With recent federal hiring changes, agencies see options to reduce burdens on HR staff

Shortly after launching a pair of major federal hiring updates this year, the Office of Management and Budget and the Office of Personnel Management are turning their efforts to help guide agencies as they work to put those changes into practice.

Recent guidance on the federal hiring experience, as well as finalized regulations for the Pathways Program, both aim to ease common burdens on HR professionals and federal job applicants, while adding flexibility to the often slow and cumbersome federal hiring process. In practice, reshaping federal recruitment will likely take years of work. But leaders at OPM and OMB said they are starting to see early signs of promising progress.

“I think that there’s a recognition, at least amongst the crowd of HR specialists, that the work that we’re trying to do is actually trying to improve their experience as well,” Kristy Daphnis, OMB’s acting deputy assistant director for performance and personnel management, said Wednesday during a panel hosted by the National Academy of Public Administration (NAPA). “The way that the system has been set up, it has, in some cases, added to their burden. But if you put in place better assessments, better sharing of candidates, you take some of the noise out of the system, that actually reduces their workload.”

So far, Daphnis said, the response from HR specialists and hiring managers to the August 2024 joint memo on the federal hiring experience has been positive. The tools that OPM and OMB put in place to help agencies take on the new hiring guidance aim in large part to reduce common burdens for the HR workforce.

Pooling job announcements as well as candidate assessments for specific occupations — two items that can be reused across multiple agencies and through multiple hiring announcements — will be particularly helpful for reducing “friction” for the HR workforce, Daphnis said.

“If you can get hiring managers on a better path to being more informed about the process, that also reduces HR specialists’ workload,” Daphnis added.

Federal hiring memo sets the floor, not the ceiling

The hiring experience memo from OPM and OMB isn’t trying to reinvent the wheel, but rather collect many promising practices across agencies, and encourage implementation more broadly across government. The idea is to help more agencies adopt what has already worked well in certain cases — such as pooled hiring. Ultimately, the goal is to make the process easier from three different perspectives — hiring managers, HR specialists and job applicants.

“There’s not a lot of new stuff in there, but what we’re trying to do with this memo is catalog some of the existing tools that we’ve worked really hard to get out there to these various communities, to make sense of it, and create a bit of a user guide and a platform to bring it all together in one place,” Daphnis said. “What we have in the guidance is really meant to set the floor and not the ceiling around how agencies are approaching this.”

On top of giving recommendations to agencies to address burdens and frustrations unique to each of the three impacted groups, the guidance additionally looks at making changes to more long-term strategic workforce planning. The guidance also points to specific metrics and data that should help agencies understand how they are making progress in adapting their recruitment strategies.

“We’re looking at things like, what do applicant satisfaction survey scores look like? What is the net number of external hires that we’re bringing in from the outside? What are the transfer rates in certain functional communities?” Daphnis said. “How are we actually doing on pooled hiring actions, and how are we doing on those types of actions that are across government, where multiple agencies are making selections?”

Though the memo has only been public for a couple of months, Daphnis said she has seen agencies already taking some early steps to try to change their recruitment processes.

“Making the job titles in the actual job announcements more understandable to individuals that are reading them, by simplifying the job titles, for example,” Daphnis said.

Pathways Program updates sparking “new interest”

In addition to the hiring experience guidance, agencies are also working to adjust their approach to early-career hiring this year, as a result of updated regulations for the Pathways Program — the government’s flagship program for recruiting younger generations of talent.

Latonia Page, OPM’s deputy associate director for talent acquisition, classification and veterans programs, said the new Pathways Program regulations, finalized in April 2024, are already starting to take root at agencies.

“One of the things that we found was that the release of the [Pathways] regulations really sparked new interest from hiring managers,” Page said Wednesday during the NAPA panel. “Agencies have really taken a look at their current policies and procedures, and they’ve been able to make changes that are reflective of where we are now with the workforce.”

After the new Pathways regulations became official in June, clearing the way for skills-based hiring, higher pay and eased requirements in early-career recruitment, agencies are now facing another Pathways deadline coming up in December. They’ll have to put a policy in place for using the Pathways Program under the new regulations. Previously, agencies had to establish a memorandum of understanding with OPM to be able to use the program.

Even after agencies get those policies in place in the coming months, Page said OPM will continue working with agencies to answer their questions and clarify how the regulations should look in practice, as agencies work to implement them.

“We meet with them on a monthly basis. We connect with them through the CHCO Council — there are a multitude of avenues that we have where we talk with them about how implementation is going,” Page said.

And on the applicant end of the program, Page said the regulations overhaul “has given us increased visibility with potential applicants for the Pathways Program.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Feds seek more guidance on post-quantum cryptography transition

A new survey of federal cyber experts has found most agencies are mapping out their journey to post-quantum cryptography, but many feel hamstrung by a lack of formal guidance on an initiative that’s expected to cost billions of dollars in the coming decade.

In a study released today, General Dynamics Information Technology found 50% of federal cyber experts have a strategy for post-quantum cryptography readiness, while 22% are engaged in pilot projects and 12% are preparing their workforce for a post-quantum future.

Only 17% of those surveyed responded that they had “no defined strategy” and “PQC initiatives are not currently a priority.”

But 37% of respondents also said a “lack of planning, guidance and strategy” poses a critical challenge to the post-quantum cryptographic transition.

“Agencies are looking for more clear roadmaps to make them actionable and make better progress, as well as resourcing their teams, budgets and all those things,” Matthew McFadden, vice president of cyber at GDIT, said during a media roundtable.

While no quantum computer known to exist today can break current encryption methods, cybersecurity experts are concerned adversaries could steal data today and decrypt it in the future.

A White House post-quantum cryptography report, released in July, pointed to the concern around “record-now-decrypt-later” attacks. It states that the threat “means that the migration to PQC must start well before a quantum computer capable of breaking current encryption is known to be operational.”

GDIT based its study on an online survey of 200 federal cybersecurity experts across civilian, defense, homeland security and intelligence agencies. Those surveyed were involved “in either the selection or management of firms that provide enterprise IT or digital modernization services,” the study explains. The survey was conducted this past July and August.

In mid-August, the National Institute of Standards and Technology finalized three encryption standards designed to withstand attack from a quantum computer. NIST says organizations should start adopting those standards today.

McFadden pointed out that NIST released the draft standards one year ago, meaning agencies and industry have had time to start transition preparations. The finalization of the standards serves as a “forcing function,” he added.

“Now the standards are here. They know the threshold they need to meet. And this now becomes part of compliance,” McFadden said.

Federal agencies have been working for several years on Office of Management and Budget guidance to inventory systems that could be susceptible to quantum decryption.

Following the finalization of the NIST standards in August, Federal Chief Information Officer Clare Martorana said OMB will soon issue guidance directing agencies to develop a prioritized migration plan for post-quantum cryptography.

In addition to seeking more detailed guidance, respondents to GDIT’s survey said key challenges include integrating PQC into the cybersecurity supply chain (24%), managing enterprise-wide cryptography (17%) and insufficient automation for cryptographic management (14%).

Additionally, 48% of respondents identified the “significant impact on legacy systems” as a technical barrier. They also highlighted the implications for operational technology (29%) and the difficulties with non-centralized systems (17%).

Despite the challenges, GDIT’s study points to how 22% of agencies are already engaged in pilot projects on post-quantum cryptography. McFadden said many of the pilots are focused on areas where agencies “start small, make sure it works correctly, and then try to roll it out to the larger enterprise.”

“Those pilot projects may be, ‘Hey, do a discovery for your [high value asset] systems to help automate pulling back that cryptography,’” McFadden said. “That could mean, ‘Let’s take an application and implement the new algorithms and see how effective it is.’”

And in August, the Cybersecurity and Infrastructure Security Agency finalized plans to begin incorporating automated post-quantum cryptography discovery and inventory tools into governmentwide programs like the Continuous Diagnostics and Mitigation (CDM) capability.

But the transition to post-quantum cryptography will not be cheap. The White House report released in July estimated that the migration for “prioritized information systems” will cost the government approximately $7.1 billion between 2025 and 2035. And that estimate does not include classified systems run by defense and intelligence agencies.

GDIT’s study found just 11% of respondents had a budget allocated to the post-quantum cryptography transition, while 35% said planning and budget were “undefined.”

“We don’t know how that budget is initially being allocated,” McFadden said. “Are they from current IT investments, or is it from those HVA system budgets? There hasn’t been that top level funding yet allocated. So I think part of this is driving awareness to help provide budgets to support this at the same time.”


Army ups its recruitment targets by thousands in 2025

After falling short of its recruitment goals for years, the Army barely met its recruitment targets in fiscal 2024. Now, it wants to increase its recruitment by thousands of new soldiers in 2025.

The service surpassed its goal to recruit 55,000 new soldiers in 2024 by only 300 recruits and exceeded its goal to bring 5,000 into the delayed entry program. Now, the goal is to recruit 61,000 new soldiers into the Army’s ranks in 2025 and send 10,000 people into the delayed entry program.

“This goal is ambitious, but we believe it is achievable,” Army Secretary Christine Wormuth said during the opening ceremony at the Association of the United States Army conference Monday.

“It’s no secret that the Army — along with our sister services — has had some significant recruiting challenges. These challenges are not going away. Fewer than a quarter of Americans are eligible for military service, and fewer than ten percent of young people are interested in serving. Unemployment is at a historic low — more than sixty percent of high school graduates are going straight to college, and many young people know very little about the Army or what we offer. We had no choice but to go on a full-court press to change how we recruit from top to bottom.”

While multiple factors contributed to this year’s success, the future soldier preparatory course has been one of the most effective initiatives helping the service turn things around. The program prepares recruits for basic training by helping them meet physical or academic requirements. The program has been a “huge” success — so far, it boasts a 95% success rate.

The service now has more than 11,000 people in its delayed program, partly due to the future soldier prep course, which is already giving recruiters a head start for 2025. The delayed program allows recruits to enlist and delay their active duty start date in order to finish high school or college.

“For young Americans who had the desire to join the Army but not the test scores, we created the Future Soldier Prep Course to give them a path to meet our standards. These efforts paid off in the fiscal year that just ended,” said Wormuth. 

Wormuth also touted the artificial intelligence tool the service started experimenting with to help recruiters generate refined prospect lists rather than cold-call potential prospects. The tool helps recruiters analyze large volumes of data and identify individuals who show a propensity for military service. The pilot currently runs in five cities — Buffalo, New York; Sacramento, California; Homewood, Illinois; New Orleans, Louisiana; and Fort Worth, Texas.

Madison Bonzo, the Army Recruiting Command media relations chief, told Federal News Network that while feedback from the five participating recruiting companies is limited since the initiative is in its early stages, recruiters have already found the tool “promising.”

The first wave of data analysis is expected in late fall 2024. Based on feedback and analytics, Army leaders will determine whether the initiative should be scaled up.

“As they find new techniques that deliver results, we are going to scale them across our recruiting brigades,” said Wormuth.

Wormuth said starting in January, the service will pilot the new approach in Miami.

“These recruiters won’t be in the recruiting station doing time-consuming administrative tasks. Instead, they will spend their time out in Miami, sharing their passion for the Army with potential new soldiers,” said Wormuth.


Army modernization from the technology point of view

The idea of digital transformation has permeated the Army. One of the most important areas of transformation concerns acquisition and logistics. For an update, at yesterday’s Association of the U.S. Army annual confab, the Federal Drive with Tom Temin caught up with the principal deputy assistant secretary of the Army for acquisition, logistics and technology, Young Bang.

Tom Temin A lot is converging on this ALT domain. There’s the digital transformation effort, I think first and foremost. Just give us the 50,000 foot view of your part, the ALT part, in this whole digital transformation.

Young Bang Thanks, Tom. So I always joke that I was brought in to be the T in ALT, the technology part. And for us, when we first came in, the Army, as you know, has been undertaking the largest modernization effort in four decades. And if you think about everything these days, everything is underpinned by digital transformation. And so when I came into the role, it was awesome because I really fell into the things that I know really well. Whether that’s software, whether it’s digital engineering, whether it’s data, whether it’s AI or anything in general, that was just kind of my sweet spot. And so for us, we’ve been really driving the whole digital transformation landscape. And we’ve really actually been partnering with all of our community. So AFC is a partner in crime for us from an acquisition and acquirement standpoint. ATEC is a partner in crime for us from a testing and acquisition standpoint, as well as, if you think about it, the CIO. So the CIO and us have partnered a lot from a policy perspective, because between the two of us, I think we cover the whole landscape of the Army enterprise. And so collectively, it’s just like on the commercial side, you have like minded people that want to drive digital transformation. We’re working with the front end requirements. We’re working with our development teams and we’re working with testing. And then we have a policy that covers all of that. And I think you’ve seen a lot of our efforts really help us meet industry where they are in the middle.

Tom Temin And on the news front, you had an announcement yesterday at AUSA on cybersecurity for small business, something other than CMMC sounds like.

Young Bang Yeah, so that’s a great point. I think the Under Secretary of the Army had a really good announcement about Ncode. And if you think about that, that’s another acronym and we’ll really talk a little bit about that. But the whole purpose of that was the whole CMMC. And if you think about the complexities of CMMC, it’s really hard for some of our small businesses really to afford even the level two areas of CMMC.

Tom Temin Or even to read a 470 page rule.

Young Bang That’s absolutely true. And so we said, Hey, how do we help the industry? How do we help small businesses, specifically? How do we really offset the CMMC requirement that’s coming down for them? And so we are looking at a series of pilots, what we call cyber as a service for small business. And really Ncode stands for that. The Next-generation Commercial Operations in Defended Enclaves. It’s a long title, but it’s Ncode for short. But it really will build on our pilot. Our pilot really is about how do we provide some services for the small businesses. So we know that it’s a cost prohibitive model or it takes a lot of investment for them to do that. And we have some analysis that actually shows most small businesses, and how much revenue they get from the Army or Defense. And if you look at the business case, it’s really not worth it for them to invest literally maybe $1 million to get CMMC compliance.

Tom Temin Well beyond that, it also matches the army, matches the way they operate, because anyone starting a business today is not going to buy servers and buy discs and put in software. They’re going to use accounting personnel, whatever it is they need engineering software as a service by subscription anyway. So this kind of conforms the army to what the reality is for small business.

Young Bang That’s right. And so for the small businesses you might say, Well, if I was a small business, I could just get as a service from anything. And so that’s absolutely true. But what we are working with is specifically government overwatch. So how do we also offer more for the small businesses? Because there will always be things that are inherently governmental, and should we put that onus on small businesses or other vendors to really provide? No, because they can’t, because some of it has to be inherently governmental. And that’s why we are partnering with industry, in specific small businesses. We’re looking at some of the cloud vendors and managed service providers to provide an offering for small businesses that is cost effective, as well as a government overwatch component of that. So you’ll see more details that will be publicized in the future. And again, this is just again building on what the Under Secretary just announced yesterday.

Tom Temin We’re speaking with Young Bang. He is principal deputy assistant Secretary of the Army for Acquisition, Logistics, Technology, ALT. And we’ve talked about cyber, artificial intelligence is the other big word, and it’s real. I don’t use the word buzzword for this because you see it happening. And what’s your take on the ALT as it relates to AI or vice versa?

Young Bang Yeah, we think that. So that’s a great question. So you’re probably like, why does the Army care about AI? And for us, we don’t have huge exquisite aircraft carriers or huge tankers and fighters. Our resources are people and our soldiers. And we are going to be the biggest consumers of AI. And so we don’t want to let all the other services figure it out for us. We’re going to be leaders in this space. And because, again, like I said, we’re going to be the largest consumer. So we have really looked at, how do we look at multiple things? So the CIO published a guidance on Gen AI. We’re actually encouraging our community and our environment to use and experiment with Gen AI. We’ve also done it to reinforce the security requirements. So if you have data that’s on the NIPR, keep it on the NIPR side. If you have data that’s on the SIPR, keep it on the SIPR side. And we now have actually developed pilots of Gen AI and large language models on each of those enclaves for our community to experiment, because right now the market is kind of nascent in the space, but we’re enabling our users to experiment with it, because we want that to inform our requirements so we can actually program in the POM and request more money from Congress as we flesh it out. So that’s one dimension from a policy perspective. The other areas that we’re looking at, how do we accelerate the adoption of AI from the government? And really we’re looking at what are the big obstacles that are preventing us from adopting third party generated algorithms.

Young Bang So we have an effort called #DefendAI. It’s a layered defense framework for AI. So we can look at the risk and the controls, because again, we want to be able to adopt third party generated algorithms. So we’re saying, Hey, we’ve identified about 30 different attacks. We’ve identified about 60 different controls. They’re not necessarily one for one. We want industry to help us to find more of that so then we can say, here’s the risk, here are the controls, here’s some other risk that hasn’t or needs to be addressed. And then we can collectively make an informed decision about saying, OK, this can be now put into a closed environment, this can be put into a business environment. This could potentially be put into a weapon system or a safety critical system. So it’s a better way of getting at that. So that’s the first thing. #DefendAI. The second thing is that we’re looking at another buzzword, #BreakAI. And what that means is like, how do we test and do third party generated algorithms? And so what I’m talking about is not the performance or the drift. We’re talking about software we can test because it’s deterministic. Algorithms are more probabilistic, but as we get closer to AGI, we don’t know what the intended behavior or the outcome is going to be. So how do we test for that? And so those, I think, are obstacles that are going to prevent us in the future from adopting it. So that’s why we’re tackling that now.

Tom Temin It’s almost like modeling it out into the future, what it will do as it gets modified by events and application of data, in other words.

Young Bang That’s right. And we don’t have the solutions, but we do want to push this out there because we want smart people that are thinking about these problems and work together, so we could actually have some ways to evaluate it so we can adopt it. And the last part is something we’re calling counter AI, or #CounterAI.

Tom Temin Which might be the most important one of all.

Young Bang It is. Because a lot of times we look at things from a defensive perspective, but we also have to look at how threats or peer threats are looking at using and employing AI so we can counter that. And if you look at that, if we could give our soldiers five seconds, a minute, five minutes, ten minutes to counter their employment of AI, we have to be able to think about those capabilities now. And then that would also lead us to get more resilient AI in our systems as well. So those are the areas that we really wanted industry’s help and collaboration on.

Tom Temin It strikes me you have a parallel challenge that the Missile Defense Command has. They use space as a utility, but they also have to defend space, because space is now contested where it was not, say, 20 years ago.

Young Bang That’s right. If you think about that, I use the whole sports analogies. If you play sports, you play offense and defense. And a lot of times we look at things defensively and offensively separately. And what we want to do is have everyone look and play offense and defense together. And especially in the digital transformation space.

Tom Temin And the way you describe AI and developments in AI, then really it’s a form of engineering, and it’s digital engineering because it’s purely a digital exercise. What about digital engineering in the ALT domain elsewhere? That whole digital twinning movement, is that something that’s coming into your work?

Young Bang Absolutely. And if you look at guidance that’s been put out, the undersecretary signed the directive on digital engineering for the enterprise. And so a lot of people automatically just focus on the acquisition side. But the context of that is, yes, it is focused on acquisition, but it’s also focused on requirements and the testing side too. So we want to really look at the whole lifecycle. From an acquisition standpoint, we always kind of joke. A lot of the industry is already in digital engineering and digital twins. And what we do is we ask them to say, Hey, convert your digital twin to paper so we can evaluate it, and then we’ll put it back into the digital engineering format. So we’re like, Hey, that doesn’t make a lot of sense, let’s logically flatten that. And if you want to submit things in paper, great. But we encourage more digital models and artifacts, and send that as you already have it so we can evaluate that. More importantly, we can accelerate the lifecycle.

Young Bang So if you look at programs like XM 30, which is our absolutely man fighting vehicle or the Bradley replacement, they’re born to do engineering from the start. And they’ve actually been working with industry specifically. They’ve just finished preliminary design review all from digital artifacts, digital models in a digital engineering environment. And that really accelerated our ability to work with them to evaluate the critical or the preliminary design, and then look at things as it’s emerging, like are there too many complexities and too many interfaces? How do we shorten this? And as we work that, we can actually go down the whole lifecycle and accelerate even like parts and repair parts and manufacturing and those type of things, as well as testing. And so that’s what we’re driving across the board. XM 30 is one of our pathfinders. We have multiple pathfinders that are in there. So we can really flesh out the details of how we’re going to execute. But we’re super excited about this because, again, we’re trying to meet industry where they are versus again, asking them to convert digital back to paper, back to digital.

Tom Temin And as a final question, all of this is in the digital intelligence, artificial intelligence. Do you have the gray matter, intelligence in the staff and in the Army to support all this effort?

Young Bang Yeah, so that’s a great question. Like I said, I was brought in to put the T back in ASA(ALT). But I’m one person, I have a strong team with our DAS portion that is really driving. A lot of our PEOs are going through that digital transformation, the odyssey, the journey on that to really upskill our workforce, bring in outside talent. But we can’t do it alone. That’s why it’s critical for industry to help us, to be able to partner with us, because we have no delusions. We’re not going to have all the experts. In fact, we’re going to have a smaller amount. But again, we need industry to really help us and cooperate here.


Good customer experience isn’t just good. For federal agencies, it’s the law

There ought to be a law against bad customer experience. There is a law, though, that federal agencies have good customer experience. It’s known as the 21st Century Integrated Digital Experience (IDEA) Act. How did agencies do in 2023? The Director of Information Technology Acquisition Management at the Government Accountability Office, Carol Harris, joined the Federal Drive with Tom Temin with details.

Tom Temin I guess you are statutorily required to check on agencies and how they’re doing in this digital experience, correct?

Carol Harris That’s correct. So the IDEA Act was passed in 2018. And as you mentioned, I mean that the purpose of the act is to improve government websites and its related services to enhance that customer experience. So the Act itself includes eight modernization requirements for these websites and services that agencies must follow. And so those include websites being searchable, encrypted. They also want these websites to be designed around user needs, using data, and also be mobile friendly, for example. And so as part of the act, agencies must submit five annual reports to both Congress and [the Office of Management and Budget]. So that’s one report per year between 2019 and 2023. And in those reports, agencies are required to report on their progress towards implementing those eight requirements for modernization. And so that’s the purpose of the report that we put out just recently in how agencies are doing relative to implementing the Act.

Tom Temin And how did they do relative to, say, the year before?

Carol Harris Well, the thing is, the reports varied in both content and in detail. And also, there were a lot of missing reports. So we were unable to give an assessment overall, unfortunately. But I’ll give you some details of what we did find. So the 24 CFO Act agencies submitted about 70% of the 120 total required annual reports. So those were about 84 in total. And when you break it down by agency, ten submitted all five reports. And then on the other side of the spectrum, you had four agencies submitting one or less. And then, as I mentioned, reports had varying levels of content and detail. So, for example, of the 18 agencies that submitted a report in 2023, only seven addressed all eight requirements. [Environmental Protection Agency and Department of Homeland Security] reports, for example, were definitely the best in show, both in terms of being comprehensive and very detailed across all eight requirements. But I will say that, for the other reports that either were missing content or just were very thin on content, that does not necessarily translate into a lack of compliance with the law.

Tom Temin Right. That’s the big question. Reporting is one thing; actually fixing your website so that they are compliant with what the law requires, that’s something else. So it’s possible to have great reports, but crummy websites and vice versa.

Carol Harris That’s exactly right. So [the General Services Administration], for instance, didn’t mention meeting the encryption requirement in its reports because it had actually already met that requirement before [the IDEA Act] was even passed in 2018. And then [the Agriculture Department] hasn’t submitted any of its annual reports yet. The department did tell us that it had met or is working to meet the eight requirements through its internal web modernization initiative, which it started in April of 2020. And so, we had to dig into why that is the case. Well, agencies were lacking instruction from OMB. And also the IDEA Act itself is silent on what should be contained in these reports, as well as how agencies should be complying with these modernization requirements. So 50% of the agencies that did not submit reports in 2023 told us that they needed more instruction from OMB.

Tom Temin That sounds a little bit like a cop out, though. ‘We need instructions from OMB before we can tell you our progress on these eight criteria which are in the law.’ Or am I being a little cynical?

Carol Harris I mean, that’s certainly the case. But the goal is to get an assessment across the government. So there is information that needs to be standardized in terms of the collection as well as the report format and the level of detail so that we at GAO, or even OMB, can weigh in in terms of taking the pulse of how the agencies collectively are doing. And so OMB did issue, since the passage of the IDEA Act, a memo back in 2023 that came with some clarifying instructions. But unfortunately, that memo was issued in September and it had minimal effect on the annual report, which was due in December, only three months later. Now, that’s probably why the agencies didn’t have a bump in terms of their 2023 report as far as the improvement in the quality and the content.

Tom Temin We’re speaking with Carol Harris. She’s director of Information Technology Acquisition Management at the GAO. And then one little detail I caught here in the report, and I’ll just quote it: “The Department of Treasury was the agency that discussed progress against the consistent requirements at the component level.” And that seems kind of crucial since, for any large department, it is the component, the major component website, where the action really happens very often.

Carol Harris That’s right. That’s right. And so having that clarity in the level of reporting and also whether it’s at the enterprise level, the department or at the component level is really important so that we get that sense of what’s going on. Because certainly you have these agencies like Department of Commerce that have critical components within them, like [the National Oceanographic and Atmospheric Administration and] the Census Bureau, for example. And we want to know how those agencies are doing or those components are doing, for sure.

Tom Temin I’m thinking of DHS, where if you want to get a trusted traveler type of card, you either have to go to [the Transportation Security Administration], or for global entry, you have to go to [Customs and Border Protection]. And that’s where people actually transact and not at dhs.gov, necessarily.

Carol Harris That’s right. Exactly. And the same can be said with the Department of State’s Bureau of Consular Affairs when you want to get a passport, or the Fish and Wildlife Service under [the Interior Department] when you’re going to these national parks. So absolutely we want to get that level of detail within the components. So OMB’s guidance that was issued in September of 2023, it is pretty good in terms of clarifying the compliance with these modernization requirements. It describes a number of actions that agencies should be performing. And so this is one of the reasons why we didn’t issue any recommendations because, number one, the sunset on these reports has already come to pass. But I think continued oversight over this guidance that OMB has issued will likely enable us as well as OMB the ability to assess the extent of progress towards delivering better digital services to the public.

Tom Temin And would it also be fair to say, and this is not strictly what you reported on, but at this stage in history, any large organization that is deploying a website is likely to have the kind of expertise behind it such that it’s trying to get best practices for any website, commercial or government?

Carol Harris Yes, for sure. OMB has its own customer experience team, which is part of a broad network of teams across the government. And so just as an example, with all of the things happening in the Carolinas and in Florida right now with the hurricanes, FEMA worked closely with OMB’s team, for example, to ensure that its delivery of the disaster assistance registration information was in line with government best practices. And FEMA also, they use Login.gov as part of that disaster assistance website to provide that secure multifactor authentication. So that’s an example of where you see that collaboration across government, to ensure that the public has a good experience online.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Endpoint proliferation exacerbates old cybersecurity problem: data integration

Data integration and normalization is one of the oldest problems in cybersecurity. It’s common practice for companies that build endpoint devices — more traditionally laptops and smartphones, but increasingly also Internet of Things devices like internet-connected appliances, sensors, cameras and even medical devices — to create their own data formats. But for federal agencies and other organizations that are now collecting more data than ever before, that presents a cybersecurity challenge: How can they reconcile all those disparate forms of data to tell a single story?

Elena Peterson, cybersecurity researcher at Pacific Northwest National Laboratory, said there are many approaches, but some work better than others. Normalizing all of the data, for example, requires significant processing power, is time-consuming, and simply may not be viable in real-time. But newer technologies may offer better options. For example, automation and artificial intelligence can sift through the data at much faster speeds and pull out insights, which can then be integrated to get a complete picture.

“AI certainly supports that. It can process data very quickly. It can find patterns pretty quickly,” Peterson said on Improving Cybersecurity Through Autonomous Endpoint Management. “You certainly have to be careful of the AI you use because you can spoil it in a way on accident or potentially on purpose. So like I said, there’s a bit of that cyclical nature of making sure that you’re also using AI that has not been, let’s say, modified for good or bad. But it can be very helpful.”

Another challenge with AI, Peterson said, is that while it has potential to supplement cyber defenders, it’s also lowering the bar for cyber attackers. AI can be used to code simple cyberattacks by bad actors who don’t actually have to know what they’re doing. It’s a dark mirror to the cybersecurity professionals who are using AI to code cybersecurity and cyber resilience into software during the development phase.

“Also, things like cloud computing and high performance computing that can bring a lot of processing to the data even closer to where the data is at,” Peterson said on the Federal Drive with Tom Temin. “If you can process some of the data at what we call the edge, a lot closer to where it’s being generated, get what you need out of it, then the amount of data you get is much smaller that you need to integrate with other data. And then that can improve your ability to analyze it quicker.”
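The normalize-then-reduce approach Peterson describes, as an added example that is not code from the article or from PNNL: three record formats (a syslog line from a laptop agent, a JSON event from an IoT camera and a CSV row from a sensor gateway, all constructed here) are mapped onto one common schema, and an edge-side step collapses them into a per-source summary of failed logins so that only the small summary has to be integrated centrally. The field names, the outcome vocabulary and the year assumed for the year-less syslog timestamp are assumptions of this example.

```python
"""Normalize three constructed endpoint log formats into one schema, then reduce at the edge.

Added example; not code from the article or from PNNL. The formats, field names
and sample records below are constructed for illustration.
"""
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed samples: a syslog line from a laptop agent, a JSON event from an IoT
# camera, and two CSV rows from a building-sensor gateway.
SAMPLE_RECORDS = [
    "Oct 10 14:02:11 laptop-17 sshd[912]: Failed password for root from 198.51.100.23 port 51122",
    '{"ts": 1728568932, "cam": "cam-07", "evt": "login_fail", "src": "198.51.100.23"}',
    "2024-10-10T14:02:13Z,sensor-gw-3,auth_failure,198.51.100.23",
    "2024-10-10T14:02:14Z,sensor-gw-3,auth_ok,203.0.113.5",
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day> ?\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w-]+)\[\d+\]: (?P<msg>.*)$"
)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Vendor-specific outcome words mapped onto one common vocabulary (assumed mapping).
OUTCOME_WORDS = {"login_fail": "failure", "auth_failure": "failure",
                 "login_ok": "success", "auth_ok": "success"}


def _event(ts, host, outcome, source_ip, fmt):
    """Common schema: every source ends up with exactly the same keys."""
    return {"@timestamp": ts.isoformat(), "host": host, "event": "authentication",
            "outcome": outcome, "source_ip": source_ip, "format": fmt}


def _from_syslog(line, year=2024):
    # BSD syslog carries no year; the collector has to supply one (assumed here).
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day'].strip()} {m['time']}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    ip = IPV4_RE.search(m["msg"])
    outcome = "failure" if m["msg"].startswith("Failed") else "success"
    return _event(ts, m["host"], outcome, ip.group(1) if ip else None, "syslog")


def _from_json(line):
    d = json.loads(line)
    ts = datetime.fromtimestamp(d["ts"], tz=timezone.utc)
    return _event(ts, d["cam"], OUTCOME_WORDS.get(d["evt"], "unknown"), d.get("src"), "json")


def _from_csv(line):
    ts_text, host, evt, src = line.split(",")
    ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    return _event(ts, host, OUTCOME_WORDS.get(evt, "unknown"), src, "csv")


def normalize(line):
    """Sniff the format of one record and map it onto the common schema; None if unparseable."""
    line = line.strip()
    try:
        if line.startswith("{"):
            return _from_json(line)
        if re.match(r"^\d{4}-\d\d-\d\dT", line):
            return _from_csv(line)
        return _from_syslog(line)
    except (ValueError, KeyError, TypeError):
        return None


def edge_summarize(lines):
    """Edge-side reduction: keep only failed-authentication counts per source IP,
    so the central collector receives a small summary instead of every raw record."""
    failures = Counter()
    for line in lines:
        ev = normalize(line)
        if ev and ev["outcome"] == "failure" and ev["source_ip"]:
            failures[ev["source_ip"]] += 1
    return dict(failures)


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(normalize(rec))
    print(edge_summarize(SAMPLE_RECORDS))
```

Each per-format parser is small and local to the device family that produces it; the only thing shared across all of them is the output schema, which is what makes the later correlation (here, three failures from one address across a laptop, a camera and a sensor gateway) possible without re-processing the raw records centrally.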

Protecting physical devices

Peterson said critical infrastructure is another area of focus for PNNL. The challenge there is that some of that infrastructure, like at power and water plants, is several decades old and was never intended to be secure, because it was never intended to be connected to the internet. That sometimes requires a new approach.

When trying to secure legacy infrastructure devices, Peterson said the go-to option is to upgrade them, or at least their IT systems, so that they can take advantage of newer cybersecurity protections. But sometimes, it’s easier to install an intervening technology between the device and the network, so if the device gets compromised, the bad actor can’t use it as a vector into the main systems.

“Trying to protect everything at the edge is our first order, then using zero trust principles for anything that might get through, it doesn’t get through too far,” she said. “A lot of work we do is in what we call resilience, which is the idea of, if somebody does manage to get in, we can continue the mission that we have, maybe keeping the power going in a power plant, but still defend the attack that’s happening. There’s a lot of interesting ways to do that, just depending on the situation.”

What contractors need to know, now that the CMMC rule is finalized

After years of cogitation, the Defense Department has finalized one of two big rules for its Cybersecurity Maturity Model Certification System (CMMC). It shouldn’t be a surprise to anyone, least of all the tens of thousands of affected contractors. Yesterday we heard from the Professional Services Council with an industry-wide take on CMMC. For a close-up look, the Federal Drive with Tom Temin spoke to procurement attorney Eric Crusius of Holland and Knight.

Tom Temin And Eric, this is one of two rules that they have finalized. The other rule comments are closed now, but that’s not finalized. So what did they finalize? What can industry see now that they know is gospel with respect to CMMC?

Eric Crusius That’s right. The rule that was finalized will lay out the entire CMMC program. So it’s going to kind of lay out how everything’s going to work. As you may say, how the sausage is made in the sausage factory, so to speak. All those kind of details about how this is going to work. That’s the rule that was finalized. And I think that is a really important part of this process because it lays out to contractors what they have to do and we have a better idea about when also.

Tom Temin Right. But this is not specifying what will be in contracts for contracting officers, right? So does it really have any meaning at this point?

Eric Crusius So it’s this huge ship without an engine, it’s there. We know what’s in the ship. We know where it’s going to go. We know the different parts of it. We don’t know — the engine hasn’t started yet to get it to port. That DFARs rule is kind of like the engine that will get it to port; that’s not finalized yet. But there’s far fewer details in that rule because it’s really just the smaller rules that go into contracts. The real meat of CMMC is now finalized and out.

Tom Temin I guess it’s fair to say, to summarize all of this, that people have known CMMC was coming now for several years and even though now it’s December that you have to get that certification from a [CMMC third party assessor organization (C3PAO)], you probably knew about this and it shouldn’t be a mad scramble if you’ve done your homework and kept an eye on this.

Eric Crusius What [the Defense Department] has said throughout the final rule, what they released, it was not just the rule itself, but a response to comments. Commentary kind of really gives DoD’s feelings and positions on these different issues. And one thing they’ve said consistently up to this point and within this rule time and time again is that these requirements have been around for the last seven years or so. Contractors have had a long time to get up to speed with protecting controlled unclassified information (CUI). This should not be a heavy lift for those contractors who have done what DoD expects them to do. It’s easy to disagree with that in some respects, especially new entrants to the marketplace. Smaller contractors also have concerns about the cost of this, but DoD has really thought that, ‘hey, this has been a requirement for a long time. All we’re asking to do is verify, to show us that you’re doing what you’ve said you’ve been doing for the last number of years.’

Tom Temin And I guess you could argue that these are controls, the specific cybersecurity controls themselves — aside from compliance with CMMC — is something you probably should have anyway if you are a defense contractor or if you simply value your company and want to keep cyber hackers, etc. out of it.

Eric Crusius I mean, compliance with these controls does not guarantee that you won’t have a cyber incident, but it’s sure as heck going to help prevent cyber incidents from happening. So even without the CMMC requirement, I think for a lot of contractors it’s a good idea. These nation states that are watching us closely, like China, they know the smallest companies out there in our supply chain, if they have valuable information. And they know that they are generally a weaker link. And if you own one of those companies, it really is a good idea to protect yourself because a cyber incident that goes the wrong way could mean the end of a business. So it’s an expensive investment to make, but I think it’s a business necessity as well.

Tom Temin And what do we know about the capacity of the assessors, the third party organizations? Are there enough of them out there, do we know? Do they have the capacity to maybe take on an onslaught of requests for certifications?

Eric Crusius That’s the million dollar question right there, maybe the billion dollar question. But right now there are between 50 and 60 assessors out there that are capable of doing assessments. A lot of them have multiple assessment teams. So maybe there’s 100 assessment teams out there that could do assessments right now. Obviously, there are 76,000-plus companies that will need to get an assessment. But DoD’s hope is that rolling this out in stages will lessen the immediate impact, although I do think early on, once the DFARs rule comes out especially, there’ll be a little bit of a rush on the bank where contractors will just want to get assessed because they want to protect themselves. Because even though this is rolling out in phases, we don’t know exactly when the contract that that contractor has will need to get assessed. Right. They haven’t identified specific programs that are going to come first. So if I own a business that is wholly reliant on DoD contracts, I’m not going to wait. I’m just going to go and get my assessment. So that way, if an opportunity comes up that I want that requires an assessment or the work I’m working on now that’s going to be up for renewal next year is going to require an assessment, that I’m prepared to do so.

Tom Temin And if a company is assessed and certified as compliant with the controls required under CMMC and something happens bad in the cyber domain, they get attacked or something or they lose data. And it turns out that control wasn’t really in place. Who’s to blame? The assessor that said it was, or the company that thought it was?

Eric Crusius This segment’s an hour right?

Tom Temin Right. Well, yeah, I realize this could be opening up a whole channel, but it seems like that question is going to come up, I think, at some point.

Eric Crusius I think so. And I think that’s going to be very factually specific on the circumstances. Why was that control not identified as being not met? It could be that the contractor did something to obfuscate that control, perhaps, or maybe the assessor just kind of messed up. A lot of what DoD has been doing now with various cyber incidents, they haven’t looked to punish contractors that have had cyber incidents. They’ve worked to kind of discover what’s going on so we can fix it so we don’t have this spread across the defense industrial base. And that’s going to change at some point where they’re going to say, ‘okay, you’ve had enough time to kind of get up to speed here,’ but I hope if something like that happens, it’s not the result of a missed control. It’s just that the hackers knew a better way to build a mousetrap, so to speak.

Tom Temin Yeah, there’s no guarantees in any of this, I guess.

Eric Crusius No guarantees. But certainly there are going to be instances, like you said, where a control was not met. There was a mistake made by an assessor or some kind of obfuscation by the contractor and DoD is probably going to want to find out which one it is, because if an assessor is doing something wrong, they’ll want to know that so that they can course correct for that assessor at least. Or assessors maybe that have the same idea.

Tom Temin And what’s the expected timeline for the second rule that will operationalize it with DFAR changes? I mean, you’ve characterized it as a ship without an engine. I look at it more as all the train cars are lined up now, the locomotive is backing down the track to hook up to that train and yank it along.

Eric Crusius I think they’re both great analogies there. So we now have comments that have been submitted for this. I really think they’re going to move quickly with this. I could see this final rule coming out the end of Q1 of 2025, the DFARs rule, and that’ll get this whole ball rolling. They didn’t waste any time. This rule, that part 32 rule, which is now finalized, over 400 pages long, it took them less than a year to get it out the door from proposed rule to final rule with hundreds of comments. Here we have a much simpler rule that will bring in far fewer comments. I don’t think it’s going to take them long at all to kind of go through those comments, adjudicate them and issue a final rule that’s largely consistent with the rule, the proposed rule that’s already out there.

Tom Temin Far fewer comments, pun not intended.

Eric Crusius Not intended in this instance.

Fewer seasonal hires at USPS this holiday season

  • The Postal Service is planning to make fewer seasonal hires for the holidays this year. USPS expects to make 7,500 temporary hires for its busy year-end peak season. USPS made about 10,000 seasonal hires last year. The agency said it doesn’t need to surge up staffing around the holidays because it’s converted many of its pre-career employees to career positions in recent years.
  • In Alaska, Hawaii and U.S. territories, agencies are consistently struggling to hire and retain federal workers. A new report from the Government Accountability Office said that’s due to a combination of factors, like a high cost of living and limited options for childcare. On top of that, GAO found that some feds are running into difficulties getting relocation incentives from the government. GAO said agencies that are trying to recruit in those states should look at ways to implement more workforce flexibilities.
  • More employees at the Department of Labor will soon see changes to their in-person work requirements. Labor employees outside the nation’s capital will have to report to the office at least five days per two-week pay period, beginning Dec. 1. The changes come after many other agencies have implemented new return-to-office requirements for their workforces. But the American Federation of Government Employees, the union representing those workers, is raising concerns about the negotiations process. They’re asking department leaders to bargain in good faith over return-to-office policies.
  • A State Department modernization panel is coming into focus with White House appointees. President Joe Biden intends to appoint four members to the State Department’s Commission on Reform and Modernization. All his intended picks are former State Department officials with decades of experience. One of them briefly served as coordinator for the State Department’s investigation into cases of so-called Havana Syndrome. Lawmakers created the panel in fiscal 2023. The commission has 18 months to examine the challenges of modern-day diplomacy and issue a final report to Congress and the President.
  • The Office of Information and Regulatory Affairs (OIRA) is developing guidance for agencies to make sure they handle commercially available information containing personally identifiable information safely and securely. In a new request for information, OIRA is seeking comments from industry, agencies and other experts on how best to mitigate risks of artificial intelligence systems using this commercial data. OIRA outlined 14 questions, including about agency transparency and processes in handling this data, to consider as part of this RFI. Responses to the RFI are due by mid-November.
  • The National Archives and Records Administration (NARA) previews a new strategic plan. NARA plans to embrace a digital future under its forthcoming strategic plan. National Archivist Colleen Shogan laid out her priorities for the new strategy in a framework document released last week. Shogan said the Archives needs to develop the infrastructure required to support a growing body of electronic records. NARA also plans to adopt artificial intelligence and machine learning to improve data management and boost access to records. And Shogan also wants the Archives to focus on improving the user experience.
  • A leading defense industry group is taking a close look at the Pentagon’s recently finalized Cybersecurity Maturity Model Certification (CMMC) rule. Aerospace Industries Association President Eric Fanning said AIA is still reviewing the final rule. But he called for the Defense Department to balance security with the need to minimize barriers for industry. Fanning also called on DoD to improve the identification of sensitive data that would trigger CMMC requirements. While the Pentagon has finalized the CMMC program rule, it doesn’t plan on finalizing the corresponding contract requirements until next year.
  • The Army set an ambitious goal of bringing 61,000 new recruits into its ranks in 2025. The service also wants to bring 10,000 recruits into its Delayed Entry Program in 2025. Army Secretary Christine Wormuth said the “goal is ambitious, but it is achievable.” In fiscal 2024, the Army recruited 55,300 new soldiers, barely surpassing its target. It also exceeded its goal to bring 5,000 new soldiers into the delayed entry program. Currently, the service has about 11,000 people in the program, giving recruiters a head start for fiscal 2025.
  • Since becoming operational in December 2023, the Army’s Office of Special Trial Counsel has reviewed 3,300 investigations, referring 67 cases to court-martial and prosecuting 32 cases, with 29 resulting in convictions. The office handles 13 serious offenses under its jurisdiction. Starting in January 2025, sexual harassment will be added as a covered offense, giving the OSTC the authority over those cases as well. The Defense Department also tasked the Army Office of Special Trial Counsel with preparing an annual report to Congress and prescribed approximately 45 performance measures to gather data and assess the office’s performance.

Open Season auto pilot? Not for 2025

This content was written by Serving Those Who Serve (STWS).

Serving career feds for nearly 40 years affords the opportunity for some meaningful insights.  Perhaps one that our community takes for granted the most is the value of the Federal Employees Health Benefits Program. In a world where health care choice and options seem to be shrinking, feds enjoy a robust “cafeteria plan” abounding with choice and options.

Yet, the reality we see has been a “set it and forget it” approach for most feds. Happily, this has been a serviceable strategy for much of the federal workforce, until possibly this year.

Seismic is not an overreaching word to describe the changes in the overall health insurance landscape for federal employees.

To begin we have a historic realignment in the programs available to postal employees as the FEHB plan is supplanted by the Postal Service Health Benefits Program. Not only does the pool of available carrier options shrink from 68 to 32, but new requirements for Medicare Part B enrollment are incorporated.

Add to this that the estimated average premium increase is 11.1% and the need for education and informed decision making is greater than ever.

Non-postal feds are not escaping unscathed. Your average projected premium increase is 13.5%. Keep in mind that average means that your increase may be even higher. The time to discover that is not in January of next year.

To add to the complexity for non-postal feds and retirees of Medicare age, for 2024 there were 40 Medicare advantage options to consider within the FEHB chassis.

Feeling overwhelmed yet? You are not alone.

Fortunately, at Serving Those Who Serve, in addition to having decades of experience helping feds navigate the ever-growing complexities of FEHB, we are truly fortunate to have a strategic relationship with some of the finest minds and authors currently writing on these topics.

Central to our educational offerings has been Ed Zurndorfer. With over 1200 articles to his credit, Ed is a towering figure in the federal benefits educational space.  So, we reached out to him for his thoughts on what makes this Open Season different.

Not surprisingly Ed has a robust slate of articles in the works leading up to and through the 2025 open season beginning on Nov. 11, 2024.

Here are the key considerations and discussion topics Ed will address:

  • With the major changes to Medicare Part D (prescription drug program) resulting from the passage of the Inflation Reduction Act of 2022, does it make sense for some feds to enroll in Medicare Part D?
  • What is Medicare Advantage and what plans are available within FEHB and PSHB?
  • Are you taking advantage of a Health Savings Account?
  • Are you considering “total cost” (including deductibles and co-pays) when selecting your FEHB or PSHB plan?
  • What tools are available for making comparisons between available FEHB and PSHB plans?
  • Do you know what a formulary list is and why it is critically important to your prescription drug coverage decision?

If this brief list seems like a lot, have no fear. Ed will be available to explain and answer questions firsthand during multiple live webinars at www.stwserve.com.

To be as thorough as possible we at STWS are also fans of the Consumer Checkbooks Guide to Health Plans for Federal Employees. This tool has proven invaluable through the years to effectively compare FEHB and soon PSHB plans. We reached out to the man behind this outstanding tool, Kevin Moss for his tips for the upcoming open season.

Kevin shared the following pointers:

Confirm the available plans:

Use tools like the OPM comparison tool or Checkbook to see what plans are available by zip code.

Review Section 2 of your FEHB plan brochure:

This will be published each year on the site for your plan. Per Kevin, “Section 2 will alert you to important benefit changes.”

Use yearly cost estimates to narrow down plans:

What you’ll pay is more than just the annual premium.  We at STWS feel the guide is a great tool for making these evaluations.

Check providers and prescription drugs:

These are important steps in deciding to enroll in an FEHB or PSHB plan.  You can find this information on the plan website.

Here’s a link to an STWS podcast with Kevin (https://www.youtube.com/watch?v=pLfLpI70J6c) and you can read more from him on the Consumers’ Checkbook website.

Readers of this article can enter STWS and get a 20% discount on the Consumers’ Checkbooks online tool.

We extend heartfelt thanks to Ed and Kevin for being part of our mission to Reach, Teach and Serve you, the career civilian fed.

Our closing thought is this: Perhaps more than any year past knowledge and preparation are power in making the best possible decisions for you and your family this Open Season.

We are grateful to Federal News Network for helping us get this vital messaging out to you. Be sure to bookmark them as well as STWSERVE.COM.

And not to overwhelm you but Medicare’s open enrollment for 2025 runs from Oct. 15 through Dec. 7, 2024.  Lots to think about here too.

To help with your Open Season preparation, here are our upcoming webinars:

Understanding FEHB, Medicare and TRICARE for Federal Employees

Oct. 23 10:30 a.m. to 2:30 p.m. Eastern

Nov. 20 10:30 a.m. to 2:30 p.m. Eastern

Sign up for one or both, and feel free to share with your friends.   Knowledge is power and we are here to help empower YOU!

Written by Dan Sipe. The information has been obtained from sources considered reliable but we do not guarantee that the foregoing material is accurate or complete. Any opinions are those of Dan Sipe and not necessarily those of RJFS or Raymond James. Any information is not a complete summary or statement of all available data necessary for making an investment decision and does not constitute a recommendation. Investing involves risk and you may incur a profit or loss regardless of strategy suggested. Every investor’s situation is unique and you should consider your investment goals, risk tolerance, and time horizon before making any investment or financial decision. Prior to making an investment decision, please consult with your financial advisor about your individual situation. While we are familiar with the tax provisions of the issues presented herein, as Financial Advisors of RJFS, we are not qualified to render advice on tax or legal matters. You should discuss tax or legal matters with the appropriate professional.

New Cyber Guidance Suggests Steps to Foil Russian Intel Threats

The National Security Agency announced that U.S. and U.K. authorities have released a new joint cybersecurity guidance recommending measures for network defenders to address ongoing cyber threats from the Russian Federation Foreign Intelligence Service, or SVR. 

The joint advisory listed the common vulnerabilities and exposures that SVR is exploiting through various malicious tactics, such as spearphishing, password spraying, malware deployment, cloud exploitation and living off the land, or LOTL, attacks, the NSA said Thursday.

The new eight-page joint cybersecurity advisory, titled  “Update on SVR Cyber Operations and Vulnerability Exploitation,” is co-authored by the NSA, the FBI, the U.S. Cyber Command’s Cyber National Mission Force and the U.K.’s National Cyber Security Centre, or NCSC.  

To reduce the potential SVR attack surface, the advisory suggests disabling unnecessary internet-accessible services, restricting access to trusted networks and removing unused applications from workstations.

Other advisory suggestions include multi-factor authentication for users and regular audits of cloud-based accounts and applications.

Additional mitigation measures on Russian exploitation of cloud environments are contained in another joint cybersecurity advisory issued in February. The earlier guidance was spearheaded by the U.K.’s NCSC and supported by international partners including U.S., Canadian, Australian and New Zealand security agencies.
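Two of the mitigations listed above (trimming internet-accessible services to those that are meant to be exposed, and auditing cloud accounts for missing MFA and disuse) turned into a repeatable check, as an added example that is not part of the advisory or of any NSA/NCSC tooling. The listener text is constructed in the style of `ss -tlnp` output, and the account inventory, the allowlist of intentionally exposed services and the 90-day idle threshold are all assumptions of this example.

```python
"""Hygiene checks matching two of the advisory's mitigations: find listening services
exposed beyond the trusted network, and cloud accounts lacking MFA or sitting idle.

Added example, not from the advisory or NSA/NCSC. The listener text (in the style of
`ss -tlnp` output), the account records and the policy values are constructed here.
"""
import re
from datetime import date

# Constructed sample in the style of `ss -tlnp` output from a Linux workstation.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=1203,fd=6))
LISTEN  0       511     *:8080               *:*                users:(("java",pid=2210,fd=44))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Hypothetical policy: the only service meant to be reachable from outside the trusted network.
ALLOWED_EXPOSED = {22: "sshd"}

# Bind addresses that accept connections on every interface.
WILDCARD_BINDS = {"0.0.0.0", "*", "[::]", "::"}
PROC_RE = re.compile(r'\(\("([^"]+)"')


def parse_listeners(text):
    """Turn ss-style LISTEN lines into dicts of bind address, port and process name."""
    listeners = []
    for line in text.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 6 or cols[0] != "LISTEN":
            continue
        addr, port = cols[3].rsplit(":", 1)     # rsplit keeps "[::]" intact
        proc = PROC_RE.search(cols[5])
        listeners.append({"addr": addr, "port": int(port),
                          "proc": proc.group(1) if proc else "?"})
    return listeners


def exposed_listeners(listeners, allowed=ALLOWED_EXPOSED):
    """Flag wildcard-bound services that policy does not list as intentionally exposed.
    Loopback-only services (127.0.0.1) are not reachable from the network and pass."""
    return [l for l in listeners
            if l["addr"] in WILDCARD_BINDS and allowed.get(l["port"]) != l["proc"]]


# Constructed cloud account inventory: user, MFA state and last sign-in date.
SAMPLE_ACCOUNTS = [
    {"user": "alice@example.gov", "mfa": True, "last_login": "2024-10-01"},
    {"user": "svc-backup@example.gov", "mfa": False, "last_login": "2024-09-28"},
    {"user": "contractor-old@example.gov", "mfa": True, "last_login": "2024-03-02"},
]


def audit_accounts(accounts, today, max_idle_days=90):
    """Return (user, finding) pairs for accounts without MFA or unused past the threshold.
    `today` is passed in rather than read from the clock so the audit is reproducible."""
    findings = []
    for acct in accounts:
        if not acct["mfa"]:
            findings.append((acct["user"], "mfa_disabled"))
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > max_idle_days:
            findings.append((acct["user"], f"idle_{idle}d"))
    return findings


def run_audit(ss_text, accounts, today):
    """Combine both checks into one report that a scheduled job could diff run over run."""
    return {"exposed_services": exposed_listeners(parse_listeners(ss_text)),
            "account_findings": audit_accounts(accounts, today)}


if __name__ == "__main__":
    print(run_audit(SAMPLE_SS_OUTPUT, SAMPLE_ACCOUNTS, date(2024, 10, 10)))
```

The allowlist is keyed on both port and process so that a different binary picking up a permitted port still surfaces as a finding, and the idle check reads the reference date as an argument so that two runs over the same inventory agree; in practice the inventory would come from the identity provider's export rather than a literal.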