Department of Energy AI chief Pam Isom leaves post

The director of the Department of Energy’s Artificial Intelligence and Technology Office has left her role, FedScoop understands.

A department spokesperson confirmed her departure and said the technology leader’s last day was Sept. 9.

Isom led the recently established Artificial Intelligence Advancement Council, which was set up in April to coordinate funding and development of algorithms and to hold other federal government agencies to account for how those algorithms are used.

DOE’s AI and Technology Office has a mandate to coordinate the responsible and trustworthy use of AI across the department and to expand public, private and international partnerships on policy and innovation. Isom had led the office since August last year, and according to LinkedIn carried out the role on an acting basis.

Prior to this, she was deputy CIO at DOE, and earlier in her career was executive director of application engineering and development at the U.S. Patent and Trademark Office.

Before entering federal service, Isom held several senior private sector roles including as a cloud strategy leader at Dell Technologies and as a technology architect at IBM.

The AI Advancement Council consists of five members and is intended to swiftly put forward task forces, implementation plans and organizational changes for the AI & Technology Office, the DOE’s Executive Secretariat and AI Program Committee to execute.

No further details about Isom’s next destination were immediately available.

White House publishes final President’s Management Agenda learning roadmap

The Office of Management and Budget on Thursday published the final version of a learning roadmap for the Biden administration’s President’s Management Agenda.

According to the document, the Biden administration has selected three broad questions that will make up the agenda: How can the federal government strengthen and empower its workforce to best serve the American people? How can the federal government deliver programs and services that build trust? What can the federal government do to advance equity and support underserved communities?

The President’s Management Agenda lays out the long-term vision for modernizing federal government agencies, which is used by IT leaders and other C-suite executives at federal departments to help set key strategic priorities.

The final questions announced Thursday reinforce prior Biden administration core priorities of improved service delivery and equity.

In December, the White House published an executive order on customer experience, which was intended to reshape digital service delivery. This followed another EO issued last June that mandated U.S. government departments to use all resources at their disposal to increase diversity, equity and inclusion among the federal workforce.

Once OMB sets the over-arching vision for the management agenda, cross-agency priority goals will then be established to provide transformation milestones for department leaders.

The agenda was introduced in 2001 by then-President George W. Bush as a way of monitoring the transformation process at federal agencies and flattening hierarchy within departments.

The latest roadmap from OMB incorporates comments from industry and government stakeholders following publication of the Biden administration’s draft PMA in late 2021.

Why the US government will require software vendors to certify the security of their products

New guidance issued by the White House on Wednesday gives agencies a timeline for beginning to obtain self-attestations from software developers before using their products, rather than relying on third-party assessments.

Self-attestation refers to documentation that developers must provide to demonstrate their compliance with the Secure Software Development Framework. This is a key framework that federal IT leaders and the wider tech industry have been aware of since at least March, when the White House required agencies to start adopting it.

Details included in the latest OMB memo lay to rest concerns expressed by IT and cybersecurity experts canvassed by FedScoop in June, who worried that it could require software developers to obtain third-party verification of their compliance. That would have taken years, since sensors and monitors would have to be set up and enough qualified auditors would have to exist.

Speaking with FedScoop following publication of the memo Wednesday, Dan Lorenc, CEO of software security startup Chainguard, said the White House’s decision to start with self-attestation was “pretty obvious early on.”

“If they’d have done third-party, it would’ve been shocking at this point,” he added. According to Lorenc, it is the first step to “kick-starting a complex ecosystem” in which vendors will soon be required to assess their own vendors in a wave that is likely to “spread pretty rapidly across the industry.”

Lorenc believes a transition to third-party assessments will happen at some point, a view not shared by everyone in industry.

According to Henry Young, director of policy at industry group The Software Alliance, such assessments from a third-party provider may not be necessary.

“What I’m seeing is that it’s likely that a majority of procurements can be undertaken with a vendor’s attestation, rather than the more onerous third-party certification,” he said, emphasizing that software vendors take the assurances they make very seriously because of their direct effect on customers.

The White House memo mandates any self-attestation include the software developer’s name, a description of relevant products and a statement attesting the developer complies with secure development practices.

Despite this, agencies may still require third-party assessments based on risk-based determinations of the product or service’s criticality, according to the guidance. These can be performed either by a Federal Risk and Authorization Management Program (FedRAMP) assessor or by another assessor the agency approves.

The Federal Acquisition Regulatory Council also plans to develop a standard self-attestation form for agencies.

Currently, a machine-readable software bill of materials (SBOM) is generated after software is built, by basic scanning or software composition analysis tools, something agencies can already do themselves. Modern SBOMs will be developer-generated and include more information, giving a fuller picture of the software supply chain, Lorenc said.

Despite lawmakers’ recent efforts to codify SBOMs in the federal procurement process within the House spending bill, software developers want the government to clarify which artifacts — threat models, log entries, source code files and vulnerability scan reports — they’ll contain and how they’re to be shared before proceeding.

Language in that bill would prohibit the purchase of software with known vulnerabilities inside.

“That’s the type of thing that sounds great at first, until you get into the trenches and realize how messy a lot of these vulnerability databases are and how poor the data quality is,” Lorenc added.

SBOMs will only magnify that poor data quality, he said.
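The data-quality problem Lorenc describes is easiest to see in code. The following is an added example, not code from the article, from Chainguard or from any vendor or agency: it matches a small, constructed SBOM (components with package URLs) against a constructed vulnerability feed whose entries name the same products inconsistently, as real feeds often do. All component names, version ranges and `VULN-PLACEHOLDER-*` identifiers are invented for illustration; the `normalize_name`, `in_range` and matching helpers are this example's own, not any tool's API. A naive exact-name comparison finds nothing, while a normalized comparison finds the two genuinely affected components and correctly clears the third by version.

```python
"""Matching an SBOM against a vulnerability feed, and why feed quality matters.

Added example with constructed data; not from the article or any vendor.
"""
import re
from typing import Callable, Dict, List, Tuple

# Components as a developer-generated SBOM might list them (constructed).
SBOM_COMPONENTS: List[Dict[str, str]] = [
    {"name": "widget-core", "version": "2.14.1", "purl": "pkg:maven/org.example/widget-core@2.14.1"},
    {"name": "fetchlib", "version": "2.28.1", "purl": "pkg:pypi/fetchlib@2.28.1"},
    {"name": "TinyTLS", "version": "3.0.5", "purl": "pkg:generic/tinytls@3.0.5"},
]

# A constructed feed. The product names deliberately differ from the SBOM in
# casing, vendor prefixes and spacing, and the range syntax differs per entry.
# The IDs are placeholders, not real advisory identifiers.
VULN_FEED: List[Dict[str, str]] = [
    {"id": "VULN-PLACEHOLDER-1", "product": "Example Widget Core", "affected": ">=2.0,<2.15.0"},
    {"id": "VULN-PLACEHOLDER-2", "product": "tinytls", "affected": "3.0.0-3.0.6"},
    {"id": "VULN-PLACEHOLDER-3", "product": "FetchLib", "affected": "<2.20.0"},
]

# Vendor prefixes a feed may prepend to a product name (assumption for this data).
VENDOR_PREFIXES = ("example ",)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def in_range(version: str, spec: str) -> bool:
    """Evaluate the three range syntaxes the constructed feed uses:
    comma-joined constraints ('>=a,<b'), inclusive 'a-b', or a single operator.
    """
    v = parse_version(version)
    if "," in spec:
        return all(in_range(version, part.strip()) for part in spec.split(","))
    m = re.fullmatch(r"([\d.]+)-([\d.]+)", spec)
    if m:
        return parse_version(m.group(1)) <= v <= parse_version(m.group(2))
    m = re.fullmatch(r"(>=|<=|<|>|==)\s*([\d.]+)", spec)
    if not m:
        raise ValueError(f"unsupported range syntax: {spec!r}")
    op, bound = m.group(1), parse_version(m.group(2))
    return {">=": v >= bound, "<=": v <= bound, "<": v < bound,
            ">": v > bound, "==": v == bound}[op]


def normalize_name(name: str) -> str:
    """Lower-case, drop known vendor prefixes and hyphenate whitespace,
    so 'Example Widget Core' and 'widget-core' compare equal."""
    n = name.strip().lower()
    for prefix in VENDOR_PREFIXES:
        if n.startswith(prefix):
            n = n[len(prefix):]
    return re.sub(r"[\s_]+", "-", n)


def match(sbom: List[Dict[str, str]], feed: List[Dict[str, str]],
          key: Callable[[str], str] = lambda s: s) -> List[Tuple[str, str]]:
    """Return (purl, vuln id) pairs where the product name matches under `key`
    and the component version falls inside the affected range."""
    hits = []
    for comp in sbom:
        for vuln in feed:
            if key(comp["name"]) == key(vuln["product"]) and in_range(comp["version"], vuln["affected"]):
                hits.append((comp["purl"], vuln["id"]))
    return hits


def naive_matches(sbom, feed):
    """Exact-name comparison: silently misses every entry in this feed."""
    return match(sbom, feed)


def normalized_matches(sbom, feed):
    """Name-normalized comparison: finds the affected components."""
    return match(sbom, feed, key=normalize_name)


if __name__ == "__main__":
    print("naive:     ", naive_matches(SBOM_COMPONENTS, VULN_FEED))
    print("normalized:", normalized_matches(SBOM_COMPONENTS, VULN_FEED))
```

The point for a procurement rule that bans software "with known vulnerabilities inside" is the gap between the two results: the same SBOM and the same feed yield zero findings or two findings depending on how carefully names and version ranges are reconciled, and a production pipeline would need CPE or purl-based identifiers on both sides rather than string cleanup like this.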

While Young is happy the White House memo includes many industry best practices concerning secure software development, capabilities and life cycle, he’s disappointed the same practices aren’t required within agencies and through contractors developing software.

The memo also doesn’t address how to streamline self-attestation across the government.

“The guidance does not do anything to harmonize requirements between agencies,” Young said. “So that means that vendors might have to provide the same or similar documentation to different agencies, which doesn’t seem to be the best use of cybersecurity resources.”

Industry groups criticize ‘vague’ software supply chain amendment to House NDAA

Industry groups have written to lawmakers, warning that software supply chain proposals included in the House version of the 2023 National Defense Authorization Act are “vague” and “internally inconsistent.”

In a letter sent to House Armed Services Committee leadership from both parties, the Alliance for Digital Innovation, the Software Alliance, Cybersecurity Coalition and the Information Technology Industry Association criticized an amendment to the defense policy that would codify a software bill of materials in the federal procurement process.

If enacted in its current form, section 6722 of the NDAA would require holders of existing covered contracts and those responding to requests for proposal from the U.S. Department of Homeland Security to provide a bill of materials, certify the items in the BOM are free of vulnerabilities or defects and identify a plan to manage any identified vulnerabilities.

Executive Director of the Alliance for Digital Innovation Ross Nodurft said: “SBOMs can be a useful part of a larger program focused on secure software development. However, the process of producing and consuming SBOMs is not mature enough for it to be codified into law at this time.”

According to the industry groups, in its current form, the amendment does not specify whether the bill of materials is limited to software or relates to all components. Risk management guidelines included in the amendment are also at odds with guidance from the Office of the Director of National Intelligence, the National Security Agency and CISA, the trade groups added.

The missive follows a White House memo published earlier today that will require vendors to self-attest their compliance with NIST software supply chain requirements before providing their services to federal agencies.

The House passed its version of the 2023 NDAA in July. The Senate is still considering its own version of the annual policy bill, after which the two chambers will look to combine them in conference before sending the final NDAA to the president.

General Services Administration hires Dan Lopez as director of Login.gov

The General Services Administration has named Dan Lopez as director of the U.S. government-backed secure sign-in service Login.gov.

An agency spokesperson confirmed his appointment to FedScoop and said the technology leader started work in the new role on Sept. 12.

According to LinkedIn, Lopez was previously director of software engineering for the city of Philadelphia and before that held a variety of private sector engineering leadership roles including at educational technology company Instructure and gatherDocs.

Following his appointment, Lopez will oversee the technology as an increasing number of federal agencies turn to the identity management platform. He takes over the role from outgoing Login.gov director Amos Stone.

In April, the Department of Veterans Affairs received an infusion of $10.5 million from the Technology Modernization Fund to support its transition to Login.gov.

An increasing number of government agencies have adopted the government-operated ID verification tool amid concerns over the use of opaque facial recognition technology by private sector companies.

For example, the Internal Revenue Service in February said it was committed to Login.gov as a user authentication tool after abandoning a requirement that taxpayers provide biometric data to verify their identity through a third-party platform.

In recent weeks, lawmakers have floated legislation that if passed could make it easier for technology like Login.gov to be shared between agencies at the federal, state and local levels.

News of Lopez’s appointment was first reported by Federal Computer Week.

CISA to develop ‘self-attestation’ cybersecurity standards for federal software vendors

The White House tasked the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to play a key role in deploying new cybersecurity guidelines the Biden administration rolled out Wednesday.

CISA will work with the Office of Management and Budget to create a “common form” that U.S. departments will use to show that software vendors have attested the technology they are selling to the government meets National Institute of Standards and Technology security guidelines.

The new self-attestation guidelines put the burden on federal contractors to take additional steps to show their wares comply with supply chain security standards. CISA will have 120 days to create a form suitable for use by multiple agencies.

According to a White House memo, federal government departments will have 120 days to communicate to vendors the need to adhere to NIST standards, and to collect the relevant letters of attestation.

In addition, within a year CISA must establish plans for a governmentwide repository for software attestations and artifacts. Under the new guidance, CISA will also within 24 months evaluate requirements for the creation of a full federal interagency software artifact repository, and will publish updated guidance on software bill of materials for federal agencies if needed.

Software artifacts are the byproduct of software development and can help to describe the architecture, design and function of software. They can be used to provide an in-depth roadmap of the development process that can help establish the provenance of software.

The memo issued Wednesday morning and first reported by the Washington Post represents the latest policy initiative from the White House as the executive branch works to rapidly improve cybersecurity standards across federal agencies.

FedScoop previously reported details of the forthcoming guidance, which has raised concern among technology industry leaders.

White House cyber memo compels vendors to attest software meets security standards

Federal agencies will have to obtain self-attestation from software providers before deploying their software on government systems, according to a new memo issued Wednesday by the White House.

Under the guidance, federal departments must ensure that all third-party IT software deployed adheres to National Institute of Standards and Technology supply chain security requirements and get proof of conformance from vendors.

The memo represents the latest policy initiative from the White House as the executive branch works to rapidly improve cybersecurity standards across federal agencies. FedScoop previously reported details of the forthcoming guidance, which has raised concern among technology industry leaders.

The Biden administration has introduced an array of new measures to ensure agencies modernize their cyber defenses and implement zero-trust architectures since the publication of its cybersecurity executive order in May 2021.

This June, industry executives canvassed by FedScoop expressed a strong preference that the White House pursue a self-attestation requirement rather than a third-party verification process along the lines of the Pentagon’s troubled Cybersecurity Maturity Model Certification.

According to the new memo from the Office of Management and Budget, federal agencies within 90 days will have to inventory all software and create a separate inventory for critical software.

Within 120 days of the memo, agencies must also develop a consistent process for communicating relevant requirements and collect letters of attestation from software providers.

OMB will enforce the new guidance and manage extension requests for the implementation timeframe. It will also work with the Cybersecurity and Infrastructure Security Agency and the General Services Administration to establish requirements for a central repository for software attestations and artifacts.

A copy of the new memo was first obtained by The Washington Post.

NIST and Google sign agreement to produce open-source chips

The National Institute of Standards and Technology has signed an R&D agreement with Google to design and produce new open-source chips.

According to the agency, the deal is intended to boost public and private innovation by establishing a legal framework that eliminates license fees for the technology.

Under the agreement, NIST will create up to 40 different circuit designs for chips optimized for different applications in partnership with universities including the University of Michigan, the University of Maryland, George Washington University, Brown University and Carnegie Mellon University.

Securing the chip production supply chain and ensuring researchers have access to the technology needed for path-breaking research remains a core priority for the Biden administration. Last month President Biden signed an executive order to implement the funding for semiconductor technology included in the bipartisan CHIPS and Science Act of 2022.

The new chips will be paid for by Google and will be manufactured by SkyWater Technology in Bloomington, Minnesota.

The R&D agreement is intended to support innovation by university and startup researchers, for whom the cost of developing such chips can often be prohibitive. NIST’s circuit designs will be open source, meaning that academic and small business researchers can use the chips without restriction or licensing fees.

Commenting on the new agreement, Under Secretary of Commerce for Standards and Technology and NIST Director Laurie Locascio said: “By creating a new and affordable domestic supply of chips for research and development, this collaboration aims to unleash the innovative potential of researchers and startups across the nation.” She added: “This is a great example of how government, industry and academic researchers can work together to enhance U.S. leadership in this critically important industry.”

According to DOC, the new chip designs will provide bottom-layer chips with specialized structures for measuring and testing the performance of components placed on top of them. These include new kinds of memory devices, nano-sensors, bioelectronics and advanced devices needed for artificial intelligence and quantum computing.

Google Public Sector CEO Will Grannis said: “Moving to an open-source framework fosters reproducibility, which helps researchers from public and private institutions iterate on each other’s work. It also democratizes innovation in nanotechnology and semiconductor research.”

The new chips will be produced as 200-millimeter discs of patterned silicon, which universities and other purchasers can then dice into thousands of individual chips at their own processing facilities.

Universities that will work with NIST on the chip designs include the University of Michigan, the University of Maryland, George Washington University, Brown University and Carnegie Mellon University.

The latest agreement comes after SkyWater Technology earlier this year received a $15 million infusion from the Department of Defense to develop an open-source design for a 90 nanometer fully depleted silicon on insulator technology.

VA plans to award sole-source training contract to support Oracle Cerner EHR migration

The Department of Veterans Affairs has issued a notice of intent to sole source a technology training contract for the agency’s Office of Information Technology to support the transition to a modernized electronic health record.

In an update published on SAM.gov, the VA said it seeks to purchase Amazon Web Services, Red Hat and ENCOR training for staff from technology skills education company Global Knowledge Training.

According to the VA, the training will help OIT employees be better equipped for migration to the Veterans Health Administration’s modernized electronic health record system, which is operated by Oracle Cerner.

Under the contract, Global Knowledge will provide training to VA Office of Information Technology staff in three key areas: ENCOR (Implementing and Operating Cisco Enterprise Network Core Technologies), architecting on Amazon Web Services and Red Hat system administration.

Under subpart 5.2 of the Federal Acquisition Regulation, when pursuing a sole-source procurement, agencies are required to issue a statement so that all responsible sources may submit a capability statement, proposal or quotation.

The purchase order is expected to be in the amount of $54,000 over a base period of about two months.

VA’s implementation of the Oracle Cerner EHR system has been plagued with issues since its initial rollout in the fall of 2020. An investigation by FedScoop last month found that the system has recorded almost 500 major incidents and at least 45 days of downtime since it first went live.

Senators petition ICE to curtail ‘Orwellian’ use of facial recognition, surveillance technology

Democratic Senators on Tuesday called on Immigration and Customs Enforcement to stop using facial recognition and surveillance technology and to end the purchase of private information from data brokers.

In a letter sent to agency Acting Director Tae Johnson, Sens. Edward Markey, D-Mass., and Ron Wyden, D-Ore., cited a Georgetown Law Center on Privacy & Technology investigation into the use of data for immigration enforcement. The study found that ICE in the past decade has gained access to driver’s license and home address information for three-quarters of American citizens.

The missive is the latest instance of Congress seeking to rein in the purchase of Americans’ personal data by law enforcement and intelligence agencies. Last month, House leaders sent a letter to U.S. law enforcement agencies probing their purchases of private data sets to circumvent warrant requirements.

“According to a recent report, ICE has used facial recognition and other technologies, and purchased information from data brokers, to construct a ‘dragnet surveillance system’ that helps ICE carry out deportation proceedings,” the Senators wrote in the letter.

“Much of this effort, which has enabled ICE to obtain detailed information about the vast majority of people living in the United States, has been shrouded in secrecy,” the Senators added.

The Georgetown investigation was conducted by submitting hundreds of Freedom of Information Act requests and by carrying out a comprehensive review of ICE’s contracting and procurement records.

The lawmakers’ missive comes after documents obtained by the American Civil Liberties Union earlier this year revealed that a partnership with one data broker provided ICE with access to location data from about 250 million mobile devices. In total, the partnership gave the agency access to more than 15 billion location points per day.

Those ACLU documents, released in July, showed how millions of taxpayer dollars were spent by the Department of Homeland Security and ICE to buy access to cell phone location information being aggregated and sold by two controversial and opaque government-contracted data brokers, Venntel and Babel Street.

“This surveillance network has exploited privacy-protection gaps and has enormous civil rights implications,” the Senators wrote in their letter to Johnson. “ICE should immediately shut down its Orwellian data-gathering efforts that indiscriminately collect far too much data on far too many individuals.”

‘The Fourth Amendment Is Not For Sale Act,’ introduced by Sen. Ron Wyden, D-Ore., and Sen. Rand Paul, R-Ky., in April 2021, sought to force the police and certain federal agencies to obtain a court order before purchasing people’s personal information through third-party data brokers.