The Wrap: Pentagon Olympus Lookahead; GAO Scorches DoD Business IT; FedRAMP for GenAI?
Welcome to The Wrap for Friday, July 12!
From the newsroom at MeriTalk, it’s the quickest read in Federal tech news. Here’s what you need to know today:
Pentagon Olympus Lookahead
The Defense Department (DoD) is gearing up for a September rollout of its Olympus managed cloud environment, has a beta tester lined up, and has a waiting list of testers ready to go after that, Dave Lago, J9 Hosting and Compute (HaC) Olympus Directorate product manager at the Defense Information Systems Agency (DISA), told MeriTalk in an exclusive interview posted today. Please do click through to the whole talk where Lago talks about the planned flavors of the Olympus offering, current testing schedules, and how to overcome the challenges of multi-cloud environments.
FedRAMP for GenAI?
Does the Federal government need a program like the Federal Risk and Authorization Management Program (FedRAMP) – which is used to evaluate cloud security – to measure the risks of generative AI technologies that government agencies want to use? That’s one line of discussion from Michael Boyce, director of the Department of Homeland Security’s newly-established AI Corps, who talked about AI risk evaluations at a Carahsoft event on Thursday in D.C. “There’s a desire to have almost like a FedRAMP-like process for the AI specific risks of generative AI,” said Boyce, who also talked about how that idea fails to mesh with an Office of Management and Budget (OMB) policy document released earlier this year on Federal agency AI use. “I think the OMB memo doesn’t envision that part,” he said, adding, “the OMB memo envisions that it will be more pushed to the individual agencies for those AI-specific risks.” The reason for that, he offered, “is because we don’t have a centralized mechanism for managing all operational risks across the government.”
GAO Scorches DoD Business IT
The Government Accountability Office (GAO) did not mince words in its latest report out this week that surveys the Defense Department’s development of business-focused IT systems and finds that the effort is producing some systems that are late to arrive and are underwhelming versus expectations. “DoD spends a lot of money on IT systems. But a lot of these systems are late and don’t meet expectations. They’ve taken some steps to improve what they’re doing, but there’s really a lot more that they can do,” said GAO IT and Cybersecurity Director Vijay D’Souza, during a recent episode of GAO’s Watchdog Report Podcast. Key nuggets: GAO looked at 21 DoD IT business programs and reported mixed results in meeting performance goals. DoD mandates that programs track at least five key metrics covering customer satisfaction, business results, financial performance, and innovation. But only four of the 21 met all performance targets, ten met at least one, and one met none, while six programs failed to report any data. The report also found that of the 21 programs, ten actively develop software “but only six adhered to the agile and iterative methods recommended by the GAO,” the watchdog agency said.
Tougher Research Security
The White House Office of Science and Technology Policy (OSTP) put out the word this week to Federal research agencies that they need to improve research security and better protect U.S. research and development (R&D) work from foreign adversaries. Those directions came in a July 9 memo from OSTP Director Arati Prabhakar who said the Biden administration wants to “make sure that institutions of higher education and other research institutions recognize the altered global landscape and fulfill their responsibilities as the first line of defense against improper or illicit activity.” Among other requirements, the OSTP memo says that higher education institutions need to implement a cybersecurity program consistent with the CHIPS and Science Act’s cybersecurity resource. For research institutions that are not higher education institutions, Federal research agencies will require them to implement a cybersecurity program “consistent with another relevant cybersecurity resource” – such as one maintained by the National Institute of Standards and Technology (NIST).
Once again, let’s “call IT a day,” but we'll bring you more next week. Until then please check the MeriTalk breaking news website throughout the day for the latest on government IT people, process, and policy. And finally, please hit the news tip jar [with leads, breaking news, or simply your two cents] at [email protected].