The draft policy outlines a series of actions to empower Federal agencies to leverage AI to improve government services and more equitably serve the American people. Below are the top 10 most pressing questions for the Federal senior technology officials that will play an instrumental role in the policy’s future implementation.
1. What is in OMB’s proposed AI policy?
The draft guidance outlines three pillars to advance the responsible use of AI in government and proposed agency actions as outlined in the below table.
Pillar | Examples of Proposed Agency Actions |
---|---|
Strengthen AI Governance | Designate Chief AI Officers holding primary responsibility for coordinating their agency's use of AI, promoting AI innovation, and managing risks from the use of AI. |
Advance Responsible AI Innovation | Remove barriers impacting responsible AI use and development of agency AI strategies for achieving enterprise-wide advances in AI maturity |
Manage Risks from the Use of AI | Adopt minimum AI risk management practices for AI uses that impact rights and safety |
Read additional details in the AI Implementation Guidance Fact Sheet.
2. What will Chief AI Officers be responsible for? How will the newly created Chief AI Officer role interact with CIOs, CDOs, and CTOs?
Chief AI Officers (CAIOs) will hold primary responsibility in their agency for coordinating their agency’s use of AI, promoting AI innovation in their agency, and managing risks from their agency’s use of AI. Agencies have flexibility to either create a brand-new position to fill this role or designate an existing official to perform the Chief AI Officer’s responsibilities—provided the official has significant expertise in AI. For CFO Act agencies, the CAIO must be a position at the Senior Executive Service, Scientific and Professional, or Senior Leader level, or equivalent. In other agencies, the CAIO must be at least a GS-15 or equivalent.
Cross-cutting work such as AI governance and risk management cannot be performed in a vacuum; Chief AI Officers will need to coordinate with other relevant officials, such as agency CIOs, CDOs, and CTOs. This is necessary for a number of reasons, but importantly, many existing teams already maintain the authorities, resources, and expertise to carry out the responsibilities identified for the Chief AI Officer. CIOs, CDOs, and CTOs will remain deeply involved in the strategic planning for, acquisition of, and delivery of AI within their agencies. The role of the Chief AI Officer will not replace their work, but rather, fill the gaps that such roles were not designed to address. This includes efforts to mitigate algorithmic discrimination and establish processes for individuals to appeal harms caused by government AI.
3. How should CFO Act agencies ensure their AI Governance Body is sufficiently engaged with existing senior forums?
OMB’s draft memorandum would require CFO Act agencies to establish AI Governance Boards to convene relevant senior officials at least quarterly to govern their agency’s use of AI. AI Governance Boards must be chaired by the Deputy Secretary, or equivalent, and vice-chaired by the agency’s Chief AI Officer. The board must also include appropriate representation from senior agency officials responsible for elements of AI adoption and risk management.
Agencies would have the option to convene a new senior-level body or expand the remit of an existing governance body to meet the AI Governance Board requirements. Many agencies already convene senior officials to discuss issues tangential to AI, such as IT modernization, data governance, and privacy. Some agencies have also established groups dedicated to AI governance and innovation specifically. Rather than set up a separate body, agencies can leverage existing mechanisms—if they choose—easing the burden of implementation.
4. Will my agency need to implement the identified AI risk management requirements every time AI is used?
No. AI has been increasingly integrated in benign software applications and everyday consumer products, such as noise-cancelling headphones and auto-correcting text messages. OMB’s proposed AI risk management requirements are only triggered when government AI use cases meet the definition for safety-impacting or rights-impacting. The draft policy takes a risk-based approach to managing AI harms, ensuring agency resources are well spent on AI use cases that pose the greatest risks to the rights and safety of the public. As a rule of thumb, when AI is used to control or meaningfully influence the outcomes of consequential actions or decisions, agencies will need to implement the memorandum’s risk management requirements.
5. How do I know if my use case impacts rights or safety?
OMB’s draft memorandum identifies two broad categories of AI:
These categories are further expanded upon in subsection 5(b) of the guidance, where OMB identifies specific purposes for which AI is automatically presumed to be safety-impacting or rights-impacting. This list is intended to reduce uncertainty—both for agencies and for the public—on when additional safeguards are warranted.
6. How will OMB’s AI risk management requirements feed into my agency’s Authorization to Operate process?
AI is software and therefore, it is still subject to an agency’s authorization process for information systems. OMB Circular A-130, Managing Information as a Strategic Resource, directly and indirectly tasks agency CIOs with the responsibility to assess information systems for security and privacy risks. However, OMB’s draft guidance identifies a new category of risk to consider: risks from the use of AI. This primarily includes risks related to efficacy, safety, equity, fairness, transparency, accountability, appropriateness, or lawfulness of a decision or action resulting from the use of AI to inform, influence, decide, or execute that decision or action.
When looking at the memorandum’s proposed AI risk management requirements, agencies would be directed to use existing processes wherever possible, like the Authorization to Operate process, to assess, manage, evaluate, and continuously monitor this new category of risk from the use of AI. This means when agencies review safety-impacting or rights-impacting AI via their ATO process, the Authorizing Official should collaborate with the Chief AI Officer and other appropriate AI oversight officials to assess the types of risks identified in this memorandum and ensure compliance.
7. What will this policy mean for agencies’ use of generative AI?
It is critical to ensure that the use of generative AI will not cause undue risk to the public. Agencies must ensure that adequate safeguards and oversight mechanisms are in place before generative AI is used. For example, in line with EO 14110, agencies should explore limited access policies to specific generative AI services based on specific risk assessments rather than implementing across the board bans. Additionally, some agencies have already established guidelines and limitations on the appropriate use of particular AI-enabled technologies, such as for facial recognition. Similar guidelines can be written for the responsible use of generative AI.
8. What resources will be made available to help agencies with implementation?
EO 14110 identifies a few actions that will directly assist agencies with implementation of OMB’s memorandum, once finalized. This includes:
9. Would this draft policy apply to contractors?
Yes. The guidance will apply to any development, use, or procurement of AI by the Federal government or on its behalf, and pursuant to EO 14110, OMB will issue further guidance focused specifically on contractors in the coming months.
10. What happens next?
OMB collected public comments and will be reviewing recommendations on regulations.gov and publishing the comments. The next draft of the policy will be shared with the interagency council established in subsection 10.1(a) of EO 14110 before the policy’s final issuance. The final guidance is due within 150 days of the order.
Overview
The Delivering a Digital-First Public Experience guidance establishes the foundation for an improved digital experience when the public interacts with the government’s products and services. The guidance identifies seven digital experience pillars and the specific actions and standards that agencies must take to accelerate the design, development and delivery of modern websites and digital services. The key pillars are:
Together, these pillars represent the path towards a truly simple, seamless, and secure digital-first public experience. And to deliver it, we must take a whole of government approach. To our industry partners, these pillars represent the government’s requirements. They aren’t optional; we must – and will – implement them.
This means not building duplicative, stand-alone websites, micro sites, and digital services that are not integrated into an agency’s primary domain, digital product, or customer journey. Agencies should continue to build custom web applications that are designed with the requirements in the DX memo, like using the U.S. Web Design System.
We need solutions that will meet agencies where they are and deliver these outcomes. It will take us all working together – across government and industry – to deliver the digital experience the American public expect and deserve.
Calls to Action
CIO Community: Read and be an ambassador of the guidance. Ensure your digital teams are taking steps to implement the near-term actions required over the coming months.
Federal Employees: Read the guidance and be empowered to drive change in your agencies to deliver a better digital experience for your friends, neighbors, and communities.
Industry Partners: Read the guidance and pitch solutions that will help your agency customers be compliant. Do not pitch what we don’t need.
One consistent theme you’ll hear from NIST and other cybersecurity experts is how human psychology can be exploited by cyber criminals to compromise our accounts. However, research into how we interact online has shown us several straightforward steps we can take to minimize the risk of common behaviors proven to be insecure.
Over the last few years, we’ve seen this research help us better understand one of the first things that comes to mind when we think about online safety–passwords. Previously, the conventional wisdom was to create passwords using special characters, capitalization, numbers, letters, and a variety of arbitrary rules including forcing you to change your password multiple times per year. Research shows each of us did the same thing in response–re-used passwords or created variations of the same password because we’d been asked to memorize dozens of unique passwords for every site, log-in, or application.
Our natural instincts created a weakness in our online security and cyber criminals took advantage. Research on the use of passwords has demonstrated the inherent weakness in expecting users to memorize arbitrarily complex passwords, and the importance of using multi-factor authentication (MFA) to safeguard our private information. Importantly, our thinking has evolved around this topic, and we’ve identified the following practices to better protect ourselves:
These security practices can be combined with others, like updating software and recognizing phishing, for a more secure online experience. I encourage you to take a few minutes to set up a password manager and enable MFA for all your important online accounts.
The day-long event held at the Frances Perkins Building in Washington, D.C., brought together executives, technologists, and government leaders from nearly 30 federal agencies. More than 1,800 people attended in person and virtually.
Purpose: Impact Through Innovation
New technologies and solutions developed by federal agencies have a direct impact on agency mission outcomes and the lives of the American public. In order to drive change, we must do it together and that is why the Federal CIO Council sponsored this event — it’s a forum to bring technologists together to share information and best practices for the betterment of the public.
“We need to be open, transparent, and willing to share information. The tech is not slowing down. We need to be speeding up.” — Clare Martorana, Federal CIO at the Office of Management and Budget.
The technology expo featured hands-on exhibits from 14 agencies, keynote speeches by Congressional representatives and federal leaders, and presentations on a variety of trending technology topics including fraud detection and prevention and innovations in cybersecurity. Several agencies were recognized for their great work in technology. The awards included:
Digital Transformation: Better Service to the Public
During the conference, panelists from the Department of Labor, U.S. Department of Agriculture, AmeriCorps, and Postal Regulatory Commission shared how they have driven transformation as a result of the Technology Modernization Fund.
“We are showcasing how the Federal Government is using technology to improve mission delivery and provide the digital experience the American public deserves. At the Department of Labor, as a result of the Technology Modernization Fund investments, we have expedited the processing of work visa certifications and increased data sharing with other government agencies. These are just two examples. We are consistently working on modernizing IT, reducing technical debt, and improving the end-user’s experience.” — Gundeep Ahluwalia, CIO of the Department of Labor.
Panelists also discussed the impact Digital Transformation has on public facing services highlighting one use case from the Department of Veterans Affairs. “When we realized we needed to turn around the mirror not to face us, but to face the customer that we were trying to serve, then all of the transformation happened. When we just heard what the veterans wanted, it broke down the silos we had internally and we were able to all get aligned and deliver for veterans. Digital Transformation is utilizing technology that is simple, seamless, and secure to deliver services to the public. There is the people and the process part of this as well that I think is a really important component of Digital Transformation because, if you are not bringing the people along on the journey, just delivering technology solutions is not going to net you the benefits you anticipate.” — Clare Martorana
“Digital Transformation is not about just implementing technology. It’s about fundamentally reshaping organization culture, processes, and the mindset to have a digital-first approach. I think this digital-first approach is about the fact that everything is available on devices now and that experience is what our citizens want and expect. This requires leadership, vision, but really it’s about mission-driving technologies. In my 38 years across seven agencies, this has always been about mission and mission first. It’s also having a strategic vision and innovation. We have to innovate because our technology not only automates inefficient processes faster, but digital transformation offers you a way to reengineer those processes.” — Sonny Bhagowalia, CIO of the U.S. Customs and Border Protection with the U.S. Department of Homeland Security.
AI Helping Employees Work Better
Several speakers agreed that Artificial Intelligence (AI) is the biggest force multiplier for mission delivery in the coming future.
“AI gives us the opportunity to bring people into higher value work. It’s incumbent upon us as leaders to train those folks. So, we can say, ‘Okay. We are going to replace some part of your job or maybe all that you are doing with technology and we’re going to give you something more valuable to the organization or to the public.’” — Ann Dunkin
“We are thinking about the opportunity – the dirty and dangerous work, the mundane work – that can be accomplished using AI. I’m really excited about seeing ways people across government and the private sector are going to be utilizing these technologies in order to make simple things easier to complete. Thinking about ways we can use this technology to be more predictive and be helping us so you can say, such as at (Veterans Affairs), ‘If you applied for these benefits, did you know you are also eligible for these other things?’ Hopefully, we will be able to utilize this to drive down the time tax and the burden on humans in order to do things that are of higher value. It’s definitely aspirational.” — Clare Martorana
“AI is going to pervade everything we do. The golden rule that we have is that the agent or the officer is still the person in charge and the AI is the assist.” — Sonny Bhagowalia
Continue to Collaborate
Closing out the event, speakers encouraged attendees to continue sharing their success stories with each other and partner together to discuss the challenges of today and tomorrow and share information and resources.
“Continue the relationships you made today. Continue to reach out. And continue to learn what your colleagues are doing and what you can do to grow and learn from them. Technology is an enabler of our success, and the challenges have to do with people, process, and culture. Those are also our solutions – people, process, and culture – to make us a better world, a better organization.” — Ann Dunkin
Imagine moving to the next level of your career by meeting semi-monthly for one year with other rising leaders in the government fields of Technology, Data, Human Capital, Finance, and Acquisition. Together, you will brainstorm ideas, such as how to strengthen your career trajectory and expand your network. The idea is simple but the positive impact each class of Fellows has on each other is dramatic.
“I’d describe it as a leadership and development program that brings in speakers to discuss various topics that are critical to understanding how to be a great leader and implement practices that create a comfortable, inclusive environment. It also teaches you how to be your ‘PR’ person, for lack of better words. However, it’s what you make of it. You have to immerse yourself in the material and get engaged in order to get the most benefit.” - Jordyn Taylor, a Privacy Liaison and Information Security Officer for the Environmental Protection Agency, CXO Alumnus
The CXO Fellows Program offers training that will enhance performance in your current role as well as help direct your career with a leadership perspective. The topics discussed by Fellows are chosen specifically to prepare rising leaders for new challenges in their professional lives and to spark innovation within government.
“CXO Fellows Program is a great opportunity to view the Federal Government from the vantage point of 35,000 feet. You see how the President’s Management Agenda provides the overarching umbrella of agency activities that will deliver an exceptional customer experience to the American citizens. Additionally, the CXO Fellows Program allows you to meet other individuals in federal service and develop a bond for future collaborative efforts.” - Arthur D. Allen, Project Manager at the Department of Veteran Affairs, CXO Alumnus
CXO Fellows will learn new leadership skills, but more importantly they will learn how to put those skills into action. After all, an effective leader needs to be a great motivator and the ability to motivate others comes from having great people skills. This cross-functional community gives rising leaders the chance to share problem-solving strategies and build relationships by participating in speaker series, development seminars, and networking events.
“An opportunity to receive guidance and make connections to propel your career in the Federal Government. The first stop if you see yourself as a future leader.” - Mark Trupiano, IT Specialist for the Department of the Treasury, CXO Alumnus
The CXO Fellows Program is a great opportunity to invest in yourself and all it will cost you is your time, focus, and commitment to grow. Find out more about the program and how to apply here.
Small agencies often have unique organizational structures that do not follow the traditional staffing model for IT administration. For example, small agencies may not have a full suite of IT leadership roles or even a designated CIO. In some scenarios, executives may fulfill multiple roles in IT management while in others executives may have diverse backgrounds outside of the IT space.
Small agencies shoulder the same responsibilities as large agencies with respect to IT responsibilities and implementation. This handbook provides a general approach to the comprehensive management of an agency’s IT portfolio, including an overview of foundational elements and principles to establish and maintain reliable, secure, and effective IT operations and services. Due to the diverse nature of small agency staffing, the handbook uses the term IT Executive to refer to the individual at the agency with the primary responsibility for IT management and the standard duties of a federal Chief Information Officer (CIO). The ultimate responsibility for managing IT, data, and information security is with the agency head.
The Federal Small Agency CIO and IT Executive Handbook aims to:
This handbook is designed to supplement the existing Federal CIO Handbook and other role-specific guidance documents. The handbook contains substantial contributions from the federal community and small agency representatives and leaders. Although targeted towards small Federal agencies, we feel the contents of this document can benefit anyone within the Federal IT community as well as state and local governments. We encourage you to take a look today!
Sincerely,
Chris Chilbert
Chief Information Officer
Consumer Financial Protection Bureau
Tony McDonald, CIO, OMB
Chief Information Officer
Office of Management and Budget
Managing and addressing fraud is critical to protecting our taxpayer resources and is a critical responsibility of the Federal Government. However, agencies vary in their ability to manage fraud risk. Ann Dunkin, CIO of the Department of Energy (DOE), opened the symposium with a call to action for participants and added, “Let’s not reinvent the wheel, but rather share best practices and solutions. We want to identify key points of contacts and experts in this space. So, let’s not be afraid to collaborate. We want to understand where gaps remain, and where technology solutions may be required.”
Increasing Collaboration Through Public-Private Sector Conversation
The symposium was designed to educate, inform, and enlighten participants on where fraud challenges have been addressed and how similar solutions could be applied at their organization. Agency representatives from the Social Security Administration (SSA), National Science Foundation (NSF), and the Internal Revenue Service (IRS) stressed the importance of documenting and sharing these techniques across the Federal Government and bringing people together to have focused discussion on specific mission challenges.
They informed attendees of the numerous cross-government fusion centers, such as the IRS Information Sharing and Analysis Center, where leads and patterns regarding fraud can be shared among members. Speakers reinforced the need for participants to view fraud as a cybersecurity threat, as it may put all Americans’ data at risk.
Driving Action Through Data
Congress passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to establish a national Health Care Fraud and Abuse Control Program (HCFAC). The scale and complexity of healthcare operations have attracted fraud and abuse. In 2019, federal law enforcement charged 35 people associated with telemedicine companies and cancer genetic testing laboratories (CGx) with fraudulently billing Medicare more than $2.1 billion for these CGx tests; this has been compounded by imperfect markets and state level differences.[1]
Representatives from the Drug Enforcement Agency (DEA), Health & Human Services-Office of the Inspector General (HHS-OIG), Centers for Medicare & Medicaid Services (CMS), and Department of Justice (DOJ) addressed how they are combating fraud with detection, prosecution, prevention, and impact.
They showcased how the departments are coordinating efforts around fraud detection and how they are using technology to bridge the gap between mission and impact. Once fraud, waste, or abuse are detected, DOJ and HHS must decide how to intervene. Given the limited resources available, participants heard how technology serves as an enabler to drive effective and efficient decision making. By using data analytics to identify patterns and trends, resources are better allocated across organizations.
Key Comments and Closing
“My hope is to crowdsource on these issues we are all talking about today and work together as we start this journey. We’re still in the discovery phase. We’re still trying to strike that right calibration in terms of what we want.” – Stephen Kucharski, Acting Chief Information Officer for the Small Business Administration.
“A great takeaway from this conference is the need for blameless post-mortem (discussions) and giving people the opportunity to fail. That’s how we actually learn as individuals. Getting this community together is the first step in driving our problem sets to solutions.” – Chris Brazier, Acting Deputy IT Director & Chief Technology Officer for the Defense Threat Reduction Agency.
“The challenge is how to stay nimble. The adversaries that all of us are facing are innovative. We need to be (more) innovative.” – Dr. Naomi Adaniya, Chief Data Officer for the Drug Enforcement Agency.
It’s imperative to get the best of the public and private sector together to have conversations and break down silos. In order to get different results, everyone must start thinking differently and this event was about just that. The CIO Council thanks all of those who joined. Stay tuned for future symposiums and if you have any questions, please contact ciocouncil.support@gsa.gov.
Most people accessing services online have relied exclusively on passwords to protect their accounts, yet passwords have proven to be a weak link on their own due to the sheer number we are asked to memorize and how effective computer programs are at cracking passwords. This is where MFA helps overcome these inherent weaknesses and better protect us all. Adoption of a second authentication factor increases confidence that the right individual is accessing the right system or service.
Typically, the second factor we use is “something we have,” such as our smart phone with access to email or an authenticator app, a smart card (e.g., a Personal Identity Verification (PIV) card or Common Access Card (CAC)), or a token that generates a unique code based on a complex algorithm. More companies and organizations are offering MFA as an option by emailing you a code or using an authenticator app. In the spirit of Cybersecurity Awareness Month, if you have not done so already, I encourage everyone to set up MFA on all online accounts. It only takes a moment to do so and is one of the most consequential steps each of us can take to protect ourselves online.
Also, be sure to check out the Cybersecurity Awareness Month resources available from the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) for more advice on how to protect yourself online. Lastly, please remember to “See Yourself in Cyber” because ultimately, cybersecurity begins with each of us doing our part.
Launched last year, the U.S. Digital Corps is a two-year, full-time opportunity housed at the General Services Administration (GSA) for early-career technologists to start their careers working on high-impact projects across the federal government — including in cybersecurity.
Jamila Crawford, a U.S. Digital Corps Fellow at the Cybersecurity and Infrastructure Security Agency (CISA), shares her journey working in cybersecurity and her current work at CISA.
What made you consider public service?
My undergraduate degree is in Sociology and my studies focused largely on social change and human behaviors, so I knew even in school that I wanted to work with the public in some way. Four months after completing my degree in 2015, I began working in public service at the state level with the Georgia Department of Corrections. Shortly after starting, I was sure I wanted to remain in public service in the long term.
The impact you’re able to make in government — whether it’s protecting the community, ensuring that technology works to get the job done, or developing policies that will benefit the public — makes public service unique and worthwhile. I often reflect on my past roles and those whose paths I’ve crossed since starting in public service seven years ago, and I can honestly say the feeling from doing meaningful work is long-lasting.
What was your path to the U.S. Digital Corps?
My professional career started as a state of Georgia felony probation and parole officer and I later transitioned to the federal government as a U.S. Pretrial Investigations Officer for the U.S. District Courts. While working as an officer, I was particularly interested in the intersection of technology and crime and specifically how technology is used to commit criminal acts, like human trafficking and identity theft. My interest in cybersecurity was sparked when I completed a cybercrime investigations course. Shortly after that, I enrolled in school to complete my Master’s in Cybersecurity. After so many “no’s” and a hunger for an opportunity to enter a technology role, I took a leap of faith and left law enforcement to work as an Information Technology Student Trainee for the Bureau of Prisons, a term-limited, one-year appointment.
With only three months left in my trainee position, I learned about the Digital Corps and I immediately thought to myself “this is perfect.” I’m a career changer, and that is something the Digital Corps appreciates — unique professional experiences and transferable skills. The opportunity that the Digital Corps offers to make an impact so early in your career is not that common for those of us working in the federal government, as most positions require extensive years of experience. The Digital Corps was the chance I’ve longed for - to work in cybersecurity in the federal government.
Can you tell us a bit about the project you are currently working on?
I work with the Cybersecurity and Infrastructure Security Agency (CISA), a component of the Department of Homeland Security. For context, CISA leads the nation’s cybersecurity efforts to protect our cyber and physical infrastructure and also offers cyber services to federal, state, local and tribal agencies. I work in the Cybersecurity Shared Services Division and am tasked with validating cybersecurity services using risk and resilience assessments to ensure compliance with EO 14028 and applicable standards such as the National Institute of Standards and Technology (NIST) and ISO Control Frameworks. The validation process is used to reduce the risk and threat profiles of Federal Civilian Executive Branch (FCEB) agencies.
Currently, I am working on validating the Protective Domain Name System (DNS) Service “ProtDNS,” a DNS firewall service that will be used by all FCEB agencies to defend against malicious cyber activity. The DNS service features include enhanced threat intelligence, zero-trust alignment, and real-time alerts that will safeguard the federal enterprise.
What do you like about working in the federal government?
To me, working in the federal government is an opportunity to make an impact on a large scale. Whether you’re in emergency response, technology, legal, or law enforcement, the work you do makes a difference in the lives of so many people.