Federal News Network (https://federalnewsnetwork.com): Helping feds meet their mission.

Lawmakers push skills-based hiring for federal contractors
https://federalnewsnetwork.com/hiring-retention/2024/04/lawmakers-push-skills-based-hiring-for-federal-contractors/
Wed, 10 Apr 2024 22:13:28 +0000

The bipartisan ACCESS Act, if enacted, would remove college degree requirements from jobs in the federal contracting space.

The post Lawmakers push skills-based hiring for federal contractors first appeared on Federal News Network.

As agencies have been gradually shifting toward skills-based hiring, a pair of lawmakers is seeking to expand that effort to another group: federal contractors.

Trying to take skills-based hiring a step further, Reps. Nancy Mace (R-S.C.) and Raja Krishnamoorthi (D-Ill.) introduced the bipartisan ACCESS Act Tuesday. If enacted, the legislation would remove college degree requirements from jobs in the federal contracting space.

The concept of prioritizing hands-on skills over educational background for job candidates is not new. Beginning in the Trump administration, and now continuing through the Biden administration, skills-based hiring efforts for the federal workforce have remained a priority for agencies as they recruit for federal jobs.

An executive order from the Trump administration initially urged agencies to focus on skills over education. After the Biden administration upheld the order, the Office of Personnel Management issued guidance to agencies on how to implement it.

Despite the continued emphasis, a spokesperson for Mace said the pace of skills-based hiring efforts remains unclear.

“This bill is meant to accelerate those efforts,” the spokesperson said in an email to Federal News Network. “The Biden administration maintained [the Trump administration’s] executive order, though it’s unclear how effectively they are implementing it.”

Currently, cybersecurity, human resources and acquisition remain the three major governmentwide, mission-critical skills gaps, OPM has said. Many experts, however, view skills-based hiring as one way to help address these gaps.

Now, the ACCESS Act seeks to stretch that concept to encompass personnel working on federal contracts, in addition to the federal workforce overall. Specifically, the legislation would bar contract solicitations from including minimum experience or educational requirements for the proposed contractor personnel.

Contracting officers, however, could still include degree requirements in some cases, but only if they include a written justification explaining why personnel with college degrees would be necessary for the specific solicitation.

Additionally, under the ACCESS Act, the Office of Management and Budget would be required to give agencies implementation guidance and help them establish the new requirements within 180 days of the bill’s enactment.

“We believe in empowering talent over credentials, and the ACCESS Act embodies this principle. By removing unnecessary degree barriers, we’re not just opening doors, but unlocking a wealth of untapped potential,” Mace said in a statement. “It’s about recognizing skills, not just diplomas, and ensuring that everyone, regardless of their educational background, has a fair shot at contributing to our nation’s workforce and innovation landscape.”

Skills-based hiring has become a priority in large part due to long-standing skills gaps in the federal workforce. Skills gaps appear when agencies don’t have the right skills on board, or don’t have enough employees in the first place.

In turn, skills gaps can create persistent challenges for agencies and their programs. In fact, more than half of the areas on the Government Accountability Office’s 2023 High-Risk List stem from issues related to mission-critical skills gaps. Strategic human capital management, or the ability for agencies to address mission-critical skills gaps, has remained on GAO’s list since 2001.

OPM has pointed to several promising practices from agencies as they work to increase their use of skills-based hiring.

For instance, the Interior Department reported that 74% of its job announcements use an additional assessment for candidates beyond the typical self-assessment questionnaire. Self-assessments often lead to inaccurate self-ratings, unwieldy applicant pools and large numbers of unqualified applicants, OPM said in its Workforce of the Future playbook.

The concept of skills-based recruitment is also included in the Chance to Compete Act, a bill which the House passed in a vote of 422 to 2 near the start of 2023. The Senate version of the bill was referred to the Homeland Security and Governmental Affairs Committee, but so far has not had further action.

For the ACCESS Act, a spokesperson for Mace said for now, there is no leading partner for a Senate version of the legislation.

OPM retirement backlog continues improvement in processed claims for March
https://federalnewsnetwork.com/retirement/2024/04/opm-retirement-backlog-continues-improvement-in-processed-claims-for-march/
Wed, 10 Apr 2024 19:34:16 +0000

OPM also made improvements in the inventory backlog, shrinking it by 2,786, for a total of 16,823 claims in March, the lowest it's been since December 2023.

The post OPM retirement backlog continues improvement in processed claims for March first appeared on Federal News Network.

The Office of Personnel Management’s retirement backlog continued to improve in March. OPM processed 10,711 claims, a new record for 2024, surpassing February 2024’s 10,025 claims. The agency received 7,943 new retirement claims in March, down 851 from the previous month, but managed to process over 600 more claims than it did in February.

OPM also saw improvements in the inventory backlog, shrinking it by 2,786 and bringing the current number of claims to 16,823. This is the lowest backlog the agency has seen since December 2023. OPM is still 3,823 claims above the steady state goal of 13,000.

After seeing improvements in February, OPM’s average processing time increased from 47 days to 55 days in March.

OPM said March retirement cases completed in less than 60 days on average took 39 days to process, while cases that took more than 60 days on average took 134 days to fully process.

New Congressional task force looks to make sure it’s not left behind by AI advancements
https://federalnewsnetwork.com/artificial-intelligence/2024/04/new-congressional-task-force-looks-to-make-sure-its-not-left-behind-by-ai-advancements/
Wed, 10 Apr 2024 19:10:52 +0000

Twelve members of Congress have been appointed to a new commission to lead the House’s exploration of AI’s transformational opportunities.

The post New Congressional task force looks to make sure it’s not left behind by AI advancements first appeared on Federal News Network.


Twelve members of Congress have been appointed to a new commission to lead the House’s exploration of AI’s transformational opportunities and potential challenges. Their mission? To create guiding principles, recommendations and bipartisan policy proposals for the regulation of AI. One of those members joined Federal News Network’s Eric White on The Federal Drive with Tom Temin to discuss the task ahead: Rep. Don Beyer (D-Va.).

Interview Transcript:  

Eric White: We have been bombarded with hearing about the potentials of AI. And so I’m sure that as a member of Congress, you’re hearing from your constituents as well as their concerns and things that might be brought up if it is implemented fully. So how did this task force on AI all come together?

Don Beyer: Eric, for a few years, there’s been an artificial intelligence caucus. Democrats and Republicans coming together once a month to just talk about AI, but no legislation was really moving. It wasn’t clear which committees had jurisdiction, wasn’t clear where there was really momentum behind specific pieces of legislation. So Kevin McCarthy (R-Calif.), back before the infamous vacation of the chair, had talked about forming a task force, never happened. And eventually, just a few weeks ago, Speaker Mike Johnson (R-La.) and Democratic Leader Hakeem Jeffries (D-N.Y.) appointed these members very bipartisan, an even number of Democrats or Republicans. And we’ve met a couple of times already. We’re now meeting every fly-out morning at 9:00. And the goal is by the end of the year to present a completely written up report on AI and what Congress should be doing. And hopefully, Eric, on the way, we’ll also actually pass four or five or six foundational bills. Bills we can build upon in the years to come.

Eric White: Yeah. What can you tell me about the discussions that you just mentioned? Everybody loves to talk about the divisions in Congress and everything. But this issue, you might have a luxury of everybody generally wants a safe thing, a safe, efficient way for AI to be implemented into everyday life. What are you all mostly discussing when you have those conversations?

Don Beyer: Eric, it’s been interesting. In the first couple of meetings, I spent a lot of going around the room saying, what are your priorities? And they’re all over the place. For example, one Democratic member from New York had been very concerned about the use of AI delivering porn, especially with child sexual images. Where instead of the old terrible way of kidnapping children and forcing the reform porn in some garage, they actually generate it using large language models and stuff. It’s just as evil, but without an actual child in play. So you can get a lot more of it a lot faster, which is even sadder. On the other hand, you get people that are really concerned about deepfakes and what it will mean for elections this year. We all know that more people will vote in 2024 than in any year in the history of mankind. Oh, all over the world and very big elections here in the United States. So it varies, but you could boil it down into 12 main topics. And then the notion is how do you address each one of them? What role does Congress really have or federal government have in these 12 different areas?

Eric White: And that’s a perfect segue into my next question of what is Congress’ role in this? Obviously, you have a vested interest in stopping some of the terrible things that can come from AI that you just mentioned. But as far as getting ahead of it and coming out with some overarching principles, is that where you see Congress’ enacting a role in working with other branches of government?

Don Beyer: Yeah, very much so. So far, we’ve been really thrilled that there’s been little partisan bickering, very little partisan divide. There’s nothing like the divide we have on guns or on the right to reproductive freedom, things like that. So I’m optimistic about us being able to move forward. And on the role, it’s interesting the Europeans who the European Union have recently passed their EU Artificial Intelligence Act, the EU AI Act. And they were, I heard it referred to recently, is that they are super regulatory power. They really like regulation. Our tendency, both Democratic and Republican, is to focus on innovation and creation and new uses that can change the way our lives unfold. So almost all of us, across party lines, want to have a relatively light touch from a regulation perspective, unlike the Europeans.

Eric White: It’s interesting. Usually we’re trying to find ways to reduce red tape, and the Europeans tend to say, no, we need more red tape here. We’re speaking with Virginia Congressman Don Beyer. Congress has always been a punching bag for the American public. And they’re seen as sometimes being a little bit behind on when new technologies come in. And there are those viral clips of some of your fellow congressmen describing some things that maybe are off the cuff or out there. Where do you see as this is improving Congress’ understanding of AI? Because it’s a new technology and not too many people actually get with the facts of what it actually takes to create those deep fakes or actually have technology that will change Americans’ lives.

Don Beyer: Well, the good part, Eric, is that while there are only a handful of actual technologists who serve in Congress, the 24 people on this task force, almost all of them are pretty sophisticated about AI across the political landscape. So I’m really encouraged by that. When Speaker Johnson and Leader Jeffries pointed, they were looking for people who already had expressed a deep interest in artificial intelligence and done a lot of reading and a lot of visiting, a lot of experimenting. So that’s a really good piece of it. And I also think while Congress always lags the American public, that’s because that’s the way our founding mothers and fathers set it up. It’s two different entities, the House and the Senate. There’s a filibuster in the Senate. You really have to spend a lot of time to get to a middle ground before something actually becomes law. And sometimes that slowness frustrates us. But it also can often be wise, because we’re not overreacting or doing something quickly and hastily that we later need to reverse.

Eric White: Let’s talk about you yourself. You got appointed to this mostly because we’ve interviewed you before. You’ve taken a deep interest in AI, and even have taken some classes in learning more about the technology. What can you tell me of where you stand personally in your understanding of it?

Don Beyer: I’m learning very quickly. I just came back from a four-day AI conference with some of the smartest people I’ve ever met, and I had lots and lots of questions. And with every exposure, I learn a little bit more. By the way, having my coding background now, just in Python three and in Java, is also helping. No, I can’t be a huge AI scientist right now. I’m years away from doing that, but I have a good inkling about how they’re going about it and why, which helps. Although, ultimately, here in Congress in this task force, we’re not going to be writing any code. We’re going to be trying to come up with the right sets of policies for things like the democratization of artificial intelligence. We don’t want to just to be owned by the big four. By ChatGPT, by OpenAI and Microsoft and Google. We want to make sure that people like you and me also have access to it. The small businesses and medium-sized businesses do it, and researchers everywhere. So the democratization is a big piece of it. And I also think that we have to look really deeply at the potential downsides. How many AI optimists? I think it could do much more good than harm. But as members of Congress, our job is to protect the American people. So thinking about the potential downsides is very important to you.

Eric White: Providing me an opening to ask about those big four and the plethora of famous technologists that we’ve seen making the rounds on news programs, talking about it. Are you bringing in any sort of experts during these conversations with your task force, or are you just kind of reaching out on your own accord and then coming back and reporting to the task force?

Don Beyer: It’s a really good question here, because it’s sort of in between. We have had, from Jay Obernolte (R-Calif.), who chairs the overall conference with Ted Lieu (D-Calif.). I think he’s been deluged with different people who want to come present to the task force, enough so that they can take up the next three or four years just listening to people tell us their ideas. So he’s going to be judicious in terms of the people we bring before us. But so far, it’s been the leaders of the big four, but also people like Dario Gil, who’s head of research at debt, at IBM. So some of the really great intellectuals and founders of this field are talking to us both in small groups and of big groups. Marc Andreessen, who is an early major technologist, has already come to talk to us. But we’re also hearing interesting, Eric, from not just the technologist, but people who’ve been affected by it. For example, we had one fascinating meeting with the folks that do photography and illustrations, and who write music and who published books, who are seeing artificial intelligence as perhaps taking all of their creative work and making it for free on the internet through the large language models. So what’s the business model that allows a photographer to still make a living other than at weddings?

How federal workplaces can better prevent harassment and avoid risk
https://federalnewsnetwork.com/commentary/2024/04/how-federal-workplaces-can-better-prevent-harassment-and-avoid-risk/
Wed, 10 Apr 2024 19:03:14 +0000

On February 26, the Government Accountability Office issued a report stating that training efforts to prevent sexual harassment in the federal workplace have been ineffective, and new measures are underway to address the issue. As…

The post How federal workplaces can better prevent harassment and avoid risk first appeared on Federal News Network.

On February 26, the Government Accountability Office issued a report stating that training efforts to prevent sexual harassment in the federal workplace have been ineffective, and new measures are underway to address the issue. As evidenced by a 2023 Equal Employment Opportunity Commission report showing that sexual harassment has been the most common form of discrimination reported by federal agencies since 2011, the GAO made 14 recommendations to the Defense Department and other federal agencies to develop and implement evaluations of existing training protocols.

As a former EEOC lawyer and later a partner in a management law firm, I’m highly familiar with the need to establish and maintain a compliant work environment free from harassment and discrimination. I’m also familiar with the difficulties of developing effective training programs that establish the behaviors needed to achieve a non-discriminatory workplace.

A common challenge with mandated workforce training is that it’s often treated like a necessary evil. The GAO pointed out several deficiencies in the current training protocols, and after reviewing the specific recommendations, I agree with the requested efforts. They’re all in line with industry best practices for effective training. However, after decades in the training industry, I’ve learned that focusing just on training initiatives isn’t enough to ensure long-term behavioral change.

When it comes to sexual harassment and other forms of illegal and improper workplace behavior, the issue is seldom that the offender isn’t aware of the standards or rules. It’s because they believe they’re immune from repercussions, or that victims or bystanders don’t speak up or follow the established processes. Or worse yet, they follow the proper processes to address the situation, and those responsible for responding fail to take the necessary corrective action.

This type of phenomenon often speaks to a bigger issue, which is that the organization’s culture isn’t fully aligned with its values.

Most organizations’ values include respect, fairness, teamwork, accountability and others. Sexual harassment, discrimination and other EEO concerns, along with most forms of uncivil behavior — rudeness, bullying, dismissiveness and bias — are in direct conflict with those values. Instilling core behavioral standards aligned with the organization’s values, along with the appropriate consequences for failing to meet them, will help ensure EEO compliance as well as support a healthy, productive workplace.

An expanded focus on instilling core behaviors that can help prevent an array of improper behaviors like harassment should be the real goal of such initiatives. And just like any other training, there’s no one-size-fits-all approach that works. There are some inherent best practices to include, as well as some pitfalls to avoid.

Navigating these factors is paramount to success, and as the GAO has discovered, some of these agencies have crucial work to do.

Dedicated content addressing your organization’s unique needs and tailored to your leaders is critical to establishing their unique role in establishing and reinforcing behavioral standards. Sessions should be highly interactive so that your leaders don’t just attend them; they experience the training. The material should be highly contextual to demonstrate the real-world implications, with examples that tie behaviors back to EEO compliance as well as your stated values.

Similarly, employee training should be highly engaging and instill the same core behavioral principles using relevant, real-world scenarios. To scale the efforts, sessions using in-person, virtual, and online presentations can be utilized, as long as the core materials are included, and interactivity is maintained. Content can be tailored to unique audiences to ensure applicability and impact.

To achieve the desired impact, “learning” shouldn’t end with once-a-year training sessions. Organizations should make an explicit effort to include practical tools that reinforce the core concepts of their training. Give your leaders tips on applying the learning in everyday situations and remind staff of their role in supporting these standards, directly and indirectly. If applicable, identify specific cohorts of stakeholders who are highly influential to performance (often middle managers) and provide additional learning experiences and tools they can use to optimize engagement with peers, direct reports and even upwards.

With all of these factors in play to reinforce the desired behaviors, they can become habits that others will soon recognize as the new normal.

Lastly, be sure to evaluate your training’s effectiveness to gauge how well it was received. Did participants find the content relevant to their daily jobs? Do they intend to apply what they learned? Would they recommend it to colleagues? If possible, commit to a long-term evaluation strategy going to Level 3 of the Kirkpatrick Measurement Model. Are leaders and team members actively applying the learning? Are they behaving differently as a result? Most importantly, do people understand and appreciate that they are supposed to report issues to leaders and others? Do they have confidence that when they report something, they will be listened to and not retaliated against in any way?

As the GAO report illustrates, sexual harassment is still a major issue, and without effective preventive measures, any organization — public or private — can be at risk for lawsuits, financial penalties and myriad other issues. For the named federal agencies and any others facing similar issues, training efforts and other purposeful measures that imprint the organization’s values into cultural norms should be viewed as strategic initiatives to support their success in the long run.

Stephen Paskoff is a former Equal Employment Opportunity Commission attorney and CEO of workplace training company Employment Learning Innovations (ELI).

The post How federal workplaces can better prevent harassment and avoid risk first appeared on Federal News Network.

DoD gets partner from academia to help tackle complex problems
https://federalnewsnetwork.com/defense-main/2024/04/dod-gets-partner-from-academia-to-help-tackle-complex-problems/
Wed, 10 Apr 2024 18:56:32 +0000

The University of South Florida (USF) recently opened a new lab aimed at providing quick innovative solutions to the different challenges facing the Department.

The post DoD gets partner from academia to help tackle complex problems first appeared on Federal News Network.


The University of South Florida (USF) recently opened a new lab aimed at providing quick, innovative solutions to the different challenges facing the Department of Defense. The new Rapid Experimentation Lab (REL) hopes to provide a unique, collaborative space to rapidly test concepts. To learn more, Federal News Network’s Eric White spoke on The Federal Drive with Tom Temin with Taylor Johnston, COO of USF’s Institute of Applied Engineering, which is managing the lab.

Interview Transcript:  

Eric White Absolutely. So why don’t we start from the beginning? How did this all come together? How did you find yourself in business with the Department of Defense? Trying to solve some of their always complex problems.

Taylor Johnston Thanks for the question. I am actually a 21-year Air Force veteran, so I’m a buyer by trade. I flew the C-21, C-130 and KC-135 in the Air Force. And while I was in the Air Force, I got to community and help a unit called Contingency Response Units. Contingency response units are challenged with setting up an air base anywhere in the world at a moment’s notice. And this is back in the mid to 2015-2016 timeframe, where essentially the problems we got were, hey, you’ve got two planes coming tonight. Figure what you can put on board and go. At that time we were dealing with antiquated generators and some other old equipment where that really got my innovation green and innovation meter ideas going, and we started looking at new ways to do power generation, new ways to use communications. And this is also at the start of AFWERX and some of the DIUs at the Defense Innovation Unit. And I got to be at the ground floor of that as an active duty member. Following my tours and the contingency response units, I ended up as the Director of Innovation for the six day Refueling Wing, which is MacDill Air Force Base. After retirement, one of the universities that I dealt with at the time was the University of South Florida. Now, the University of South Florida has this interesting arm that is a 501c3 nonprofit that connects those academics to federal money via contracts basis. So that’s kind of how I got involved in it. And what we do for the DoD writ large is try to solve and bring those academics to solve those tough problems for the DoD. So it’s not from a business where a 501c3 attached to the university. It’s more providing that PhD lift of talent to the top problems of the DoD.

Eric White So before we get into the lab itself, we say complex problems. Why don’t we put a label on that? What kind of problems are you looking towards? And obviously they’re complex. So don’t feel the need to get too into the nitty gritty. But overall, what are you all going to be looking at?

Taylor Johnston Well, the Institute of Applied Engineering started in 2019 as primarily an engineering solutions program to solve everything from a rapid mechanical design problem or some software solutions for some unattended ground sensors. What we figured out over the course of the last five years is you don’t just need that unattended ground sensor that talks to the tech network, that talks across the spectrum. You need a holistic approach to some of these new designs and new solutions. Because if I’m building anything on a mechanical thing, it’s obviously going to have some sort of electrical component, which is going to involve a chip. Where does that chip come from? How do I look at this from a business case example to an engineering solution? And then what are the policy implications of that incident solution? So we’re able to bridge the entire university to come to a solution for the DoD that actually is able to attack those wicked problems.

Eric White Gotcha. All right. So let’s get into the facility itself. You had mentioned some experience that you had with AFWERX and DIU. What lessons did you take from those agencies when modeling this lab? Did you take anything of, Oh, they do it real well over there. Let’s make sure to implement it here.

Taylor Johnston Well, one of the things that I noticed both from AFWERX, and the beautiful thing about AFWERX is there’s no real innovation, what we call Air Force specialty code. They take an airman that could be a maintainer, could be a medic, could be a troop, could be a flier like myself. And they bring them into a room with a whole bunch of different experiences. Let them ideate, let them try to solve the problem and think about different solutions, because those different perspectives usually bring about a better solution than a stovepipe kind of answer, solely by the troops or solely by the maintainers. That’s what we try to do at the lab is create a space where I have mechanical engineers, electrical engineers, RF engineers, physicists, medical folks all in the same room, and all with that collaboration space that they’re able to go from the whiteboard to a 3D printer to a welder, to an RF chamber, an anechoic chamber, and able to bring an idea to a solution, interdisciplinary wise.

Eric White We’re speaking with Taylor Johnston. He’s the chief operating officer of the Institute of Applied Engineering at the University of South Florida. So an 8,000 square foot facility is what you have, and you want to let your engineers cook in there. What sorts of new tools and innovative technologies are you bringing in there to make sure that these engineers, they’re not going to be there forever, obviously, and they’re in high demand, I’m sure once they graduate, what do they get out of this?

Taylor Johnston Well, we do have everything from our student interns to graduate assistants to professional staff. So I have 21 engineers on my staff that are permanent members of the institute, and we’re able to actually bring in university professors to the lab. The beautiful thing about the lab is that there are seven different types of additive manufacturing machines. There’s also soldering and welding equipment in there. There’s also printed circuit machines in there, sort of print circuit boards. And there’s also RF and anechoic chambers in there too, and also everything from drill presses to laser engravers to CNC machines. Basically, everything you need to make a product that we all know is not just fabricating a product that is also incorporated in electronics in the product.

Eric White Yeah. And I want to go back to this concept of you just kind of letting the engineers do their thing. What space do they have to also conduct some experiments where it may not all work out, but tinkering is how a lot of things are discovered. What can you tell me about that aspect of things?

Taylor Johnston I’ll go back to a little bit of the fact that we are primarily a task driven organization. So the DoD comes to us with that, Hey, I need a solution to this. And we’ll go out and either do an analysis of alternatives, or we’ll go out and try and prove what they’re trying to do and actually build what they want to have built. Part of that also, as you intimated towards, allows our engineers to figure out things that they may or may not be useful in applications towards the DoD, but they are something like using the iridium satellite network for communications versus the new Starlink. What’s capable of this? Some of the things that are out there that may or may not be useful today. And how are we able to parse things and do edge computing for things that may or may not be done on the cloud? So a lot of the things today are cloud computing and cloud infrastructure. But when you start to talk about the Department of Defense’s needs for able to be computed on edge on device in a remote environment, you start to see some different types of problems there than usual businesses face.

Eric White What can you tell me about where this facility stands as far as setting apart other opportunities at other universities? Is this a unique opportunity for University of South Florida students, or are there facilities like this at other universities, and if so, what makes this one different from those?

Taylor Johnston There are seeing these around the nation. There are 13, I believe, university affiliated research centers. So those are dedicated sponsored activities from the DoD at specific universities around the nation. The University of South Florida is more of a startup in an established ecosystem. So there’s the behemoths out there, like Johns Hopkins Applied Physics Lab and Georgia Tech Research Institute. We do a lot of research for the DoD. Those are both. The University of South Florida is well positioned just because of its geographical location, next to two combatant commands, which know where the university can really offer next to CENTCOM and SOCOM, and able to be basically a young, scrappy startup that’s able to do things a little bit outside of the box, that these older institutions may or may not have the capacity to do.

Eric White And of course, the weather’s not too bad.

Taylor Johnston The weather is absolutely perfect. Today it’s about 76 degrees and I do not see a cloud the day.

Eric White Can’t beat that. All right. Anything else that we didn’t touch on that you think is important for the conversation?

Taylor Johnston One of the important things here to note, when you think of universities, you usually think of what we call 6.1 or 6.2 basic and fundamental research dollars. It’s usually grant based. The institute is primarily designed around doing things these contract based and federal acquisition regulations and agreements with researchers, which is rare, and the ability to do things at both the controlled, unclassified level and also up to the top secret, secure compartmentalized information level so it allows researchers to do things on contract, which means that you actually do get something at the end, on time and on the schedule, versus a researcher doing things that a researcher may or may not want to do, that may or may not have applicability with the DoD. You get something that’s on time, on schedule, and it is able to be at the classification of the customer.

When the door from government-to-industry leads to a brick wall
https://federalnewsnetwork.com/contracting/2024/04/when-the-door-from-government-to-industry-leads-to-a-brick-wall/
Wed, 10 Apr 2024 17:01:26 +0000

A high-level military official negotiates with a contractor, leaves the government, and joins the contractor. Is it a conflict of interest? Depends.

The post When the door from government-to-industry leads to a brick wall first appeared on Federal News Network.

var config_4957163 = {"options":{"theme":"hbidc_default"},"extensions":{"Playlist":[]},"episode":{"media":{"mp3":"https:\/\/www.podtrac.com\/pts\/redirect.mp3\/traffic.megaphone.fm\/HUBB6767577801.mp3?updated=1712753523"},"coverUrl":"https:\/\/federalnewsnetwork.com\/wp-content\/uploads\/2023\/12\/3000x3000_Federal-Drive-GEHA-150x150.jpg","title":"When the door from government-to-industry leads to a brick wall","description":"[hbidcpodcast podcastid='4957163']nnIt is an old story, but new versions keep happening. A high-level military official negotiates with a contractor. He seeks employment, leaves the government, and joins the contractor. He may not have a conflict of interest, but if it looks like he does, that's trouble. <a href="https:\/\/federalnewsnetwork.com\/category\/temin\/tom-temin-federal-drive\/"><em><strong>The Federal Drive with Tom Temin<\/strong><\/em><\/a> discusses this potential problem with Zach Prince, a procurement attorney with Haynes and Boone, LLP.nn<em><strong>Interview Transcript:\u00a0\u00a0<\/strong><\/em>n<blockquote><strong>Tom Temin <\/strong>Zach, tell us about the most recent decision resulted from protest, but a company was left out of a competition because of that appearance. What happened? Yeah.nn<strong>Zach Prince <\/strong>So this is a procurement involving, dual band decoy system, which is intended to be, mitigation system for radar guided missiles that are targeting military aircraft and specifically the F-18. So right now, that you've got missiles that use two bands of radar to track aircraft, it's very challenging to have effective countermeasures for them. So, the Navy is trying to develop and then implement a replacement for their current solution. So, they had two rounds of this and they're going to have multiple iterations of the program. The first was a technical demonstration type portion that started a few years ago and followed on with an engineering, manufacturing and design phase and phase. 

It is an old story, but new versions keep happening. A high-level military official negotiates with a contractor. He seeks employment, leaves the government, and joins the contractor. He may not have a conflict of interest, but if it looks like he does, that’s trouble. The Federal Drive with Tom Temin discusses this potential problem with Zach Prince, a procurement attorney with Haynes and Boone, LLP.

Interview Transcript:  

Tom Temin: Zach, tell us about the most recent decision resulted from protest, but a company was left out of a competition because of that appearance. What happened? Yeah.

Zach Prince: So this is a procurement involving a dual band decoy system, which is intended to be a mitigation system for radar guided missiles that are targeting military aircraft and specifically the F-18. So right now that you’ve got missiles that use two bands of radar to track aircraft, it’s very challenging to have effective countermeasures for them. So, the Navy is trying to develop and then implement a replacement for their current solution. So, they had two rounds of this and they’re going to have multiple iterations of the program. The first was a technical demonstration type portion that started a few years ago and followed on with an engineering, manufacturing and design phase and phase. Now, ultimately, it’ll go into, you know, low rate and full rate production. BAE and Raytheon were both recipients of the contract for the demonstration of the existing technologies. As part of this, at some point between that portion and the next portion, Raytheon started discussing employment with a Navy employee, longtime mathematician and technical expert with the Navy, with Navy Air, specifically who was running this program. And he left and joined Raytheon and then began representing Raytheon back to the government as a concern. This program had something to do with their response to the Navy’s request for information for the second round, some disputed amount of involvement for the submission of the proposal for the second round. And at some point the Navy realized, hey, this at least has a bad smell to it, and started doing a pretty thorough investigation.

Tom Temin: Right? So, this fellow VK had participated in all of the work on the Navy’s behalf for the first phase of this long-term program, and while he was negotiating and dealing with Raytheon, he was also trying to get a job there, basically, and got the job. And now they’re into the dealing with the Navy for the follow on.

Zach Prince: Yeah, to be fair, it wasn’t as egregious as I think. We all remember the tanker case from back in the early 2000s with the Air Force and Boeing. This guy VK was not actually negotiating for the government. He was doing some very technical work making recommendations on the technical implementation of the program. He wasn’t deciding solutions, but he did have access to proprietary information. And he had signed an NDA with the Navy expressly saying that he wouldn’t work for anybody who was part of this program.

Tom Temin: Okay, so if it’s a very wide gray area, he was at one edge of it, let’s say, and a contracting officer decided to pull on that thread.

Zach Prince: Yeah, he did. And somebody from the government raised the issue internally. The Navy did exactly what they’re supposed to do. They did a very thorough, extensive, months-long investigation where they spoke to a number of people in the Navy. They gave Raytheon multiple opportunities to offer comment and respond. And ultimately, they concluded that the appearance of impropriety here, they didn’t say there was necessarily impropriety, although it was really close, but at least the appearance was enough that they felt they had to exclude Raytheon from the competition.

Tom Temin: And therefore I imagine Raytheon said, nope, we protest.

Zach Prince: That’s right. I mean, it’s an important program. And the initial award, the MD phase, I think it was maybe $50 million. So, it’s not huge. But I think long term this is going to be multiple hundreds of millions of dollars not to get into full rate production or more. So, this is an important project for them. They protested to GAO and lost. Because the agency has a lot of discretion in these types of determinations. And then they filed that on to the court.

Tom Temin: Right. And what happened at the court level?

Zach Prince: They lost again. They had some pretty extensive briefing, some interesting arguments raised about why the mere appearance of impropriety without real hard facts that taint the procurement is not enough. But ultimately, their arguments tried to sideline some pretty clear Federal Circuit case law and the consistent decisions of the Court of Federal Claims, which really uphold the decisions of the contracting officer on this issue. In fact, Judge Sampson, who wrote this decision, said he did a survey of all the cases that have been decided by the court on this issue, at least since a Federal Circuit decision that sort of set the precedent in the early 2000s. And not once has the court overturned the government’s decision on this.

Tom Temin: Yeah. You wonder what the motivation of the company, or at least the judgment of the company was. I mean, you can see from an employee standpoint, the industry beckons with compensation packages, you know, in a cushy type of situation. But the company institutionally knows these shoals, especially long serving old line company like Raytheon. I mean, we can only speculate. So right now, then they’re out. Period. The end.

Zach Prince: Yeah. That’s right. And my impression from reading these cases, I don’t think Raytheon really knew at all how much in-depth involvement this guy had with the program, and they knew that he was a fairly senior, very technically skilled individual from the Navy office that they have dealings with. And I think the level of expertise in electronic warfare countermeasures, particularly that this guy had, are really unique. So, Raytheon wanted to hire him on. He didn’t tell them that he had involvement with this program. And in fact, he called HR, the record shows like two days after he started with Raytheon and said that his involvement was very, very light in this program. He didn’t tell his ethics people that in the government, when he got his ethics letter, it was pretty clear that he was obfuscating his involvement because he did want to go to the private sector.

Tom Temin: Right. So, one of the lessons is you don’t have to be part of the source selection board to get the government and your future employer into trouble.

Zach Prince: Yeah. That’s right. If you’re a contractor, don’t let your contracting officer counterparts be blindsided by stuff like this if you possibly can. And maybe they couldn’t have. Here, make sure that you’re coming up with some mitigation strategy as early as you can. And Raytheon, as much as I just said, yeah, they probably didn’t know his full involvement. The record also shows it, BAE sent a letter to Raytheon not long after this guy started saying, hey, we know that you’ve got this guy. We think that there are some major issues with you having had this guy, because he had major exposure to our technical solutions and IP, you know, make sure to be following those government employment restrictions. They didn’t really.

Tom Temin: Yeah. It’s almost what happened with the Defense Department more recently with the cloud contract, the JEDI contract that ultimately got sunk. And one of the reasons involved there was that someone had worked in the government and ended up at the cloud company, or had been at the cloud company, then at the government, whatever. Not a source selection person necessarily, but an influencer, an adviser deep in there. And somebody ferreted that out and that ultimately helped sink that whole program, which they’ve now replaced with the joint warfare cloud capability. And that one is going and it’s multiple vendors. So, any other lessons that companies ought to take from this?

Zach Prince: Yeah. It’s always such a challenging balancing act because on the one hand, as a company doing business with DoD, you want to have people who understand the inner workings of DoD. On the other hand, there are many situations where hiring just those types of people can create at least the appearance of conflicts, and that’s enough to taint the procurement if the government is not convinced that there are mitigation mechanisms in place. So, you do want to firewall people like this off from their former programs as much as possible, set up some ways in advance that you’ve documented for avoiding the appearance of impropriety, because otherwise you could end up in this type of situation precluded from doing work in a major program.

Tom Temin: Yeah, sometimes the revolving door leads to a brick wall, you might say.

Zach Prince: Good way to frame it.

The post When the door from government-to-industry leads to a brick wall first appeared on Federal News Network.

Navy unveils new strategy for science, technology
https://federalnewsnetwork.com/federal-newscast/2024/04/navy-unveils-new-strategy-for-science-technology/
Wed, 10 Apr 2024 16:30:23 +0000

Navy Secretary Carlos del Toro unveils partnership involving the Office of Naval Research, Naval Postgraduate School, U.S. Naval Academy and Naval War College.

The post Navy unveils new strategy for science, technology first appeared on Federal News Network.

  • The Navy has a new strategy for science and technology. Navy leaders have branded it a “call to service” for scientists and engineers from across the country to help solve military problems. The focus areas include autonomy and artificial intelligence, power and energy, manufacturing, and a host of other issues. The plan does not spell out how the Navy will make progress on those objectives, but Navy Secretary Carlos del Toro said the new work will involve partnerships with the Office of Naval Research, the Naval Postgraduate School, the U.S. Naval Academy and the Naval War College.
  • An Air Force legislative proposal to transfer National Guard space units to the Space Force is sparking a backlash among state governors. The National Governors Association has called for the immediate withdrawal of the proposed legislation to eliminate governors’ authority over their National Guard units. Utah Gov. Spencer Cox and Colorado Gov. Jared Polis said reducing governors’ authority over their National Guard personnel will affect military readiness, recruitment, retention and the National Guard infrastructure across the country. Air Force officials proposed legislation to bypass governors in seven states and move 14 Guard units with space missions to the Space Force.
  • Two agencies have obtained extra money for IT modernization projects. NASA won its first award from the Technology Modernization Fund. The Labor Department garnered its sixth in almost six years. These are the fourth and fifth awards the board has made since January 1 and continue its focus on cybersecurity and application modernization. The space agency is receiving $5.8 million to accelerate cybersecurity and operational upgrades to its network. Labor is getting $42 million for the Office of Workers’ Compensation Programs to replace its outdated Integrated Federal Employee Compensation System. The TMF board now has invested in 43 projects since receiving the $1 billion appropriation in the American Rescue Plan Act in 2021.
  • U.S. Cyber Command (CYBERCOM) is considering the best way to build its forces in the future, by conducting a study on future force generation models. The command has typically relied on the military services to train and equip its digital warriors. But leaders have pushed to embrace a more independent U.S. Special Operations Command-type model in recent years. And others have called for the Defense Department to establish an independent cyber service. CYBERCOM is slated to brief Pentagon leadership on the results of the study this summer.
  • Chandra Donelson is the Department of the Air Force's new acting chief data and artificial intelligence officer. In her new role, Donelson will be responsible for implementing the department’s data management and analytics, as well as AI strategy and policies. Donelson previously served as the space data and artificial intelligence officer for the Space Force, a role she will continue to hold. Her fiscal 2024 goals include integrating data and AI ethics into the department’s mission systems and programs.
  • The Postal Service is looking to raise prices on its monopoly mail products for the sixth time since 2020, when it got approval from its regulator to set mail prices higher than the rate of inflation. USPS is planning to raise the price of a first-class Forever stamp from 68 to 73 cents. If approved by the regulator, these new USPS prices would go into effect on July 14. A recent study warned that USPS price increases are driving away more customers than the agency anticipated. But USPS said the data behind the study is “deeply flawed.”
  • The Department of Veterans Affairs is reviewing more than 4,000 positions that are at risk of a downgrade in their respective pay scales. The six VA positions under review include a mix of white-collar General Schedule (GS) and blue-collar Wage Grade (WG) positions. They include housekeeping aides, file clerks and boiler-plant operators. The VA expects to complete its review of these positions by the end of May. The American Federation of Government Employees said affected employees have received notices in the mail. But, the union said, it has not received notice from the VA about any imminent downgrades.
  • With cyber attacks on the rise, incident response is a big part of managing security risks. Now the National Institute of Standards and Technology is seeking feedback on new recommendations for cyber incident response. The draft guidance is tied to NIST’s recently issued Cybersecurity Framework 2.0. The revised publication layout is a new, more integrated model for organizations responding to a cyber attack or other network security incident. Comments on the draft publication are due to NIST by May 20.

VA reviewing 4,000 positions at risk of pay downgrade
https://federalnewsnetwork.com/pay/2024/04/va-reviewing-4000-employee-positions-at-risk-of-downgrade-in-pay-scale/
Tue, 09 Apr 2024 23:23:57 +0000

VA positions under review include a mix of white-collar General Schedule (GS) and blue-collar Wage Grade (WG) positions.

The post VA reviewing 4,000 positions at risk of pay downgrade first appeared on Federal News Network.


The Department of Veterans Affairs is reviewing more than 4,000 positions at risk of a downgrade in their respective pay scales.

The six VA positions under review include a mix of white-collar General Schedule (GS) and blue-collar Wage Grade (WG) positions.

The American Federation of Government Employees (AFGE) estimates about 56% of VA employees in these 4,000 positions are veterans. Some of the positions under review cover VA employees who make less than $20 an hour.

The positions the VA is reviewing cover all 18 Veterans Integrated Services Networks (VISNs). More than 1,700 positions under review are located in the Veterans Health Administration’s Finance Revenue Operations and Procurement and Logistics Office.

AFGE says affected employees have received notices in the mail about the consistency reviews. But Thomas Dargon, supervisory attorney for AFGE’s National VA Council, said the union hasn’t received notice from the VA yet about any imminent downgrades.

However, if the VA decides to downgrade any of these positions, Dargon said the department will face an even harder time filling these positions.

“The bell’s already been rung here. I’ve seen the letters that have gone out to impacted employees, and VA doesn’t have a lot of answers to the questions they’re asking,” Dargon said.

The VA put a moratorium on downgrading employee positions in 2012, allowing the department to revise a national handbook, computer software and other administrative tasks to ensure it classified employees fairly and consistently.

The VA, however, ended that moratorium earlier this year, and is conducting “consistency reviews” on six of its occupations, at the direction of the Office of Personnel Management.

VA Press Secretary Terrence Hayes told Federal News Network in a statement that OPM directed the VA to conduct agency-wide consistency reviews of these six occupations, after VA employees appealed the classification of their positions to OPM.

OPM, following a classification oversight review of VA in spring 2023, determined that two positions, industrial hygienist GS-0690-12 and purchasing agent (prosthetics) GS-1105-06, were not properly classified at the correct grade level.

VA, in a memo obtained by Federal News Network, said its Office of the Chief Human Capital Officer, “is working to strengthen consistency and oversight of classification determinations across the department by taking action to ensure employees are in appropriately and consistently classified positions, reduce geographical and organizational pay disparities and decrease hiring times.”

The VA is conducting consistency reviews on the following positions:

  • File Clerk (GS-0305-05 and above)
  • Financial Accounts Assistant (GS-503-all grades)
  • Industrial Hygienist (GS-0690-12 and above)
  • Purchasing Agent (OA) (GS-1105-07 and above)
  • Housekeeping Aid (WG-3 and above)
  • Boiler Plant Operator (WG-5402-10 and above)

Reviews of these occupations will occur in two phases. The first phase of reviews began on March 1 and will conclude on April 26. The department will start a second phase on April 29, and complete the reviews by May 1. VA expects to submit all its reviews to OPM by May 1.

“VHA Consolidated Classification Units will be required to initiate a consistency review process, which will require the identification of [position descriptions] in need of review. [Position descriptions] determined not properly classified will be sunset through attrition and positions impacted will be recruited at the appropriate grade levels, as applicable,” the VA memo states.

Once VA conducts its consistency reviews, it will provide reports back to OPM on whether their internal findings demonstrated that those positions are properly classified as compared to OPM standards.

“From there, I suspect some decision will be made,” Dargon said. “AFGE has not been notified of any imminent downgrade at this point, but I do not suspect the consistency reviews to result in employees being upgraded.”

Dargon said AFGE “does not support any downgrade whatsoever,” and that “there is already a significant pay disparity between the public sector and the private sector.”

“VA has a notoriously difficult time not only recruiting, but retaining employees, and downgrading these positions is not going to make it any easier to fill them. And it is not going to bolster morale in the workplace,” Dargon said.

Hayes told Federal News Network that the VA issued a letter temporarily suspending changes to lower grade actions on June 29, 2012. Hayes said OPM assessed VA’s classification process in March 2023, and in September 2023, “determined there were no barriers prohibiting VA from conducting the reviews.”

VA, he added, expects to complete its consistency reviews of these positions by May 31.

“Should the reviews conclude that any positions were improperly classified, VA will consider all potential options to correct this misclassification,” Hayes said. “VA will do all we can to mitigate any potential adverse impact to our current employees. VA is committed to partnering with OPM to update classification standards and ensure they reflect the work done at VA and across the federal government.”

According to slides obtained by Federal News Network from a VA briefing presentation, VHA directed its Workforce Management and Consulting Office to cancel any VHA job opportunity announcements (JOAs) for occupations and grades that are subject to the consistency reviews.

As part of the consistency reviews, VHA classifiers will take a closer look at the qualifications required to perform the work for each occupation, and whether the agency has properly applied OPM’s classification or job-grading standards.

Classifiers cannot compare these six positions to other VA jobs or positions, consider any qualifications the employee has that are not required to perform the job, or account for how well an employee performs the work or the amount of work the employee performs.

“The goal of a classification consistency review is to ensure positions are classified in compliance with OPM classification standards and graded consistently VHA-wide,” the presentation slides state.

VHA is outlining “mitigation strategies” for pay-related staffing challenges. They include supplementing the base pay of these six positions with recruitment and retention incentives — such as critical skills incentives and special salary rates available under the toxic-exposure PACT Act.

“I can appreciate that the HR community at VA is trying to create a soft landing for employees who may be impacted by these downgrades through various recruitment and retention incentives, or ‘mitigation strategies,’ as they call them. But that’s not good enough,” Dargon said. “There’s no reason to downgrade these employees, to make these positions harder to fill than they already are.”

Under Secretary for Health Shereef Elnahal included housekeepers as part of a “Big Seven” list of occupations outlined in the VHA’s top hiring priorities in 2023. Those “Big Seven” positions cover VHA jobs that have a direct impact on patient care — and include physicians, nurses, licensed practical nurses, nursing assistants and food service workers.

Dargon warned that any potential reduction in pay for housekeepers would “be felt very quickly and sharply by folks in that field.” He said VA housekeepers in Pittsburgh, for example, are currently making about $16 an hour.

“These jobs are difficult to fill, and it’s difficult to retain workers,” Dargon said. “We have people who have military backgrounds themselves, who are veterans coming back to the VA, continue giving back, who believe in the mission, who are making just over $15, $16, $17 an hour — and you’ve got VA considering a downgrade.”

Dargon said the VA, by sending these letters to impacted employees, puts them in a position of “feeling undervalued or not seen.”

“Housekeeping aids are very much the backbone of health care institutions. You do not need to be a nurse or a doctor to be considered a vitally important part of the healthcare system that is VA,” he said. “Telling those employees who are working, in some instances, in really difficult environments, every hour of the day, to keep the VA clean and safe, that their position is actually compensated too highly — I can’t imagine what that feels like.”

Dargon said that if VA were to downgrade any of these occupations, it would probably lead to the department contracting out more of this work, “because the positions have become so unattractive through pay or other working conditions.”

VA saw record hiring last year, but is now looking to manage the size of its largest-ever health care workforce.

VA in its fiscal 2025 budget request plans to reduce its total workforce headcount by 10,000 positions. Most of the workforce reduction would come from VHA.

VHA Chief Financial Officer Laura Duke told reporters last month that the workforce reduction is necessary, because the agency far exceeded its hiring goals last year, and because it’s seeing higher-than-expected retention rates.

VHA earlier this year rescinded some temporary and final job offers to prospective hires. But the agency later issued a memo, telling leadership and HR officials to only rescind job offers as an “action of last resort.”

AFGE and VA finalized a new labor agreement last August, updating the terms of their labor contract for the first time in more than a decade.

VA Secretary Denis McDonough, at the signing ceremony, said the new contract would help with “easing the process by which we can fill vacancies,” and will allow the department to make new hires more quickly.

Dargon, however, said recent events suggest the VA is no longer making an effective pitch to prospective hires.

“I was on the negotiating team for the master agreement, and sat at the bargaining table with department officials who insisted that the reason they could not quickly hire employees was because of the provisions in the collective bargaining agreement — that it took too long that these were hurdles or impediments to quick hiring. We knew that was never the case, but we agreed to certain revisions in our contract to allow for more streamlined hiring procedures,” Dargon said. “Now they’re telling us they’ve hired too many people, maybe they’re not going to hire as quickly, they’re not going to fill vacancies through attrition. And now we’re looking at existing positions, and the idea of downgrading them.”

Passing 2025 defense spending bill will be ‘particularly difficult’
https://federalnewsnetwork.com/defense-main/2024/04/passing-2025-defense-spending-bill-will-be-particularly-difficult/
Tue, 09 Apr 2024 22:54:35 +0000

"This year does feel particularly difficult. And election years can play either way. I think it is going to be rough," said Jeanine Womble.

The post Passing 2025 defense spending bill will be ‘particularly difficult’ first appeared on Federal News Network.

While passing the 2024 defense budget was arduous as lawmakers struggled to agree on government funding plans for nearly six months into the fiscal year, negotiating the 2025 defense spending is shaping up to be “particularly difficult.”

The Pentagon proposed a fiscal 2025 budget of $849.8 billion, about 1% higher than this year’s budget request. The top line figure aligns with the Fiscal Responsibility Act passed last year, which sets limits on defense and non-defense discretionary spending. Defense officials said the 1% increase would not be enough to cover inflation.

“Overall, [fiscal 2024] was a good budget. As we pivot toward this year, I think it’s a much more difficult budget, we’re gonna see some very difficult trade-offs. I’m not sure if we’re going to see as positive outcomes as all communities might want to see,” Matt Borron, the Association of Defense Communities executive director, said during the Defense Communities National Summit on Tuesday.

2024 being an election year adds complexity to negotiating and passing the 2025 defense budget. Members of Congress will go back to their districts in July and return sometime in the fall to pass a continuing resolution to temporarily fund the federal government. After that, they won’t be back until after the presidential election.

“I think every year we seem to find new ways to make this hard. And yet, we generally still manage to get it across the line. But this year does feel particularly difficult. And election years can play either way. You can have folks willing to make a deal to get things done before they go home and try to keep their jobs. But it doesn’t feel that way right now. So I think it is going to be rough,” Jeanine Womble, the House Armed Services Committee staff lead, said. 

Passing the 2025 NDAA

Borron said while there were some contentious issues during the 2024 National Defense Authorization Act negotiations, they weren’t “as contentious as they might have come across in some of the debates.”

“That’s why I think you got a relatively quick passage of the NDAA certainly, as compared to the appropriations bill,” said Borron.

The same social issues, such as the Diversity, Equity and Inclusion spending, will most likely come up during this year’s NDAA negotiations. But the resolution of those contentious issues will hinge on the results of this year’s election.

“I think you’re gonna see those same social issues come up for discussion. I don’t see necessarily a different outcome this year,” said Borron.

“All of that is really dependent on the election. I think they can resolve many of those issues, but the more contentious ones are going to have to wait until we know who’s in charge of the White House, who’s running the Senate, who’s running the House. I think in general, there’s a desire to make members as happy as possible. But I don’t think those contentious issues have really changed. The needle hasn’t shifted. We’ll see a rehash of it. And the outcome will be dependent on the elections.”

Womble believes that despite the contentious issues that will come up during this year’s round of debates, the NDAA will ultimately pass.

“I can’t give you a certain date when it will pass, but I believe it will,” said Womble.

“Maybe not quite before October 1, but in the neighborhood. I truly believe that Rep. Mike Rogers, R-Ala., chairman of the House Armed Services Committee, Rep. Adam Smith (D-Wash.) and the members of [the House Armed Services Committee] very much want to get it done every year. There are contentious issues every year, there are things that go to the very end. In a bipartisan way, the committee finds a way.”

CYBERCOM considers options for future force generation model
https://federalnewsnetwork.com/defense-news/2024/04/cybercom-considers-options-for-future-force-generation-model/
Tue, 09 Apr 2024 21:38:00 +0000

CYBERCOM also has 'enhanced budget control' over cyber forces thanks to the fiscal 2024 appropriations bill, as officials craft plans for 'CYBERCOM 2.0.'

The post CYBERCOM considers options for future force generation model first appeared on Federal News Network.

U.S. Cyber Command in the coming months will brief Pentagon leadership on options for reforming how the military generates cyber forces for CYBERCOM.

Gen. Timothy Haugh, in his first public remarks since taking over as head of CYBERCOM and the National Security Agency in early February, said the force generation study is due to the secretary of defense this summer.

CYBERCOM has traditionally relied on the military services to train cyber warriors for the Cyber Mission Force. With that leading to readiness issues, officials have also looked to adopt more of a U.S. Special Operations Command-type model. And some have called on the Defense Department to establish an independent cyber force.

“We’re doing a study right now that will evaluate, and we brought in an outside think tank to help us look at this, what are the spectrum of options?” Haugh said at the CYBERCOM Legal Conference today. “There are also a number of things in between there that we should consider, and also whether or not any of that menu should be applied together. So we’re evaluating that.”

Last year, Congress tasked CYBERCOM with evaluating the readiness of the military services in their ability to provide forces to the command. Haugh said the study identified five specific things the services could improve upon.

“Most of those things were areas that had previously been tackled by SOCOM, as it looks at how the Special Operations Forces are managed,” Haugh said. “And it was around personnel policies. It was in how the services leverage tools that Congress had given for retention to each of the services, and it was about assignment policies.”

In the year since that study, Haugh said each of the services has taken individual actions to improve readiness. He pointed to the Army’s new incentive pay for cyber personnel; the Air Force’s new tech track pilot for extending an individual’s service in the cyber field; and the Navy’s new cyber rating, as well as the Marine Corps’ new eight-year initial enrollment for a cyber officer.

“Those are all really good examples of something each service has done,” Haugh said. “We would like to see them all raise that floor farther.”

Retired Gen. Paul Nakasone, the former head of CYBERCOM and the NSA, said he wanted to see a “bold move forward” with what’s been dubbed CYBERCOM 2.0.

The command is better positioned to control its future thanks to a new provision in law. The fiscal 2024 appropriations bill passed by Congress last month gave CYBERCOM new programming and budgeting authorities. Referred to as “enhanced budget control” by Haugh, the authorities give the head of CYBERCOM direct control over the planning, programming, budgeting and execution of resources for the Cyber Mission Force.

“We now have the budget responsibility for equipping the offensive and defensive cyberspace force for the Department of Defense, that force that we operate,” Haugh said. “So now we have the ability to be able to validate a requirement under our authorities that we’ve been given. We can allocate the resources against whatever that need is. And then we will be able to acquire that under our own authorities, either inside U.S. Cyber Command or in partnership with the services, where we drive the requirement, we have the resources, and now we’re going to be able to produce the capability that we need for our forces. That’s a pretty radical change from where we started.”

Integral to the conversations around the future of CYBERCOM is a new assistant secretary of defense for cyber policy position announced by DoD last month. The job serves as the secretary of defense’s top advisor on matters related to military cyber force and activities.

Secretary of Defense Lloyd Austin nominated the Army’s principal cyber advisor, Michael Sulmeyer, to serve in the new role. While he awaits confirmation, Ashley Manning is serving as acting ASD for cyber policy.

Manning and Haugh are set to testify before the House Armed Services Committee’s cyber, information technology and innovation subcommittee on Wednesday.

“It’ll be our opportunity to talk about what we see this looking like,” Haugh said of the new partnership.

NASA, Labor receive extra funding for IT modernization
https://federalnewsnetwork.com/it-modernization/2024/04/nasa-labor-receive-extra-funding-for-it-modernization/
Tue, 09 Apr 2024 21:14:12 +0000

The Technology Modernization Fund handed out more than $47 million to NASA and the Labor Department for cybersecurity and application modernization projects.

The post NASA, Labor receive extra funding for IT modernization first appeared on Federal News Network.

NASA won its first award from the Technology Modernization Fund. The Labor Department garnered its sixth in almost six years.

These are the fourth and fifth awards since Jan. 1 and continue the board’s focus on cybersecurity and application modernization.

“It is our responsibility to protect high-priority systems and enable our federal workforce to deliver on their agency’s mission seamlessly and securely,” said Clare Martorana, federal chief information officer and TMF Board chairwoman in a release. “These TMF investments demonstrate the diversity and reach of the TMF in driving innovation and impact forward for the American public – from strengthening NASA spacecraft control to supporting injured and ill workers through DOL’s Office of Workers’ Compensation Programs.”

Labor’s award from the TMF of $42 million is among the larger investments over the last few years.

Labor’s Office of Workers’ Compensation Programs (OWCP) will use the money to accelerate the replacement of its outdated Integrated Federal Employee Compensation System (iFECS).

Currently iFECS is built on technology from 20 years ago and runs 98 different applications with what it calls “elaborate and archaic workflows,” according to the TMF website. “This adds significant friction to case management which can overwhelm claims examiners, delay processing and interrupt tasks.”

In fiscal 2023, the system provided services to more than 2.5 million workers, with over 200,000 new cases processed.

“This initiative aims to revolutionize services and benefits for injured and ill workers, making processes faster, more efficient, and less prone to cybersecurity, operational, and financial risk,” the release from the TMF Board stated. “TMF has allocated $42 million to support this endeavor and aims to overhaul iFECS by transitioning to a modern, cloud-based architecture and leveraging automation technologies. This shift promises to reduce claim adjudication times, enhance customer interactions and bolster data security, particularly crucial given the sensitive nature of federal employee health records and annual claims.”

Labor’s sixth TMF award since 2018

“IFECS services the entire federal government as the processor of all workers’ compensation claims filed by federal workers,” said Nancy Griswold, the deputy director of OWCP, in the release. “As such, improvements in iFECS that will allow for the faster processing of claims will have an impact not only on the claimants themselves, but also their federal employers, as studies have shown that faster payment of claims results in a faster return to work for many claimants.”

Labor’s first award came in 2018 and the department has won a total of more than $77.3 million from the TMF over the last six years.

NASA’s first award is for $5.8 million that will accelerate cybersecurity and operational upgrades to its network. The board said the money will be used for specific initiatives including automating network management, modernizing legacy infrastructure, standardizing network configurations across all NASA locations and collecting additional telemetry data to align with federal cybersecurity mandates.

“NASA’s IT infrastructure plays a critical role in every aspect of NASA’s mission, from enabling collaboration to controlling spacecraft to processing scientific data. Therefore, protecting and effectively evolving NASA’s information technology infrastructure remains a top agency priority,” said Jeff Seaton, the NASA CIO, in the release. “This TMF funding will help the agency to accelerate critical cybersecurity and operational upgrades two years earlier than originally planned.”

NASA’s inspector general highlighted the space agency’s need for additional attention around cybersecurity in its August report on compliance with the Federal Information Security Modernization Act (FISMA).

Auditors said “NASA’s information security program and practices were not effective” in fiscal 2023. The IG made 27 recommendations across the five functional areas: identify, protect, detect, respond and recover. NASA’s overall maturity came in at 2.48 out of 5 across the core FISMA metrics and 2.86 out of 5 across the 2023 supplemental metrics.

TMF board has less money in 2024

Along with the awards to Labor and NASA in calendar year 2024, the board made three investments in January worth $70 million for modernization projects at the Justice Department, the General Services Administration and the Armed Forces Retirement Home.

The board continues to allocate funding from the $1 billion it received in the American Rescue Plan Act in 2021. Since that appropriation, the board said it has now used that funding to invest in 43 projects.

It’s unclear how much of the $1 billion the TMF received from the American Rescue Plan Act remains. President Joe Biden’s fiscal 2025 budget request shows about $790 million left in the TMF that is unobligated for 2024, but that also includes money awarded to agencies, but not yet sent out the door.

But going forward, the board faces less available funding as the Senate in the 2024 appropriations rescinded $100 million from the ARPA windfall.

Leveraging lessons from the Okta breach to enhance federal cybersecurity
https://federalnewsnetwork.com/commentary/2024/04/leveraging-lessons-from-the-okta-breach-to-enhance-federal-cybersecurity/
Tue, 09 Apr 2024 19:16:35 +0000

The Okta breach provides an opportunity for federal agencies to reassess and strengthen their cybersecurity posture.

The post Leveraging lessons from the Okta breach to enhance federal cybersecurity first appeared on Federal News Network.

As we enter a new year, it’s an opportune moment for federal cybersecurity professionals to reflect on the past and strategize for the future. The realm of cybersecurity, ever-evolving and increasingly complex, demands constant vigilance and analysis of past events. Among these, the October 2023 Okta breach stands out as a significant event from the last year, offering profound insights into the vulnerabilities and dynamics of modern cyber threats. BeyondTrust’s security experts, through their detailed analysis of this breach, have unearthed lessons that are not only invaluable for understanding the incident itself but also for shaping robust cybersecurity strategies.

The following will be a summary of insights that are particularly pertinent for federal agencies, which face a unique set of challenges due to the nature and scale of their digital operations. In this dynamic cybersecurity landscape, learning from such incidents is crucial for adapting and enhancing security measures to protect against the sophisticated threats of the digital age.

The relevance of current cybersecurity policies and regulations to the attack

Federal agencies are bound by stringent cybersecurity regulations, notably Executive Order 14028, “Improving the Nation’s Cybersecurity.” Issued in May 2021, this order requires agencies to enhance cybersecurity and software supply chain integrity, adopt secure cloud services and zero-trust architecture, and deploy multifactor authentication and encryption within a specific timeframe. These requirements align closely with the vulnerabilities exposed in the Okta breach.

Furthermore, the federal government’s latest identity, credentialing and access management (ICAM) policy, as outlined in the OMB M-19-17 memorandum, sets forth comprehensive guidelines for managing, monitoring and securing access to protected resources. This policy emphasizes identity proofing, establishing enterprise digital identities, and adopting effective authentication and access control processes. These elements are crucial in preventing incidents like the Okta breach, where weaknesses in identity and access management were exploited.

The Okta breach analysis underscores the need for a shift in cybersecurity focus from traditional perimeter defense to identity-centric strategies. This shift is vital for federal agencies whose operations often span multiple networks and cloud environments. Understanding the attacker’s perspective is essential for federal agencies as they prioritize the security of identity management systems and adopt robust privileged access management (PAM) practices.

Key lessons from the Okta breach relevant to federal agencies

  1. Identity is at the core of cybersecurity:

The breach reinforces the concept of identity as the new security perimeter. Federal agencies must ensure that identity management systems are robust and capable of thwarting similar exploits.

  2. The importance of privileged access management:

PAM is essential to protecting sensitive information, assets and systems. Implementing strong PAM solutions is a key step for agencies to safeguard against vulnerabilities. The integration of PAM into federal cybersecurity strategies is not just about mitigating risks; it’s also about enabling secure and efficient operations. By balancing security with operational functionality, PAM solutions help federal agencies maintain a high level of agility and responsiveness, which is essential in today’s fast-paced, digitally driven world.

  3. Agencies need to adapt to evolving cyber threats:

The breach exemplifies the dynamic nature of cyber threats. Federal agencies need to continuously update their cybersecurity strategies, incorporating lessons from incidents like the Okta breach into their protocols, staying informed about emerging threats, and integrating advanced technologies and methodologies. Incorporating lessons from incidents like the Okta breach is essential, ensuring that strategies remain effective against increasingly sophisticated attacks. It’s a continuous cycle of assessment, adaptation and enhancement, crucial for maintaining the security and integrity of federal digital infrastructure.

A defense-in-depth approach is critical

As threat actors focus more on exploiting identities, agencies need tools that can help provide visibility and control of identities and privileges, reduce risk, and detect threats. Good specific policies and internal controls are necessary, but PAM can help provide a defense-in-depth approach, where multiple layers of controls and identity security monitoring capabilities can help prevent the failure of a single control or process from resulting in a breach.

The Okta breach provides an opportunity for federal agencies to reassess and strengthen their cybersecurity posture. By aligning with federal regulations and adopting a proactive approach to identity security, agencies can significantly enhance their defense against sophisticated cyber threats. Implementing lessons learned from such breaches is a critical step in fortifying the digital infrastructure that underpins national security and public service delivery.

Josh Brodbent is regional vice president for public sector solutions engineering at BeyondTrust.

Examining the ecosystem that supports military installations https://federalnewsnetwork.com/defense-main/2024/04/examining-the-ecosystem-that-supports-military-installations/ https://federalnewsnetwork.com/defense-main/2024/04/examining-the-ecosystem-that-supports-military-installations/#respond Tue, 09 Apr 2024 16:44:45 +0000 https://federalnewsnetwork.com/?p=4955699 Defense installations often have mutually beneficial relationships with the communities that surround them. Communities can be both social and economic.

The post Examining the ecosystem that supports military installations first appeared on Federal News Network.


Defense installations often have mutually beneficial relationships with the communities that surround them. Communities can be both social and economic. They have even got their own group: The Association of Defense Communities. To ask about the top issues facing these communities, the Federal Drive with Tom Temin spoke with the association’s Executive Director, Matt Borron.

Interview Transcript: 

Tom Temin I confess, this is the first time I’ve known about this association, and I thought I knew all the ones in Washington, but there’s plenty out there. What does this association do? What is the goal here?

Matt Borron ADC has been around for about 50 years. We actually got our start back in the day when DoD started closing bases. And this was really before they even had to ask Congress for permission so they could literally padlock the gate and throw the community the key and say, good luck. And they did that, as you know. And even then, when Congress got involved with the Base Realignment and Closure around the 90s and the last one in 2005. But, when they first started this some 50 years ago, some communities where this had happened, where they’d lost their base, they got together and they said, really, what do we do now? How do we recover from losing x thousand amount of jobs kind of overnight? And so for probably the first half of our existence, that’s who we were. We were these communities grappling with economic redevelopment and environmental cleanup and reuse and redevelopment issues, kind of all of that awful stuff. But if you fast forward to today, our membership is almost entirely consistent of communities that host active military bases. And it’s organizational base membership. So sometimes it’s a city, sometimes it’s a county. A lot of times it could be a chamber of commerce or a standalone defense alliance. But really, it’s whichever organization there at the local level that has come to take the lead when it comes to installation, military advocacy and partnership work.

Tom Temin It seems like local acquisition is important because so much of defense acquisition is done centrally or by the big commands for the local installations, and things get shipped out through various means. But there’s also, I guess, important local contracting that can happen for a base that members try to encourage.

Matt Borron Absolutely. At the end of the day, our members look at their installation through an economic development lens. In most cases, it’s the largest economic engine there, thousands of workers. And the kind of the waterfall effects of where they live and service members and their families live off base. 70% or so. It really is through that lens and our members do everything we can to prop up the defense sector. So whether it’s land use or encroachment mitigation, that’s a lot of workforce development. It’s a lot of infrastructure, roads, utilities, all these things that the base relies on. More recently it’s been quality of life.

Tom Temin What are the top quality of life issues for military members? I mean housing comes up, but that’s a localized issue. What are some of them?

Matt Borron And that’s really kind of the meat of it, is all of these quality of life issues are local and they are all kind of different. Housing, child care, spouse employment is a huge one. Military spouses have some of the highest unemployment in the country. And it’s related to moves and constantly having to find new employers. But you see a lot of things, military child education now. And so, like you said, housing on the list kind of seems to grow every day.

Tom Temin Yes. So can members of the association, the local counties or the states or whoever, again, is surrounding that community? It seems one of the issues that comes up is just simply recognizing a licensed trade from one area and honoring that when the spouse moves with the service member to another state or local.

Matt Borron Licensure and reciprocity has been a huge issue. And you’re absolutely right. If I’m a teacher, can I have a teacher’s license in one state? Does it apply to the other state? And it goes down. It can be beauticians. It can be lawyers and nurses, you kind of name it. And states have really tried to address that, but it hasn’t been easy. All of these different professions kind of have their own licensure silos, if you will, within their states. So it’s been a lot of coordination. And we have something we call the State Advisors Council. Most states now have an organization at the state level that is responsible for military affairs for work. And so by coordinating that, you’ve seen a lot of states now passed legislation kind of providing that blanket reciprocity for these.

Tom Temin We’re speaking with Matt Borron. He is executive director of the Association of Defense Communities. And you also have a conference annually. And what kinds of things get discussed there. And looks like you have a pretty good lineup of congressional members speaking.

Matt Borron It’s amazing how connected our communities can be to their congressional delegations. Again, installations and military issues are one of the things that could bring us together still in a lot of cases in a bipartisan way. So we do have a good robust caucus on the House and the Senate side. And our national summit next week is really our event and our opportunity to bring all of our communities together and really kind of press Congress and DoD and talk about the issues that are important to us.

Tom Temin Now, [Base Realignment and Closure (BRAC)] as a process seems to be a thing of the past, even though it’s statutorily there in the toolbox. But Congress just never actually gets started anymore. So what do you expect in terms of the line up in the population of bases and installations in the future?

Matt Borron BRAC is a four letter word, and I think it only comes up when you’re talking to a lobbyist. But I don’t foresee a BRAC round anytime in the near future. If anything, our communities aren’t worried about losing their bases any more. They’re worried about growing. How do they attract the next F-35 mission? Or how do they get a piece of Space Force? How can they grow their defense sector at the local level? So the issues that we’ll talk about are creating new authorities by which communities and bases can partner on a full range of issues, whether it’s infrastructure or quality of life. We’ve been very successful in getting some of those programs created within DoD.

Tom Temin And what about the civilian workforce that is in all of these installations? That’s a group of people that tend to stay put relative to the service members on active duty that come and go and the rotation in and out there is probably a whole different set of people every two years or so. What are some of the issues connected to the civilian workforce, which is a little bit more permanent, if you will, in a given spot?

Matt Borron Well, honestly, a lot of times the civilian workforce is that continuity. So these partnerships that are created when, like you said, a base commander comes and goes every 2 or 3 years, who maintains the inter-governmental support agreements, or the sharing of services and facility maintenance costs. And often that’s the civilian workforce. But a lot of times they have kind of specialized needs as well. And communities are really looking at how do they grow with that workforce. What are the types of workforce development programs can they put in place, not just for adults, but even at the high school level? The state of Arkansas has done some really interesting program at the high school there where they partnered with the base, and they now have a two semester long cybersecurity and coding course. They teach at the high school, and it’s taught by uniformed personnel. And these are just the types of programs that, whether you’re in uniform or not, can really help drive partnership at the local level.

Tom Temin Sounds like there’s a lot of idea sharing among members from all over the country.

Matt Borron And that’s really the goal of ADC. At the end of the day, our mission is education and connection.

The post Examining the ecosystem that supports military installations first appeared on Federal News Network.

Federal Plan for improving electronic-health info https://federalnewsnetwork.com/management/2024/04/federal-plan-for-improving-electronic-health-info/ https://federalnewsnetwork.com/management/2024/04/federal-plan-for-improving-electronic-health-info/#respond Tue, 09 Apr 2024 16:22:18 +0000 https://federalnewsnetwork.com/?p=4955619 Following its previous Federal Health IT Strategic Plan, the Health and Human Services Department is looking to continue the effort with its latest plan.

The post Federal Plan for improving electronic-health info first appeared on Federal News Network.


Following its previous Federal Health IT Strategic Plan, the Health and Human Services Department is looking to continue the effort with its latest plan, which covers the next six years. HHS is now open for public comment. Officials are hoping to continue improving the exchange and availability of electronic health information. They also have some new goals in mind. Federal News Network’s Eric White got the chance to speak to one HHS official: Dustin Charles, Policy Specialist in the Office of the National Coordinator for Health Information Technology on the Federal Drive with Tom Temin.

Interview Transcript: 

Eric White Absolutely. So why don’t we just take the 40,000-foot view and hear a little bit about what this new update to the federal health IT strategic plan is, and what it hopes to accomplish.

Dustin Charles Our federal Health I.T. mission is to improve the health and well-being of individuals and communities using technology and health information that is accessible when and where it matters most. We have a vision of a health system that uses health information to engage individuals, to lower health costs, to deliver high quality care and improve individual and population health. So, when we were planning this version of the strategic plan, we really wanted to focus on improving the experience and outcomes for those who use and are impacted by health IT. So, if you look at the plan, you’ll see what we’ve done with the goals is delineate them by the different types of health I.T. users. So, goal one focuses on individuals, populations, and communities; goal two, those involved in health care delivery, including patients, providers, caregivers, public health professionals, and others in the health care sector. Goal three is focus on research and development of health I.T. and finally, goal four just as that infrastructure needed to achieve the other goals.

Eric White When you say health infrastructure, you know the health IT infrastructure, which seems to be always the biggest bugaboo, right? I mean, it’s because a lot of these places, you know, the hospitals and medical offices weren’t set up for this kind of exchange of information and to be constantly updating their technology. What does that specifically say in this new plan to address that?

Dustin Charles Have we done these plans? So, the earlier plans were really focused on adoption of new technology, particularly getting providers to adopt electronic health record systems. And then, for example, the next plan was really more about the exchange. And the current plan that we’re in is really more about addressing barriers to exchange and ensuring that there is that access that we use to health information. So, with this plan, we are focusing a little bit more broadly outward. We have made major headways in exchange, but there are still some obstacles in the way and there are still some new charging technologies. We want to make sure are addressed in this plan as we move forward in the next six years. So, it’s really taking the progress that we’ve done and then looking at, okay, where are some of the remaining gaps and what are the new things that need to be addressed?

Eric White Yeah. Can we go back to the previous plan? What was some of the progress that you all saw in the implementation of that one? And you know out yourself which ones are you guys most proud of?

Dustin Charles Some of the stuff we’re most proud of is some of the advancements. In exchange, we have what we call the TEFCA. The national exchange framework is definitely one of them. And the other side of the exchange is the FHIR standards, sort of the HL7 FHIR standards that allow providers to have a shared way of communicating electronic health information with one another. We’re also happy to see that a lot of hospitals are particularly APIs. And so not just FHIR APIs, but they have some of their own homegrown APIs and others that they’re using as well. So, we’ve seen significant progress throughout the whole health IT in using a lot of the technology that has been developed, and particularly those promoted through the federal government.

Eric White We’re speaking with Dustin Charles. He’s a policy specialist at the office of the National Coordinator for Health Information Technology, part of the Department of Health and Human Services. And so, let’s go back into the plan itself. You guys coordinated with a plethora of other partners in this activity. Can you tell me a little bit about the roles that some of the other agencies played in the formulation of this new policy?

Dustin Charles One of the things to note this is a federal health IT strategic plan. So, it doesn’t just cover the strategies for the Department of Health and Human Services, which is what my office is under, but the entire federal government. So, we might, within the plan, cite some federal programs or projects as examples, but we don’t prescribe any specific programs for federal agencies to engage in. Rather, the plan itself serves as a roadmap for federal agencies to help them prioritize their resources, coordinate efforts across agencies, signal priorities to the private sector, as well as benchmark and assess any changes over time. So, we wrote the plan broadly to capture the overall priorities and goals of the federal government in regard to health IT. So some of the things that federal agencies do in health IT beyond just the work that ONC does is regulate, purchase, developing news, help it to deliver care, improve patient health and provide services the public may funding contribute to health, I.T., development and research at all the different levels of the government and also we also facilitate coordination across public and private sectors. We want to align our standards that we’re promoting with the work that’s being done in the private sector. We want to promote innovation and competition. We want to share best practices. So, because of this, when we get to the final plan, it will be that roadmap that will guide federal agencies, initiatives, and programs over the next six years.

Eric White Gotcha. And this plan is now out for public comment. I’m just curious, who are some of the stakeholders that you all expect to hear from in regard to, how the plan will actually be implemented?

Dustin Charles We really hope to hear from as many different people within the health care industry as we can. Anyone who has an interest in health IT and the role of the federal government. We do expect to hear from health IT developers. We expect to hear from hopefully health care organizations as well as we would love to hear from patients and health care providers themselves and kind of get what their insights are, what they would like to see in health IT. We have public comment until May 28th so you can access our public comments at healthIT.gov/feedback, up until May 28th. And we look forward to getting those comments. We will share them with our colleagues in other federal agencies and coordinate them to develop them.

Eric White I’ll give you my comment now. Can you make it so that I don’t have to fill out the same form seven times every time I visit the officer? Is that out of your purview?

Dustin Charles I think that’s something that I will add to that.

Eric White Fantastic. All right. Well, I’ve submitted my public comment. Now, Dustin Charles is a policy specialist with the office of the National Coordinator for Health Information Technology. Dustin, thank you so much for joining me.

Dustin Charles We do.

The post Federal Plan for improving electronic-health info first appeared on Federal News Network.

Facing cyber attacks, critical infrastructure gets new reporting requirements https://federalnewsnetwork.com/cybersecurity/2024/04/facing-cyber-attacks-critical-infrastructure-gets-new-reporting-requirements/ https://federalnewsnetwork.com/cybersecurity/2024/04/facing-cyber-attacks-critical-infrastructure-gets-new-reporting-requirements/#respond Tue, 09 Apr 2024 15:02:16 +0000 https://federalnewsnetwork.com/?p=4955573 A newly proposed rule by CISA, tasks those operating in critical infrastructure sectors to report cyber incidents within 72 hours.

The post Facing cyber attacks, critical infrastructure gets new reporting requirements first appeared on Federal News Network.


A newly proposed rule by the Cybersecurity and Infrastructure Security Agency tasks those operating in critical infrastructure sectors to report cyber incidents within 72 hours and to report ransom payments within 24 hours of making a payment. These new requirements would significantly lengthen the to-do list of these entities. For analysis on what the impact could be, Federal News Network’s Eric White spoke to Beth Waller, principal at the law firm Woods Rogers Vandeventer Black, on the Federal Drive with Tom Temin.

Interview Transcript: 

Eric White So 1,000 foot view. What are the major changes here and what is going to be the impact on these critical sector entities?

Beth Waller I think 40,000 foot view. Everyone was expecting the director of CISA to come out with these proposed rules. The big earth shattering component of it is really the definition of covered entity who falls within the orbit of needing to report. And so really, the proposed rule really kind of breaks it into two different sections. We have really those who have to report based on their size, how large they are, and those that have to report based on their sector. I think most folks who are watching for this proposed rule were really expecting the sector side of the house. We weren’t really expecting the size side of the house. And so from a 40,000 foot view, I would say that most businesses and entities might be surprised to find out that they are covered by these new reporting requirements as proposed.

Eric White Yeah. Is there anything in place to notify a company that, hey, by the way, this new rule, it applies to you.

Beth Waller I really think that CISA is going to need to do a good job of educating the public to let them know that, hey, you may fall within this, because again, when we look at the proposed definition of covered entity, for example, when it talks about size, it refers to an entity that exceeds the small business size standards specified by the applicable North American Industry Classification System Code and the US Small Business Administration Small Business Size regulations.

Eric White I read those yesterday.

Beth Waller That’s right. So if you look at those, as I think many of us did, went with bated breath to see, well, wait a minute. What does this mean? We start to see that, well, it really means anybody who has more than 500 employees in certain sectors, and with average annual receipts over 7.5 million, would qualify as somebody who would be needing to report. Now, there are certain exceptions by industry under the SBA regulations. But I think that really what is surprising for me, as somebody who really focuses in on critical infrastructure incident response, is now we’re going to be really looking at those SBA requirements and doing that math in the midst of an incident. And what I can’t really emphasize enough is the fact that we need to remember that this isn’t sitting at home twiddling your thumbs or the quiet of a Tuesday morning or whatever the case may be. You’re in the midst of a ransomware incident and your organization is down and you’ve been essentially taken hostage. And what you’re trying to do is within those first 72 hours, do this math and start figuring out, do I qualify, do I need to report? And so the proposed rule really focuses in on that size. Are we big enough to have to report and then the sector. And then of course sector, size doesn’t matter. It really is whether you fall within these different buckets. And the buckets are what you would somewhat expect. Nuclear reactors, energy, things like that. But then there are some areas that you might not expect, for example, in the health care and public health sector, for example, the proposed rule says that those that operate a hospital with 100 or more beds or are critical access hospitals. Well guess what, you’re dragged into that dragnet. So if I’m a small hospital in a rural location, I might not have 100 beds, but I might be considered critical access, and I would therefore be obligated to report a ransomware incident within 72 hours of finding it out.

Beth Waller Similarly, you have information technology, any entity that provides IT software, hardware, system or services to the federal government. So if you’re a teeny tiny software company, but you provide or have a contract with the federal government, well guess what, you’re grabbed into this. Similarly, if you are considered an original equipment manufacturer or a vendor or integrator of OT hardware, that’s operational technology, hardware or software, or those that perform functions related to DNS operations, guess what? You’re grabbed in. So again, you have some things that are kind of what you would expect: chemical facilities, water, wastewater treatment systems, transportation systems. But then you have some unusual things including communications. So for example, wire radio communication services. So if FNN had an incident, you’d be doing that kind of analysis as to whether or not you needed to report within 72 hours as well. The other little tidbit I would say is that it’s not cut and dry the way the proposed rule is set up. I really think of it like it’s going to be a flow chart or a choose your own adventure type situation, because even with water and wastewater systems, for example, it breaks it down to say, is it a community water system? Publicly owned treatment works that serve more than 3,300 people? Well, that’s a random number to be trying to remember in the middle of an incident response: do I qualify? Do I not qualify? Similarly with education. You’re looking at populations of 50,000 or more. We’re in the education sector. More than a thousand students. Or any institute of higher education that receives funding under title nine. And then finally, folks like the defense industrial base sector. Many of those folks, again, many of my clients in that space are very used to doing reporting to the DoD. Well guess what, that doesn’t necessarily get us out of jail free. We may also be having to do the same kind of report to CISA. And so those are the big kind of surprises in some ways, is that the sector really start getting into a lot of nuance and detail. And then of course, that size component. And again, if you qualify under one bucket, you’re just in. So if you got more than 500 employees and you’re in the manufacturing space, it doesn’t matter that you’re in the defense industrial base sector, you’re going to be in regardless. And so I think that a lot of folks are going to be gobbled up by this, because CISA wants as much information as possible to start really looking at these trends nationally of the types of incidents that we as a nation are facing.

Eric White We’re speaking with Beth Waller, who is a cybersecurity attorney at Woods Rogers Vandeventer Black. And so it’s the people on that one end of the spectrum that the smaller entities that you mentioned. How big of a burden is this actually going to be on them? I imagine that for the bigger folks that are used to this, they’ve got maybe a whole team that’s assigned just to making sure they’re compliant. But there are probably some folks in rural hospitals who have never even heard of this process.

Beth Waller That’s right. And I really think that for those of us, again, I’m a cybersecurity data privacy attorney. And what I do is respond to these types of incidents and get signed in to these types of incidents. I think it’s going to really fall a lot on the legal profession to try to educate folks. Those of us that are called in to do breach response work, number one. But I would also say, I would argue that it’s not just onerous on the small businesses. It’s going to be really a huge task for the big businesses. And I would say that because the report itself is very detailed, it’s more detailed than the report that I would be giving, for example, if I was just in the defense industrial sector under the DFARS 7012, filing on the DIBNet, those types of things. We’re used to doing that in this space. The report to CISA requires us to identify the covered entity. So the entity making the report. But in order to do that, what CISA is proposing is that I need to know the state of incorporation, trade names, legal names, the DUNS number, tax ID, the EPA numbers, all this kind of stuff. Again, I go back to, think about what we’re in the midst of. We’re in the midst of a ransomware incident, highly unlikely that I have access to my work device. And so those first 72 hours, I can guarantee you you’re not getting access to a device that’s from your company. So you’re going to need to be able to pull this information together rapidly. It’s one thing if I’m a smaller defense contractor or a smaller contractor, to be able to know my state of incorporation. It’s another thing if I’m a mega corporation and I’ve made up a bunch of different LLCs or a bunch of different entities, or I have trade names, those types of issues. Pulling that kind of information together can be very challenging. And so I would argue that it’s going to be a burden to almost any entity that is going to be reporting to try to pull these things together.

Beth Waller In addition to that, the type of information about the incident that CISA is requesting, again, from somebody who has experienced an incident response, what they want to know within the first 72 hours is pretty broad. So, for example, they want a description of the covered incident with identification of affected information systems, including the physical locations of the impacted systems, networks and/or devices. If I am a mega company, for example, and I have 50,000 employees across the United States talking about the physical location of those impacted systems or networks. If I’m a manufacturer, it could be quite challenging in the midst of that first 72 hours, keeping in mind that the people who are needing to answer this are also potentially two people trying to come back online, getting things together, managing the incident response team. In addition to that, they want to know things like IOCs, which in the industry is indicators of compromise. They want to know the bad guys. What’s the telephone number, the IP address that they called from. They want to copy the malicious code and they want to know, for example, if you’re paying the ransom, which is another separate reporting requirement, they want to know exactly what your instructions were for payment of the ransom and things like that. I will say the good news is, thankfully there’s going to be a dropdown box for unknown at this time type answers given that this is the first 72 hours, but there is a requirement for supplemental reporting, and that supplemental reporting requires a report to be given every time there’s substantially new or different information becoming available. Again, if I’m in the midst of this incident, that is a very hefty burden to be thinking about.

Eric White Yeah, obviously this would be a substantial task order for, as you mentioned, somebody going through a cyber incident like this. But coming from CISA’s standpoint, this is pretty important information. A lot of people’s lives rely on these companies and obviously the critical infrastructure sector that runs the country basically. So, coming from them, why is this information so critical for an agency like CISA in the fight in ensuring that a lot of our big companies and critical infrastructure sectors are cyber secure.

Beth Waller Well, I think that what it does, it does create this dragnet of information to be able to really look at our adversaries and to be able to say, okay. Because a lot of times in the ransomware world, they have almost nonsense names. You’ve got LockBit, ALPHV/BlackCat. You’ve got Royal, you’ve got, you know, all the different types of ransomware that are out there. And I tell folks, it’s kind of like they’re gangs, like off of The Sopranos or The Godfather movies. They’re just cyber gangs. And so being able to track the information of being able to say, okay, well, this is associated with this nation state or it’s not is really incredibly important to CISA. And again, as someone who is a federal partner in the midst of these incidents, because I do critical infrastructure incident reporting. So again, when you’re representing a state agency or a local government, you are already acting as a partner to your federal partners and providing information. So I think that there are big benefits to working with CISA and currently reporting to CISA as we do. But I think that with regards to the kind of nuances that are being asked for in this reporting, it’s going to create a lot of headaches. And keep in mind, many of these businesses are folks that are operating under multiple regimes. So for example, the financial sector is one of these that is considered critical infrastructure here. Well, if you’re already a bank, you’re reporting to the office of the Comptroller of the Treasury at the same time or reporting to CISA. If you are, for example, a manufacturer that is global, as many of our manufacturing Fortune 500 may be, you are also dealing with the laws in Europe. So GDPR-related laws, you’re also probably publicly traded. And so now you have the new Securities Exchange Commission rules and regulations about getting a notice out to your shareholders within four days of determining materiality. It’s really a very complex arena that CISA is coming into already from a regulatory standpoint.

Beth Waller I will say that the proposed rule says if CISA has an information sharing agreement in place with one of these other agencies that was receiving the report, that is potentially a get out of jail for a duplicate report filing, but it’s unclear at this time where CISA has that information sharing already. And I think that puts a lot of burden on the victim to try to figure that out. So hopefully Department of Defense, for example, creates an information sharing system with CISA where if you’re already again reporting to the DIBNet and going through that side of the process, you wouldn’t have to necessarily do it again here. Again, those clocks also start not on a Tuesday morning at 9:00 a.m.; they often start at 1:00 a.m. on Saturday morning whenever that network engineer figures this out. So a lot of times the folks that would be filling this out are not necessarily aware of it until, let’s say, 36 hours into an incident, depending on how large the organization is. So my argument would be to many businesses, look at your incident response plan. If these proposed rules come in to a final rule in the same manner that they’re currently looking at like right now, we’re going to want to make sure your incident response plan has a lot of this information gathered already, because, for example, maybe you could create something offline that says, this is our state of incorporation, those types of things, so you’ve got that at the ready. Because again, keep in mind, most of the time we’re dealing with something like ransomware where the entire network is encrypted. So how are we going to get at this information even if we wanted to, unless you just know it?

The post Facing cyber attacks, critical infrastructure gets new reporting requirements first appeared on Federal News Network.
