Report: Federal websites ‘most improved’ for security and privacy best practices

Federal agencies led all other sectors in the Online Trust Alliance’s annual audit of websites for consumer protection, data security and privacy practices.

A subsidiary of the global nonprofit Internet Society, OTA analyzed more than 1,200 mostly consumer-facing websites and found federal agencies the most improved sector, with 91 percent of their sites making its honor roll. The average for all sectors was 70 percent qualification, the highest proportion in the audit’s 10-year history, driven by improvements in email authentication and session encryption.

On the flip side, privacy statements improved little with most organizations scoring below 50 percent — often due to undefined data sharing with third parties.

“Looking forward, there are many opportunities for organizations to limit the impact of massive data breaches and stop questionable data collection and tracking practices,” reads OTA’s report. “Many site owners now prevent users from using known breached username/password pairs and are implementing multi-factor authentication to limit the impact of breached passwords. Similar capabilities are also being incorporated into browsers.”

Most browsers also now incorporate ad and tracker blocking of some kind, filling a void left by many sites, according to the report.

Among federal agencies, the Federal Emergency Management Agency’s website received the top score for the sector and was among 11 other agency sites that placed in OTA’s top 50: the Department of Agriculture’s Food Safety and Inspection Service site; the Department of Health and Human Services’ Medicare and Healthcare.gov sites; the Department of Treasury; Federal Communications Commission; Federal Trade Commission; General Services Administration; National Oceanic and Atmospheric Administration; Office of Personnel Management; Securities and Exchange Commission; and U.S. Coast Guard.

For the third year running, federal sites’ security scores led all other sectors. The federal sector led in internet protocol version 6 adoption at 46 percent of sites.

But federal agencies and internet service providers were the sectors least likely to articulate what data they collect on their sites and why, at 90 percent, and only 38 percent of federal sites included a way to contact the agencies’ data protection officers.

White House wants federal AI investments coordinated with upcoming guidance

Agencies should expect a series of guidances on artificial intelligence in the coming months, a White House official said Thursday, and they should prepare to coordinate their AI research and development with the Trump administration’s overall strategy.

A new version of the National AI R&D Strategic Plan is coming out later this spring, said Lynne Parker, assistant director for AI in the White House Office of Science and Technology Policy. Also coming is an Office of Management and Budget memo to agency heads on approaches to foster industry innovation, she said.

The group behind the strategic plan — the AI R&D Interagency Working Group within the White House’s Select Committee on AI — is focused on ensuring that agencies are all on the same page when it comes to R&D investments in the emerging technology.

Parker’s comments come as Congress prepares to allocate fiscal 2020 spending for federal R&D. In February, the president issued an executive order on maintaining U.S. leadership in AI that prioritized such investments according to agency missions. AI is one of the few areas that would not see cuts under Trump’s budget.

“It’s true that there were [proposed] cutbacks overall in R&D,” Parker said Thursday at a National Academy of Public Administration event in Washington, D.C. “But AI was protected.”

The budget proposal seeks $850 million for AI R&D across four agencies: the Department of Energy, National Science Foundation, National Institutes of Health, and National Institute of Standards and Technology. And that figure doesn’t include Department of Defense unclassified AI investments or the Defense Advanced Research Projects Agency’s AI Next Campaign, Parker said.

Beyond the government

Trump’s executive order also directed the creation of guidance helping agencies consider regulatory and non-regulatory approaches for removing barriers to private sector innovation. The Office of Information and Regulatory Affairs within OMB is working with the Office of Science and Technology Policy on just such a memo to agency heads, a draft of which is due this summer, Parker said.

Regulations for an AI tool used to detect a fracture in an X-ray image should be different from those for an unmanned aerial vehicle or an algorithm determining loan eligibility, she said, and agencies still have to think about protecting civil liberties, privacy and national security.

“We think at the administration level that in some sense it’s unethical to not allow people to have access to all the great advantages of AI, but that of course has to be balanced with those cases where it will hurt people,” Parker said. “So we want to have a risk-based approach. All AI is not the same.”

“Maybe not every use of AI has to be transparent as every other use,” she added.

Federal agencies are at various stages of introducing AI into the workforce and change management—the process of acclimating employees to automation’s effect on their roles and responsibilities—is really left up to the organizations, said Karen Shrum, principal of government and public sector at Ernst & Young, who co-authored NAPA’s new report on AI.

By 2022, AI could displace as many as 75 million jobs and create 133 million new ones—a net gain of 58 million jobs, according to the World Economic Forum.

“The pace at which these changes are going to happen, the agency needs to be extremely agile,” Shrum told FedScoop after the event.

That’s especially challenging considering agency heads aren’t necessarily digitally native, she added.

Agencies are expected to work with the National Council for the American Worker to reskill employees with respect to AI, and the NSF is investing in its Future of Work at the Human-Technology Frontier effort to understand the socio-technological landscape and create new tech augmenting performance, Parker said.

“We as a nation have to be competitive,” said Alan Shark, executive director and CEO of the Public Technology Institute, who also co-authored NAPA’s report. “There is a race going on right now to grasp artificial intelligence for the best students, the best technology, the best understanding so that we remain in control.”

The CIA is going to launch an Instagram account

The Central Intelligence Agency will soon be doing it for the ‘gram.

The agency’s Office of Public Affairs is “getting ready” to launch an account on the popular photo-sharing app Instagram, Director Gina Haspel said Thursday during a public appearance at Auburn University.

“Oh, it’s a brave new world,” moderator Lt. Gen. Ronald L. Burgess, now Auburn’s chief operating officer, said in reply. The audience laughed.

This is not the CIA’s first foray into social media. “CIA does have a Twitter account,” Haspel said. “There are some people still around the agency that really don’t know what that is.” The agency also has a presence on Facebook, the social media giant that now owns Instagram, and it shares a whole lot of maps on Flickr.

A number of federal agencies are active on Instagram — the Transportation Security Administration is renowned for its pictures of the craziest things people try to get through security checkpoints; the IRS shares weird stock art with tax messages. The Department of the Interior, with its access to stunning photos of America’s public lands, has been very successful in gaining a following on the platform.

But for a spy agency, being on social media sharing photos may seem a little counterintuitive. “We try to be as open as we can,” Haspel said. But she admitted that, when it’s your job to collect secrets, this can be hard.

Yahoo News national security reporter Jenna McLaughlin pointed out that the U.K.’s Government Communications Headquarters (GCHQ) is also on Instagram. The intelligence agency posted its first photo in October 2018.

FedScoop reached out to the CIA for comment on what the agency hopes to accomplish through this new social channel.

Air Force launches S&T strategy led by new CTO position

The Air Force issued a strategy Wednesday for its science and technology efforts through 2030 “and beyond” with a focus on moving more quickly to adopt breakthrough technologies.

The plan serves as a new roadmap for the service’s use of science and technology to make sure it’s a step ahead of near-peer threats.

“This strategy isn’t just a list of technologies. Our approach will be to predict where adversaries cannot easily go and make sure the Air Force gets there first,” said Secretary Heather Wilson, who is leaving the job in May.

The strategy’s executive summary echoes that need for speed: “Rather than reacting to others’ advances, the Air Force will set an unmatched pace. Instead of looking at where potential adversaries are heading, the Air Force scientific and technical enterprise will predict where adversaries cannot easily go and then ensure the Air Force gets there first.”

Leading the effort will be a new chief technology officer who “will guide strategic scientific and technical decisions, prioritize activities, and coordinate across the Service to effectively convert scientific and technical investments into new disruptive capabilities.”

The new role will be “analogous” to the type of CTO role seen in the commercial world, the plan says.

“A Chief Technology Officer would provide a strong voice within Air Force Headquarters and could prioritize and coordinate science and technology across the Service to support the mission, from early-stage research, through developing new concepts, through experimenting and prototyping, to transitioning mature technologies into the Air Force acquisition system,” it reads. “A unified voice at a senior level in the Service could ensure that technology investments produce transformational new capabilities and inform policy and doctrine to shape the missions ahead.”

The Air Force already has two CTO roles: Frank Konieczny, in the CIO’s Office, and Paul Antonik, in the Air Force Research Lab. It’s unclear how this new role might affect those positions, though Wilson has said Konieczny’s role is more specifically cyber-focused and that a “design agent” is working to tailor the role to the Air Force’s needs.

Overall, the report is broken down into three lines of effort: Develop and Deliver Transformational Strategic Capabilities, Reform the Way Science and Technology Is Led and Managed, and Deepen and Expand the Scientific and Technical Enterprise.

Specifically, it highlights five capabilities the service will look to prioritize over the next decade:

• Global persistent awareness, which may include advances in “multimodal sensing” and developing new laser and multistatic radars.
• Resilient information sharing, which may include developing mesh networks and “agile systems with real-time spectrum awareness.”
• Rapid, effective decision-making, which may include advances in artificial intelligence, machine learning and predictive data analytics.
• Complexity, unpredictability, and mass, which may include upgrades to multi-domain command and control, developing low-cost air and space platforms and other advances.
• Speed and reach of disruption and lethality, which may include hypersonic flight, scramjet propulsion and a new generation of smart munitions and tools for cyberwarfare.

There’s an added “emphasis on hard-to-crack efforts related to multi-domain warfare,” an Air Force release says. It also refocuses about 20 percent of S&T spending on “path breaking ‘Vanguard’ projects.”

This plan advances a preceding strategy from the 1970s that called for S&T to drive “unprecedented force multiplication advantage to our military.”

“While force multiplication is still a key component of our technology advantage, the vision of this Strategy is an Air Force that dominates time, space, and complexity in future conflict across all operating domains to project power and defend the homeland,” it says. “This means that it operates at an unmatched pace of action, achieves unparalleled reach of awareness and effect, and harnesses the power of complexity to enhance resilience in contested environments and impart overwhelming confusion on adversaries. Air Force science and technology will drive the transformational operational capabilities that will make this vision a reality.”

New chief technology officer in at DHS

Brian Teeple has taken over as chief technology officer at the Department of Homeland Security.

He was previously acting deputy CIO for command, control, communications and computers and information infrastructure capabilities under the Department of Defense CIO. In that role, he advised on the integration of DOD communications and infrastructure programs and managed policy and strategy efforts around communications for nuclear and non-nuclear strategic strike and integrated missile defense.

Teeple has also served within the National Reconnaissance Office and the now-defunct Office of the Assistant Secretary of Defense for Networks and Information Integration, as well as worked at the Raytheon Company.

Kevin Wince had been serving as acting CTO of DHS since March 2018 but will end his tenure at the agency April 26 as deputy CTO and chief enterprise architect. Wince is leaving DHS to become the vice president of technology solutions and planning at Navy Federal Credit Union.

IARPA wants AI to keep its eye on that construction project

Data on construction projects can serve to tell countries and companies alike a lot about what’s happening in the world. But what if there’s just too much data?

The intelligence community’s Intelligence Advanced Research Projects Activity is looking to build automated tools that will keep proverbial “eyes” on construction projects across the globe.

The agency recently posted a draft of the broad agency announcement it plans to release for the Space-based Machine Automated Recognition Technique (SMART) project. The goal is to “develop tools and techniques to automatically and dynamically execute broad-area search (BAS) over diverse environments to detect construction… using time-series spectral imagery.”

“Over the coming decades, U.S. and foreign governments, and the commercial sector will continue to pioneer the use of space-based remote sensing to characterize, understand, and predict variability and trends on Earth’s surface for both research and applications,” the draft document reads. “To date, the volume of [geospatial intelligence data] continues to grow, while analysts struggle with the volume, variety, and velocity of space-based data to support local, regional, and national decision-making.”

SMART will help, IARPA imagines, by taking some of the burden off human analysts.

IARPA plans to run the SMART project over four years and in three phases — the first two being 18 months long each and the last being one year. The agency is very supportive of companies teaming up to combine expertise in a wide range of areas like high performance computing, AI, image processing, earth sciences and more — all of which could be useful in the development of SMART.

IARPA is accepting comments, questions and suggestions from industry interested in the draft broad agency announcement through May 10. The agency says it “does not anticipate” responding to these questions and comments publicly though.

Federal Cyber Reskilling Academy begins with plans to expand

The first cohort of the Federal Cyber Reskilling Academy has only just begun training, and already the government is looking at ways to expand.

More than 1,500 government employees applied for 25 spots to learn cyberdefense analysis skills full time, so the Federal CIO Council funded five additional virtual training spaces.

“We expect the virtual training will be a good alternative for agencies to offer their employees for future cohorts,” said a senior administration official.

On April 15, accepted students started a three-month, three-course training curriculum at no cost.

First up is CyberStart Essentials to build computer, hardware, network, and security fundamentals by discussing the interaction between CPU and memory, network protocols and core internet infrastructure. After that is SEC401 on security essentials and SEC504 on hacker tools, techniques, exploits and incident handling.

While the first cohort was restricted to federal employees without any IT experience, the second will be open to all feds, with applications made available in late spring.

Cybersecurity jobs aren’t guaranteed post-graduation, but graduates will be able to apply for cyber positions within federal agencies with help from the program team.

President Trump’s Management Agenda and more recently the Government Reform Plan both called for reskilling employees — whose functions have become less relevant due to automation — to fill cybersecurity jobs. The Office of Management and Budget, which partnered on the academy, and Department of Homeland Security were required to establish reskilling work plans by the first quarter of fiscal year 2019 and provide quarterly updates.

DIU seeks commercial solution for processing and distributing satellite data

The Department of Defense wants to be able to get important satellite data to warfighters on the battlefield in a format that is actually useful and actionable. So the Defense Innovation Unit (DIU) is calling on industry to help out.

In a current commercial solutions offering, DIU lays out the requirements for the ideal solution.

DIU wants the prototype to integrate with the Defense Advanced Research Project Agency’s Blackjack project, in which the DOD is aiming to augment its National Security Space presence by utilizing commercial low Earth orbit satellites. “Currently, there are no established gateways or processes to ingest data collected from DARPA’s BLACKJACK-capable spacecraft and distribute that data through a commercial gateway and seamlessly deliver it to a location in theater that needs it most on timescales that matter without significant human-machine interface and latency,” the commercial solutions offering reads.

So DIU is seeking companies that can help develop this capacity — both through ideas for the process and through the actual hardware and software systems needed to execute on it.

Interested companies have until April 22 to respond to the CSO. DIU encourages companies to team up if necessary to meet all the requirements of the opportunity.

DIU’s acquisitions process runs on other transaction agreements (OTAs) as a way to do iterative contracting. The OTA authority, which has existed for decades but was expanded in the 2016 National Defense Authorization Act, allows DIU to grant relatively small contracts for the development of prototypes and then follow on with an additional contract for production if and when the pilot is successful.

The innovation group also provides training for acquisition officials from other areas of the DOD on how to use OTAs through HACQer, a rapid acquisition training program. DIU recently chose its 2019 HACQer cohort.

Microsoft says it’s close to Secret-level cloud authorization

Microsoft is another step closer to being able to host the federal government’s Secret-level data in its Azure Government commercial cloud, a move that will make it a stronger competitor for some of the government’s highest-profile ongoing cloud procurements.

The company announced Wednesday that it has launched Azure Government Secret, an offering that meets Department of Defense Impact Level 6 cloud hosting capabilities. With an IL6 authorization, Microsoft would be able to work with some of DOD’s and the intelligence community’s most sensitive data up to a Secret level — something that, to this point, only Amazon Web Services has achieved.

But Microsoft isn’t completely there yet. Azure Government Secret is in what the company calls “private preview and pending accreditation.” Asked to elaborate on that qualification, a Microsoft spokesperson said, “Private preview is evaluated on a case by case basis for existing Microsoft customers as Azure Government Secret is pending accreditation. At this time, we are working closely with our government partners to achieve accreditation.”

Microsoft didn’t detail the timeline of that accreditation. But until that time, it seems customers can only test the new offering in “private preview.” In October, the company said it would achieve IL6 by the end of the first quarter of 2019.

Azure Government Secret is built around two separate hosting regions 500 miles apart, “providing geographic resilience in disaster recovery (DR) scenarios and faster access to services across the country,” Lily Kim, Azure Global general manager, wrote in a blog post.

“[T]he Azure Government Secret regions are built to maintain the security and integrity of classified workloads while enabling fast access to sensitive, mission-critical information,” the post says. “These dedicated datacenter regions are built with additional controls to meet the regulatory and compliance requirements for DoD Impact Level 6 (IL6) and Director of National Intelligence (DNI) Intelligence Community Directive (ICD 503) accreditation.”

Microsoft also announced the expansion of coverage up to DOD Impact Level 5 — for highly sensitive and controlled but unclassified information — to all of its Azure Government regions.

Microsoft’s progress in achieving IL6 authorization slightly narrows the lead AWS has as the only vendor able to provide Secret-level cloud capabilities to the DOD, intelligence agencies and others. It’s currently down to just Microsoft and AWS in the bidding for the Pentagon’s Joint Enterprise Defense Infrastructure (JEDI) cloud, a $10-billion contract that would require IL6 and Top Secret cloud offerings, the latter of which, again, only AWS currently is authorized to provide. There’s also DOD’s $8 billion Defense Enterprise Office Solution (DEOS) procurement for cloud-based communications and collaboration tools up to IL6, and the CIA is in the very early stages of developing a contract for a next-generation intelligence community cloud environment that will deal with Top Secret information.

Inside the National Guard’s annual ‘Cyber Shield’ drill

This story first appeared on CyberScoop

Prior to the 2018 midterm elections, multiple states activated their National Guard forces to protect the vote from cyberthreats. It was a big step for the Guard’s role in national cyberdefense, and an annual drill held by the Guard made it more effective.

In Illinois, for example, the National Guard’s participation in the cybersecurity drill meant that “when the midterm 2018 elections came around and it was time for us to work together, those relationships were already there,” said Brig. Gen. Richard Neely, the Illinois National Guard’s adjutant general.

That exercise, known as Cyber Shield, is now in its eighth year and taking place through April 20 at Camp Atterbury in Indiana. What started as a simple red-and-blue-team affair has grown into an 800-person event that reflects the greater role the Guard is playing in national cyberdefense.

In an earlier iteration of the exercise, “our offensive piece wasn’t very strong,” Col. Terry Williams, deputy commander of the Virginia Army National Guard’s 91st Cyber Brigade, said at a press briefing last week. “We would actually just drop the injects into the [cyber] range — the blue teams couldn’t see how we got there.”

Now, the red-team participants have to “actually show the trail of how they got in [to a network] and what they are doing so that our defensive forces can do the forensics piece,” she said.

National Guard units from 40 states are participating this year, along with people from the private sector and federal agencies like the FBI and National Security Agency, according to Williams. Participants are tested on their ability to detect suspicious activity on a network, such as a rogue device beaconing out information, and lock down unauthorized access to that system.
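The detection task the drill describes, spotting a device that beacons out to the same destination on a fixed schedule, comes down to looking for regularity in connection metadata. The following is an added example, not code from the CyberScoop story or from the Cyber Shield exercise: a small beaconing detector that runs over constructed connection-log lines (the `SAMPLE_LOG` contents, hosts and addresses are all made up for illustration) and flags flows whose inter-connection intervals barely vary. Because it uses only timestamps and endpoints, it works the same whether or not the channel is encrypted.

```python
"""Beaconing detector over connection-log metadata.

Added example (not from the CyberScoop story or the Cyber Shield drill):
flags hosts that contact the same external destination at suspiciously
regular intervals. It uses only timing and endpoints, so an encrypted
payload does not hide the pattern.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one record per line: "timestamp src dst dport bytes_out".
# Host 10.0.0.23 checks in with 203.0.113.9 about every 60 s with little jitter;
# host 10.0.0.5 makes irregular, human-paced requests to 198.51.100.7.
SAMPLE_LOG = """\
2019-04-15T09:00:00 10.0.0.23 203.0.113.9 443 512
2019-04-15T09:00:03 10.0.0.5 198.51.100.7 443 20480
2019-04-15T09:01:01 10.0.0.23 203.0.113.9 443 498
2019-04-15T09:01:40 10.0.0.5 198.51.100.7 443 9120
2019-04-15T09:02:00 10.0.0.23 203.0.113.9 443 520
2019-04-15T09:02:59 10.0.0.23 203.0.113.9 443 505
2019-04-15T09:04:01 10.0.0.23 203.0.113.9 443 511
2019-04-15T09:04:55 10.0.0.5 198.51.100.7 443 77000
2019-04-15T09:05:00 10.0.0.23 203.0.113.9 443 499
2019-04-15T09:06:00 10.0.0.23 203.0.113.9 443 503
2019-04-15T09:18:12 10.0.0.5 198.51.100.7 443 3400
"""


def parse_log(text):
    """Yield (timestamp, src, dst, dport, bytes_out) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            yield ts, parts[1], parts[2], int(parts[3]), int(parts[4])
        except ValueError:
            continue


def find_beacons(text, min_connections=5, max_jitter=0.2):
    """Return flows whose gaps between successive connections are nearly constant.

    A flow is the tuple (src, dst, dport). Regularity is scored as the
    coefficient of variation (population stdev / mean) of the inter-connection
    gaps; flows with at least min_connections and a score <= max_jitter are
    reported. Human-driven traffic has a much higher score and is ignored.
    """
    flows = defaultdict(list)
    for ts, src, dst, dport, _ in parse_log(text):
        flows[(src, dst, dport)].append(ts)

    findings = []
    for key, times in flows.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({
                "flow": key,
                "count": len(times),
                "mean_interval_s": round(avg, 1),
                "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

On the constructed log only the 10.0.0.23 flow is reported (seven connections, a 60-second mean interval and a jitter score near 0.02); the human-paced flow scores well above the threshold even when `min_connections` is lowered to include it. On real data the thresholds need tuning, and implants that randomize their sleep interval raise the score, so in practice this check is one signal to combine with others rather than a verdict on its own.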

“It’s a collective training event for us, so it will enhance our warfighting skills. And that’s very important to us,” Brig. Gen. Jeffrey Burkett, vice director of domestic operations of the National Guard Bureau, told reporters.

The National Guard’s role in the digital domain has grown in the last few years as federal and state officials have thought more about maximizing available resources for cyberdefense. A 2016 report from a White House cybersecurity commission singled out the Guard for having “a talent pool that can be regularly trained, equipped, and called on” to defend against hacking.

The 2018 midterm elections proved to be an inflection point. In Washington State, for example, National Guard members who worked for Amazon or Microsoft by day were on call to help with election security.

The Guard is trying to build on that momentum with Cyber Shield. When not on federal orders, Guard units are at the disposal of states. That makes them well positioned to respond to breaches in their backyards, which is motivating them to hone their incident-response capabilities.

George Battistelli Jr., a cybersecurity program manager at the Army National Guard who also helped plan the drill, said the exercise scenario has tried to keep up with real-world events.

“The attacks tend to change,” he said. “We used to have attacks that were very noisy. Now we have attacks that are going over encrypted channels. So as the adversary changes their TTPs [tactics, techniques, and procedures], we change our TTPs.”

Asked for more information on the exercise scenario, Battistelli Jr. declined to go into detail in an unclassified setting. “It is safe to say that it emulates adversary behavior that you’ve probably seen in the news from other nation-states,” he said.

Military officials see Cyber Shield as a key piece of the digital maturation of the Guard, which expects to have more than 3,800 cybersecurity personnel by 2022.

“The National Guard is getting into the cyber business with the Department of Defense, and we’re trying to determine where it makes sense to place units and how we can partner with defense on the Air Force side and the Army side in growing cyber capability,” Burkett said.