White House proposes binding AI regulatory principles for agencies

The White House proposed the first binding set of principles Tuesday for regulatory consistency among agencies trying to govern the development of artificial intelligence in the private sector.

Senior administration officials detailed the new principles Monday to reporters ahead of their release. They explained that their hope is to set a consistent global standard for how AI is developed that every country in the world can adopt.

“I think what we’re trying to do is establish a consistency across all of our federal agencies, who seem to be more and more often coming across situations where they’re dealing with AI-powered technologies,” an administration official said on a press call. “For example, we’re the first administration in history to have an AI-powered medical diagnostic approved by the [Food and Drug Administration] and a very novel and unique approach to that process in order to get that device out the door and in the hands of Americans.”

Section 6 of the February 2019 executive order on maintaining U.S. leadership in AI called for creating regulatory principles that ensure public engagement, limit agency overreach and promote trustworthy technology.

All agency AI regulations will need approval from the White House Office of Information and Regulatory Affairs once the principles are finalized.

Some states and localities have banned AI-enabled tech, and the Office of Management and Budget hopes to avoid that kind of “overregulation” with its 10 principles, according to administration officials.

“When states or localities make decisions like banning facial recognition across the board, you end up in tricky situations where civil servants may be breaking the law when they try and unlock their government-issued phone,” an administration official said. “So we want to avoid situations where we’re outright banning new technologies and rather creating a robust regulatory framework which allows for these technologies to thrive in our country.”

There are 10 principles in total:

Public trust in AI – Agencies should use regulatory and nonregulatory means to promote industry’s development of reliable tech.

Public participation – Agencies should allow for input at all stages of the AI rulemaking process, especially when the tech requires information from individuals.

Scientific integrity and information quality – Agencies should allow technical evidence to inform AI policy decisions.

Risk assessment and management – Agencies should use a risk-based approach to determine when AI’s harm and costs are unacceptable.

Benefits and costs – Agencies should consider regulation’s distributional effects on AI.

Flexibility – Agencies should pursue performance-based regulations that can adapt to rapid changes in AI tech.

Fairness and nondiscrimination – Agencies should consider whether AI applications’ outcomes and decisions will increase or reduce unlawful discrimination.

Disclosure and transparency – Agencies should decide when to acknowledge that AI is in use to the public to increase its trust and confidence in the tech.

Safety and security – Agencies should implement controls ensuring the confidentiality, integrity and availability of information processed, stored and transmitted by AI systems.

Interagency coordination – Agencies should work with each other to share AI experiences and ensure consistent policy.

While OMB guidance doesn’t apply to independent agencies like the Federal Communications Commission, they traditionally follow such principles.

Federal agencies’ use of AI falls outside the purview of the memo, which is open for public comment for 60 days — after which a final version will be issued.

The White House identified AI as a research and development priority for the third consecutive year in fiscal 2021.

Aside from the new regulatory principles, the American AI Initiative launched by the 2019 executive order also includes non-regulatory approaches to promoting the tech like pilots and release of agency datasets, said Lynne Parker, U.S. deputy chief technology officer. Meanwhile, the National Institute of Standards and Technology continues to develop technical standards for AI performance.

“The Trump administration has made advancing artificial intelligence a top priority; we view U.S. leadership in AI as critical to the future of American prosperity and security,” said Michael Kratsios, U.S. CTO. “From our national strategy, the American AI Initiative, to historic AI research and development investments, this administration has taken significant action to maintain and strengthen the U.S. position of leadership.”

U.S. attorneys look to close Oracle’s case against JEDI

Attorneys representing the Department of Defense are hoping to put Oracle’s protest of the $10 billion Joint Enterprise Defense Infrastructure cloud acquisition to bed — especially now that an award to Microsoft has rendered several parts of the litigation “moot.”

Department of Justice attorneys, on behalf of the Pentagon, recently issued their response to Oracle’s JEDI complaint in federal appeals court, once again looking to cut down the company’s claims of prejudice by hammering home that it did not meet basic security requirements — or gate criteria — to qualify for the acquisition.

“It is undisputed that Oracle could not meet two of the JEDI solicitation’s Gate Criteria, Sub-factors 1.1 and 1.2, and DoD determined that satisfying these criteria was necessary to meet its minimum requirements,” lawyers wrote of Oracle’s previous failed protest in the U.S. Court of Federal Claims. “The trial court correctly rejected Oracle’s arguments that Sub-factor 1.2 was irrational and illegal and, thus, correctly determined that Oracle was not prejudiced by any of its other alleged errors.”

In November, Oracle took its case to the U.S. Court of Appeals for the Federal Circuit claiming that the federal claims court made “fatal legal and factual errors” in its denial.

Taken wholesale, the arguments from the U.S. attorneys are mostly a recycling of their claims from and in support of the decisions in the earlier stages of Oracle’s protest of the acquisition, which has now far exceeded a year in various venues.

On top of that, now that Microsoft has been named the winner of JEDI, DOD’s attorneys say that invalidates Oracle’s secondary allegations of conflict of interest between former Pentagon officials and the company’s cloud rival Amazon Web Services. Despite their belief that there was no conflict of interest, attorneys called it a “moot” argument “now that Microsoft, not AWS, has been awarded the JEDI contract.”

“Oracle requested that AWS be eliminated from the JEDI competition … and DoD has effectively granted this relief, albeit for different reasons, by the award to Microsoft,” the attorneys wrote.

No ‘speculative contingencies’

AWS, having lost to Microsoft, is waging its own protest of the contract, claiming political influence caused DOD to commit “egregious errors” in its evaluation of bids. But according to U.S. attorneys, the AWS case has no effect on Oracle’s protest.

“AWS’s protest of the award to Microsoft does not keep these issues live,” they say. “The Government intends to defend its award to Microsoft. Accordingly, the possibility of AWS’s protest resulting in the procurement being re-opened is speculative at best, and ‘speculative contingencies’ do not keep a case live absent evidence that they are of ‘immediacy and reality.’”

Finally, the attorneys also look to amend the record for one part of Oracle’s case that the lower court agreed with, though not enough to rule in favor of the company. The Court of Federal Claims, despite denying Oracle’s protest, found DOD’s JEDI acquisition “flawed” in its justification for a single-award acquisition.

The court “misinterpreted that exception,” the attorneys wrote. And even if the higher court were to find JEDI’s single-award justification at odds with federal acquisitions law in this case, it wouldn’t change Oracle’s shot at an award, they said, because whether it’s one award or multiple, it doesn’t change the fact that Oracle failed to meet DOD’s basic security needs.

“The requirement to have FedRAMP Moderate authorization in October 2018, which the trial court correctly determined to be enforceable, prevented Oracle from being eligible to compete, not the decision to award a single JEDI contract,” the argument says.

Meanwhile, AWS’s protest in the Court of Federal Claims is still early on. DOD and Microsoft have agreed to hold off on work under JEDI, with the exception of “initial preparatory activities,” to let the federal claims court settle AWS’s dispute until Feb. 11. Therefore, the court and parties involved will likely work to move quickly through the protest to prevent any further stay in work under the contract.

And DOD and Microsoft have indeed begun “preparatory” work. They kicked off discussions about work under the contract Dec. 11-13. CEO Satya Nadella and members of the Microsoft Azure and public sector teams met with DOD CIO Dana Deasy and other senior defense IT leaders.

Deasy also detailed recently that the department is working to build out JEDI’s unclassified enclave over the next months, followed by the secret portion about six months later. JEDI will have 14 early adopters, he said, including the Joint Artificial Intelligence Center, U.S. Transportation Command, U.S. Special Operations Command and the Navy — but he stopped short of naming the rest.

Personal CDM data could be used ‘inappropriately’ when integrators are involved

There’s a risk that personally identifiable information inadvertently obtained by integrators providing Continuous Diagnostics and Mitigation (CDM) capabilities to small agencies could be used inappropriately, according to a Department of Homeland Security assessment.

A December DHS privacy impact assessment found that the CDM platform for smaller agencies exposes personal data to third-party contractors operating that cloud-based shared service.

DHS launched CDM in 2013 to provide federal, state and local agencies with tools to track and respond to cybersecurity incidents faster.

Generally, larger federal agencies deploy CDM capabilities themselves, and the Cybersecurity and Infrastructure Security Agency that oversees the program for DHS only has access to summary-level data pushed to the federal dashboard.

But the CDM Shared Service Platform (SSP) makes tools available to non-CFO Act agencies via third-party contractors, and those integrators do have the potential to access personal data collected through operations and maintenance. Currently, ManTech holds the contract to provide the shared service.

As a mitigation, integrators are prohibited from using or sharing data collected with CISA in their task orders, but that’s not a guarantee, according to DHS.

“As a contractor to CISA, the integrator is required to conduct its activities in accordance with DHS requirements, including having all contract staff complete privacy training,” reads the assessment. “Full disk encryption has been implemented across the entire shared service platform to meet applicable data-at-rest requirements.”

The platform also collects logs at the operating system and application levels, which all users are prevented from erasing.

The CDM SSP’s authority to operate expires March 28, 2021.

DHS also assessed the CDM Agency-Wide Adaptive Risk Enumeration (AWARE) algorithm used to score agencies’ cyber risk and found the measure doesn’t introduce new privacy risks to the federal or agency dashboards.

DHS conducting market research for cloud-based vulnerability disclosure platform

The Department of Homeland Security is interested in acquiring a platform that third parties can use to report vulnerabilities in government systems.

DHS’s Cybersecurity and Infrastructure Security Agency (CISA) issued a request for information recently via the General Services Administration to identify potential vendors who can provide “a software-as-a-service web application that serves as the primary point of entry for vulnerability reporters to alert the government of potential issues on federal information systems for those agencies that participate in the platform.”

The need for such a platform comes with the recent release of a draft for DHS Binding Operative Directive 20-01, which “will require each federal agency to publish a vulnerability disclosure policy (VDP).” But very few civilian agencies actually have such programs.

CISA will manage the central vulnerability-reporting platform, and agencies can use it as a shared service as they’d like. Because participation is voluntary, the RFI says, “the platform needs to scale to support a potentially varying number of agencies at any time.”

In the end, it will be the responsibility of the agencies to remediate any vulnerabilities shared on the platform.

CISA wants a platform that can screen, validate and track submitted reports, provide for communication between the individual issuing a report and the agency, issue metrics on vulnerabilities, and alert all parties when actions are taken.

The agency also wants the platform to include the option for agencies to provide bug bounties — financial rewards for reporting vulnerabilities.

GSA and DHS may decide to hold one-on-one meetings with vendors to discuss responses to the RFI.

Responses are due Jan. 15.

Pentagon’s JAIC needs industry help for humanitarian assistance, disaster relief

The Department of Defense kicked off 2020 conducting market research for artificial intelligence solutions to support humanitarian assistance and disaster relief.

The General Services Administration’s Federal Systems Integration and Management Center (FEDSIM), on behalf of DOD’s Joint Artificial Intelligence Center (JAIC), issued a request for information on AI and emerging technologies to enable the JAIC’s national mission initiative for humanitarian assistance and disaster relief, namely through drone-based search and rescue missions during events like wildfires, hurricanes and floods.

The program “is primarily interested in industry solutions that deal with drone platforms, sensors, edge AI processing, and detection algorithms/models as well as the training data and pipelines that together could provide the capability to fly to a pre-determined location/area, find people and manmade objects (through onboard edge processing), and cue analysts to look at detections sent via a datalink to a control station,” says the RFI. “The Government desires an end-state environment where human-resources are not required to constantly watch the sensor, but they can be cued to respond when something of interest is identified.”

The RFI goes on to spell out specifically what the JAIC would like to see in things like sensors, drones and onboard edge-processing. JAIC is also “interested in drone manufacturers and AI/software companies joining forces to develop a drone that is capable of edge processing to detect humans and manmade objects at sea or on land and sending this information to analysts. Humans and manmade objects will need to be labeled through multiple visual conditions including haze, clouds, salinity, various temperatures, worldwide climates (maritime to desert), fire, and other obstacles.”

In late 2019, the JAIC began running tests using AI in humanitarian assistance and disaster relief applications. The tests were said to involve flying video cameras over wildfires with an automated visualization algorithm detecting where flames are moving in the frame.

Lt. Gen. Jack Shanahan, leader of the JAIC, said in September that he was “optimistic that 2020 will be a breakout year for the department when it comes to fielding AI-enabled capabilities.” Since then, however, the RAND Corp. came out with a congressionally required report that was critical of the JAIC, saying the center is ambitious but it will need more resources and organizational support to scale AI across the department.

Delay of sexual harassment claims system highlights congressional office’s lack of IT strategy

The Office of Congressional Workplace Rights lacks an IT strategic plan, which could delay upgrades — as was the case with its electronic system for securely making discrimination and harassment claims.

According to a recent Government Accountability Office report, the congressional office has been shoddy with planning for and managing its IT modernization to support the employment rules it enforces for more than 30,000 legislative employees.

The Congressional Accountability Act of 1995 Reform Act, passed in 2018, required the office to revise its claims process in response to increased awareness of workplace sexual harassment. One of the Reform Act requirements was to create a secure, electronic claims reporting system, dubbed SOCRATES, which became operational June 26 — seven days late.

While no claims were filed during the delay, congressional staff was confused by the delay because OCWR failed to use project schedules to manage SOCRATES and other IT requirements, according to the report.

GAO found OCWR made revisions to system architecture up to three weeks before its June 19 deadline and signed an interagency agreement for hosting SOCRATES with the Library of Congress a day before. But congressional staff was left in the dark.

OCWR cited problems with a fillable PDF form for electronic claims refreshing without saving user information if not submitted within a certain timeframe, as well as congressional staff requesting form revisions.

The office plans additional cybersecurity activities and IT upgrades, but none have project schedules, according to GAO.

“OCWR officials reported that they will be developing an IT strategic plan. However, as of October 2019, they were unable to provide additional documentation or a timeline for completion,” reads the report. “Without IT strategic planning, OCWR may be less able to set forth a longterm vision of OCWR’s IT environment and measure progress in carrying out its strategic initiatives.”

OCWR has yet to complete Reform Act requirements to create a permanent records program for claims and track and report data and assessments.

In the first case, the office doesn’t even have the policies and procedures in place to ensure claims records remain confidential when stored in multiple locations, according to GAO. The office reported scanning paper records to create electronic files and hiring a contractor in September to further develop the program.

GAO found another aspect of strategic planning being neglected is recruitment and retention of mission-critical IT staff.

“If OCWR does not continue to strategically assess and manage its human capital needs, it could again find itself with IT or other skills gaps that could negatively affect its ability to meet its mission,” reads the report.

GAO recommended the executive director of OCWR work with staff to develop an IT system projects schedule, address risks tied to maintaining a permanent records retention program, develop performance measures, collect data on education efforts, develop an IT strategic plan, and incorporate human capital management. OCWR agreed with the six recommendations.


The total economic impact of Salesforce Case Management Solutions for government

The need to improve customer service and customer experience (CX) has never been more important, especially for the public sector. Government organizations around the world are turning their attention toward delivering the experiences that stakeholders have come to expect from the commercial sector.


Salesforce commissioned Forrester Consulting to conduct a Total Economic Impact study to examine the potential ROI government organizations may realize by deploying the Salesforce case management solution. To better understand the benefits, costs, and risks associated with this investment, Forrester interviewed six government customers from national, state and local government with years of experience using Salesforce case management solutions.


How platform services bring grantees and grantors together

One of the most important functions in government is to make grant awards to provide public services and stimulate economic growth. All constituents involved in a grant want what’s best for their end-customers. Students, farmers, veterans, low-income families, researchers and others receive services through grant structures vital to the overall health of our communities, economy, and national interests. By creating a unified experience for grantors, grantees are not only able to expedite funding to organizations that execute on mission, but also allow their grants management teams to improve, measure, and track how customer experience impacts performance.

Ramani Vaidyanathan, SVP, Customer Experience, Salesforce

Currently, grants management processes involve a high administrative burden throughout the lifecycle. Grantees today spend way too much time in the application process and often require technical assistance, both during the application process and when reporting their performance.

And grantors engage in complex tasks to perform eligibility checks followed by award/post-award management tasks, many of which require integration to legacy systems and data.

The current maze of policies, procedures, systems and teams involved in grants management drives the importance of delivering a transformed customer experience to those in the grants community. Hence, a customer-centric approach to grants management requires collaboration and information-sharing among grantors and grantees to drive efficiency and more impactful outcomes.

A recent Forrester study cites savings of about $36M in taxpayer dollars that resulted from agencies’ ability to consolidate efforts and scale, using insights and improved collaboration, across a variety of use cases. Further, the same report highlighted an enterprise collaboration service manager from a national defense department who said that streamlined workflows enabled the department to increase the volume of casework it could take on, thus significantly increasing program impact.

Here are a few ways to align grantors and grantees for an enriching customer experience.

Establish communities

Seamless engagement means grantor staff and all types of grant recipients, from large organizations to individual citizens, access the right set of information and functions on the channels they prefer. Internal and external communities may be separately established to serve the program constituents. While an internal community allows the grantor staff to see a consistent and holistic view of all interactions, service items, etc., the external applicant and recipient community would benefit from collaboration and exchanging best practices on how to fill out the grants application package or to submit performance reports. In a nutshell, establishing a grants community would drive more informed collaboration, expedite the application submission process, help organizations steer toward standardization of performance reports and ultimately elevate the customer experience.

Dissolve system latencies

Many grants processes take months, from designing and announcing grants to monitoring awarded contracts. Most current grants management lifecycles involve disparate systems for pre- and post-award activities, ranging from planning grants budgets to measuring performance reporting. Wouldn’t gaining real-time visibility into grants data across the lifecycle increase grantor productivity by empowering them to make quick, data-driven decisions and help execute the program more effectively? That’s where API-led connectivity plays a key role in integrating legacy systems and CRM data, bridging gaps between activities and updates with real-time information, thus eliminating system latencies.

Automate processes

On top of the ability to quickly develop new apps, the right cloud platform allows you to streamline and automate processes using out-of-the-box SaaS solutions. Grants staff may focus on higher value tasks and priorities by allowing the platform to:

These practices are proven to lower administrative costs that, in turn, can help grantors translate taxpayer dollars into mission impact.

Fine-tune performance

Everyone involved in grants management wants to accomplish the mission goals set within the contract, but mapping program outcomes back to funding allocations often proves difficult. Both primary and secondary recipients tend to lack clarity on performance measures and would benefit from a reporting template. Communication and data are key. With the advent of advanced analytics and technologies such as machine learning and natural language processing, grantors can now identify the optimal KPIs culled from their best-performing programs to measure against upcoming grant programs and further communicate them to the applicant community during the solicitation phase. Doing so early would help all constituents to anticipate, adjust, granularize and digitize program outcome metrics to measure milestones equitably and effectively.

Conclusion

To comply with the CAP (cross-agency priority) GOAL #82 – “Results Oriented Accountability for Grants Management” – agencies must consider how best to leverage advanced technology platforms. Running the business functions of the grants management lifecycle on a cloud platform will help agencies to deliver program results with better transparency, accountability, effectiveness and, most importantly, drive better customer experiences. Choosing the right platform will:


GSA pushes forward with ban on Huawei, ZTE in 2020

The Federal Acquisition Service’s first refresh of its consolidated schedule will include the ban on contracting with vendors tied to Chinese tech companies Huawei and ZTE via the supply chain.

While the refresh is slated for Jan. 15, agencies have until Aug. 13 to comply with the ban laid out in Section 889(a)(1)(B) of the National Defense Authorization Act of fiscal 2019, according to a notice from the General Services Administration, which oversees FAS.

The refresh will make updates to the System for Award Management allowing vendors that indicate they don’t use telecommunication components covered by the ban to skip an offer-by-offer representation — reducing their administrative burden.

On Aug. 13, GSA implemented the first interim Federal Acquisition Regulation under NDAA Section 889(a)(1)(A). That rule prohibits agencies from directly procuring technology or services with “substantial or essential” covered telecom components — those from Huawei, ZTE and several other companies connected to the Chinese government.

GSA, the Department of Defense and NASA posted the second interim rule to the Federal Register on Dec. 13 for public comment through Feb. 11.

But already large and small telecom, IT, cybersecurity, real estate, and construction companies have expressed concerns that GSA’s broad definition of what’s covered could make it hard to schedule contracts.

“Indeed, the breadth of the [interim rule]’s requirements create significant obligations for federal contractors,” read the U.S. Chamber of Commerce’s comments. “The rule subjects businesses to an untested compliance regime, raising understandable concerns from many in industry about the effectiveness of their due diligence programs.”

The supply chain is deep, and government solutions often consist of layers of software obtained through open-source or commercial licenses. Without a safe harbor in the statute or interim rules for simply trying their best to comply, prime contractors will need to take additional steps to certify suppliers — or risk a False Claims Act suit.

Industry wants a better definition from GSA of what products are covered, what subsidiaries and affiliates of Huawei and ZTE are off-limits, and a comprehensive framework for self-attestation within the supply chain that remains cost-effective.

“A misrepresentation could give rise to civil and even potentially criminal liability. Yet the interim rule fails to resolve key ambiguities in Section 889, such as the basic definition of ‘covered telecommunications equipment’ and whether the required representations must include a statement about the provisos in Section 889(a)(2),” wrote Huawei in its comments. “Failure to define these key terms leaves the regulatory scheme unduly vague—and that vagueness certainly becomes unlawful when combined with the representation and reporting requirements.”

Currently, e-commerce portals, vehicle fleets, building thermostats, and security cameras could all require certifications under the broad interim rule. And already about 20 additional companies have been identified as being covered by Section 889.

Companies concerned they won’t be compliant by the August deadline can apply for a waiver that expires on Aug. 13, 2021, but that requires producing a full supply chain layout and phase-out plan.

The 2019 NDAA isn’t the only vehicle the federal government has used to forbid agencies from working with Chinese companies like Huawei. In May, President Donald Trump also issued an executive order intended to prevent U.S. companies from using telecommunications technology made by firms that are beholden to foreign adversaries. The Commerce Department then in November outlined how it might broadly implement that order.