The Wrap: Shut Down Vulnerable Software; ATO for AI?; More Details Needed for NCS

Welcome to The Wrap for Friday, February 2!

From the newsroom at MeriTalk, it’s the quickest read in Federal tech news. Here’s what you need to know today:

Shut Down Vulnerable Software

If you’re a procrastinator, now is the time to shut down software products with major cybersecurity vulnerabilities. The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive this week mandating Federal agencies disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure VPN products on their networks no later than 11:59 p.m. today. This directive supersedes a Jan. 19 emergency directive from CISA, which told agencies to remediate the vulnerabilities in those Ivanti products. In the original emergency directive, CISA explained it “observed widespread and active exploitation of vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure solutions.” Now, CISA said agencies running the affected products “must assume domain accounts associated with the affected products have been compromised.” Agencies must report back to CISA on the required actions by Monday, Feb. 5.

ATO for AI?

The Federal government is already using AI technologies, but one tech expert this week explained that it’s crucial to leverage “radical collaboration” to put a formal AI governance model in place – such as an Authority to Operate (ATO). At MeriTalk’s Accelerate AI Forum on Tuesday in Washington, D.C., Teresa Carlson – a former top executive at both Amazon and Microsoft – explained the importance of developing an ATO process for AI. “We’ve got to make sure that government has a process because we cannot fight gravity,” Carlson said. “Because of that, we have to make sure that we are working in radical collaboration between the commercial sector and public sector to ensure that we can move faster.” Carlson explained that AI is going to move much faster than cloud, so the government needs to get an AI ATO ready. “Let’s get this going. Let’s put them all in place to make sure it scales because the FedRAMP ATO took a long time,” she said, adding, “I’m excited, and I’m also very passionate about bringing in these new technologies.”

More Details Needed for NCS

The White House’s National Cybersecurity Strategy (NCS) looks to promote better security across the Federal government, but it lacks performance measures and implementation costs. That was the topline takeaway from a new Government Accountability Office (GAO) report. Implementation of the strategy is underway under the coordination of the Office of the National Cyber Director (ONCD), which produced the plan. “As of January 2024, the strategy and plan provide a good foundation, but the Office still needs to include more details in the plan to ensure that the strategy can be implemented consistently and effectively government-wide,” the Feb. 1 GAO report says. ONCD agreed with GAO’s recommendation on outcome-oriented measures but disagreed with its recommendation on estimating costs. Rep. Gerry Connolly, D-Va. – long a prime mover in Congress for improving Federal IT operations – issued a statement agreeing with the GAO report, calling the NCS a “strong first step” towards addressing cyberthreats. “As an advocate of quantitative assessments, I urge the ONCD to continue working towards developing outcome-oriented and cost-related metrics to better gauge operation results, manage outlay estimates, and inform and support future budget submission,” the congressman said.

DoI Taps Digital Experience Officer

Congrats to Andy Lewandowski, who the Interior Department tapped to serve as its first-ever chief digital experience officer – effective Jan. 29 – a department spokesperson confirmed to MeriTalk. Lewandowski came from the Office of Management and Budget (OMB), where he served as the digital experience advisor to Federal Chief Information Officer Clare Martorana since July 2021. In a LinkedIn post, Lewandowski wrote, “Together with the incredible DoI workforce, we’re going to use design and technology to improve public-facing services and customer experiences at the National Park Service, U.S. Fish and Wildlife Service (USFWS), U.S. Indian Affairs, and Bureau of Indian Affairs and across the agency – and we’ve got millions of people counting on us!”

Once again, let’s “call IT a day,” but we'll bring you more on Monday. Until then, please check the MeriTalk breaking news website throughout the day for the latest on government IT people, process, and policy. And finally, please hit the news tip jar (with leads, breaking news, or simply your two cents) at [email protected].