Completing move to zero trust among Customs and Border Protection’s new IT goals

U.S. Customs and Border Protection identified moving to a zero-trust architecture as a top priority in the agency’s updated IT strategy.

The Department of Homeland Security agency identified the cybersecurity model as an area of focus in its IT strategy document for 2023 to 2027, which was published recently. Ensuring federal agencies adopt zero-trust architecture remains a top priority for the White House.

In the new report, CBP said one of its goals for the next four years is to shift its existing “perimeter-facing” cyber protection model to zero trust in an effort to “create a more robust and resilient security, simplify security management, improve end-user experience, and enable modern IT practices.” 

The move comes as the Biden administration has focused on zero-trust implementation across the federal government to enhance cybersecurity. In January 2022, the Office of Management and Budget outlined a path for implementing zero-trust architecture throughout the federal government by 2024 and required agencies to start taking certain steps.

Zero trust is a cybersecurity model in which authentication is performed continuously throughout the architecture rather than once at the network edge; it moves away from models whose defenses exist only at the perimeter of a network.

CBP also listed developing and maintaining its cyber workforce and improving cybersecurity awareness at the agency as part of its cyber goals. In addition to cybersecurity, CBP’s strategy includes goals for mission infrastructure, mission applications, trusted partners, enterprise IT governance and Chief Information Officer business operations.

Commerce launches EU-US data privacy framework certification website

The Department of Commerce has launched a website to help American companies certify their participation in the recently adopted EU-U.S. Data Privacy Framework.

The new site follows protracted negotiations between the United States and the EU to re-establish a mechanism for transferring European citizens’ personal data to the United States after a European court invalidated the previous EU-U.S. Privacy Shield Framework.

U.S. companies transferring data to and from the EU can begin relying on the new landmark agreement but must certify their participation by Oct. 10 at www.dataprivacyframework.gov.

Through the new website, they can also certify compliance with the U.K. extension to the data privacy framework and Swiss-U.S. data privacy principles.

In October, President Biden issued an executive order to boost privacy and civil liberties safeguards as they relate to U.S. signals intelligence. Earlier this month, the EU adopted a data adequacy decision to permit the sharing of data.

The European Commission decided that the U.S. has provided adequate protections for EU citizens’ data after Washington implemented safeguards for Europeans against U.S. surveillance, including redress before a new data protection review court for EU citizens who believe American intelligence collected their personal data in a way that violates the agreement.

Under the agreement, U.S. tech companies are obligated “to delete personal data when it is no longer necessary for the purpose for which it was collected and to ensure continuity of protection when personal data is shared with third parties,” according to a European Commission press release.

NextGen to pay $31M in False Claims Act settlement over health record allegations

The electronic health record vendor NextGen Healthcare Inc. agreed to a multi-million dollar settlement to resolve allegations that it violated a federal fraud statute by misrepresenting its product.

The $31 million agreement follows allegations that the company misrepresented what some versions of its electronic health record (EHR) software could do and provided “unlawful remuneration” to users as an inducement to recommend the product, the Department of Justice said in a Friday statement.

The DOJ alleged that NextGen “improperly obtained certification for its EHR product” under the 2014 edition of the certification program for health technology operated by the Office of the National Coordinator, according to a DOJ complaint filed with the settlement. It then used that certification “to obtain incentive payments.”

NextGen, DOJ alleged, used “an auxiliary product” during the certification that was designed to run test scripts it needed to perform for approval. As a result, the EHR released to users lacked functionalities, such as “the ability to record vital sign data, translate data into required medical vocabularies, and create complete clinical summaries,” the statement said.

The government also alleged that NextGen violated the Anti-Kickback Statute by giving credits to users whose recommendations resulted in a sale of the EHR system. Those credits were “often worth as much as $10,000,” DOJ said.

The settlement includes resolution of whistleblower claims brought by two health care professionals — Toby Markowitz and Elizabeth Ringold — under the False Claims Act. The whistleblowers in the case will receive roughly $5.6 million, the DOJ said.

In a written statement regarding the settlement, a NextGen spokesperson said: “The Company denies that any of its conduct violated the law, and the settlement agreement does not include any admissions of wrongdoing. This agreement relates to claims from more than a decade ago.”

The spokesperson added that the settlement doesn’t change NextGen’s products or policies for compliance. They added: “To avoid the distraction and expense of litigation, we believe it is in the best interest of the Company to put this historical matter behind us and keep our attention focused on innovating solutions that enable better healthcare outcomes for all.”

Appeals Court pauses ban on federal agency contact with social media companies

The Fifth Circuit Court of Appeals on Friday temporarily halted a lower court’s ruling that restricts Biden administration and federal government communications with social media companies in relation to controversial content online.

The Justice Department on Monday requested a stay of federal judge Terry Doughty’s ruling last week that U.S. Digital Service administrator Mina Hsiang, Cybersecurity and Infrastructure Security Agency chief Jen Easterly and a number of major federal agencies be restricted from interacting with social media firms for the purpose of discouraging or removing First Amendment-protected speech.

Doughty, a Trump-appointed judge of the U.S. District Court for the Western District of Louisiana, had denied the Justice Department’s prior request for a stay, arguing that his preliminary injunction wasn’t as broad as it appeared and only prohibited contacting social media companies for the purpose of suppressing free speech. The Fifth Circuit ruling temporarily pauses Doughty’s ruling.

Doughty’s original judgment marked a victory for Republicans who have accused federal government and White House officials of censorship, while Democrats pushed back on the ruling, arguing that social media platforms have failed to address rampant misinformation.

In its filing to the Fifth Circuit, the Justice Department warned that Doughty’s initial ruling could restrict a broad and essential part of communications between the government and social media platforms, such as preventing the president from asking platforms to act responsibly regarding misinformation about a natural disaster circulating online.

The DOJ also said that Doughty’s ruling has the potential to stop communications between the government and social media platforms on national issues like the fentanyl crisis or the security of federal elections, warning that the ruling could create legal ambiguity that could lead to “disastrous delays” in responding to misinformation online.

The Justice Department filing indicated that the DOJ would also consider bringing the case to the Supreme Court and therefore asked the appeals court for a 10-day stay, at minimum, so that the highest court could consider an application for a stay.

The Justice Department did not immediately respond to a request for comment.

Senate appropriations panel seeks to claw back $290M from Technology Modernization Fund

Lawmakers in the Senate have approved legislation that would slash funding for the General Services Administration-operated Technology Modernization Fund if it passes into law in its current form.

The Senate Committee on Appropriations on Thursday approved language in the Financial Services and General Government appropriations bill for fiscal 2024 that would rescind $290 million allocated to the TMF through the American Rescue Plan.

A major reduction in support for the TMF would cut the amount of funding available to agencies for governmentwide IT modernization projects. The latest proposed cut comes shortly after House appropriators last month zeroed out funding for the TMF in their draft funding bill for fiscal year 2024.

The Technology Modernization Fund has been celebrated by the Biden administration as a crucial funding mechanism for fast-tracking progress of certain IT modernization projects across the federal government. It was established in 2018 and was conceived as a self-sustaining fund, meaning that government departments would repay savings that resulted from projects supported by the TMF.

The fund has attracted both support and criticism from the federal IT community, with advocates saying it helps bring the best of agile private sector development practices to technology modernization projects. Opponents argue that using the fund for ad hoc IT projects can reduce spending oversight where it is needed most.

Mike Hettinger, former House Oversight Government Operations Subcommittee staff director and founder of Hettinger Strategy Group, said: “It’s disappointing to see the Senate FSGG look to rescind $290M in previously appropriated funds for the TMF. The program, despite its faults, has been a critical funding source for zero trust and related cybersecurity modernization, as well as certain CX initiatives. If Congress is serious about ensuring agencies have the resources needed to protect critical systems, TMF funding has to be a part of that strategy.”

Hettinger added that while the committee’s report highlighted the lack of full reimbursement as one reason for the rescission, savings from agency technology programs are often hard to find or take more years than desired to materialize.

“When TMF made the change to the payback requirements a couple years ago, it was because that area had been identified as a hindrance to agency participation. The change was intended to broaden the pool of potential TMF applicants and by most accounts it has. Going backwards isn’t the answer,” he added.

The Financial Services and General Government appropriations bill was approved 29-0 by the Senate Appropriations Committee Thursday.

Sen. Jerry Moran, R-Kan., who authored the legislation that created the fund, said funding for TMF was his priority and called the rescission “a bad mistake” at the markup. Moran pointed to recent cyberattacks on the federal government — including a recent attack on the U.S. Marshals Service — as evidence of the need for technology modernization.

“These breaches are incredibly damaging to the work of the federal government, intrude upon the privacy of Americans, and we should be doing more, not less, to address these vulnerabilities,” Moran said. 

Sen. Chris Van Hollen, D-Md., who chairs the Financial Services and General Government Subcommittee, said he agreed that TMF “serves a useful purpose” but explained that the cuts were needed to help fund salaries and expenses.

“One of the challenges we faced, especially in FSGG, was most of the agencies we fund are salaries and expenses, and therefore they would have seen very deep cuts in real terms if we weren’t able to take some of the funds from some of the capital budget parts,” Van Hollen said.

Addressing Moran, Van Hollen added: “There are a number of capital-type accounts within the FSGG purview; as the process proceeds, we look forward to working with you and GSA to see if we can identify funds to put back at least some of these dollars into the TMF account.”

The Technology Modernization Fund received a $1 billion infusion as part of the American Rescue Plan, which was enacted in March 2021. It currently manages at least 45 investments at 27 federal agencies, including five new cybersecurity and customer experience projects that were announced earlier this month.

The bill in its current form will now move forward to be considered by lawmakers on the Senate floor.

Speaking with FedScoop, Sen. Moran’s Deputy Chief of Staff Tom Brandt said the senator tabled an amendment that would have removed the rescission after he and Van Hollen agreed to work together to identify an alternative.

Moran’s amendment would instead have rescinded the $290 million from the unobligated balances of a $2.2 billion appropriation under the Inflation Reduction Act for the GSA to use materials with lower greenhouse gas emissions in its construction projects.

If the senators aren’t able to come to a decision, Brandt said he could see a scenario where an amendment is offered on the Senate floor.

In a statement to FedScoop, GSA Administrator Robin Carnahan said: “At a time when the government needs to invest more to combat cybersecurity threats and improve technology systems to better serve the public, this proposed rescission is a step in the wrong direction.”

Carnahan added: “TMF investments are doing everything from helping millions of veterans get better access to their benefits and records, to helping expedite inspection for billions of pounds of food each year to feed our kids, military, and families. Supporting the TMF is a smart investment – it saves money, enhances security, and improves delivery of services to taxpayers.”

Editor’s note, 7/14/23: This story was updated to include comment from Sen. Moran’s chief of staff and Robin Carnahan.

Senate subcommittee eyeing hearing on federal employee retirement backlog

The Government Operations and Border Management Subcommittee, which sits within the Senate Committee on Homeland Security, is considering a new hearing focused on the retirement application backlog at the Office of Personnel Management, a Senate aide told FedScoop. The hearing hasn’t been scheduled yet, but could happen in the coming months.

The backlog of retirement applications, which are processed through a primarily paper-based system, has been a years-long issue at the agency. While the inventory of applications is now around 16,000 — nearly half of the 36,349 applications that were on hand in March 2022 — Congress still isn’t satisfied with OPM’s progress. According to statistics released by OPM for June, the agency’s average monthly processing time for retirement applications is creeping up, too.

Earlier this week, Sen. James Lankford, R-Okla., sent a letter to OPM Director Kiran Ahuja noting that, despite progress on the backlog overall, processing times for the more difficult cases processed by OPM — cases that take longer than 60 days — have increased. Those more complex retirement applications take an average of 142 days for OPM to process, the inquiry noted.

The more recent statistics give slightly updated numbers, reporting “that cases that were produced in more than 60 days, on average, took 126 days to complete.”

In April, several members of Congress, led by Sen. Dick Durbin, D-Ill., also wrote to OPM expressing “our concern with the excessive delays federal retirees in our states are facing as they wait to obtain their hard-earned retirement benefits.” The letter noted that there had also been delays in responses to congressional inquiries, and it’s not clear if OPM ever provided a response.

FedScoop has reached out to OPM for comment.

FTC investigating OpenAI for possible ‘reputational harm’ caused by ChatGPT

The Federal Trade Commission has reportedly opened an investigation into OpenAI, the maker of the popular AI tool ChatGPT, over claims that the chatbot has harmed consumers through its data collection and through false statements about individuals, according to an FTC demand letter.

The FTC earlier this week sent a 20-page request for records about how OpenAI addresses risks related to its AI models. The agency is investigating whether the company engaged in unfair or deceptive practices that resulted in “reputational harm” to consumers, according to the letter, which was reported by the Washington Post. 

The FTC called on OpenAI to provide detailed accounts of all consumer complaints it had received regarding ChatGPT making “false, misleading, disparaging or harmful” statements about individuals.

Since OpenAI released it, ChatGPT has astounded users, writing short college essays, cover letters, and a weirdly passable Seinfeld scene in which Jerry needs to learn the bubble sort algorithm.

If the FTC finds that a company has violated consumer protection laws, it can fine the company or require it to follow a consent decree dictating how the company handles data. In the past few years, the FTC has emerged as the federal government’s top cop of Big Tech companies like Meta, Amazon and Twitter, levying large fines against the tech giants for alleged violations of consumer protection laws related to their respective platforms.

The investigation comes at a time when demand for ChatGPT is exploding within congressional offices and generative AI pilot programs similar to ChatGPT are popping up in all corners of the federal government and many industries across the private sector.

The State Department, the National Science Foundation, the Justice Department and the Department of Veterans Affairs have all announced generative AI-related pilot projects or research initiatives in the past few months.

OpenAI and the FTC didn’t immediately respond to requests for comment.

NOAA launches new hurricane forecasting model

The National Oceanic and Atmospheric Administration’s National Hurricane Center has launched a new hurricane forecasting model.

The agency’s new Hurricane Analysis and Forecast System (HAFS) went into operation on June 27 and is set to run alongside existing models for the 2023 season before being deployed as NOAA’s main hurricane forecasting model.

NOAA’s updated model more accurately predicts the rapid intensification of storms and has a range of features, including the ability to provide higher-resolution observations. In particular, the new model showed a 10% to 15% improvement in predictions of storm track compared with existing models.

The National Hurricane Center’s forecasting models are crucial for giving U.S. citizens advance warning about storms and are also widely used by the private sector, including the insurance industry, to model economic damage.

Commenting on the new model, NOAA Administrator Rick Spinrad said: “The quick deployment of HAFS marks a milestone in NOAA’s commitment to advancing our hurricane forecasting capabilities, and ensuring continued improvement of services to the American public.”

He added: “Development, testing and evaluations were jointly carried out between scientists at NOAA Research and the National Weather Service, marking a seamless transition from development to operations.”

NOAA will continue upgrading the model over the next few years, with the aim of halving by 2027 the model forecast errors measured in 2017. HAFS is also the first major new forecast model to use NOAA’s updated weather and climate supercomputers, which were installed last summer.

HAFS was jointly created by NOAA’s National Weather Service Environmental Modeling Center, Atlantic Oceanographic & Meteorological Laboratory and NOAA’s Cooperative Institute for Marine & Atmospheric Studies.