Former Obama administration tech policy leader joins White House OSTP

Alexander Macgillivray has been appointed as principal deputy U.S. chief technology officer at the White House Office of Science and Technology Policy.

He rejoins the government after previously serving as deputy federal chief technology officer during the Obama administration. Before working in government, he held private sector roles as deputy general counsel at Google and general counsel at Twitter.

Macgillivray’s appointment comes shortly after that of Denice Ross, who last month was named U.S. chief data scientist at the White House.

In a note on Twitter, Macgillivray said that his first priority was to grow the team of technologists at the OSTP.

OSTP was established by Congress in 1976 and has a wide mandate to advise the president on the effects of science and technology on domestic and international affairs.

In a statement on behalf of department leadership, OSTP said: “We’re incredibly excited that Alex is joining OSTP as Principal Deputy Chief Technology Officer. He will help lead efforts to grow the tech team, including helping to find the next U.S. Chief Technology Officer.”

2 DHS agencies mostly handled ‘major’ privacy incidents effectively

Four agencies within the Department of Homeland Security experienced breaches of personally identifiable information due to privacy incidents between July 2018 and June 2019, according to the Government Accountability Office.

Of the privacy incidents at Customs and Border Protection, the Federal Emergency Management Agency, Immigration and Customs Enforcement, and the Transportation Security Administration, only the first two were deemed “major.”

Incidents placing sensitive information at risk are on the rise governmentwide, but GAO found all four agencies identified and reported theirs in a timely fashion — although CBP failed to report its most recent risk assessment findings or its decision not to notify people affected due to low risk of harm.

“Fully documenting remediation activities helps ensure that all appropriate steps have been taken to lessen potential harm that the loss, compromise or misuse of PII could have on affected individuals,” reads the GAO report released Friday.

GAO recommended CBP fully document its risk assessments and recommendations for notifying people affected in privacy incidents in its incident database.

Of the two other agencies reviewed, DHS Headquarters had a privacy incident but no breach of personally identifiable information (PII), while the Coast Guard reported no incidents.

DHS and its contractors maintain “large amounts” of PII, from dates of birth to Social Security Numbers, and the department has privacy policies in place for contractor-operated systems that its agencies don’t always comply with, according to the report.

Headquarters and the Coast Guard only partially administered annual and targeted, role-based privacy training for employees and contractors, so GAO recommended DHS’s Privacy Office begin providing it for contractors handling PII.

The Coast Guard failed to address gaps in privacy compliance, so GAO recommended it set a timeframe for developing a gap assessment and work with its acquisition office to ensure contractors accept privacy requirements.

Both the Coast Guard and TSA failed to evaluate new instances of PII sharing with third parties, so GAO recommended they fully document the process.

The DHS Privacy Office responded to GAO’s recommendations that it would review privacy training, and it requested that GAO close its recommendations that the Coast Guard create a gap assessment and that both that agency and TSA evaluate new PII sharing with third parties. But GAO found no evidence those recommendations had been addressed.

DHS further agreed to work with CBP to update the department’s Privacy Incident Handling Guidance.

“This proposed language will include clearly delineated roles for the posting of finalized risk assessments and an incident journal input when an accident is categorized as MAJOR/SIGNIFICANT,” reads DHS’s response letter.

Federal CIO, USDS more aligned ‘than ever before’

The Office of the Federal CIO and U.S. Digital Service are working more in lockstep than they have ever before, according to the heads of those organizations.

In an interview on FedScoop’s the Daily Scoop Podcast, Federal CIO Clare Martorana and USDS Administrator Mina Hsiang detailed how the two federal technology units have made it a priority to work together on the administration’s top tech priorities — like cybersecurity, modernization and customer experience — where their predecessors weren’t as closely partnered.

“We represent the White House’s technology team,” said Martorana. “And so it’s important for us to be working together on the most strategic parts of the president’s agenda.”

That wasn’t always the case with past administrations, in which the federal CIO and USDS served similar missions but less frequently partnered on top tech initiatives, despite both being housed in the same agency — the Office of Management and Budget. In fact, it was an early criticism of USDS that it didn’t work closely enough with the Federal CIO, per the Government Accountability Office. 

“I think we’re more aligned on approach and objectives than ever before,” Hsiang said. “And that just makes it much more straightforward to work together.”

She continued: “Clare and I both have sufficient experience in this arena now to sort of see how it evolves. And my time spent in agencies, we’re much more focused on capacity building and supporting agencies to sort of build long-term capabilities than we had been in the past because that is an option now and sort of has worked well in an array of places. So we’re definitely looking to do that a lot more. And obviously, that requires really close partnership with Clare and her team.”

Martorana got her start in government as part of the USDS team, where she worked with Hsiang previously, a natural starting point for the partnership between the two teams.

“The fact that Clare is now the federal CIO is like USDS participating in capacity building,” Hsiang said of USDS’s evolution. “We got Clare in here, she was engaged and trained up. We have a number of other CIOs who come through USDS.”

Martorana and Hsiang in the podcast go on to discuss how they’re partnering to deliver on the president’s management agenda and much more, including the priorities set out in the new customer service executive order. Listen to the episode to hear more about how the Office of the Federal CIO and USDS are partnering on the administration’s top IT objectives.

Senate confirms DelBene as VA chief information officer

The Senate last week confirmed former Microsoft executive Kurt DelBene as chief information officer and assistant secretary for information and technology at the Department of Veterans Affairs.

He was nominated for the role by President Biden last month, after retiring from the private sector in September. Most recently he was executive vice president of corporate strategy, core services and operations at Microsoft.

DelBene was confirmed Dec. 16 by a voice vote.

Earlier in his career, DelBene worked in the Obama administration for a brief time, during which he led improvement work on Healthcare.gov as a senior adviser to the secretary of the Department of Health and Human Services. While working on Healthcare.gov, he helped to troubleshoot issues encountered during the first open enrollment period.

Other previous roles include a spell at McKinsey and Company, where he focused on business strategy for technology companies. Before that, he also worked as a software developer and systems engineer for AT&T Bell Laboratories.

When DelBene left Microsoft to work on Healthcare.gov, Bill Gates in a blog post described him as “a talented and capable executive.”

He is the first permanent CIO of the VA during the Biden administration. Jim Gfrerer vacated the position at the end of the Trump administration after serving in it for two years. Since then, the role has been filled in an acting capacity by Dominic Cussatt and, more recently, Neil Evans.

Legislation to improve federal workforce understanding of AI passes Senate

A bipartisan bill to improve federal employees’ understanding of the threats and opportunities presented by artificial intelligence passed the Senate on Saturday.

The Artificial Intelligence Training for the Acquisition Workforce Act was approved by unanimous consent. Sens. Gary Peters, D-Mich., and Rob Portman, R-Ohio, are the sponsors. It’s unclear when the House might act on the bill.

If enacted, the bill will require the director of the Office of Management and Budget to provide and regularly update an AI training program for federal employees who manage and purchase the technology.

The training also is intended to raise awareness of how the U.S. can remain competitive as other countries such as China forge ahead with the technology.

“In order to use artificial intelligence properly and in a way that ensures our nation can compete with our foreign adversaries – federal workers need to understand the technical and ethical implications of these technologies for the safety, security, and freedoms of Americans,” Peters said.

Portman added: “This important bill will help our government better understand artificial intelligence and ensure we are using it in a manner that is consistent with American values and our democracy.”

The National Security Commission on Artificial Intelligence has raised the need to train the federal workforce on AI, especially those who procure and manage these technologies. Experts remain concerned that if used improperly, the technology could harm U.S. citizens and compromise national security.

Oracle to acquire key VA tech provider Cerner for $28.3B

Oracle announced Monday that it has signed an agreement to acquire Cerner, the key technology provider behind the electronic health record modernization (EHRM) program at the Department of Veterans Affairs.

The cloud provider will acquire Cerner for $28.3 billion in an all-cash deal, news of which was first reported by the Wall Street Journal.

Oracle’s acquisition of Cerner comes as the EHR modernization program at the Department of Veterans Affairs has received scrutiny following major cost overruns and safety concerns.

Following the deal, Cerner will become a dedicated industry business unit within Oracle.

“Oracle and Cerner are committed to continued and enhanced stewardship of health information, which will be bolstered by Oracle’s global operational infrastructure,” the companies said in a joint statement.

The companies added that the transaction will improve the availability of technologies such as cloud, artificial intelligence and machine learning to customers and that the goal is to deliver zero unplanned downtime for Cerner systems running on Oracle’s Gen2 cloud.

Cerner’s Millennium platform makes up the backbone of the VA’s EHR modernization program, which has so far risen in cost to $16 billion — a 60% increase from the $10 billion initially budgeted for the project.

Commenting on the transaction, Cerner president and CEO David Feinberg said: “Joining Oracle as a dedicated Industry Business Unit provides an unprecedented opportunity to accelerate our work modernizing electronic health records (EHR), improving the caregiver experience, and enabling more connected, high-quality and efficient patient care.”

Earlier this month, Reps. Jerry Moran, R-Kan., and Jon Tester, D-Mont., introduced new legislation that is intended to improve transparency around the program.

John Sherman confirmed, sworn in as DOD CIO

The Department of Defense has a permanent IT leader for the first time in nearly a year with the Senate’s approval of John Sherman as CIO.

The Senate confirmed Sherman’s nomination last week and he was sworn in Friday, a DOD spokesperson told FedScoop.

Sherman had served as acting CIO since January until President Biden officially nominated him for the job in September and Kelly Fletcher stepped in to perform the duties of CIO while he awaited his confirmation. Dana Deasy was the last to officially hold the role in a Senate-confirmed capacity before vacating it at the start of the Biden administration.

Sherman has a long career in government and the military. He is an Army veteran who later served in many top IT jobs throughout government, including as the principal deputy CIO in the Pentagon before taking over as acting CIO when the role became vacant. Before joining DOD, he was also the CIO of the intelligence community.

Sherman takes over as CIO at a pivotal time, with senior leaders placing new emphasis on the type of tech his office will oversee, including the DOD’s migration to a version of Office 365 email and collaboration tools dubbed “DOD365,” a wholesale push to zero trust cybersecurity and integrating communications tech related to Joint All Domain Command and Control (JADC2).

Managing the department’s electromagnetic spectrum is likely to be a major priority for Sherman, something Fletcher recently said had taken up a large part of her time while performing the CIO’s duties.

His office will also play a key role in helping to manage the development of the Joint Warfighter Cloud Capability (JWCC) as the DOD looks to adopt an enterprise cloud architecture.

CMMC AB board names Jeff Dalton as chairman

The board overseeing the Cybersecurity Maturity Model Certification Accreditation Body has voted to appoint Jeff Dalton as chairman.

Dalton is a founding member of the AB, having most recently served as the board’s vice chairman. The board also voted in Paul Michaels as the new vice chairman to replace Dalton, and Sheryl Hanchar was confirmed for a second term as board secretary. Dalton replaces outgoing Chairman Karlton Johnson, who decided not to seek a second term.

“I am honored to lead the CMMC-AB Board of Directors,” Dalton said in a statement. “I am profoundly grateful for the contributions of Karlton Johnson, who took on a very challenging situation at a critical time in standing up this nascent effort, using only the services of patriotic volunteers to create something unprecedented. He did a tremendous job keeping the AB mission-focused and leading the Board to where we are today.”

The CMMC AB is one of the most critical components of the DOD’s new method for ensuring that contractors that handle sensitive DOD data are protected against cyberattacks. As part of the program, contractors are required to get a cybersecurity assessment from inspectors accredited by the AB.

Dalton said his priorities are to ensure the CMMC ecosystem understands the new policies put out by the DOD, called “CMMC 2.0,” and that the AB’s CEO has all the resources he needs.

“In addition, we are committed to ensuring that we have the most professional and highly qualified Board possible,” he said. “That will include recruiting additional experienced and capable professionals to join our Board, as well as incorporating formal training and certification programs while we transition the AB to align with requirements defined by the International Organization for Standardization (ISO).”

Dalton has had a long career in software development and served as a technology adviser to several federal agencies.

CMMC 2.0 is a pared-down version of the initial policy, which required all contractors to get an assessment. The result could threaten the AB’s importance by dramatically shrinking the demand for assessors.

Oracle in talks to acquire EHR giant Cerner

Oracle is in talks to buy electronic health record giant Cerner, the Wall Street Journal reported Thursday.

The deal could be worth about $30 billion and would be the largest transaction ever pursued by Oracle, Wall Street Journal reported.

Cerner is the key contractor working on the electronic health record modernization (EHRM) program at the Department of Veterans Affairs, which has attracted concern from lawmakers over escalating costs and patient safety complaints.

Earlier this month, lawmakers in the Senate introduced bipartisan legislation intended to bolster transparency and oversight of the EHRM program. This follows the release in July of three reports by the VA Office of Inspector General that raised concerns about the records modernization process.

At the start of December, the VA announced that it had created two new senior technical management positions to oversee the modernization program: a new deputy CIO for EHR as well as a program executive director for EHR integration.

IRS cyber deficiencies leave taxpayer data at risk, IG report says

The IRS has cybersecurity deficiencies leaving taxpayer data open to misuse, tampering or disclosure due, in part, to the agency’s over-reliance on old systems, according to the Treasury Inspector General for Tax Administration.

An annual assessment of the IRS’s IT program found the agency needed to boost its abilities to detect cyber events through continuous monitoring and keep track of its hardware and software.

The American Rescue Plan (ARP) Act passed in March gave the IRS an additional $1 billion in funding, including provisions to modernize legacy systems. But conservative political groups have opposed further efforts to increase the tax collection agency’s budget, reported The Washington Post.

“The reliance on legacy systems and aged hardware and software, and its use of outdated programming languages, pose significant risks to the IRS’s ability to deliver its mission,” reads the inspector general’s report released Tuesday. “Modernizing the IRS’s computer systems has been a persistent challenge for many years and will likely remain a challenge for the foreseeable future.”

IT weaknesses could limit the IRS’s ability to collect the $4.1 trillion in taxes and process the $1.1 trillion in refunds and outlays it handled in fiscal 2021, as well as fairly enforce tax law, according to TIGTA.

After receiving additional funding, the IRS released an ARP Modernization document in June detailing initiatives for tech innovation and faster rollout of capabilities. The plan would accelerate Phase 2 of the IRS Integrated Modernization Business Plan.

But the agency continues to struggle with maintaining a comprehensive inventory of information systems, TIGTA said, and it hasn’t completed Phase 1 of the federal Continuous Diagnostics and Mitigation program, which involves implementing a scanning tool for identifying unnecessary hardware and software.

TIGTA found most laptops and desktops the IRS provides employees are sanitized prior to disposal, but the process to verify that is ineffective.

The IRS implemented most baseline security controls for its Get My Payment application, but the use of weak cryptographic ciphers could allow an attacker to compromise the system, according to the report. And the agency has the tools needed to detect vulnerabilities in the app but failed to readily remediate 17 critical and 169 high-risk vulnerabilities within the mandated 90 days.

Other IRS successes include the agency creating a roadmap for finding encryption solutions for the systems it’s developing, deploying Release 1 of its Enterprise Case Management solution and defining the role and responsibilities of its chief information officer.

“However, the chief information officer is not notified of all significant information technology acquisitions,” reads the report. “Problems were also reported with the IRS’s information technology acquisitions, asset management, human capital, project management, risk management, implementation of corrective actions, modernizing operations, and the coronavirus disease 2019 response.”