2024, but that also includes money awarded to agencies, but not yet sent out the door.

But going forward, the board faces less available funding as the Senate in the 2024 appropriations rescinded $100 million from the ARPA windfall.

Leveraging lessons from the Okta breach to enhance federal cybersecurity
https://federalnewsnetwork.com/commentary/2024/04/leveraging-lessons-from-the-okta-breach-to-enhance-federal-cybersecurity/
Tue, 09 Apr 2024 19:16:35 +0000

The Okta breach provides an opportunity for federal agencies to reassess and strengthen their cybersecurity posture.

As we enter a new year, it’s an opportune moment for federal cybersecurity professionals to reflect on the past and strategize for the future. The realm of cybersecurity, ever-evolving and increasingly complex, demands constant vigilance and analysis of past events. Among these, the October 2023 Okta breach stands out as a significant event from the last year, offering profound insights into the vulnerabilities and dynamics of modern cyber threats. BeyondTrust’s security experts, through their detailed analysis of this breach, have unearthed lessons that are not only invaluable for understanding the incident itself but also for shaping robust cybersecurity strategies.

What follows is a summary of insights that are particularly pertinent for federal agencies, which face a unique set of challenges due to the nature and scale of their digital operations. In this dynamic cybersecurity landscape, learning from such incidents is crucial for adapting and enhancing security measures to protect against the sophisticated threats of the digital age.

The relevance of current cybersecurity policies and regulations to the attack

Federal agencies are bound by stringent cybersecurity regulations, notably Executive Order 14028, “Improving the Nation’s Cybersecurity.” Issued in May 2021, this order mandates agencies to enhance cybersecurity and software supply chain integrity, adopt secure cloud services and zero-trust architecture, and deploy multifactor authentication and encryption within a specific timeframe. These requirements align closely with the vulnerabilities exposed in the Okta breach.

Furthermore, the federal government’s latest identity, credentialing and access management (ICAM) policy, as outlined in the OMB M-19-17 memorandum, sets forth comprehensive guidelines for managing, monitoring and securing access to protected resources. This policy emphasizes identity proofing, establishing enterprise digital identities, and adopting effective authentication and access control processes. These elements are crucial in preventing incidents like the Okta breach, where weaknesses in identity and access management were exploited.

The Okta breach analysis underscores the need for a shift in cybersecurity focus from traditional perimeter defense to identity-centric strategies. This shift is vital for federal agencies whose operations often span multiple networks and cloud environments. Understanding the attacker’s perspective is essential for federal agencies as they prioritize the security of identity management systems and adopt robust privileged access management (PAM) practices.

Key lessons from the Okta breach relevant to federal agencies

  1. Identity is at the core of cybersecurity:

The breach reinforces the concept of identity as the new security perimeter. Federal agencies must ensure that identity management systems are robust and capable of thwarting similar exploits.

  2. The importance of privileged access management:

PAM is essential to protecting sensitive information, assets and systems. Implementing strong PAM solutions is a key step for agencies to safeguard against vulnerabilities. The integration of PAM into federal cybersecurity strategies is not just about mitigating risks; it’s also about enabling secure and efficient operations. By balancing security with operational functionality, PAM solutions help federal agencies maintain a high level of agility and responsiveness, which is essential in today’s fast-paced, digitally driven world.

  3. Agencies need to adapt to evolving cyber threats:

The breach exemplifies the dynamic nature of cyber threats. Federal agencies need to continuously update their cybersecurity strategies by incorporating lessons from incidents like the Okta breach into their protocols, staying informed about emerging threats, and integrating advanced technologies and methodologies, so that those strategies remain effective against increasingly sophisticated attacks. It’s a continuous cycle of assessment, adaptation and enhancement, crucial for maintaining the security and integrity of federal digital infrastructure.

A defense-in-depth approach is critical

As threat actors focus more on exploiting identities, agencies need tools that can help provide visibility and control of identities and privileges, reduce risk, and detect threats. Good, specific policies and internal controls are necessary, but PAM can help provide a defense-in-depth approach, in which multiple layers of controls and identity security monitoring capabilities help prevent the failure of a single control or process from resulting in a breach.

The Okta breach provides an opportunity for federal agencies to reassess and strengthen their cybersecurity posture. By aligning with federal regulations and adopting a proactive approach to identity security, agencies can significantly enhance their defense against sophisticated cyber threats. Implementing lessons learned from such breaches is a critical step in fortifying the digital infrastructure that underpins national security and public service delivery.

Josh Brodbent is regional vice president for public sector solutions engineering at BeyondTrust.

Examining the ecosystem that supports military installations
https://federalnewsnetwork.com/defense-main/2024/04/examining-the-ecosystem-that-supports-military-installations/
Tue, 09 Apr 2024 16:44:45 +0000

Defense installations often have mutually beneficial relationships with the communities that surround them. Communities can be both social and economic.


Defense installations often have mutually beneficial relationships with the communities that surround them. Communities can be both social and economic. They have even got their own group: The Association of Defense Communities. To ask about the top issues facing these communities, the Federal Drive with Tom Temin spoke with the association’s Executive Director, Matt Borron.

Interview Transcript: 

Tom Temin I confess, this is the first time I’ve known about this association, and I thought I knew all the ones in Washington, but there’s plenty out there. What does this association do? What is the goal here?

Matt Borron ADC has been around for about 50 years. We actually got our start back in the day when DoD started closing bases. And this was really before they even had to ask Congress for permission so they could literally padlock the gate and throw the community the key and say, good luck. And they did that, as you know. And even then, when Congress got involved with the Base Realignment and Closure around the 90s and the last one in 2005. But, when they first started this some 50 years ago, some communities where this had happened, where they’d lost their base, they got together and they said, really, what do we do now? How do we recover from losing x thousand amount of jobs kind of overnight? And so for probably the first half of our existence, that’s who we were. We were these communities grappling with economic redevelopment and environmental cleanup and reuse and redevelopment issues, kind of all of that awful stuff. But if you fast forward to today, our membership almost entirely consists of communities that host active military bases. And it’s organizational base membership. So sometimes it’s a city, sometimes it’s a county. A lot of times it could be a chamber of commerce or a standalone defense alliance. But really, it’s whichever organization there at the local level that has come to take the lead when it comes to installation, military advocacy and partnership work.

Tom Temin It seems like local acquisition is important because so much of defense acquisition is done centrally or by the big commands for the local installations, and things get shipped out through various means. But there’s also, I guess, important local contracting that can happen for a base that members try to encourage.

Matt Borron Absolutely. At the end of the day, our members look at their installation through an economic development lens. In most cases, it’s the largest economic engine there, thousands of workers. And the kind of the waterfall effects of where they live and service members and their families live off base. 70% or so. It really is through that lens and our members do everything we can to prop up the defense sector. So whether it’s land use or encroachment mitigation, that’s a lot of workforce development. It’s a lot of infrastructure, roads, utilities, all these things that the base relies on. More recently it’s been quality of life.

Tom Temin What are the top quality of life issues for military members? I mean housing comes up, but that’s a localized issue. What are some of them?

Matt Borron And that’s really kind of the meat of it, is all of these quality of life issues are local and they are all kind of different. Housing, child care, spouse employment is a huge one. Military spouses have some of the highest unemployment in the country. And it’s related to moves and constantly having to find new employers. But you see a lot of things, military child education now. And so, like you said, housing on the list kind of seems to grow every day.

Tom Temin Yes. So can members of the association, the local counties or the states or whoever, again, is surrounding that community? It seems one of the issues that comes up is just simply recognizing a licensed trade from one area and honoring that when the spouse moves with the service member to another state or locale.

Matt Borron Licensure and reciprocity has been a huge issue. And you’re absolutely right. If I’m a teacher, can I have a teacher’s license in one state? Does it apply to the other state? And it goes down. It can be beauticians. It can be lawyers and nurses, you kind of name it. And states have really tried to address that, but it hasn’t been easy. All of these different professions kind of have their own licensure silos, if you will, within their states. So it’s been a lot of coordination. And we have something we call the State Advisors Council. Most states now have an organization at the state level that is responsible for military affairs for work. And so by coordinating that, you’ve seen a lot of states now pass legislation kind of providing that blanket reciprocity for these.

Tom Temin We’re speaking with Matt Borron. He is executive director of the Association of Defense Communities. And you also have a conference annually. And what kinds of things get discussed there? And looks like you have a pretty good lineup of congressional members speaking.

Matt Borron It’s amazing how connected our communities can be to their congressional delegations. Again, installations and military issues are one of the things that could bring us together still in a lot of cases in a bipartisan way. So we do have a good robust caucus on the House and the Senate side. And our national summit next week is really our event and our opportunity to bring all of our communities together and really kind of press Congress and DoD and talk about the issues that are important to us.

Tom Temin Now, [Base Realignment and Closure (BRAC)] as a process seems to be a thing of the past, even though it’s statutorily there in the toolbox. But Congress just never actually gets started anymore. So what do you expect in terms of the line up in the population of bases and installations in the future?

Matt Borron BRAC is a four letter word, and I think it only comes up when you’re talking to a lobbyist. But I don’t foresee a BRAC round anytime in the near future. If anything, our communities aren’t worried about losing their bases any more. They’re worried about growing. How do they attract the next F-35 mission? Or how do they get a piece of Space Force? How can they grow their defense sector at the local level? So the issues that we’ll talk about are creating new authorities by which communities and bases can partner on a full range of issues, whether it’s infrastructure or quality of life. We’ve been very successful in getting some of those programs created within DoD.

Tom Temin And what about the civilian workforce that is in all of these installations? That’s a group of people that tend to stay put relative to the service members on active duty that come and go and the rotation in and out there is probably a whole different set of people every two years or so. What are some of the issues connected to the civilian workforce, which is a little bit more permanent, if you will, in a given spot?

Matt Borron Well, honestly, a lot of times the civilian workforce is that continuity. So these partnerships that are created when, like you said, a base commander comes and goes every 2 or 3 years, who maintains the inter-governmental support agreements, or the sharing of services and facility maintenance costs. And often that’s the civilian workforce. But a lot of times they have kind of specialized needs as well. And communities are really looking at how do they grow with that workforce. What types of workforce development programs can they put in place, not just for adults, but even at the high school level? The state of Arkansas has done a really interesting program at the high school there where they partnered with the base, and they now have a two-semester-long cybersecurity and coding course. They teach at the high school, and it’s taught by uniformed personnel. And these are just the types of programs that, whether you’re in uniform or not, can really help drive partnership at the local level.

Tom Temin Sounds like there’s a lot of idea sharing among members from all over the country.

Matt Borron And that’s really the goal of ADC. At the end of the day, our mission is education and connection.

Federal Plan for improving electronic-health info
https://federalnewsnetwork.com/management/2024/04/federal-plan-for-improving-electronic-health-info/
Tue, 09 Apr 2024 16:22:18 +0000

Following its previous Federal Health IT Strategic Plan, the Health and Human Services Department is looking to continue the effort with its latest plan.


Following its previous Federal Health IT Strategic Plan, the Health and Human Services Department is looking to continue the effort with its latest plan, which covers the next six years. HHS has now opened the plan for public comment. Officials are hoping to continue improving the exchange and availability of electronic health information. They also have some new goals in mind. Federal News Network’s Eric White got the chance to speak to one HHS official, Dustin Charles, policy specialist in the Office of the National Coordinator for Health Information Technology, on the Federal Drive with Tom Temin.

Interview Transcript: 

Eric White Absolutely. So why don’t we just take the 40,000-foot view and hear a little bit about what this new update to the federal health IT strategic plan is, and what it hopes to accomplish.

Dustin Charles Our federal Health I.T. mission is to improve the health and well-being of individuals and communities using technology and health information that is accessible when and where it matters most. We have a vision of a health system that uses health information to engage individuals, to lower health costs, to deliver high quality care and improve individual and population health. So, when we were planning this version of the strategic plan, we really wanted to focus on improving the experience and outcomes for those who use and are impacted by health IT. So, if you look at the plan, you’ll see what we’ve done with the goals is delineate them by the different types of health I.T. users. So, goal one focuses on individuals, populations, and communities; goal two, those involved in health care delivery, including patients, providers, caregivers, public health professionals, and others in the health care sector. Goal three is focused on research and development of health I.T. And finally, goal four addresses that infrastructure needed to achieve the other goals.

Eric White When you say health infrastructure, you know the health IT infrastructure, which seems to be always the biggest bugaboo, right? I mean, it’s because a lot of these places, you know, the hospitals and medical offices weren’t set up for this kind of exchange of information and to be constantly updating their technology. What does that specifically say in this new plan to address that?

Dustin Charles Have we done these plans? So, the earlier plans were really focused on adoption of new technology, particularly getting providers to adopt electronic health record systems. And then, for example, the next plan was really more about the exchange. And the current plan that we’re in is really more about addressing barriers to exchange and ensuring that there is that access that we use to health information. So, with this plan, we are focusing a little bit more broadly outward. We have made major headways in exchange, but there are still some obstacles in the way and there are still some new charging technologies. We want to make sure are addressed in this plan as we move forward in the next six years. So, it’s really taking the progress that we’ve done and then looking at, okay, where are some of the remaining gaps and what are the new things that need to be addressed?

Eric White Yeah. Can we go back to the previous plan? What was some of the progress that you all saw in the implementation of that one? And you know out yourself which ones are you guys most proud of?

Dustin Charles Some of the stuff we’re most proud of is some of the advancements. In exchange, we have what we call the TEFCA. The national exchange framework is definitely one of them. And the other side of the exchange is the FHIR standards, sort of the HL7 FHIR standards that allow providers to have a shared way of communicating electronic health information with one another. We’re also happy to see that a lot of hospitals are particularly APIs. And so not just FHIR APIs, but they have some of their own homegrown APIs and others that they’re using as well. So, we’ve seen significant progress throughout the whole health IT in using a lot of the technology that has been developed, and particularly those promoted through the federal government.

Eric White We’re speaking with Dustin Charles. He’s a policy specialist at the office of the National Coordinator for Health Information Technology, part of the Department of Health and Human Services. And so, let’s go back into the plan itself. You guys coordinated with a plethora of other partners in this activity. Can you tell me a little bit about the roles that some of the other agencies played in the formulation of this new policy?

Dustin Charles One of the things to note: this is a federal health IT strategic plan. So, it doesn’t just cover the strategies for the Department of Health and Human Services, which is what my office is under, but the entire federal government. So, we might, within the plan, cite some federal programs or projects as examples, but we don’t prescribe any specific programs for federal agencies to engage in. Rather, the plan itself serves as a roadmap for federal agencies to help them prioritize their resources, coordinate efforts across agencies, signal priorities to the private sector, as well as benchmark and assess any changes over time. So, we wrote the plan broadly to capture the overall priorities and goals of the federal government in regard to health IT. So some of the things that federal agencies do in health IT beyond just the work that ONC does is regulate, purchase, develop and use health IT to deliver care, improve patient health and provide services the public may funding contribute to health IT development and research at all the different levels of the government and also we also facilitate coordination across public and private sectors. We want to align our standards that we’re promoting with the work that’s being done in the private sector. We want to promote innovation and competition. We want to share best practices. So, because of this, when we get to the final plan, it will be that roadmap that will guide federal agencies, initiatives, and programs over the next six years.

Eric White Gotcha. And this plan is now out for public comment. I’m just curious, who are some of the stakeholders that you all expect to hear from in regard to how the plan will actually be implemented?

Dustin Charles What we really hope to hear from as many different people within the health care industry as we can. Anyone who has an interest in health IT and the role of the federal government. We do expect to hear from health I.T. developers. We expect to hear from hopefully health care organizations as well as we would love to hear from patients and health care providers themselves and kind of get what their insights are, what they would like to see in Health IT. We have public comment until May 28th, so you can access our public comments at healthIT.gov/feedback up until May 28th. And we look forward to getting those comments. We will share them with our colleagues in other federal agencies and coordinate them to develop them.

Eric White I’ll give you my comment now. Can you make it so that I don’t have to fill out the same form seven times every time I visit the officer? Is that out of your purview?

Dustin Charles I think that’s something that I will add to that.

Eric White Fantastic. All right. Well, I’ve submitted my public comment. Now, Dustin Charles is a policy specialist with the office of the National Coordinator for Health Information Technology. Dustin, thank you so much for joining me.

Dustin Charles We do.

Federal Executive Forum Zero Trust Strategies in Government Progress and Best Practices 2024 https://federalnewsnetwork.com/cme-event/federal-executive-forum/federal-executive-forum-zero-trust-strategies-in-government-progress-and-best-practices-2024/ Tue, 09 Apr 2024 15:39:21 +0000 https://federalnewsnetwork.com/?post_type=cme-event&p=4955632 How are strategies evolving to stay ahead of tomorrow's cyber threats?

Zero trust continues to be a crucial piece of cybersecurity initiatives. But how are strategies evolving to stay ahead of tomorrow’s cyber threats?

During this webinar, you will gain the unique perspective of top government cybersecurity experts:

  • Sean Connelly, Federal Zero Trust Technical Architect, Cybersecurity and Infrastructure Security Agency
  • Roy Luongo, CISO, US Secret Service, Department of Homeland Security
  • Louis Eichenbaum, Zero Trust Program Manager, Department of the Interior
  • Chris Roberts, Director, Federal Sales Engineering, Public Sector, Quest Software
  • Steve Faehl, Federal Chief Technology Officer, Microsoft
  • Wes Withrow, Senior Client Executive, Cybersecurity, Verizon
  • Moderator: Luke McCormack, Host of the Federal Executive Forum

Panelists also will share lessons learned, challenges and solutions, and a vision for the future.

Facing cyber attacks, critical infrastructure gets new reporting requirements https://federalnewsnetwork.com/cybersecurity/2024/04/facing-cyber-attacks-critical-infrastructure-gets-new-reporting-requirements/ https://federalnewsnetwork.com/cybersecurity/2024/04/facing-cyber-attacks-critical-infrastructure-gets-new-reporting-requirements/#respond Tue, 09 Apr 2024 15:02:16 +0000 https://federalnewsnetwork.com/?p=4955573 A newly proposed rule by CISA, tasks those operating in critical infrastructure sectors to report cyber incidents within 72 hours.

A newly proposed rule by the Cybersecurity and Infrastructure Security Agency tasks those operating in critical infrastructure sectors to report cyber incidents within 72 hours and to report ransom payments within 24 hours of making a payment. These new requirements would significantly lengthen the to-do list of these entities. For analysis on what the impact could be, Federal News Network’s Eric White spoke to Beth Waller, principal at the law firm Woods Rogers Vandeventer Black, on the Federal Drive with Tom Temin.

Interview Transcript: 

Eric White So 1,000 foot view. What are the major changes here and what is going to be the impact on these critical sector entities?

Beth Waller I think 40,000 foot view. Everyone was expecting the director of CISA to come out with these proposed rules. The big earth shattering component of it is really the definition of covered entity who falls within the orbit of needing to report. And so really, the proposed rule really kind of breaks it into two different sections. We have really those who have to report based on their size, how large they are, and those that have to report based on their sector. I think most folks who are watching for this proposed rule were really expecting the sector side of the house. We weren’t really expecting the size side of the house. And so from a 40,000 foot view, I would say that most businesses and entities might be surprised to find out that they are covered by these new reporting requirements as proposed.

Eric White Yeah. Is there anything in place to notify a company that, hey, by the way, this new rule, it applies to you.

Beth Waller I really think that CISA is going to need to do a good job of educating the public to let them know that, hey, you may fall within this, because again, when we look at the proposed definition of covered entity, for example, when it talks about size, it refers to an entity that exceeds the small business size standards specified by the applicable North American Industry Classification System Code and the US Small Business Administration Small Business Size regulations.

Eric White I read those yesterday.

Beth Waller That’s right. So if you look at those, as I think many of us did, went with bated breath to see, well, wait a minute. What does this mean? We start to see that, well, it really means anybody who has more than 500 employees in certain sectors, and with average annual receipts over 7.5 million, would qualify as somebody who would be needing to report. Now, there are certain exceptions by industry under the SBA regulations. But I think that really what is surprising for me, as somebody who really focuses in on critical infrastructure incident response, says, now we’re going to be really looking at those SBA requirements and doing that math in the midst of an incident. And what I can’t really emphasize enough is the fact that we need to remember that this isn’t sitting at home twiddling your thumbs or the quiet of a Tuesday morning or whatever the case may be. You’re in the midst of a ransomware incident and your organization is down and you’ve been essentially taken hostage. And what you’re trying to do is within those first 72 hours, do this math and start figuring out, do I qualify, do I need to report? And so the proposed rule really focuses in on that size. Are we big enough to have to report and then the sector. And then of course sector, size doesn’t matter. It really is whether you fall within these different buckets. And the buckets are what you would somewhat expect. Nuclear reactors, energy, things like that. But then there are some areas that you might not expect, for example, in the health care and public health sector, for example, the proposed rule says that those that operate a hospital with 100 or more beds or are critical access hospitals. Well guess what, you’re dragged into that dragnet. So if I’m a small hospital in a rural location, I might not have 100 beds, but I might be considered critical access, and I would therefore be obligated to report a ransomware incident within 72 hours of finding it out.

Beth Waller Similarly, you have information technology, any entity that provides IT software, hardware, system or services to the federal government. So if you’re a teeny tiny software company, but you provide or have a contract with the federal government, well guess what, you’re grabbed into this. Similarly, if you are considered an original equipment manufacturer or a vendor or integrator of OT hardware, that’s operational technology, hardware or software, or those that perform functions related to DNS operations, guess what? You’re grabbed in. So again, you have some things that are kind of what you would expect: chemical facilities, water, wastewater treatment systems, transportation systems. But then you have some unusual things including communications. So for example, wire radio communication services. So if FNN had an incident, you’d be doing that kind of analysis as to whether or not you needed to report within 72 hours as well. The other little tidbit I would say is that it’s not cut and dry the way the proposed rule is set up. I really think of it like it’s going to be a flow chart or a choose your own adventure type situation, because even with water and wastewater systems, for example, it breaks it down to say, is it a community water system? Publicly owned treatment works that serve more than 3,300 people? Well, that’s a random number to be trying to remember in the middle of an incident response do I qualify? Do I not qualify? Similarly with education. You’re looking at populations of 50,000 or more. We’re in the education sector. More than a thousand students. Or any institute of higher education that receives funding under title nine. And then finally, folks like the defense industrial base sector. Many of those folks, again, many of my clients in that space are very used to doing reporting to the DoD. Well guess what, that doesn’t necessarily get us out of jail free. We may also be having to do the same kind of report to CISA. 
And so those are the big kind of surprises in some ways, is that the sector really start getting into a lot of nuance and detail. And then of course, that size component. And again, if you qualify under one bucket, you’re just in. So if you got more than 500 employees and you’re in the manufacturing space, it doesn’t matter that you’re in the defense industrial base sector, you’re going to be in regardless. And so I think that a lot of folks are going to be gobbled up by this, because CISA wants as much information as possible to start really looking at these trends nationally of the types of incidents that we as a nation are facing.

Eric White We’re speaking with Beth Waller, who is a cybersecurity attorney at Woods Rogers Vandeventer Black. And so it’s the people on that one end of the spectrum that the smaller entities that you mentioned. How big of a burden is this actually going to be on them? I imagine that for the bigger folks that are used to this, they’ve got maybe a whole team that’s assigned just to making sure they’re compliant. But there are probably some folks in rural hospitals who have never even heard of this process.

Beth Waller That’s right. And I really think that for those of us, again, I’m a cybersecurity data privacy attorney. And what I do is respond to these types of incidents and get signed in to these types of incidents. I think it’s going to really fall a lot on the legal profession to try to educate folks. Those of us that are called in to do breach response work, number one. But I would also say, I would argue that it’s not just onerous on the small businesses. It’s going to be really a huge task for the big businesses. And I would say that because the report itself is very detailed, it’s more detailed than the report that I would be giving, for example, if I was just in the defense industrial sector under the DFARS 7012, filing on the DIBNet, those types of things. We’re used to doing that in this space. The report to CISA requires us to identify the covered entity. So the entity making the report. But in order to do that, what CISA is proposing is that I need to know the state of incorporation, trade names, legal names, the DUNS number, tax ID, the EPA numbers, all this kind of stuff. Again, I go back to, think about what we’re in the midst of. We’re in the midst of a ransomware incident, highly unlikely that I have access to my work device. And so those first 72 hours, I can guarantee you you’re not getting access to a device that’s from your company. So you’re going to need to be able to pull this information together rapidly. It’s one thing if I’m a smaller defense contractor or a smaller contractor, to be able to know my state of incorporation. It’s another thing if I’m a mega corporation and I’ve made up a bunch of different LLCs or a bunch of different entities, or I have trade names, those types of issues. Pulling that kind of information together can be very challenging. And so I would argue that it’s going to be a burden to almost any entity that is going to be reporting to try to pull these things together.

Beth Waller In addition to that, the type of information about the incident that CISA is requesting, again, from somebody who has experienced an incident response, what they want to know within the first 72 hours is pretty broad. So, for example, they want a description of the covered incident with identification of affected information systems, including the physical locations of the impacted systems, networks and or devices. If I am a mega company, for example, and I have, 50,000 employees across the United States talking about the physical location of those impacted systems or networks. If I’m a manufacturer, it could be quite challenging in the midst of that first 72 hours, keeping in mind that the people who are needing to answer this are also potentially two people trying to come back online, getting things together, managing the incident response team. In addition to that, they want to know things like IOCs, which in the industry is indicators of compromise. They want to know the bad guys. What’s the telephone number, the IP address that they called from. They want to copy the malicious code and they want to know, for example, if you’re paying the ransom, which is another separate reporting requirement, they want to know exactly what your instructions were for payment of the ransom and things like that. I will say the good news is, thankfully there’s going to be a dropdown box for unknown at this time type answers given that this is the first 72 hours, but there is a requirement for supplemental reporting, and that supplemental reporting requires a report to be given every time there’s substantially new or different information becoming available. Again, if I’m in the midst of this incident, that is a very hefty burden to be thinking about.

Eric White Yeah, obviously this would be a substantial task order for, as you mentioned, somebody going through a cyber incident like this. But coming from CISA’s standpoint, this is pretty important information. A lot of people’s lives rely on these companies and obviously the critical infrastructure sector that runs the country basically. So, coming from them, why is this information so critical for an agency like CISA in the fight in ensuring that a lot of our big companies and critical infrastructure sectors are cyber secure.

Beth Waller Well, I think that what it does, it does create this dragnet of information to be able to really look at our adversaries and to be able to say, okay. Because a lot of times in the ransomware world, they have almost nonsense names. You’ve got LockBit, ALPHV/BlackCat. You’ve got all royal, you’ve got, you know, all the different types of ransomware that are out there. And I tell folks, it’s kind of like they’re gangs, like off of The Sopranos or The Godfather movies. They’re just cyber gangs. And so being able to track the information of being able to say, okay, well, this is associated with this nation state or it’s not is really incredibly important to CISA. And again, as someone who is a federal partner in the midst of these incidents, because I do critical infrastructure incident reporting. So again, when you’re representing a state agency or a local government, you are already acting as a partner to your federal partners and providing information. So I think that there are big benefits to working with CISA and currently reporting to CISA as we do. But I think that with regards to the kind of nuances that are being asked for in this reporting, it’s going to create a lot of headaches. And keep in mind, many of these businesses are folks that are operating under multiple regimes. So for example, the financial sector is one of these that is considered critical infrastructure here. Well, if you’re already a bank, you’re reporting to the office of the Comptroller of the Treasury at the same time or reporting to CISA. If you are, for example, a manufacturer that is global, as many of our manufacturing Fortune 500 may be, you are also dealing with the laws in Europe. So GDPR-related laws, you’re also probably publicly traded. And so now you have the new Securities Exchange Commission rules and regulations about getting a notice out to your shareholders within four days of determining materiality.
It’s really a very complex arena that CISA is coming into already from a regulatory standpoint.

Beth Waller I will say that the proposed rule says if CISA has an information sharing agreement in place with one of these other agencies that was receiving the report, that is potentially a get out of jail for a duplicate report filing, but it’s unclear at this time where CISA has that information sharing already. And I think that puts a lot of burden on the victim to try to figure that out. So hopefully Department of Defense, for example, creates an information sharing system with CISA where if you’re already again reporting to the DIBNet and going through that side of the process, you wouldn’t have to necessarily do it again here. Again, those clocks also start not on a Tuesday morning at 9:00 a.m. They often start at 1:00 a.m. on Saturday morning whenever that network engineer figures this out. So a lot of times the folks that would be filling this out are not necessarily aware of it until, let’s say, 36 hours into an incident, depending on how large the organization is. So my argument would be to many businesses, look at your incident response plan. If these proposed rules come in to a final rule in the same manner that they’re currently looking at like right now, we’re going to want to make sure your incident response plan has a lot of this information gathered already, because, for example, maybe you could create something offline that says, this is our state of incorporation, those types of things, so you’ve got that at the ready. Because again, keep in mind, most of the time we’re dealing with something like ransomware where the entire network is encrypted. So how are we going to get at this information even if we wanted to, unless you just know it?

The post Facing cyber attacks, critical infrastructure gets new reporting requirements first appeared on Federal News Network.

Oregon Senator fed up with data breaches, blasts Big Tech, demands mandatory standards
https://federalnewsnetwork.com/federal-newscast/2024/04/oregon-senator-fed-up-with-data-breaches-blasts-big-tech-demands-mandatory-standards/
Tue, 09 Apr 2024 14:44:48 +0000
Sen. Ron Wyden (D-Ore) cites a Cyber Safety Review Board report that blames Microsoft's inadequate cybersecurity culture.

The post Oregon Senator fed up with data breaches, blasts Big Tech, demands mandatory standards first appeared on Federal News Network.

  • After a scorching report, one Senator wants to see the federal government overhaul its cybersecurity practices. Sen. Ron Wyden (D-Ore) on Monday released draft legislation to set minimum federal cyber standards for collaboration technologies, like Slack and Teams. Under the bill, the National Institute of Standards and Technology would establish interoperable standards for those technologies. The legislation would also require the use of end-to-end encryption. The bill comes after a Cyber Safety Review Board report blamed Microsoft's inadequate cybersecurity culture for multiple federal hacks. Wyden argued that interoperable standards would reduce the federal government's reliance on Microsoft.
  • Radha Plumb has officially assumed the role of the Defense Department’s Chief Digital and Artificial Intelligence Officer. Prior to her new role, Plumb served as the deputy under secretary of Defense for acquisition and sustainment. Deborah Rosenblum, the assistant secretary of Defense for nuclear, chemical and biological defense programs will take over Plumb’s previous role starting April 8. Plumb will replace Craig Martell, who became the Pentagon’s first permanent chief digital and artificial intelligence officer in 2022.
    (Plumb officially assumes CDAO role - Defense Department )
  • Underutilized federal buildings could turn into affordable housing if a House bill makes it through Congress. The Government Facilities to Affordable Housing Conversion Act would require agencies to identify vacant and underutilized buildings that would be suitable for converting into residential use. The bill provides funding to study the effectiveness of converting office space into housing and also creates a grant program for state and local governments to undergo these conversion efforts. Reps. Adam Schiff (D-Calif.) and Jimmy Gomez (D-Calif.) are leading the bill.
  • Some new recommendations aim to kick-start federal shared services. In the five years since the Office of Management and Budget relaunched the federal shared services initiative, experts said progress has languished. The Shared Services Leadership Coalition (SSLC) said in a new report that agencies have not achieved any of the goals outlined in the 2019 memo and federal shared services remain resource starved. The good-government group outlined four legislative and regulatory policy recommendations to get agencies moving in the right direction. SSLC's recommendations include mandating shared services as a required business blueprint and creating a new Senate-confirmed position called, "The Commissioner of Government Operations" at the General Services Administration.
  • The Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) is reminding employees of their whistleblower rights after being called out by a lawmaker. Sen. Chuck Grassley (R-Iowa) said an ATF memo, issued late last fall, chilled lawful whistleblowing. It warned employees against disclosing unclassified information without prior authorization. But it contained no references to lawful disclosures to Congress or federal watchdogs. After Grassley pressed the agency on the memo earlier this year, ATF recently issued an update with repeated references to the Whistleblower Protection Act and other disclosure rights.
  • Over the next five years, the General Services Administration (GSA) will eliminate the use of PFAS, known as "forever chemicals," in the cleaning of federal buildings. GSA is requiring government contractors to purchase cleaning products that are free of the toxic chemicals. Instead, contractors will be required to use alternative products, certified to ecolabels such as EPA’s Safer Choice and certain Green Seal® certifications. GSA’s Public Building Service has more than 600 contracts for custodial services at more than 1,500 government-owned buildings at a cost of more than $400 million per year. GSA expects that most of these contracts will include the new and safer specifications within five years.
  • James Lee, who led the IRS-Criminal Investigations office for the last three years and served 29 years in the federal government, retired on March 31. He has joined Chainalysis as its global head of capacity building. Lee said his initial focus will be helping international law enforcement agencies develop solutions against cryptocurrency-based crime. During his time at the IRS, Lee led IRS and federal law enforcement efforts to shut down Hydra, the world’s largest darknet market. He also conducted the largest crypto-seizure connected to terrorism financing and rescued 23 children and arrested 337 child abusers around the globe after taking down Welcome to Video, the world's largest distributor of child sexual abuse material.
  • The office of the Air Force chief information officer just got a new director of the enterprise information technology directorate. Keith Hardiman will oversee the management, planning, governance and resource allocation for the department's information and cyber enterprise, which has a budget of nearly $7 billion. Prior to his new role, Hardiman served as the director of the Air Force's information management and chief information office, where he led the Air Force's declassification and publications distribution offices.
  • Leaders of the Senate Veterans Affairs Committee are pushing for a higher cost-of-living increase for veterans and their surviving family members. The higher COLA would impact disability payments, clothing allowances, and compensation for surviving spouses and children of veterans. The cost-of-living adjustment would be determined by the annual COLA adjustment set by the Social Security Administration, and would go into effect December 1, 2024. Committee Chairman Jon Tester (D-Mont.) and Ranking Member Jerry Moran (R-Kan.) are leading the bill.

The post Oregon Senator fed up with data breaches, blasts Big Tech, demands mandatory standards first appeared on Federal News Network.

With ‘spying bosses’ on the rise, where do federal agencies stand on employee monitoring?
https://federalnewsnetwork.com/federal-report/2024/04/with-spying-bosses-on-the-rise-where-do-federal-agencies-stand-on-employee-monitoring/
Mon, 08 Apr 2024 22:34:33 +0000
One federal office has turned to employee monitoring technology in recent years, and it's led to a major rift between workers and management.

The post With ‘spying bosses’ on the rise, where do federal agencies stand on employee monitoring? first appeared on Federal News Network.


Earlier this spring, several House lawmakers introduced a new bill to address a burgeoning post-pandemic trend: the use of employee monitoring technologies.

The “Stop Spying Bosses Act” would create new rules around the use of worker surveillance technologies. It would also establish a new division at the Labor Department to regulate workplace surveillance.

The legislation comes in response to an explosion in the use of everything from video surveillance to keylogging software to keep tabs on employees. A 2023 survey of 1,000 companies with remote or hybrid workforces found the vast majority use some form of employee monitoring. There’s even a new term for tech that enables this kind of continuous activity tracking: “bossware.”

As the country’s largest employer, where does the federal government stand? To date, there’s little evidence that federal agencies and their managers are taking up the more intrusive employee monitoring practices being embraced in the private sector.

But the unions that represent feds are also guarding against the potential as the technology evolves. National Federation of Federal Employees Executive Director Steve Lenkart said the issue is intertwined with the evolution of telework.

“As our technology improves, and we have more capabilities for people not to be in a centralized place, we’re going to have to invest in technologies that make it easier for that employee to function,” Lenkart said in an interview. “And there’s always going to be questions of supervision. And then it leads to questions of surveillance.”

SSA watchdog monitors employee computers

There is at least one instance where federal employees working remotely have had their computers monitored for performance.

In 2021, employees at the Social Security Administration’s Office of the Inspector General were subject to a survey of computer logs and telephone records to measure time online. Some employees were subject to disciplinary action or terminated.

While the Federal Law Enforcement Officers Association (FLEOA), which represents more than 90% of SSA OIG agents, pushed back on that practice, SSA Inspector General Gale Ennis argued it was necessary “as stewards of taxpayer dollars, to hold employees accountable, when appropriate.”

“Failing to do so would be detrimental to public service, the OIG mission, and the morale of the many employees who go above and beyond in their contributions every day,” Ennis wrote in a September 2021 letter to the union.

Later that month, the FLEOA took a vote in which 98% of responding employees said they had “no confidence” in Ennis’s leadership. The use of computer logs for employee monitoring was among the issues cited by the union in its statement on the vote.

More than two years later, an FLEOA spokeswoman said the issue around the computer monitoring has yet to be resolved. “To our knowledge, the data analytics from employee monitoring are not being used for disciplinary actions as they were before, but they could be using it for other reasons,” the spokeswoman told Federal News Network.

In a statement for this story, FLEOA President Mat Silverman said SSA OIG employees were terminated “based on computer logs often without any corroborating or mitigating evidence from an employee’s immediate supervisor, raising serious doubts about the legitimacy of the terminations.”

“As agencies become increasingly skeptical about the benefits of remote work, we do fear the trend of remote monitoring will continue; however, we hope the strong criticism, high attrition, and decreased morale SSA OIG experienced will send a strong message to other agencies that this is neither an effective nor appropriate workplace policy,” Silverman said. “Ultimately, a workplace is successful when there is mutual trust, transparency, and confidence between employees and their leadership. Conversely, remote monitoring is demeaning to employees and undermines these important workplace values.”

In response to questions about the use of computer monitoring, an SSA OIG spokeswoman said, “Social Security Administration Office of the Inspector General supervisors measure productivity and performance of their employees using performance plans.”

‘No rulebook’ on employee monitoring

As the telework era continues to evolve, Lenkart said it will take time to strike the balance between supervision and surveillance.

“I think there’s going to be a little bit of operational uncomfortableness,” he said. “If you don’t trust your employee enough where you have to watch them minute-by-minute, then that’s probably not a good candidate to be working home or the supervisor has trust issues that need to be addressed. There’s no rulebook written on this yet.”

While workplace collaboration technologies, like Microsoft Teams and Zoom, are key to remote work, some unions are keeping a close eye on how those technologies are used by management. The National Treasury Employees Union, for instance, said it “opposes the use of technology for anything other than its intended purpose.”

In a statement, NTEU National President Doreen Greenwald said the union negotiates language in contracts that any “new or upgraded workplace technology cannot be used to track and monitor employees, measure productivity or replace existing official methods for tracking time and attendance.”

“For example, monitoring an employee’s colored-dot status on Microsoft Teams is not an indicator of productivity or attendance, and we would enforce our contracts to contest agency managers trying to use it as the basis of discipline or an adverse action against an employee,” Greenwald continued.

On its “Telework FAQ” page, the Office of Personnel Management encourages supervisors to focus on what an employee is accomplishing, rather than what it “looks like” an individual is doing.

“By focusing on the work product instead of the work activity, many supervisors find they are better able to communicate clear expectations to their employees,” OPM writes. “The resulting agreement on job expectations often leads to increases in employee productivity and job satisfaction.”

OPM did not respond to questions about the potential use of employee monitoring technology within the federal government.

In a 2021 blog, the Government Accountability Office underlined how first-line supervisors are key to reporting whether they think an employee is abusing time and attendance requirements. While agencies are increasingly using automated timekeeping systems and other internal controls to detect misconduct, managers are “still the most important internal control for managing time and attendance,” GAO wrote.

That’s a sentiment Lenkart reiterated in highlighting the disparate nature of many federal jobs and the difficulty of measuring performance from time spent on a computer.

“In the end, it’s always going to come back to the local supervisor to determine whether you have a good employee or not,” he said.

 

Nearly Useless Factoid

By: Derace Lauderdale

Close to 80% of employers use monitoring software to track employee performance and online activity.

Source: CNBC

Pentagon report card for dealing with vaccine refuseniks
https://federalnewsnetwork.com/defense-main/2024/04/pentagon-report-card-for-dealing-with-vaccine-refuseniks/
Mon, 08 Apr 2024 16:01:02 +0000

Now we know how well the armed services did in processing the exemptions and the discharges of service members from the armed services.


It seems like long ago. Thousands of active duty service members applied for religious exemptions from COVID vaccines. Now we know how well the armed services did in processing the exemptions and the discharges of service members from the armed services. For details, the Federal Drive with Tom Temin talked to Project Manager Marie Godwin in the Defense Department’s Office of Inspector General.

Interview Transcript: 

Marie Godwin We wanted to ensure that service members were treated fairly, and that their exemption requests and discharges were processed in accordance with the law and DoD regulations. And we also received a number of hotline complaints alleging that the military services were improperly processing religious accommodation requests. So we wanted to review that process and determine if those allegations had any merit. So specifically, the complaints were alleging that the military services were processing the requests too quickly and not performing individualized review of the requests as required by the law and DoD policy. But in the end, we found the allegations did not jibe with our findings, and our report confirms that those allegations were, in fact, unfounded.

Tom Temin All right. Do the requirements on the DoD specify a timeline or a period of time in which they have to decide these? Usually the problem is the government gets backlogs of things. In this case they were processing them. It sounds like efficiently.

Marie Godwin Yes, the DoD does establish time requirements, and the time requirement depends on if the service requires a waiver of policy for that religious accommodation request or not. So for the Army, Marine Corps and Navy, they had 90 days to process the requests. The Air Force had 30 days to process the requests because they had a decentralized decision process that did not require a waiver of policy.

Tom Temin You didn’t look then at whether the discharges or the exemptions were correct or not. It was just simply looking at whether they were processed in a way that was in accordance with their policy for processing them.

Marie Godwin That’s correct.

Tom Temin All right. Let’s go into that a little bit further. You said the Army, Navy, Marine Corps had a 90-day policy and the Air Force 30 days, maybe a little bit more detail on why that was the case, that variance.

Marie Godwin Sure. That’s just an overarching DoD policy that establishes the time requirements. And the DoD policy says that if the religious accommodation request requires a waiver of department policy, then it can be processed within 90 days. And I think the thought behind that is that it takes longer to process that through a central decision authority. If the request does not require a waiver of policy, as is the case with the Air Force, then the time requirement for that processing is only 30 days.

Tom Temin In what’s involved in processing that even takes 30 days?

Marie Godwin Sure. There’s a number of things that happen in the process, and it differs by military service. But generally, the service member submits a request. They have recommendations from their chain of command. They meet with a military chaplain to discuss their request. There’s also medical subject matter expert recommendations, and all these are processed up through the decision authority to consider.

Tom Temin Right. And just to clarify once more. You didn’t look at the quality of the decisions versus, yeah, you can stay or you’re discharged. But again, just whether they were processed in the proper manner.

Marie Godwin Right. So we looked at did they have all of the required recommendations? And was the proper decision authority deciding on their request?

Tom Temin We’re speaking with Marie Godwin. She’s a project manager in the Inspector General’s Office at the Defense Department. So generally, everything went according to each armed service’s policy for getting those things processed. Any exceptions or any outlying issues that you discovered?

Marie Godwin So for religious accommodation requests, we found that the Army and Air Force were taking much longer to process the exemptions than the DoD time requirements. So the Army, as we said before, had 90 days to process those requests, and they were averaging about 192 days to process the requests. The Air Force had 30 days to process those requests, and they were averaging about 168 days.

Tom Temin Yikes. And do we know why it took so long to do those?

Marie Godwin Well, we spoke with the military personnel involved in processing religious accommodation requests, and they told us that in a typical year, they only receive 3 or 4 requests for religious accommodation. So they were just overwhelmed by the sheer number of the requests.

Tom Temin And could be that the religious exemption has maybe more subtle decision making that’s required. It’s hard to tell, that sounds like a tough one. Maybe they’re afraid to make the call in some cases.

Marie Godwin Well, I think they just wanted to take the time to make the correct decision and make sure that it was an informed decision.

Tom Temin All right. So what recommendations do you have then? Sounds like they would be centering around the religious exemption request because that’s what caused the outlying cases.

Marie Godwin So we had three recommendations. We had one for religious accommodation requests, one for medical and administrative exemptions and one for discharges. So for religious accommodation requests, we recommended that the DoD issue new guidance for periods of high-volume requests to decrease processing times. Military personnel told us that they only receive a few requests per year, and under those conditions, the existing policies were sufficient, but not in periods of high-volume requests. So this recommendation aims to improve the processing time so that service members are not significantly impacted while they’re awaiting a decision.

Tom Temin All right. And what about for the medical and administrative? Recommendations there?

Marie Godwin Sure. We recommended that the DoD require personnel to document exemption approvals in service members’ personnel records. We had found that they weren’t always being documented in their records, so we anticipate that requirement will reduce the risk of errors and ensure that the service member’s vaccination status is accurate in the medical readiness systems.

Tom Temin And for the discharge petitions. That means that people want to be released from the military rather than have the vaccine. That’s what that particular application is.

Marie Godwin Correct. So we recommended that the DoD require uniform discharge types and reentry codes for all service members who were discharged for vaccination refusal. And we made that recommendation because if the DoD does not issue uniform discharge types and reentry codes, then service members will experience different impacts to their educational benefits and eligibility to re-enlist.

Tom Temin I was going to say reentry codes. Does that mean that there’s like a revolving door over vaccinations? You can be discharged and then come back?

Marie Godwin Well, when a service member leaves military service, they’re issued a certificate of release from active duty service. And that lists your discharge type and your reentry code. And the reentry code just indicates a service member’s eligibility to re-enlist in the service later. So we found that some service members received reentry codes that required them to obtain a waiver to re-enlist, while other service members received codes that banned re-enlistment altogether.

Tom Temin Got it. And so the recommendation there was, or did you have any for that particular class of application?

Marie Godwin So we recommended that they have uniform discharge types and uniform reentry codes.

Tom Temin Got it. And did the department say, yeah, we agree?

Marie Godwin They actually did not agree with that recommendation. But they provided another plan to address the recommendation. So once they provide that plan to us, we’ll reevaluate the recommendation.

Tom Temin This is more than history then. Because should another type of pandemic happen in the country, or we have another one of these situations where mass vaccinations become the general mode of the land, this could come up again.

Marie Godwin You’re absolutely right. And so DoD allows service members to request medical or administrative exemptions from any vaccination, not just COVID-19.

Tom Temin It could be measles, mumps or polio for that matter.

Marie Godwin Right. The military services have a list of ten or so required vaccinations for all service members.

Feds in fatigues, too fatigued to properly do their jobs, GAO says
https://federalnewsnetwork.com/federal-newscast/2024/04/feds-in-fatigues-too-fatigued-to-properly-do-their-jobs-gao-says/
Mon, 08 Apr 2024 14:30:48 +0000

The watchdog group found that military personnel consistently get less than six hours of sleep each night, which could compromise safety.

  • Service members are apparently not getting enough sleep each night to properly do their jobs. A watchdog organization found that service members are consistently getting less than 6 hours of sleep. Military personnel say they fall asleep on the job, which the Government Accountability Office said creates serious safety concerns. The GAO wants the Pentagon to conduct an assessment of DoD's oversight structure for fatigue-related efforts. And the Defense Department recommended that troops get seven hours of sleep each night.
  • Attention vendors who provide grants services to the government: this RFI's for you. The Grants Quality Service Management Office (QSMO) is ready to expand its marketplace of service providers. But first, it is taking the pulse of the vendor community to gauge the capabilities of the sector. The QSMO's new Request for Information (RFI) is asking vendors for details about their grants management system, including whether it is set up as a software-as-a-service, whether it integrates with SAM.gov and login.gov and whether it is highly configurable and does not require code changes. Responses to the RFI are due by April 30.
  • Agencies have likely escaped budget cuts due to sequestration for another year. The Congressional Budget Office (CBO) analyzed the fiscal 2024 spending bills and estimated that the discretionary budget authority for defense and non-defense agencies falls under the caps established in the Fiscal Responsibility Act of 2023. CBO, however, said the final decision about whether cuts are needed under sequestration will come from the Office of Management and Budget (OMB), based on its own estimates of federal spending. OMB told Congress in August it did not think sequestration cuts would be necessary based on current estimates, but it will send another letter to Congress later this year with the final decision.
  • There is a new artificial intelligence chief at the top U.S. spy agency. John Beieler has been named the chief AI officer at the Office of the Director of National Intelligence. He also serves as the top science and technology adviser to Director of National Intelligence Avril Haines. Beieler now leads a council of chief AI officers across the 18 components of the intelligence community. One of the first tasks for that group is developing an AI directive for the IC. Beieler said it will cover everything from data standards to civil liberties and privacy protections.
  • The Postal Service may soon ask for its sixth rate increase since November 2020, which would go into effect this summer. But the Postal Regulatory Commission is taking a closer look at whether this new pricing model is actually helping USPS improve its long-term finances. The regulator is asking for public feedback on whether the current pricing model is working for USPS and its customers and, if not, what modifications to the ratemaking system should be made or what alternative system should be adopted. The regulator will accept comments through July 9.
  • The Cybersecurity and Infrastructure Security Agency (CISA) is preparing to host its biggest biannual cybersecurity exercise. Dubbed “Cyber Storm,” the event will kick off this month with more than 2,000 participants from government and industry. The weeklong exercise simulates the response to a cyber attack on multiple critical infrastructure sectors. This year’s Cyber Storm comes as CISA rewrites the national plan for responding to major cyber incidents. CISA expects to release the updated plan by the end of 2024.
  • The IRS is looking to take the next steps in its most ambitious project under the Inflation Reduction Act. The IRS is letting taxpayers in 12 states test out its “Direct File” platform this filing season, as it gets feedback from earlier users, in the hopes of scaling up the pilot program. In a roundtable discussion with Direct File users, the IRS said all participants said they would recommend Direct File to eligible friends and family. Roundtable participants included college students, military veterans, as well as nonprofit and government employees.
  • The Air Force wants to bypass governors in seven states and transfer the National Guard space units to the Space Force. Air Force officials are calling for legislation to bypass existing law requiring them to obtain a governor’s consent before making changes to a National Guard unit. It would allow the service to transfer 14 Air National Guard space units located in New York, Florida, Hawaii, Colorado, Alaska, California and Ohio and make them part of the Space Force. Not surprisingly, the idea is facing criticism from governors.
