CISA considering the future state of EINSTEIN as agencies modernize
The Cybersecurity and Infrastructure Security Agency wants feedback from industry on the future of its EINSTEIN federal cybersecurity program.
CISA is looking to modernize parts of EINSTEIN — the program also known as the National Cybersecurity Protection System, which provides a frontline capability to monitor network traffic in and out of federal civilian branch agencies and situational awareness of malicious activity across the federal government — as “evolutions of technologies and threat landscapes have highlighted limitations in the EINSTEIN capabilities and the benefits it provides,” the agency said in a request for information published this week.
This means replacing sensors on agency networks that have been in place, in some cases, for a decade or longer. Specifically, CISA is considering changes to EINSTEIN 1 and EINSTEIN 2, which monitor traffic routed in and out of physical networks and systems.
“The visibility provided by existing EINSTEIN sensors remains a crucial enabler of CISA’s mission to protect [federal civilian executive branch] agencies,” reads the RFI, posted by the General Services Administration on behalf of CISA. “It is one component that CISA uses to gain operational visibility, protect FCEB agencies, and respond to threats. With the limitations of EINSTEIN capabilities, CISA stands to lose that needed visibility. Consequently, a new solution may be necessary to compensate for this loss of visibility to protect FCEB agencies adequately.”
Federal agencies’ enterprise IT architectures have been modernized and have evolved, largely by migrating to the cloud, since EINSTEIN was first introduced in 2003 and subsequently added to. This means CISA and agencies will need to also “consider other broader strategies beyond replacing the existing footprint of EINSTEIN capabilities (e.g., optimal placements in federal agencies, new technologies/techniques to maximize visibility, etc.).”
“For future CISA needs, the augmentation or replacement of this visibility must be considered within the current networking environment and how it may be combined and used with other data sources acquired by CISA analysts,” the RFI reads.
Industry responses are due by July 14.
The contract motion comes after CISA, in the fiscal 2024 president’s budget proposal, requested $425 million to restructure parts of EINSTEIN into a new Cyber Analytics and Data System. That system is meant to provide “tools and capabilities to facilitate the ingestion and integration of data as well as orchestrate and automate the analysis of data that supports the rapid identification, detection, mitigation, and prevention of malicious cyber activity.”
The 2024 budget request also called for $67 million for EINSTEIN and another $408 million for the agency’s Continuous Diagnostics and Mitigation (CDM) program, which provides agencies with a “window into the security posture of agency computers, servers, and other Internet-connected devices.”
CISA recently released a separate RFI for deploying new CDM capabilities across the federal government.
NIH needs strategy to address data science workforce shortage, watchdog says
The National Institutes of Health hasn’t made much headway on efforts to remedy its shortage of data science experts and needs to make a plan for doing so, a federal government watchdog said Thursday.
The agency, which is the medical research arm housed within the Department of Health and Human Services, hasn’t “fully implemented” practices for workforce planning that are established in federal guidance, such as identifying staffing gaps, the Government Accountability Office found.
A dearth of data science experts means the agency risks not having the workforce needed “to administer tens of billions of dollars in annual research grants,” the GAO said. Increased data collection and research advances will only add to the importance of data in the biomedical field, the report said.
The watchdog agency made eleven recommendations that were mostly aimed at NIH building a strategy to address the issue and monitor its progress. In a response to the report provided to the GAO, the agency said it agreed with nine of the recommendations and already implemented two others related to data management.
While NIH set a goal to enhance its data science workforce in a June 2018 Strategic Plan for Data Science, GAO said the agency’s work wasn’t linked to filling the gaps in its workforce because it hadn’t identified those gaps in the first place.
Efforts the agency made included launching a Data Fellows program and creating a “Data Science at NIH” webpage with related training resources and information, the GAO said.
SAIC wins $1.3B Treasury cloud contract
The Department of Treasury awarded Science Applications International Corp. a $1.3 billion cloud modernization contract, the company announced Thursday.
Under the single-award contract, called T-Cloud, SAIC will support Treasury’s adoption of a multi-cloud environment as a cloud broker, centralizing management of services from major cloud providers like Amazon, Google, IBM, Microsoft and Oracle, with the opportunity to onboard others.
“T-Cloud will enable the Treasury Department to rapidly and securely adopt a modern, flexible and cost-effective approach to utilizing and consuming data in the cloud,” said Bob Genter, SAIC’s president of defense and civilian sector. “SAIC is honored to be the Treasury Department’s cloud services digital transformation partner.”
SAIC will also provide services for business operations, technical, security, network, service desk, subject matter expert support, and transition services, according to a news release.
Treasury has been planning out T-Cloud since as far back as 2019, when it introduced a cloud roadmap developed by its Office of the Chief Information Officer in collaboration with the IRS, procurement offices and other stakeholders.
“At present, Treasury bureaus are individually moving forward with cloud solutions, and have implemented a number of cloud solutions to address unique mission priorities requiring agile and elastic approaches, often through duplicative contract actions,” that roadmap explained. “This scattered approach, while offering varying degrees of agility for individual customers, ignores opportunities for cost reduction through service deduplication and consolidated procurement actions.”
The contract has a seven-year period of performance.
Treasury isn’t the only large department to award a major cloud contract recently. The Department of the Interior last week awarded Peraton a $1 billion cloud contract. And, the Department of Agriculture is plotting a similar departmentwide contract for cloud adoption.
NIST launches public working group aimed at generative AI
The National Institute of Standards and Technology will create a new public working group focused on generative AI tools like ChatGPT, Commerce Secretary Gina Raimondo announced on Thursday.
The hope is that the new group, which is expected to include leaders from the private and public sectors, will play a part in cultivating the technology — while also clamping down on its challenges.
The new working group will focus on several objectives related to generative AI, including developing new ways to evaluate and measure the technology’s effectiveness. The group will also help create guidance for using NIST’s AI risk management framework, which was crafted to inform the development of the technology.
Eventually, the group is expected to analyze how generative AI tools could help address some of the biggest challenges facing the country today, including climate change, according to a press release issued by NIST on Thursday.
“This new group is especially timely considering the unprecedented speed, scale and potential impact of generative AI and its potential to revolutionize many industries and society more broadly,” Laurie E. Locascio, NIST director and Commerce undersecretary for standards and technology, said in a statement. “We want to identify and develop tools to better understand and manage those risks, and we hope to attract broad participation in this new group.”
The creation of the group represents the latest in the Biden administration’s AI agenda, which seeks to balance the opportunities and challenges created by the technology. The president met with AI experts earlier this week, and Senate Majority Leader Chuck Schumer announced his plan to regulate — and develop — AI on Wednesday.
The National Artificial Intelligence Advisory Committee, which was created by NIST last year, released its first report on Thursday, as well.
Technology Modernization Fund faces uphill battle after House committee zeroes out 2024 funding
The federal government’s Technology Modernization Fund is facing a familiar uphill battle in the appropriations process after the House’s draft funding bill suggested giving the program no money for fiscal 2024.
The House Appropriations Committee on Wednesday said in a summary of the Financial Services and General Government appropriations bill that it wants to eliminate funding for the TMF in fiscal 2024 as part of its efforts to “cut wasteful spending” across the federal government.
The Subcommittee on Financial Services and General Government conducted its markup of the bill Thursday morning. The bill also seeks to ensure “agencies return to pre-COVID telework policies and levels.”
The Biden administration requested $200 million for the TMF in its 2024 budget request earlier this year, compared to the $300 it requested for fiscal 2023 — which resulted in just $50 million of additional funding, despite the urging of some top lawmakers to fund the program at the requested levels.
It’s been common since the creation of the TMF for fiscally conservative lawmakers to try to zero it out.
Speaking with FedScoop earlier this year on the fifth anniversary of the TMF, Federal CIO Clare Martorana said the fund has proven itself as an alternative model to drive modernization that delivers near-term impact in the federal government outside of the otherwise snaillike two-year budget cycle.
“There’s some data out in the marketplace done by large consulting companies that talk about the failure rate of IT projects. And it’s pretty significant — projects over $6 million with a significant failure rate. And that’s not acceptable to us. And as technologists, we know how to do this differently. And the way that you do it differently is the way that we’ve designed TMF,” Martorana explained during an interview on the Daily Scoop podcast.
Despite the potential absence of funding for fiscal 2024, the General Services Administration-managed TMF still has money to spend from the $1 billion injection it received as part of the American Rescue Plan in 2021.
So far, the fund has invested more than $700 million across 38 IT modernization projects at 22 federal agencies since it was launched five years ago. It has more than $786 million remaining to spend, according to federal spending data.
GSA extends Alliant 2 contract by five years
The General Services Administration has decided to exercise an option to extend its Alliant 2 governmentwide technology contract by five years, the agency announced Thursday.
Though GSA has been in the process of conducting market research for a forthcoming Alliant 3 contract, the agency wants to give federal agencies an additional five years to contract for wide-ranging IT solutions available on the existing Alliant 2 contract, such as cloud, cybersecurity, and artificial intelligence services.
This brings the total length of the contract to 10 years.
“GSA remains committed to driving efficiency, cost savings, and innovation through our acquisition solutions,” GSA Federal Acquisition Service Commissioner Sonny Hashmi said in a statement. “Exercising the Alliant 2 option provides agencies with a flexible, streamlined, and agile procurement vehicle that keeps pace with rapidly evolving technology trends and has a proven track record of delivering results.”
The extension comes after GSA last August decided also to raise the ceiling on the contract to $75 billion, up from the previous $50 billion, citing huge demand that “surpassed our expectations at every turn,” per Hashmi.
GSA has touted the success of Alliant 2 in giving small businesses more opportunities to subcontract with other providers to deliver IT services to federal agencies.
Exodie C. Roe III, GSA’s associate administrator for the Office of Small and Disadvantaged Business Utilization, said the extension “demonstrates GSA’s dedication to promoting small business participation and economic growth, creating a win-win scenario for both federal agencies and small business owners alike.”
GSA says on its website that the request for proposals under the eventual Alliant 3 contract will come no sooner than the first quarter of fiscal 2024 to allow the market research process to move forward. The agency issued a draft solicitation for the contract last fall.
While the extension of Alliant 2 technically gives GSA more time to hash out Alliant 3, Laura Stanton, assistant commissioner of IT Category at GSA, said last year that “we’re looking at moving forward on Alliant 3 much, much faster and earlier than we ever anticipated” because of the success of its predecessor.
FAA aircraft privacy program transition is running years behind
The Federal Aviation Administration’s plans to transition to a third-party system designed to limit the public’s ability to track certain aircraft appear to be running years behind.
Back in 2019, the aviation agency announced a new program called the Privacy International Civil Aviation Organization aircraft address, or PIA, program. The system is designed so that some aircraft can fly under a temporary vehicle address that isn’t directly assigned to the owner registered in the Civil Aircraft Registry — theoretically, anonymizing the vehicle — while also remaining trackable by the FAA, according to the agency.
“Real-time tracking of the geographic location of a specific aircraft is possible, generating privacy concerns for the aircraft operator community,” explains the FAA on its website. The agency adds that PIA is “limiting the extent to which the aircraft can be quickly and easily identified by non-U.S. government entities, while ensuring there is no adverse effect on [air traffic control] services.”
Notably, this is the same program that SpaceX tried to use to prevent the tracking of CEO Elon Musk’s private jet. Vice reported earlier this year that employees at the company did not use the system properly, which eventually enabled the viral (and subsequently banned) Twitter account @ElonJet, which tracked the whereabouts of the billionaire’s aircraft.
The PIA program has received support from organizations that represent the users and manufacturers of private jets. Others, though, see the ability to track these vehicles as a source of transparency and accountability for some of the world’s wealthiest people.
Nevertheless, the PIA program was originally anticipated to be transferred to a third-party provider or providers by the middle of 2020, according to several reports from aviation publications at the time. Jens Henning, the vice president of operations at the General Aviation Manufacturers Association, an aviation trade organization, also said that the FAA had originally indicated the transition would take place in 2020.
As of now, that transition hasn’t happened. The FAA would not comment on the frequency of user issues with the program in “the interest of privacy.” The agency did not provide a comment on why the transition is running behind by the time of publication.
“The PIA program is currently in Phase 1, with the FAA operating, monitoring and maintaining the service,” an FAA spokesperson told FedScoop. “We are working to transition the service to Phase 2, where a third-party service provider or providers would operate, monitor and maintain it.”
The FAA added: “The Privacy International Civil Aviation Organization (PIA/ICAO) Address (PIA) program will continue without any interruption to users while the FAA investigates the feasibility of transitioning it to a third party. The FAA will base its decision on demand, final requirements and FAA needs.”
Henning, from GAMA, said that the PIA program is one of two systems focused on addressing the privacy of these aircraft. The other is the Limited Aircraft Data Displayed program, a system established back before the PIA program that filters out some information about aircraft before it’s shared with third parties that work with the FAA.
“[T]he aircraft identification is transmitted through ADS-B enabled Mode S transponders to any ground-based receiver — government operated and private networks. This basic aircraft transponder functionality logic was developed in the 1970s and is still core to how an aircraft is identified with a unique address,” said Henning. “The ground receivers are internet-connected, which means an aircraft can be tracked online, which raises security concerns for many aircraft owners as a result of their real-time location being known.”
If and when the FAA transitions the service, there are companies that already provide third-party call signs, and which could serve as providers of the PIA service, according to Henning. Still, this approach may not necessarily be a perfect solution for people looking to completely hide their jets, according to researchers who’ve found that — with enough effort — these vehicles can still be tracked.
Sen. Schumer introduces AI policy framework, calls for ‘comprehensive legislation’
Senate Majority Leader Chuck Schumer on Wednesday introduced a plan to develop comprehensive legislation in Congress to regulate and advance the development of artificial intelligence in the U.S.
New York Democrat Schumer’s plan, called the “Safe Innovation Framework for AI Policy,” outlines ways to “protect, expand, and harness AI’s potential” as Congress pursues legislation, his office said.
In a keynote speech at the Center for Strategic and International Studies in Washington, Schumer said there is “no choice but to acknowledge that AI’s changes are coming,” and pointed out the need for a strategy to support innovation.
He also highlighted the role of the federal government in AI regulation.
“How much federal intervention on the tax side and on the spending side must there be? Is federal intervention to encourage innovation necessary at all? Or should we just let the private sector develop on its own?” Schumer questioned during his remarks.
At the same time, a bipartisan group of lawmakers led by Reps. Ted Lieu, D-Calif. and Ken Buck, R-Colo., introduced legislation Tuesday that would create a blue-ribbon commission on artificial intelligence to develop a comprehensive framework for the regulation of the emerging technology.
The bicameral National AI Commission Act would create a 20-member commission to explore AI regulation, including how regulation responsibility is distributed across agencies, the capacity of agencies to address challenges relating to regulation, and alignment among agencies in their enforcement actions.
“We must come up with a plan that encourages — not stifles — innovation in this new world of AI, and that means asking some important questions,” Schumer said Wednesday. “We are going to work very hard to come up with comprehensive legislation. Because this is so important, we are going to do everything we can to succeed.”
In April, Schumer met with the CEOs of AI giants like OpenAI, Microsoft, and Google to discuss the development and regulation of the technology.
President Joe Biden and his administration have also expressed commitment to safeguarding Americans’ rights and safety with a focus on protecting user privacy and addressing bias and misinformation in AI. Biden earlier this week met with tech leaders and academics in the AI space in Silicon Valley.
Justice Department developing privacy policy for AI
The Department of Justice is in the process of developing a draft policy concerning privacy and the use of artificial intelligence, a top department IT official said Tuesday.
Brian Merrick, deputy director of solutions delivery staff for Justice, said during a webinar event the department’s Office of the Chief Information Officer is working through a draft policy involving privacy and the department’s application of AI technologies and “the considerations around using it.”
Privacy — as well as things like diversity, equity and inclusion — is “an active ongoing conversation that we make sure we circulate into any of the new emerging tech efforts so we’ve got the right controls in place, we’ve got the right equity holders involved and engaged fully, so that we make sure that we’re meeting all those requirements going forward, because obviously, being Department of Justice, we are highly focused on making sure that we follow those requirements,” Merrick said during the Federal News Network event.
While he couldn’t comment on when or if the draft policy might be made public, Merrick did say the AI privacy policy would be focused “in general [on] governing how we use the technology. But there will be certainly some intersections, I think, with the public interest, and when appropriate, we’ll make sure that the public interest is satisfied and all of our notification requirements.”
Interest in AI has exploded in recent months with the widespread introduction of new capabilities like generative AI, and many federal agencies have begun exploring how they can take advantage of the emerging technology.
FedScoop recently spoke with Melinda Rogers, DOJ chief information officer, in an exclusive interview, during which she shared the department’s plans to use generative AI to improve customer experience for its IT service desk program.
In December 2020, the department issued an artificial intelligence strategy focused on “cultivating an AI-ready workforce, aligning activities with the DOJ Data Strategy, building a governance structure, and supporting Department-wide AI adoption—with implementation designed to adapt to the evolving technology landscape.”
Merrick said the DOJ has “several AI efforts that are in play right now” including in the law enforcement community and for the legal community, particularly around “enhanced search options … [and] managing documents.”
“It’s a huge requirement for us as we’re one of the largest law firms, I guess, you would say,” he said.
Internally, Justice’s IT division is also using AI tools “with our own datasets that we manage to be able to glean those insights and help us expedite some of our processing,” Merrick said.
On the generative AI front, Merrick said “everyone is grappling with a completely different animal.”
“And so that’s gonna require a much more concerted effort as we really review policy with the rest of the world, frankly, and make sure that we’ve got our policy aligned with use cases and fully understand how that technology works,” he said. “So we’re still a bit off on that. But we’re starting to explore the possibilities and see what that looks like in the future.”
Federal courts exploring breach and attack simulation for cyber threats
The federal court system is looking for more information about products used to test security against breaches and attacks amid increasing cyber threats.
The Administrative Office of the U.S. Courts (AO), the arm of the federal courts that deals with non-judicial business, wants information about a product that regularly simulates threats to test cybersecurity, known as a “Breach and Attack Simulation,” according to a request for information posted online.
The AO is looking for a product that “will enable continuous and consistent testing of multiple attack vectors against the Courts’ assets, including external and insider threats, lateral movement, and data exfiltration,” the solicitation said.
The courts’ Information Technology Security Office would use a Breach and Attack Simulation product to “identify the levels of risk that may not be readily apparent,” the solicitation said.
The judiciary, like other federal entities, has been the subject of cyberattacks in recent years, and those attempts are expected to become more acute.
In its fiscal year 2024 budget request, the judiciary disclosed its cyber-defenses halted “approximately 600 million harmful events from reaching court local area networks in 2022.” It previously reported those defenses stopped 43 million “harmful events” in 2020.
The judiciary, in the most recent budget request, said it expected cyberattacks to “continue to intensify as hackers become increasingly proficient.”
The Administrative Office didn’t immediately have more details on the solicitation.