The Department of Housing and Urban Development is looking for a new chief information officer. HUD is now one of five major agencies looking for a new technology leader.

But unlike the departments of Defense and Health and Human Services, and the Small Business Administration and the Centers for Medicare and Medicaid Services, the HUD CIO didn’t actually leave the agency to create the job opening.

Beth Niblock, who has been CIO since July 2021, moved to a new position as senior advisor for disaster management. The reason for the opening is purely political. HUD decided to move the CIO’s position back to a career one from a political one.

“[O]ver the past few years, HUD leadership determined the department would be best served by having a career CIO to ensure steady and consistent leadership, and to better position the department to deliver high-quality, transformative solutions enabling HUD to deliver on its mission,” said a HUD spokesperson in an email to Federal News Network.

HUD posted the CIO job on USAJobs.gov in mid May and applications are due today. In the meantime, Sairah Ijaz will step in as the acting CIO until a permanent career leader is selected.

Political CIOs close to leadership?

The decision by HUD to transition the CIO position back to career from political isn’t that unusual.

Over the course of the last 28 years — January 2026 will be the 30^th anniversary of the Clinger Cohen Act — several agencies ranging from the departments of Commerce, Energy, Treasury and Transportation as well as the Environmental Protection Agency and others have flipped the position back and forth between career and political to suit the needs of the leadership.

But HUD’s decision brought up a long-standing and healthily-debated question of whether CIOs, especially at this point in time of history where technology is at the center of every agency’s mission, are better off being political appointees?

To many, the answer continues to remain as it has for the last almost 30 years: It depends. But what has become clearer than ever is the role of managing, implementing and securing technology puts the CIO and deputy CIO on a higher plane across all agencies. Thus, requiring the federal community to continually re-ask the political appointee question.

“How the agency positions the CIO’s role in theory versus practice for the best possible function is really a question of how the head of the agency and the culture of that agency sets that role up for success,” said Dan Chenok, the former Office of Management and Budget official who helped with the Clinger-Cohen Act and now executive director of the IBM Center for the Business of Government. “Given the ubiquity of technology today, what is the right balance? My own personal view is a political CIO is more likely to be close to the head of the agency, and a career deputy CIO gives you continuity.”

Finding that seat at the table

But that closeness doesn’t always result in a CIO’s success.

If you look at the January 2024 Federal IT Acquisition Reform Act (FITARA) scorecard as one measure of CIO effectiveness, agencies with career CIOs versus those with politically appointed ones faired about the same. Agencies with political CIOs — the departments of Defense, Energy, Homeland Security, Veterans Affairs and HUD — received the same mix of “B” and “C” grades as those with career CIOs.

Simon Szykman, the president and founder of Cambio Digital Transformations and former Commerce Department CIO, said the role of the CIO is inherently not one that strongly aligns with any political ideology.

“Ideally it should not be necessary to make a CIO political appointment in order for that person to support the agency mission, or even the political leadership’s agenda,” he said. “However, the flip side to the argument for career CIOs is that no CIO will be successful if they don’t have that proverbial seat at the table. They need to be able to operate, influence and impact decisions at the senior-most levels. It can be a challenge for career senior executives to fully operate as peers to political leadership, and this challenge can be dependent on agency culture as well the leadership tone set higher up in the administration.”

Many times an agency hires a political CIO because the secretary wants a specific person in that role. That was the case, for example, with Steve Cooper, when he worked at Commerce from 2014 to 2017.

For other agencies like VA, Congress required the position be presidentially appointed and Senate confirmed — one of the few that requires Senate confirmation.

HUD’s great strides

But even then, there is no guarantee of success.

“Moving the CIO to political or a career position is situational and based on the candidates available and what’s going on at the agency at that moment,” said Margie Graves, a former deputy CIO at DHS and federal deputy CIO and now a senior fellow at IBM’s Center for the Business of Government. “A lot of times the decision to bring on a political CIO may be because the secretary wants a specific person on board to do something specific. I would advocate for choosing the best person for the moment. It’s really no different than what you’d do in private sector. And the times I’ve see the decision fail is when the person has no background in the technology management discipline and no expertise. I saw a couple of those at DHS.”

Graves added, at least for the CFO Act agencies, she would prefer to have someone in the C Suite who is “hearing” those political conversations as opposed to someone who is relegated as an “outsider.”

HUD’s reason for moving the CIO back to a career position is not entirely clear. The spokesperson said Niblock and her team have made “great strides over the past few years” to modernize the technology and improve the cyber posture of the agency’s infrastructure. But the spokesperson seems to insinuate there may be some bumpy roads ahead.

“However, HUD’s IT only received 0.5% of the department’s fiscal 2024 budget, which is one of the lowest percentages across cabinet level agencies. HUD is continuing to work with its federal and congressional partners to build on the progress of the past several years, while also continuing to pursue the ability to leverage various funding flexibilities that other agencies are able to leverage, including a working capital fund for its IT needs,” the spokesperson said.

HUD’s IT budget for 2024 is $641 million, of which it is spending only $94 million on development, modernization and enhancement projects. The agency requested $540 million for IT in 2025.

The post Political vs. career: Role of CIO remains unsettled first appeared on Federal News Network.

The Army tackled one of its toughest challenges: Creating a common operating picture for all of its allied partners.

The recent Yama Sakura 85 exercise demonstrated how the Army, the Australians and the Japanese could securely share information by using an architecture based on zero trust principles.

Col. Rett Burroughs, the chief information officer & G6 for the Army’s I Corps, said over the course of the 10-to-12 day training event last December, the Army successfully brought their allied leaders onto a single and secured network at the tactical edge.

“What we are looking at is properly being distributed across the entirety of the Pacific. We could have a command and control node anywhere in Australia, Thailand, Philippines, Japan, Korea, Hawaii, Guam or Alaska, and back here at Joint Base Lewis McChord, Washington so that now every node has roles and responsibilities. How do we ensure that conductivity happens across all of those different nodes that are very disparate and spread out? And then how do we leverage the technology of transport to ensure that we’re getting applications all the way to the edge?” Burroughs said on Ask the CIO. “We spent months preparing to ensure we had right safeguards in place. In its simplest form, in the application for the warfighter, which is definitely my area of concern, it brought the Australians and the Japanese together because before it was the Australians and the Americans, and then it was the Americans and the Japanese. The Australians couldn’t be in the same Tactical Operations Center as the Japanese. Now we have the ability for the first Australian division commander to talk directly with senior generals from the Japanese Ground Force Command.”

Burroughs said in previous exercises, the Americans and Australians would talk, and then the Americans and Japanese would talk, with the Army acting as the “go-between” for the Australians and Japanese. And Burroughs readily admits everyone knows what happens when you play the game of telephone.

“Our goal here was to establish one common operating picture and the ability to voice video chat, and share specific information,” he said. “The application of this proved critical in the ability for staff to make informed recommendations, and for commanders to make informed decisions. We weren’t just slinging all this data just because commanders need and want everything.”

Broader application than just the Army

The success of the Yama Sakura 85 exercise proved this shared network and zero trust concept for more than just the Army, but any federal organization can take the basic concepts to create a common operating picture.

John Sahlin, the vice president of cyber solutions for General Dynamics-IT, which supported the Army with integration expertise, said these same approaches could help agencies such as FEMA, which has to create shared networks to help cities or states recover from disasters.

“I’ve been fascinated by this problem set ever since I deployed for the Hurricane Katrina relief efforts back about 15 years ago. We started thinking about a military mission for that humanitarian assistance effort and it turned very quickly into an interagency and even local government support mission,” Sahlin said. “We had good communications. We had a good sight picture. We had good mapping data, which nobody else in the area did. We had to quickly share that data with first responders, the local hospital, the parish sheriff, non-government organizations like the Red Cross. I think that these are lessons of zero trust at the tactical edge for information sharing to inform that on scene commander, are lessons that can be learned, not only for the military at the tactical edge, but for any organization that has field-deployed, forward-deployed organizations that need to share data to execute a mission rapidly and make those changes dynamically with first responders with interagency support, things like that.”

Burroughs added this approach of creating a distributed network supported by zero trust tools isn’t just important for the tactical edge, but for Army commanders in garrison or commands who have to coordinate with the National Guard or local first responder communities or anyone outside of the service.

“Now we don’t have to have these disparate networks that do not talk to each other because of classification and policy, which you clearly went through during the Katrina catastrophe,” he said. “Now what we’re doing is we’re taking need to figure this out on the fly out during a catastrophe. We’re actually getting ahead of it now by addressing it before the next catastrophe. So when something does come in competition or crisis, we’re actually able to deal with it in a methodical way instead of reacting.”

Shift toward data-centricity

In many ways what Burroughs and Sahlin are describing is how the Army, and really every agency, must be more of a data-centric organization.

Lt. Col. Roberto Nunez, the chief of signal services support for Army I Corps, said the implementation of zero trust capabilities forces the end users to shift that data culture because they have to tag and label information much more specifically and consistently.

“You can say ‘all right, here’s all my data that I want to share, all my users that are also tagged and labeled as well as what they’re authorized to use and what they cannot use. Therefore, you can plug in with other mission partners to share that information and you can create that common environment moving forward, whether it’s joint coalition, at least from a DoD point of view,” he said. “If you want third parties to join in, whether it’s corporate America, academics, other organizations or other government agencies, you can do that if everything’s data-centric, labeled and tagged accordingly. This is what is great about zero trust.”

Burroughs said planning for the next Yama Sakura 87 exercise in December already is underway. But he said these capabilities aren’t turned on during the exercise and then turned off. The network is always on and therefore the Army is always iterating how to make secure information sharing better, faster and easier.

Chief Warrant Officer 4 Phil Dieppa, a senior services engineer for Army I Corps, said what the Yama Sakura 87 exercise and other demonstrations have shown the service that the “come as you are” model works because of the zero trust capabilities.

“The great thing about zero trust is that we don’t trust anything until we explicitly have that conversation and say that ‘I trust you.’ Once we do that, then we can start communicating and making those services available one at a time,” he said.

The post How the Army is always testing, training on zero trust first appeared on Federal News Network.

The Grants Quality Service Management Office over the last year helped several micro agencies buy award management services.

This pilot was part of how the QSMO is crawling before it tries to walk or run with larger agencies.

Andrea Sampanis, the acting director of the Grants Quality Service Management Office in the Department of Health and Human Services, said the procurement pilots with AmeriCorps, the Inter-American Foundation and the Northern Border Regional Commission opened the door to bigger possibilities to modernize federal grant services.

“We worked with them to explore the vendors on our Catalog of Market Research, making sure they were ready to meet their needs and helping to support them through the procurement process,” Sampanis said on Ask the CIO. “IAF and NBRC are live, on target and on budget, which is not an easy thing to do. AmeriCorps is expected to go live this fall. Huge kudos to these three agencies, as they were prepared to be good customers, willing to accept the system as-is and supported by great leaders in their chief information officer and chief procurement offices.  Their grants teams came together to support a great vendor product from our Catalog of Market Research.”

While the AmeriCorps, the Inter-American Foundation and the Northern Border Regional Commission are considered micro agencies, the amount of money each of them awards through grants is anything but small. Sampanis said the AmeriCorps is more like a medium-sized agency when looking at the amount of money it awards through grants. In fiscal 2024, for example, the agency expects to award $577 million in grants.

The Inter-American Foundation and NBRC are much smaller with IAF, awarding about $145 million and about $50 million in grants, respectively.

Grants QSMO aims to speed acquisition

While these three agencies don’t reach the billions HHS or the Education Department or the NASA hand out, Sampanis said demonstrating how the procurement assistance pilot works opens the door to improve and expand the QSMO’s efforts.

The QSMO marketplace current has approved seven grants management system providers and is in the middle of conducting market research to expand its services.

“We have one quote that says having access to Grants QSMO market research puts you 1,000 steps ahead in your procurement. It’s our goal to speed up the acquisition process and give agencies more buying confidence as they are pursuing a vendor on our catalog.  The vendors on our catalog are selected to support meeting grants standards and align to 2CFR 200 requirements,” Sampanis said. “It just lets them really focus their attention on a fewer number of providers to really say, ‘Hey, this solution is purpose built for grants. It’s an award management solution that is software-as-a-service and very configurable.’ It should feel easy. They don’t have to go and renegotiate a contract.”

The QSMO also works with the agency’s CIO and security leadership, helps develop performance work statements and serves as advisors during the entire acquisition phase.

“I always encourage agencies to meet with all the vendors on our Catalog of Market Research to understand what’s out there and share their specific needs. I think they learn a lot about themselves by talking to the vendors,” Sampanis said. “I helped them all the way through the pilot because I’m learning a lot. Every time I hear a contracting officer ask a new question, I think, ‘hey, that’s something I need in my catalog because that’s true.’ I always say our goal is to speed up an agency’s acquisition and give them buying confidence.”

HHS has led the Grants QSMO since January 2021 and has been building its services over the last few years.

With the Office of Management and Budget finalizing the update to the governmentwide grants guidance under 2 CFR earlier this year, standardizing certain key areas like notices of funding opportunities and overall trying to expand access to more than $1.2 trillion in grants and cooperative assistance agencies pay out each year, Sampanis said the QSMO is ready to expand its services and offerings.

Two common drivers of grants modernization

Having that baseline understanding and confidence in the marketplace is a key factor in success, said Wagish Bhartiya, the chief growth officer for REI Systems, which helps agencies modernize their grant systems.

Bhartiya said there are two basic drivers of grant modernization. The first is budget and second is technology.

“There has been a greater focus on budget and how much of our budget goes towards grant funding and how that funding is being deployed? How much of that is serving management processes, some of the overhead aspects of grant management, which will exist inherently, versus how much should be deployed into the community? That analysis, I think, is getting more acute,” he said. “The technology itself has evolved and shipped in a way that, I think, is much more possible now to be thoughtful about performance and mission. The technology is enabling some of this some of these questions to be asked because we now have the potential and the power to look at it for the first time.”

These two big trends are part of how grants providers are shifting their mindsets away from being so compliance focused to spending more time and money on measuring and ensuring outcomes.

“There’s all these dollars flowing through our grant programs so we need to start to think just as much about the downside, protecting from a compliance and a risk mitigation perspective, as the upside into the mission impact in terms of what are the tangible and successful outcomes,” Bhartiya said. “The other big theme is customer experience and user experience, and now the grantee experience.”

He said this updated point of view is part of why many grant providers are more willing to change today than ever before. He said this means the singularity of the way grants management worked over the last few decades is going away.

“Every grant program thinks they’re a snowflake and they think they’re special or unique and actually bespoke. But when you zoom out, you see that actually 85% of what a grant making agency does is essentially the same in the core lifecycle design,” he said. “Convincing them that they don’t need to make everything bespoke and tailored to the Nth degree because they can leverage best practices, use what’s worked for other agencies because there’s a chance to reduce the burden on their staff and on the recipient community is part of the challenge.”

Bhartiya added that the benefits of an end-to-end system, that’s in the cloud are becoming more clear to agencies.

The post Grants procurement pilots demonstrate speed to modernization first appeared on Federal News Network.

Sherman has accepted a position as dean at the Bush School of Government at Texas A&M University, the same institution he graduated from in 1992 before becoming an Army air defense officer. He’ll start that position on Aug. 1, the school said in a statement.

“The spirit of service and focus on preparing students for the future they instilled in the school will be our guiding light as we look to the challenges the next generation of leaders will face,” Sherman said. “Liz and I are excited to get back home to College Station and beginning this next chapter in our lives.”

Defense officials did not immediately announce who would succeed Sherman in the DoD CIO role. One likely candidate, at least on an interim basis, would be Leslie Beavers, the office’s current principal deputy.

In a statement, Defense Secretary Lloyd Austin credited Sherman with leading the department through several major technology advancements over the past two and a half years, including a restructured cybersecurity approach through DoD’s first-ever zero trust strategy.

“Mr. Sherman has been a steadfast advisor and an innovative leader who has helped the department adopt and utilize modern information technology to keep our country safe,” Austin said. “His technical expertise has proven invaluable in tackling a variety of digital challenges. His focus on mission readiness has ensured that each of the services is equipped with both the capabilities and the digital workforce necessary for modern warfighting.”

Sherman spent most of his federal civilian career in the intelligence community, starting as an imagery analyst. He worked his way up through the IC over the next 20 years, including positions as the CIA’s deputy director for open source intelligence, and eventually as the IC’s chief information officer. He joined DoD as its CIO in December 2021.

At Texas A&M, Sherman will succeed retired Gen. Mark Welsh, a former Air Force chief of staff, as the Bush School’s dean. Welsh now serves as the president of the university.

“When President Bush laid out his vision for the Bush School of Government and Public Service and the importance of preparing new generations of dedicated public servants, he thought of people like John Sherman,” Welsh said. “John is a true public servant, having worked in government service his entire career, including 25-plus years in the U.S. intelligence community. He’s built an incredible professional reputation as a leader in public service and national security, but maybe more importantly, for how he treats others.”

The post DoD CIO John Sherman to step down at end of June first appeared on Federal News Network.

Through the pandemic, the IRS learned it can move with urgency. And now that the emergency has subsided, Nancy Sieger, the former IRS chief information officer, believes that lesson isn’t going to waste.

Sieger, who will retire on June 1 after more than 40 years of federal service, including the last one as the Treasury chief technology officer, said IRS is building on the IT modernization lessons learned over the past few years.

“I think technologists saved the day during the pandemic. As the IRS CIO, I had the opportunity to lead IRS efforts to ensure that services to the public were handled in the most efficient way possible. If you think back to that time, businesses shut down, cities were practically shut down, and our economy was suffering and human beings were suffering. IRS focused really hard to issue three rounds of Economic Impact Payments. I am most proud of how IRS leadership and employees rallied to get money to the people in this country who needed it the most,” Sieger said during an “exit” interview on Ask the CIO. “We had a principle that any new technology would be built in a modernized way. We were really good at relying on the older systems and delivering fast. One of the opportunities we had with the Economic Impact Payments, looking to the future, feeling like IRS might be called upon again to do something similar. We had to challenge ourselves to say that may be easy and fast to build upon old operations, but how do we do this in a modernized way so that it’s repeatable? There were three rounds of payments, each round of payments came faster and faster, culminating within 24 hours. The Economic Impact Payments and that processing were built using new tools, new testing methods, new quality assurance processes and built in a modernized way. If IRS has to do that again, the strong foundation will be there.”

Sieger said it took constant reminders to build the confidence of the developers and engineers to the point where she and then-IRS Deputy CIO Kaschit Pandya, who is now the agency’s CTO, met daily with the technology workers who were writing code and analyzing it.

“We often had to say to our folks, ‘no, no, you have my permission to do it this way. Not [the old] way. It was risky. We managed those risks,” she said. “But ultimately, it resulted in little-to-no rework. I would say to you, on behalf of Kaschit and myself, the hours we spent with a team doing this the way it needed to be done was very fulfilling.”

IRS can accept, manage risks

That experience has helped the IRS continue to launch modern services, such as the direct file application, launched in March across 12 states. The IRS said the direct file pilot helped more than 140,000 citizens file their taxes online and for free.

There are plenty more opportunities for the technology development lessons learned from the pandemic to continue to spread across the IRS. Commissioner Danny Werfel told lawmakers in April that the tax agency needs $104 billion for a multi-year modernization effort.

Sieger said the experience over the last three-plus years taught the IRS it can accept and manage risks differently than before.

“We took a lot of risks. We weighed those risks. We said, ‘the worst thing that could happen is this. What are we going to do when that happens?’” she said. “I think our greatest opportunity is not forgetting how we did that, and bringing that forward into future operations. I’m trying not to say don’t be risk averse, but I’m going to say it. Don’t be risk averse and accept measured risk; know what could happen, know how you’ll adapt, but let’s face it, in our personal lives, especially in the technology space, how many of us get an update on our smartphone that didn’t work. But we know the next day it will be updated and fixed. Now I am not suggesting something so aggressive in government. But I am suggesting that we look back to how the government served this country during the pandemic and bring some of those skills and learnings forward to be even more effective and efficient in government service.”

One of the biggest reasons for the IRS’ success, beyond the urgency of the moment, was the top-cover leaders gave the developers. Sieger said helping employees reduce the fear of failure and ensuring they know they are not going to be left behind should something go wrong was a huge factor in the agency’s success.

“At the time, it was Commissioner Charles Rettig who was constantly keeping his hand on the pulse of the employees, working with Treasury to ensure that we were delivering the payments and processing tax returns and the IT workforce knew they had support. They were constantly asked, ‘What do you need?’ Sometimes they would tell us what they needed. Sometimes, I saw what they needed, and they wouldn’t ask. There was a particular weekend where the team was working really hard,” she said. “This was not a case of the workforce being hesitant to do new things. This was a case of the workforce having the skills they needed to do this in the most elegant way, and once leadership let them know — from Commissioner Rettig through the different deputy commissioners to myself and all the front line executives at the IRS who helped them — they were able to get things done and help the country. It was an example of coming together at the right time in the right way for the right outcome.”

The post How the pandemic changed IRS technology for good first appeared on Federal News Network.

The Marine Corps is close to testing out a key piece to its upcoming Fighting Smart concept.

As part of its goal to create an integrated mission and data fabric, the Marines will pilot an application programming interface (API) standard to better connect and share data no matter where it resides.

“Really over the next 12 months, we hope to have the autonomous piece of this API connection implemented in our environment in what we call the common management plane that allows us to execute enterprise data governance where we can then use the capabilities rather than the native capabilities within our environment to develop those data catalogs, to tag data, to track the data from its lineage from creation all the way to sharing and destruction within our environment and outside of our environment,” said Dr. Colin Crosby, the service data officer for the Marine Corps, on Ask the CIO. “We’re working with what we call the functional area managers and their leads on the data that they own because this is all new in how we’re operating. I need them to help me execute this agenda so that we can then create that API connection.”

Like many organizations, mission areas own and manage the data, but sharing because of culture, technology and/or policy can be difficult.

Crosby said the API connection can help overcome many of these challenges.

“Our first marker is to have a working API connection on test data. Once that happens, then we’re going to start accelerating the work that we’re doing,” he said. “We’re using logistics data so what we’re doing is using a dummy data, and we’re going to pull that data into our common management plane, and then from that CMP, we want to push that data to what we call the  online database gateway. Then, by pulling that into the OTG, we can then push it into the Azure Office 365 environment, where we can then use that data using our PowerBI capabilities within our environment.”

Testing the API before production

Once the API connection proves out, Crosby said the goal is to push data into the Marine Corps’ Bolt platform, which runs on the Advana Jupiter platform.

He said there is a lot of excitement from logistics and other mission areas around the Marine Corps to prove this API connection technology.

“As we get more comfortable moving forward, then we will bring on the next, what we call, coalition of the willing. As of now, we have a line because we have other organizations now that are like, ‘we want to be a part of this,’” Crosby said. “The training and education command is ready to go. So we’re excited about it because now I don’t have to work that hard to get people on board and now I have people knocking on my doors saying they are ready to go.”

Crosby added that before the API connection goes live with each new organization, his team will run similar tests using dummy data. He said building that repeatable process and bringing in some automation capabilities will help decrease the time it takes to turn on the API tools for live data.

Without these new capabilities, Crosby said it takes weeks to pull CSV files, thus delaying the ability of leaders to make decisions.

“With the API, we’re going to near-real time type of pull and push, which is speeding up the decision cycle,” he said. “Then there are opportunities to expand on that by building applications that will aggregate data and then being able to look at data to check the maintenance on equipment, and then it’d be a little bit easier to understand what we need and when. The goal is to shrink that decision cycle a little bit.”

The API connection tool is one piece to the bigger Marine Corps effort to create an integrated mission and data fabric. Crosby said that initiative also relies on the unification of the Marine Corps enterprise network to bring the business side and the tactical side together into one environment.

“The fabric is a framework and approach of our environment today and how we want to connect our environment in an autonomous fashion using APIs, so that we can pull data and we can share data, regardless of the cloud environment that it’s in, regardless of whatever database structure the data resides in,” Crosby said. “It allows us to be flexible. It allows us to scale and to really push data and pull data at a speed that we’ve never done before. What I love about the fabric is it really gets to that decision making. It allows our commanders to make sense and act within real or near real time.”

The post The Marine Corps’ plan to further breakdown data siloes first appeared on Federal News Network.

Federal News Network has learned Caron is heading to a new job in industry. The specifics about where he is going is unknown. His last day at ITA will be May 31.

Caron, who is well-known on the federal speaking circuit, has been the ITA CIO since February 2023.

Before that, he was the CIO for the inspector general office at the Department of Health and Human Services and worked for the State Department for 18 years, including the last two years as director of enterprise network management.

Caron also has played a big role in helping drive the development of zero trust concepts through the CIO Council’s Innovation Counsel for Zero Trust.

During his time at ITA, Caron focused on moving ITA to a more modern network and security infrastructure. For example, he implemented phishing-resistant multifactor authentication, in part, by sending each of ITA’s employees a “YubiKey” authentication device to meet MFA requirements.

“So we’re taking a lot of steps, we’re looking at some identity management things in order to mature identity management and automate our processes around that as well,” Caron said during a January 2024 panel.

He also has focused on ensuring ITA is managing its data so it’s protecting its most important and valuable data as part of its zero trust implementation.

Additionally, Caron said because ITA has been 100% in the cloud for several years, he has focused on understanding the costs of using cloud services and how to manage those costs.

“In the wake of the pandemic and the subsequent move to work from home, Gerry Caron was the right kind of leader at a critical time. Gerry helped galvanize the entire federal government around actual use cases for zero trust,” said Tom Suder, president of ATARC. “The effort led directly to several Technology Modernization Fund awards to agencies, specifically for zero trust that have been the model for funding cybersecurity.”

DISA executives move into new roles

Over the last few weeks, there also has been a few other noteworthy changes in the federal technology community.

Let’s start with the Defense Information Systems Agency where Sharon Woods, who led the agency’s hosting and compute center for the last almost three years moved to new role at the agency. She is now leading DISA’s Endpoint Services and Global Service Center.

“We deliver networking and endpoint solutions at all classification levels to the Department of Defense. This is a crucial mission, connecting the department’s globally dispersed workforce, from the Pentagon to the edge, with unified communications,” Woods wrote on a post on LinkedIn. “Incorporating my experience with cloud technology, I hope to drive modernization and propel J6 forward as the premier communications provider to the department.”

In her place, Jeff Marshall, who has been vice director of the hosting and compute center since February, is now acting director.

During her tenure as the head of the HACC, Woods helped usher the Joint Warfighting Cloud Capability (JWCC) through the implementation phase, launched DISA’s own hybrid cloud instance, called Stratus, and led the effort to provide a DevSecOps platform, called Vulcan, for DoD users.

Bill Dunlap, the acting deputy chief information officer for the information enterprise at the Defense Department, said on Tuesday at the AFCEA Enterprise IT Day that the defense agencies and military services have made 84 awards under JWCC worth more than $634 million.

Marshall joined DISA in February after spending the last 20-plus years in industry. He also served in the Army for 13 years before moving to industry.

New cyber execs at CTIIC, EX-IM Bank

Moving to the intelligence community, the Cyber Threat Intelligence Integration Center (CTIIC) hired Chris Zimmerman as its first director of the Office of Strategic Cyber Partnerships.

In that role, Zimmerman will “further the integration of commercial cyber threat intelligence in the IC and take an innovative approach to partnering with the public and private sector,” Laura Galante, the director of CTIIC and the IC Cyber Executive, said in a statement.

Zimmerman comes to CTIIC from industry where he held leadership positions with Symantec, FireEye, Palo Alto Networks, Cylance and, most recently, as President of FedStarts, LLC, where he led the deployment of software technology to enable stronger cyber defenses.

Finally, the Export-Import Bank has a new chief information security officer and new chief privacy officer. Darren Death joins the agency after spending the last nine years as the vice president of information security and CISO for ASRC Federal.

Death has worked in and out of government during his career, including stints at FEMA, the Library of Congress and the Air Force.

He also is active with cybersecurity education groups like InfraGard MD and is a fellow with the Institute for Critical Infrastructure Technology (ICIT).

The post ITA CIO Caron moving on to industry first appeared on Federal News Network.

Over the last decade, the Centers for Disease Control and Prevention’s website became bloated, making information hard to find.

An 18-month long effort, called Clean Slate, helped the CDC cut the digital fat by 65%.

Carol Crawford, the director for digital media at the CDC, said the agency used a customer-first approach to modernize its website, which relaunched yesterday.

“It was a complete overhaul of the whole user experience, and of course, a new look and feel,” Crawford said on Ask the CIO. “Coming out of the pandemic, we really looked at what we wanted to improve and what we wanted to do different. This went also along with CDC’s moving forward effort and, combining that, we launched what we call ‘Clean Slate’ and a big cornerstone of that project was starting over with a clean slate for CDC.gov. So that meant we were able to reduce about 65% of our content, which gave us more time and more energy to put toward improving the content that we had. We made a number of other updates that we thought would better improve the experience on CDC.gov.”

Crawford said some of changes to the website are basic like ensuring consistency in formats on all pages. Other changes are focused on the user such as CDC added page summaries to the top of every page so the citizen can quickly see if the page meets their needs.

“We’ve also really streamlined the navigation. We call it content first navigation that will guide a user through the journey of the content that they’re looking for,” she said. “ We organize the content by three primary audiences just to make it a little easier to spot the content that is just for just for you, or just for what you you’re looking for. And of course, we worked on the readability and the scanability of the pages on your desktop, mobile, iPad device. We’ve improved the fonts, for example, to make it easier to skim, kept our page length shorter, so that you can read quickly, and there is so much more.”

No IT upgrades needed

One factor that made the website revamp a little easier was the CDC didn’t have to upgrade the underlying technology.

Crawford said this let the CDC improve the existing technology stack, adding functionality like using metadata to automate pages where they used to manually update pages.

“We’ve expanded our application programming interface (API) use. We’ve expanded our data functionality and data visualizations,” she said. “We’re thinking about using AI, machine learning, natural language processing and some generative AI to really think about how to improve the quality of our content.”

Through a series of surveys and other feedback approaches, the CDC found that citizens and other users were “overwhelmed” by the amount of information on the website. Crawford said that stopped users from finding what they needed.

“We evaluated are these pieces of content that a user needs or ever looks for, are these old content and a number of other criteria, and really, it allowed us to just keep our highest performing content and the content that people really need each day,” she said. “We really looked across our site to see where we could improve on duplicate content. We definitely looked at what people were getting from other servers or sites, but we also looked internally, like many people, we also had duplicate content that we wanted to fold together and make it easier for people to find it all in one place on our site.”

The CDC’s website revamp comes as the Office of Management and Budget is emphasizing specific improvements across all agencies. Just recently, OMB said the Digital Experience Council completed the first federal website inventory and found more than 10,000 across the government. Clare Martorana, the federal chief information officer, said recently through this inventory, agencies will have a better idea of their entire ecosystem and what they need to do to secure it and improve the user experience.

The inventory is part of a bigger effort to improve the digital experience of users through the requirements laid out in OMB’s September memo and the 21^st Century IDEA Act.

OMB also recently issued new guidance for how agencies should improve accessibility under Section 508 requirements. The December memo, the first from OMB in more than a decade, requires agencies to design and develop “accessible digital experiences,” by taking a number of steps.

CDC kept users front, center

Crawford said CDC used the U.S. Web Design System standards and leaned into human centered design tactics.

“We worked together across all of our communicators at CDC. The entire group in my digital media division worked on this project along with our CDC.gov web council,” she said. “Human Centered Design was absolutely the cornerstone of what we’re doing. We made every decision thinking about what the users needed. We did extensive research on our audience needs. We included many steps during the process to collect information from our audiences. This included surveys, lots of user testing, things like a new rate this page feature. We also introduced a beta preview so that we could get lots of feedback from users and all in all we received about input from about 6,000 users so evolving, the audience was central to what we did.”

Like all agencies, the CDC had to take steps to make sure it was serving its diverse customer base. Crawford said that meant narrowing down their content around three particular audience areas:

• The general public
• Healthcare providers
• Public health professionals

“We’ve tested specifically with those groups, and then with a lot of diversity within those groups,” Crawford said. “We had to work across every content type CDC had and create ways that we knew would work for people. This meant engaging with people in the programs, the needs for audiences around flu might be different than the needs around audience around an injury topic, so we had to really work collectively. They have done the hard work of rewriting and reformatting content based on these best practices and the results of our testing.”

Going forward, Crawford said CDC will continue user testing and collecting user feedback. She said the agency is considering at least quarterly user testing with real people on the site as well as pop-up and email surveys.

The post CDC cuts the digital fat as part of its website redesign first appeared on Federal News Network.

CISA confirmed his last day will be in June, but didn’t say exactly when. A CISA spokesperson didn’t say who would be acting in his place after Goldstein leaves. Matt Hartman serves as Goldstein’s deputy.

Goldstein joined CISA in February 2021 from the private sector where he was the head of cybersecurity policy, strategy and regulation for Goldman Sachs.

In his role at CISA, he oversaw an assortment of initiatives to protect and strengthen federal civilian agencies and the nation’s critical infrastructure against cyber threats.

CISA Director Jen Easterly praised Goldstein’s contributions over the last few years.

“I could not be prouder of the work that Eric Goldstein has done to move CISA forward as an agency. He has helped catalyze a shift across the agency to data-driven risk reduction and built an inclusive team that has enabled CISA and our partners to confront the serious cyber threats facing our country,” Easterly said in a statement. “Under Eric’s superb leadership, we pioneered new models of operational collaboration, reshaped our ability to detect and address cyber risks and shifted the balance toward building technology that is secure by design. I consider myself fortunate to be Eric’s teammate and know that he will carry his dedication to a secure and resilient nation forward in his next adventure.”

Federal cyber leaders on the move

Goldstein’s decision to leave government comes two days after Chris DeRusha, the federal chief information security officer, announced his decision to move on.

The departures of DeRusha and now Goldstein are also causing several other changes across CISA. Mike Duffy, the associate director for capacity building in the cyber division, is taking a detail to be the acting Federal CISO. On top of Duffy’s leaving, even for a short time, CISA has also seen several other senior cyber leaders head out the door, including Sean Connelly, who led the federal zero trust and Trusted Internet Connections efforts.

Among his accomplishments during his time at CISA include leading an effort to create the first ever CISA cyber strategic plan last summer, which he said will fundamentally shift the way the agency works, how it prioritizes resources and how they work with their stakeholders.

During his tenure, CISA issued seven emergency cyber directives for agencies, including one in April around Russian hackers taking advantage of a Microsoft vulnerability, to address immediate threats.

Another big focus over the last three years was the Federal Enterprise Improvement Team (FEIT), which the agency funded through a portion of the $650 million CISA received under the American Rescue Plan Act of 2021.

This was Goldstein’s second stint in government. He worked from 2013 to 2017 at CISA’s precursor agency, the National Protection and Programs Directorate, in various roles including policy advisor for Federal Network Resilience, branch chief for Cybersecurity Partnerships and Engagement, senior advisor to the assistant secretary for cybersecurity and senior counselor to the undersecretary.

CNN first reported Goldstein’s departure.

The post Second senior cyber leader this week to exit federal service first appeared on Federal News Network.

The Department of the Air Force’s chief information officer’s strategy to increase the capabilities of its airmen and women and guardians is centered on increasing the use of cloud services.

Venice Goodwine, the Air Force’s CIO, said the cloud cannot be thought of as just for business applications. The lines between the back office and the tactical edge have blurred, she said.

“I’m expanding the cloud from NIPERNet [unclassified network] to SIPRNet [classified network] and also having all those capabilities as well in that cloud on both sides. As we think about the different classifications, how do we get there with those same human-to-human capabilities are important?” said Goodwine said at the recent AFCEA NOVA Air Force IT Day, an excerpt of which was played on Ask the CIO. “The other thing when I’m thinking of the cloud, it’s an investment. But I’m also going to create the transparency that we haven’t seen before in the cloud. Now when I think financial operations in the cloud, I now can talk to my system owners about their investment in the cloud, tell them when to pay for reserve instances. I could talk to them about how can they make adjustments in their investment based on the usage or their computing and storage? I didn’t have that visibility before.”

The Air Force is planning to have a single tenet for Office 365 on the secret side, which is different than what the service did with its unclassified version, which had multiple tenets

Several other military services and agencies also have rolled out O365 on the secret side recently.

“What’s important for my cloud strategy is making sure that I have cloud at the tactical edge. That’s my reliance on commercial cloud services at the edge because if I’m going to have decision advantage, I have to make sure that the data is available. The data needs to be where the warfighter is and the data needs to be in the cloud,” Goodwine said. “I don’t intend to put the data in the continental United States (CONUS) when I’m fighting in INDOPACOM. I need the data there. But then I also need the cloud at the edge. I need the data at the edge. I need artificial intelligence to make sense of the data. And it needs to be trusted. So all the attributes, you talk about data, I need all of that there. So it’s not just enterprise IT. It is it for the warfighter. That’s my mantra and you’ll hear me say that all the time and my team speak that same language.”

Air Force expanding virtual environment

The Air Force continues to mature its approach to buying cloud services. Goodwine, who became the CIO in August, said the Joint Warfighting Cloud Capability (JWCC) remains the first option of where to buy cloud services, especially for new workloads. But, she said, those workloads and applications will remain in the CloudOne platform.

The Air Force is working on a new solicitation for CloudOne, called CloudOne Next.

The Air Force released its request for information for CloudOne Next in September and just in March, it offered more details on its acquisition strategy.

The Air Force expects to release three solicitations for CloudOne Next in the third quarter of 2024 and make the award in the fourth quarter of this year. It will be three single-award blanket purchase agreements on top of the schedules program run by the General Services Administration.

As part of this cloud expansion, Goodwine said the Air Force is developing a virtual environment to make it easier to access applications in a secure way.

“If you’re on your home computer, you have a Mac, you can go to portal.apps.mil and you can access your O365.You can be as productive as you need to be. There is no need for you to VPN in and you can use your home network,” she said. “You want to be able to access your OneDrive, all your apps and email, you can do that today. You only VPN in because you’re trying to get to some shared drives that we’re going to shut down eventually anyway. So really, those are the things that we already have in play that we should take advantage of, especially now that we’re in a hybrid environment. As we move forward, yes, understanding the work that’s done, the hours required to do that work so that we can make better investment decisions about the technology that we want to use, so I do think there’s a connection between technology and people hours.”

Additionally, Goodwine said the Air Force will expand its “Desktop Anywhere” initiative beyond just the Air Force Reserve Command.

“It now has an Impact Level 5 authority to operate, and we’re going to move it [off-premise] so we’re expanding that. We’ll have the ability to do more of these virtualized environments,” she said. “From a cybersecurity perspective, it’s a great idea because I just reduced my attack surface and from a productivity perspective, it’s absolutely faster, better, cheaper, and it now really allows you to be mobile, which is what I want my workforce to be the airmen and guardians.”

The post Air Force increasing cloud capabilities for the warfighter first appeared on Federal News Network.

Brian Epley, the principal deputy CIO at the Energy Department, will be the new technology leader at Commerce, Federal News Network has learned.

Epley replaces Andre Mendes, who left in in January to join Tarrant County, Texas to be its CIO. Epley will join Commerce on June 3.

Epley joined Energy in September 2022 as its principal deputy CIO and previously worked at the Environmental Protection Agency for six years as the deputy CIO and as the deputy assistant administrator for administration and resources management.

Multiple emails to Commerce seeking comment were not returned.

Epley has been in and out of government for his entire career. He served as the Homeland Security Presidential Directive-12 (HSPD-12) program director at the Department of Veterans Affairs from 2005-2007. He worked as a program manager at Northrop Grumman and CSC, and worked as a consultant for North Highland and for his own company InterSolve-IT.

During his time at Energy, Epley has led the CIO office’s day-to-day operations and assisted with the formation of the office’s strategic direction for the protection and modernization of IT, cybersecurity and data usage across the DOE enterprise.

Over the last two-plus years, Epley also led several specific IT initiatives. He helped moved the department forward to modernize its network and telecommunications infrastructure through the Enterprise Infrastructure Solutions (EIS) contract from the General Services Administration. In its April 2024 report, GSA says Energy has moved more than 80% of circuits to its new contract.

Additionally, Epley lead the effort to develop an artificial intelligence sandbox to safely test out capabilities and tools and led the recent project to establish a five-year enterprise license with Microsoft that is costing the department 19% less than previous contracts.

A third big focus areas for Epley over the last few years has been to update the Energy Department’s five-year IT strategic plan, which hadn’t been updated since 2022, and play a significant role in hiring the CIO office’s senior leadership team.

In coming to Commerce, Epley inherits a $2.9 billion IT budget, according to the Federal IT Dashboard. Of that, $2.1 billion is considered operations and maintenance or about 72% of all spending.

The dashboard also shows most of Commerce’s 98 major IT investments are in good shape, with 78 receiving a “green” rating, meaning low risk of failure. On the most recent Federal IT Acquisition Reform Act (FITARA) scorecard, Commerce earned a “C” grade, receiving low scores on its cybersecurity, transition to the EIS contract and its adoption of cloud computing requirements.

Epley also inherits a Commerce IT modernization strategy that has been focused on moving to software-as-a-service (SaaS) and a troubled financial management modernization project.

The post Energy deputy to take over as new Commerce CIO first appeared on Federal News Network.

The Office of Management and Budget confirmed DeRusha is leaving. Federal News Network also has learned that Mike Duffy, the associate director for capacity building in the cyber division at the Cybersecurity and Infrastructure Security Agency at the Homeland Security Department, will take over on an acting basis.

“Since day one of the Biden administration, Chris has been instrumental in strengthening our nation’s cybersecurity, protecting America’s critical infrastructure, and improving the digital defenses of the federal government,” said Clare Martorana, the federal chief information officer, in an email statement to Federal News Network. “I wish him the best, and know he will continue to serve as a leading voice within the cybersecurity community.”

Duffy will begin his detail next week, according to an internal email obtained by Federal News Network.

DeRusha joined OMB in January 2021, coming over from the Biden presidential campaign. He also worked as CISO for the state of Michigan and spent five years at DHS and two years as a senior cyber advisor for the White House.

OMB didn’t say when DeRusha’s last day would be nor where he is heading next.

“From the beginning of the Biden-Harris administration, and even before, Chris DeRusha has been a steady, guiding leader. As Deputy National Cyber Director with ONCD – while continuing his excellent work as federal CISO – he has been a trusted and valued partner,” said National Cyber Director Harry Coker, Jr., in a statement to Federal News Network. “Chris’s keen insights, experience, and judgement have been integral to the work we’ve done and what we will continue to do to strengthen our nation’s cyber infrastructure. I’m grateful for his commitment to the American people and to the Biden-Harris Administration.  All of us at ONCD wish him the very best in his next chapter.”

DeRusha has played a key role in advancing many of the White House’s cyber priorities, including the writing of and the implementation of zero trust strategy, and overseeing the federal agency responsibilities outlined in President Joe Biden’s cyber executive order, particularly around software security and applying phishing resistant multi-factor authentication.

Ross Nodurft, the executive director of the Alliance for Digital Innovation (ADI), an industry association and a former OMB cyber chief, said DeRusha’s impact across the government has been significant.

“Chris DeRusha, his teams at OMB and ONCD, and his partners at CISA and across the CISO community have made significant strides in making our federal government more secure and resilient. In many cases, Chris has guided federal agencies into security postures and architectures that are ahead of many commercial companies,” Nodurft said. “He has driven governance processes that prioritize risk management and helped make cybersecurity a consideration in the beginning of technology decisions as opposed to a bolted on afterthought.  The government will miss his leadership, energy and vision.  ADI is thankful that Mike Duffy will be stepping in to keep up the drumbeat of cybersecurity and zero trust implementation and modernization.”

Over at CISA, Duffy said Shelly Hartsook, the deputy associate director, would be taking over for him on an acting basis. During his tenure at CISA, Duffy took on several large priorities, including modernizing the continuous diagnostics and mitigation (CDM) program, helping agencies implement the zero trust maturity model and helping to stand up and advance several cyber shared services for agencies.

Duffy said in his email to staff that it was an “honor to answer the call” to be acting federal CISO and advance the administration’s cyber priorities during this time of change.

“Mike Duffy will do an outstanding job as the acting federal chief information security officer.  As associate director here at CISA, he has spearheaded efforts to evolve and operationalize our Continuous Diagnostics and Mitigation program, unveiled a new enterprise-wide approach to operational cybersecurity alignment, and led the expansion of CISA’s cybersecurity shared services to critical infrastructure,” said CISA Director Jen Easterly in a statement. “Mike’s vast experience, strong partnership acumen, and strategic approach to federal cybersecurity will make for a seamless transition and continue to drive sustained progress across the federal government.”

A former government official, who didn’t get permission to speak to the press, said Duffy is an excellent choice to be the acting federal CISO.

“I can only think of a few people who can hit the ground running as quickly and efficiently as Mike will in his role as acting federal CISO,” the former official said. “From continuing the modernization of the federal enterprise to collaborating with both domestic and international, private and public partnerships, increasing the focus on critical infrastructure and securing elections, Mike is well-positioned to lead the office.”

This story will be updated as more details emerge.

The post Federal CISO DeRusha leaving first appeared on Federal News Network.

• The Army's Chief Information Officer continues his march to revamp technology policy, with two new ones on tap in the coming months. The Army's next set of policy updates are around generative artificial intelligence and large language models, and the continuous authority to operate. Leo Garciga, the Army CIO, said the GenAI and LLM policy is weeks away. "It's really going to be focused around mostly data protection, and what we think the guardrails need to be and what our interaction between the government and industry will look like in this space," Garciga said, adding that the continuous ATO policy will focus on six critical controls. It is expected out later this summer.
  (Next Army IT policy update: GenAI, C-ATO - AFCEA NOVA)
• The Defense Innovation Unit launched a new emerging technology portfolio, which will focus on technologies including quantum, hypersonics, advanced materials and propulsion, microelectronics, nanotechnology and additive manufacturing. The portfolio will coordinate closely with National Security Innovation Capital, which funds companies developing emerging hardware technologies. This is DIU’s seventh portfolio. The portfolio’s first solicitation is already live.
  (DIU launches new emerging technology portfolio - Defense Innovation Unit)
• The Office of Personnel Management is brainstorming ways to make in-office work more appealing to federal employees. Things like special in-person events, team building activities and strategic planning sessions could help ensure in-person work makes sense, OPM Acting Director Rob Shriver said. At the same time, Shriver said OPM is also focused on bringing more attention to employees’ mental health and wellness, especially now in a hybrid work environment. OPM is looking to bridge together in-person opportunities and mental health awareness in the hopes of improving the overall employee experience.
  (From burnout to balanced: A conversation with the nation’s doctor - Office of Personnel Management)
• A watchdog report said breakdowns in leadership led to the Department of Veterans Affairs paying nearly $11 million in bonuses to career executives not eligible to receive them. VA’s inspector general office said the department gave critical skills incentives to more than 180 executives. But Congress authorized those incentives to retain in-demand workers, such as police officers, housekeepers and food service workers. VA said more than 90% of critical skills incentives went to eligible recipients and that it continues to recoup bonuses it shouldn’t have awarded.
  (VA improperly awarded $10.8 million in incentives to central office senior executives - VA OIG)
• The Federal Deposit Insurance Corporation (FDIC) is in need of "cultural and structural change" to reverse years of workplace harassment, discrimination and other interpersonal misconduct. Those are the findings of the Special Review Committee of the FDIC’s Board of Directors. The committee issued the report in late April, as requested by the FDIC board, after a scathing Wall Street Journal story in November found systemic problems with the workplace culture. In the report, the committee made seven recommendations, including developing a more transparent and timely process for communicating about workplace investigations, and implementing leadership and management training focused on creating a working environment that is psychologically safe.
  (Special committee concludes FDIC needs cultural, structure changes - FDIC.gov)
• DoD’s new software acquisition pathway has gone some way toward speeding up software development, but Defense officials said the procedures have not taken off as quickly as they hoped. To help speed up adoption, the assistant secretary of Defense for acquisition is standing up a cadre of software experts. Their job will be to consult with program managers on how to use the software pathway and adopt agile methodologies. Congress first ordered the creation of that team in the 2022 Defense authorization bill.
  (DoD stands up ‘SWAT team’ to help speed software acquisition - Federal News Network)
• Federal records requirements for UFOs are coming. The National Archives and Records Administration released guidance for information needed to create and manage the unidentified anomalous phenomena (UAP) records collection. The 2024 National Defense Authorization Act required NARA to establish the collection to make federally held information about unidentified aerial phenomena available to the public. Agencies have until October to review, identify and organize each UAP record in its custody for disclosure and transmission to the National Archives.
  (National Archives releases guidance on unidentified anomalous phenomena - National Archives and Records Administration)
• An in-depth Air Force study to Congress recommends moving all National Guard space missions into the Space Force. But pushing against the move are all state governors, a bipartisan group of 85 lawmakers and the Air National Guard. The 2024 defense bill required the Pentagon to examine the feasibility of giving the Space Force its own Guard component, leaving things as they currently are, or moving Guard space units to the Space Force. The study found that overall costs for all options are about the same and that the Air Force has the capability of executing any of those options.
  (Air Force study recommends moving Guard units into Space Force but opposition mounts - Federal News Network)

The post Army CIO Leo Garciga continues his march to revamp technology policy first appeared on Federal News Network.

OMB last week officially created the replacement for the Joint Authorization Board (JAB), called the FedRAMP Board. The new board will provide executive oversight and governance of the program.

An OMB spokesperson says the board, which is made up of seven people, including legislatively-mandated representatives from the General Services Administration, and the departments of Defense and Homeland Security, also includes representatives from the Department of Veterans Affairs (VA), the Department of the Air Force, the Cybersecurity and Infrastructure Agency (CISA) and the Federal Deposit Insurance Corporation (FDIC). Experts from GSA, DoD and DHS made up the JAB from the start.

“One of our key priorities in selecting members of the FedRAMP Board is to strike the right balance between retaining experience and institutional knowledge from agencies that were part of the Joint Authorization Board (JAB) while also including diverse agency viewpoints into the FedRAMP strategic setting process,” said Drew Myklegard, deputy federal chief information officer in OMB, in an email to Federal News Network.

New policy still in draft

OMB initially introduced the idea of the FedRAMP Board as part of its draft policy update released in October. The spokesperson didn’t offer any insight to when the OMB would issue the final memo.

But Federal CIO Clare Martorana said the new memo and related efforts come at a key time for FedRAMP, which is relying on guidance that is more than 10 years old.

“This is a pivotal moment to evolve the FedRAMP Program, aligning it with the dynamic cloud landscape of today and tomorrow,” Martorana said in a statement. “Our schedule included time for an inclusive and collaborative policy design process, where we actively solicited feedback from government agencies, industry, and the general public. By considering diverse perspectives, OMB will help to ensure that our new policy will stand the test of time.”

The Office of Information and Regulatory Affairs in OMB’s Regulations.gov website shows Martorana’s office received 290 comments on the draft guidance.

GSA today also added another piece to the FedRAMP revamp, making changes to the membership and chairperson of the Federal Secure Cloud Advisory Committee (FSCAC), which are effective May 15.

The FSCAC advises FedRAMP on the adoption, use, authorization, monitoring, acquisition and security of cloud computing products and services.

GSA named Larry Hale, GSA’s deputy assistant commissioner in the Office of Information Technology Category Management in the Federal Acquisition Service, the new chairman, and added two new industry members and extended two current committee members.

GSA established the FSCAC, which will hold its next meeting on May 20, in February 2023. Its recommendations complement the FedRAMP Technical Advisory Group, an advisory body of federal technical experts, as well as the FedRAMP Board.

Chairperson, vice chairperson to be named

While OMB sorts through the comments on the draft FedRAMP memo, it went ahead and replaced the JAB with new members.

OMB says the board CIOs, chief information security officers (CISOs) as well as a deputy CIO, whose focus is in engineering, and CISA’s technical director for cybersecurity.

OMB and GSA will each designate a non-voting member to be chairperson and vice chairperson of the board, who will manage its overall agenda.

The spokesperson said one of the board’s first actions will be to approve a charter that will finalize details around terms. In general, all members of the board will serve time-limited terms and are expected to rotate over time. DoD, DHS, and GSA will consistently have representation on the FedRAMP Board, as established by the FedRAMP Authorization Act.

The spokesperson says the board will have similar responsibilities as the JAB such as reviewing and approving FedRAMP policies and requirements. It will oversee the overall health and performance of FedRAMP, and will work within the federal community to expand the authorization capacity of the FedRAMP ecosystem

The board, however, is not expected to participate in the approval of individual authorization packages.

“We are currently planning the inaugural FedRAMP Board meeting.  The FedRAMP Roadmap and feedback from the Federal Secure Cloud Advisory Committee (FSCAC) will inform the board’s overall agenda,” the OMB spokesperson said. “The FedRAMP Board’s early priorities will include ensuring a smooth transition from the JAB and its provisional authorizations and any work in progress that directly affects customers, engaging with the federal community to increase the number of FedRAMP authorizations performed by one or more agencies, and working with the FedRAMP program to support updated performance metrics, greater consistency across authorization processes and continuous monitoring, and other FedRAMP roadmap initiatives.”

The post OMB forms replacement for FedRAMP JAB first appeared on Federal News Network.

Over the last six months, agencies inventoried over 10,000 public-facing federal websites and identified their top websites with the most user traffic.

This may have been the first time agencies completed such a website inventory as it was part of the requirements under the Digital Experience (DX) memo from Office of Management and Budget released in September.

Clare Martorana, the federal chief information officer, said over the last few decades as agencies have launched federal websites or web pages, it wasn’t always based on standards or even using a .gov domain.

But now with the inventory and the strong encouragement in the Digital Experience memo to use the U.S. Web Design System standards, Martorana said agencies will have a better idea of their entire ecosystem and what they need to do to secure it and improve the user experience.

“Part of what we’re working on with our agency partners is they’re scanning those websites, they’re understanding what are.gov domains. Oftentimes, agencies have .edu and sometimes they have .com sites. We’re looking across this ecosystem, making sure that they have the tools in place to be able to do that work. Then we do talk to them, and share best practices,” Martorana said in an interview with Federal News Network on Ask the CIO. “We stood up recently the DX Council, which is taking a lot of working groups that have already existed in government for many years, with really passionate federal employees that have been doing this work, bringing them together and then sharing some of these insights so that we can go on this journey together.”

Martorana said NASA, for example, used a new scanning tool to find more and more websites used by the public and their science and research communities.

“They’re sharing with the DX Council and the community, so that other agencies that might not be quite as far along are able to learn from that and talk to those people, figure out what tools that they’ve used, and then that’ll benefit the other agencies as we move forward,” she said.

The DX Council, which launched in February, includes a Digital Experience Delivery Lead from each agency. The council serves as the primary interagency advisory body for assisting in the governmentwide implementation of the 21st Century IDEA and related digital experience activities.

Driving accessibility through standards

One of the council’s focuses is helping agencies take more advantage of the U.S. Web Design System standards.

Robin Carnahan, the administrator of the General Services Administration, said agencies using the design standards average about 1 billion page views a month.

“What that does is make sure government websites are accessible to everyone,” Carnahan said. “Our job is to come up with a system that is easy to adopt and integrate into their existing functionality. I think that this has been around long enough and proven out enough that folks are ready to say, ‘yes.’ But there’s still more to do. We’ve got a big percentage using the system, and now I’m encouraged the state governments are using it, local governments are using it. I’d encourage international folks to take a look at it, too. It’s all open source and reusable. In fact, like, we ought to do more of that.”

Carnahan said the continued growth of Login.gov is another example of the sharing of tools and capabilities to make digital services better and easier to use. She said about 40 agencies and 50 million active users are taking advantage of the shared service. GSA announced in April it would start a pilot in May to allow individuals to verify their identity online using facial recognition technology that meets standards set by the National Institute of Standards and Technology’s 800-63-3 Identity Assurance Level 2 (IAL2) guidelines.

“We want to continue to build on Login.gov, and expand the use of that, expand our ability to do facial matching because that’s the thing that many of our customers are looking for, in a way that’s equitable, and in line with our values as a country,” she said.

The policies from OMB and tools from GSA all come together when the U.S. Digital Service helps agencies modernize applications and services.

USDS, SSA case study

Mina Hsiang, the administrator of the USDS at OMB, said her team has worked on 20 projects across a dozen agencies over the last few years.

She said a project USDS worked on with the Social Security Administration to improve the agency’s website is good example of all of the tools, policies and processes coming together.

“They didn’t have a ton of monitoring on the back end to figure out what are people actually doing. What pages are they stuck on? Where transactions fill up? We helped them implement screeners for example. So some people can get their new social security card online, some people cannot; you could go through the entire process of trying to apply for it only to discover that you are not eligible for it. So we helped them to understand what are the high volume transactions, to make it easier upfront for someone to have an early interaction that helps them understand [if they are eligible],” Hsiang said. “We did that using infrastructure that came from GSA, and helping work with the security team to identify what are the top priority transactions that we need to simplify.”

USDS helped SSA implement US web design standards so citizens found the website language easier to understand. She said her team also put in place monitoring tools to create a continuous feedback loop to continue to improve the user’s experience.

Martorana said successes like SSA and USDS are helping to show both what can and should be done, and there are tools and help out there.

“We have to make sure these teams have all of those capabilities available to them. It’s really important in the 21st century, as we’re working with these modern tools and trying to meet customers’ expectations, we are utilizing products and services that are instant, accessible and trusted. So we are working really hard together as a team to make sure that we’re meeting that mark,” said Martorana, who also recently issued a six-month update on the progress against the digital experience memo.

Hsiang added the opportunity for large-scale transformation is here for every agency ranging from the IRS to the Centers for Disease Control and Prevention to the Department of Veterans Affairs, and every other agency.

“We try and focus on the projects that can have the largest impact for our investment in them. Some of that is about the criticality of the service for individuals and their circumstances, and some of that is about the longevity of the change,” she said.

The post A new push by OMB to get a handle on 10,000 federal websites first appeared on Federal News Network.