At the beginning of 2017, the ITIF (Information Technology and Innovation Foundation) released a report that benchmarked 300 federal websites in four areas: page-load speed, mobile friendliness, security and accessibility. Some sites fared better than others, but the report highlighted that our federal sites have a ways to go (DigitalGov included) in these areas. Looking at these four metrics is important as they directly impact our customers’ first perceptions of the quality of our government’s digital services.
Over a year ago, I wrote about the potential of new chatbot blockchain digital autonomous organizations. I was excited about the possibilities of how the emerging technologies of chatbots and blockchains would merge to create the digital autonomous organizations and what this could mean for delivering government services. Since then, 2017 has been called the “Year of the Chatbot” because of the rapid advances in artificial intelligence (AI) and the explosion of tools that make it easy to create chatbots.
Joel Minton, a member of the U.S. Digital Service, is working with GSA’s Technology Transformation Service as the director of login.gov. Tom Mills is the Chief Technology Architect at U.S. Customs and Border Protection. In early April, the U.S. Digital Service and 18F launched login.gov, a single sign-on solution for government websites that will enable citizens to access public services across agencies with the same username and password. Login.gov is currently in action at the U.
Categorizing and Describing Cybersecurity Work for the Nation The National Initiative for Cybersecurity Education (NICE) is pleased to announce the release of Special Publication 800-181, the NICE Cybersecurity Workforce Framework. This publication serves as a fundamental reference to support a workforce capable of meeting an organization’s cybersecurity needs. It provides organizations with a common, consistent lexicon that categorizes and describes cybersecurity work by Category, Specialty Area, and Work Role. It is a resource from which organizations or sectors can develop additional publications or tools that meet their needs to define or provide guidance on different aspects of workforce development, planning, training, and education.
Information systems—from communications platforms to internet-connected devices—require both security and privacy safeguards to work successfully and protect users in our increasingly complex and interconnected world. Toward these ends, the National Institute of Standards and Technology (NIST) has issued a new draft revision of its widely used Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations. Developed by a joint task force consisting of representatives of the civil, defense and intelligence communities, the draft fifth revision of SP 800-53 (8.
Amidst the chaos of an active shooter event, preparedness is key to a seamless, swift and effective response—and a new video game funded by the Department of Homeland Security (DHS) Science and Technology (S&T) Directorate and the U.S. Army Research Laboratory just might do the trick. Enhanced Dynamic Geo-Social Environment, or EDGE, is a virtual training platform, available now to all response agencies nationwide. Built on the Unreal Engine, it allows responders of all disciplines to assume discipline-based avatars and simultaneously role-play complex response scenarios.
I recently had the chance to talk with the legendary Vint Cerf, one of the founding fathers of the internet. We had a wide-ranging discussion about the past, present and future of the internet, network security and what it would take to successfully, safely and reliably merge the digital and physical worlds, a concept known as the “Internet of Things,” or IoT. As its name suggests, the internet of things will connect all kinds of things, bringing us a wealth of data about, well, everything that we can use to improve our lives.
In today’s digital world, it’s imperative that government agencies safeguard citizens’ physical and electronic security. In the world of Federal IT, adopting and advancing cybersecurity can’t be accomplished in one day, or by one agency. Federal agencies must work together to tackle complex problems and stay ahead of evolving network threats. The Federal Identity, Credential, and Access Management (FICAM) team helps agencies enable the right individual to access the right resource, at the right time, for the right reason.
Like any newer technology, cloud computing has faced adoption challenges. IT managers understand the huge potential efficiency improvements and savings that cloud computing can bring to their agencies, but also have questions about security, compatibility, and funding. With these concerns and without a clear path to cloud computing, many agencies continue to maintain on-premises solutions. However, legacy systems are expensive to maintain, and this is a particularly important issue in a budget-constrained environment.
If you’re a program manager or a federal web developer you’ve probably been given a seemingly simple task: Create a basic website as part of a new initiative at your agency. The hardest part is often not crafting the content or designing the prototype, but getting the security and privacy compliance in order to launch and maintain the actual website’s compliance status. For that work, you might have to hire a contractor or put extra strain on your agency’s web team.
18F Editor’s note: This is a guest post by Karim Said of NASA. Karim was instrumental in NASA’s successful HTTPS and HSTS migration, and we’re happy to help Karim share the lessons NASA learned from that process. In 2015, the White House Office of Management and Budget released M-15-13, a “Policy to Require Secure Connections across Federal Websites and Web Services”. The memorandum emphasizes the importance of protecting the privacy and security of the public’s browsing activities on the web, and sets a goal to bring all federal websites and services to a consistent standard of enforcing HTTPS and HSTS.
We wanted to share some high-level guidance for CSPs and 3PAOs we created with the JAB teams to provide insight into the different roles and responsibilities for 3PAOs and CSPs in our authorization process. These roles and responsibilities were created and refined over the last year as we refined the JAB’s authorization process through FedRAMP Accelerated. The CSP’s role (189 kb PDF, 1 page) in the JAB authorization process is to ensure their service offering meets the NIST/FedRAMP requirements through the implementation and documentation of security controls.
On May 9, we took a big step toward creating a bug bounty program for our agency by issuing an award to HackerOne for a Software-as-a-Service bug-reporting platform. The TTS Bug Bounty will be a security initiative to pay people for identifying bugs and security holes in software operated by the General Services Administration’s Technology Transformation Service (TTS), which includes 18F. This will be the first public bug bounty program run by a civilian agency, and follows in the footsteps of the Hack the Pentagon and Hack the Army bug bounty programs run by the Department of Defense.
Recently a segment on my favorite morning news program stopped me in my tracks. The young and attractive hosts (why are they always so young and attractive?) were demonstrating new appliances including a smart refrigerator. The fridge was equipped with all kinds of high-tech features including touch screen displays, a camera inside that allows you to see the contents and Wi-Fi connectivity. You can see inside your fridge while grocery shopping, how convenient!
The Department of Homeland Security (DHS) has submitted a report to Congress that details current and emerging threats to the Federal government’s use of mobile devices and recommends security improvements to the mobile device ecosystem. The DHS Science and Technology Directorate (S&T) led the study in coordination with the National Institute of Standards and Technology and its National Cybersecurity Center of Excellence. Mandated by the Cybersecurity Act of 2015, the “Study on Mobile Device Security” relied on significant input from mobile industry vendors, carriers, service providers and academic researchers.
Effective May 15, 2017, GSA’s DotGov Domain Registration Program will begin providing HSTS Preloading services for federal agencies. HSTS stands for HTTP Strict Transport Security, a response header that instructs browsers to connect to a site only over HTTPS; preloading builds that instruction into the browser itself, so even a visitor’s first request is never sent over plain HTTP. This new service helps ensure that visitor communication with .gov websites is not modified or compromised, and hostile networks cannot inject malware, tracking beacons, or otherwise monitor or change visitor interactions online. As part of this new service, any federal government executive branch .
To folks new to government, one of the most surprising differences between our work and work in the private sector are the barriers in accessing commercially available software, and commercially available Software-as-a-Service (SaaS) in particular. There are good reasons for these barriers: the government places premiums on considerations such as security, privacy, accessibility, license management, and competition. It takes great care to work within those considerations while also providing digital teams with great tools to get work done.
The Information Technology & Innovation Foundation (ITIF) recently published a report, Benchmarking U.S. Government Websites, that looks at the performance, security, and accessibility of the top 297 government websites. ITIF is a think tank in Washington, D.C. whose mission is to formulate, evaluate, and promote policy solutions that accelerate innovation in technology and public policy. Over the past 90 days, government websites were visited over 2.55 billion times. According to the Analytics Dashboard, 43.
HTTPS is a necessary baseline for security on the modern web. Non-secure HTTP connections lack integrity protection, and can be used to attack citizens, foreign nationals, and government staff. HTTPS provides increased confidentiality, authenticity, and integrity that mitigate these attacks. In June 2015, the White House required all new federal web services to support and enforce HTTPS connections over the public internet, and for agencies to migrate existing web services to HTTPS by the end of calendar year 2016.
Summary: Building on efforts to boost Federal cybersecurity & as part of National Cybersecurity Awareness Month, today we’re releasing a proposed guidance to modernize Federal IT. America’s spirit of ingenuity and entrepreneurship created the world’s most innovative economy and keeps us dominant in today’s digital age. Indeed, in 1985 about 2,000 people used the Internet; today, 3.2 billion people do. What started out as a useful tool for a few is now a necessity for all of us—as essential for connecting people, goods, and services as the airplane or automobile.
In December, I plan to write two postings detailing a scenario analysis for the next ten years of the Federal government’s data technologies. Governments are on the cusp of amazing technological advances propelled by artificial intelligence, blockchain technologies, and the Internet of Things. Governments will also face new challenges, such as the recent large-scale attack that knocked Twitter and Netflix offline for many users. I want to invite you, the reader, to also send in your predictions for the future of Federal government data.
These days, when you turn on the news you almost always see another hack, leak, or breach putting sensitive information at risk. But we’ve been focusing on keeping federal agency information systems secure for a long time. For October’s Cybersecurity Awareness Month, the WatchBlog takes a look at federal cybersecurity challenges. What is the threat? Cybersecurity incidents can pose serious challenges to personal privacy and security as well as the economy and national security.
Summary: The Office of Management and Budget is releasing updated guidance on the role and designation of Senior Agency Officials for Privacy. The digital economy has transformed how citizens interact with their Government. Government services related to immigration, student loans, health insurance, and veterans’ benefits are just a sample of the services now available online. By leveraging technology and innovation, the Administration is significantly improving the Federal Government’s ability to provide better citizen-centered services and helping Americans engage with their Government in new and meaningful ways.
On September 8th, the General Services Administration (GSA) held a Technology Industry Day to talk to industry leaders about the products and solutions developed by our agency and to hear feedback on how we can better engage industry. We’re thrilled that more than 300 members of the technology industry in person and via the live stream were able to join us for this first step towards a closer partnership and more open lines of communication about how we can work together to transform federal technology.
No Longer an Idea of the Future, Artificial Intelligence Is Here and You Are Probably Already Using It
It might surprise some of you to know that artificial intelligence (AI) is already in use and a routine part of our daily lives: we leverage this technology whenever we use our smartphones or other devices to ask Apple’s Siri, Microsoft’s Cortana, Google Now, or Amazon’s Alexa a question to get the facts or data we are looking for. Using your voice, you can say, “Where’s the nearest gas station?
This is the final post in the 5-part series, The Right Tools for the Job: Re-Hosting DigitalGov Search to a Dynamic Infrastructure Environment. Federal websites are required to implement DNSSEC, which signs DNS records so that a resolver can verify exactly which address a hostname points to; that assumes the answer for a hostname is stable. In Amazon Web Services (AWS), the problem of unreliable servers is solved by Elastic Load Balancing (ELB). An ELB containing one or more servers is presented to the world as a single hostname — say, usasearch-elb.
Many of our cloud service providers (CSPs), federal agencies, and third party assessment organizations (3PAOs) often share common issues and questions when going through the FedRAMP process. To help guide our stakeholders, we will be providing weekly tips and address frequently asked questions and concerns. This week’s tips come from FedRAMP’s Accelerated event. Read the full list of questions asked during FedRAMP Accelerated here. Send potential tips and questions that you would like published as a tip [via email].
Summary: Today, OMB is releasing an update to Circular A-130, the Federal Government’s governing document for the management of Federal information resources. Today the Office of Management and Budget (OMB) is releasing an update to the Federal Government’s governing document for the management of Federal information resources: Circular A-130, Managing Information as a Strategic Resource. The way we manage information technology (IT), security, data governance, and privacy has rapidly evolved since A-130 was last updated in 2000.
The mission of U.S. General Services Administration (GSA)’s Integrated Technology Services (ITS) is to deliver best value technology solutions to the government and the American people, and one of the most critically important capabilities that our nation currently needs is strengthened cybersecurity. We have been working with numerous other federal agencies to ensure that the government has the tools and know-how it needs to protect our systems, data, and information.
Augmented Reality games have existed for years, but have mostly failed to catch a mainstream audience; Pokémon Go just changed all that this weekend. The game that launched early this month has exploded in popularity and is close to surpassing Twitter in daily active users, according to Forbes’ Jason Evangelho. “The data gets even more staggering. As of 48 hours ago, Pokémon GO was installed on 5.6% of all Android devices in the United States, and is installed on more Android phones than Tinder (insert “Pokémon is now more popular than sex” joke here),” he cited.
It is at the intersections of fields where you find the most fascinating and innovative concepts. Recently, a conference on “Open Human Resources and the Cognitive Era” explored the use of chatbots and blockchain technologies in human resources. Human Resources (HR) is quietly undergoing a revolution as many HR practitioners are transforming HR by using open source concepts. It is fascinating to see how cognitive technologies and cloud technologies are changing HR from a transactional and compliance function to an essential strategic organizational asset.
Internet strategist Mary Meeker delivered her 2016 Internet Trends report this month, and there are several key takeaways for government agencies to consider and continue tracking as our connected world continues to evolve: Mobile phone adoption and Internet growth is meeting saturation. Incremental global growth will continue (especially in India, which she called out for their wild expansion) but especially for Americans, most people that want to be on the Internet can be on the Internet.
Last week I spoke at a White House event, “Opportunities & Challenges: Open Police Data and Ensuring the Safety and Security of Victims of Intimate Partner Violence and Sexual Assault.” This event brought together representatives from government agencies, police departments, and advocacy groups to discuss the potential safety and privacy impact of open police data initiatives. The White House launched the Police Data Initiative last year, encouraging police departments to make data sets available to the public in electronic formats that can be downloaded, searched, and analyzed.
It’s Saturday night: Do you know what your mobile app is doing? Securing your mobile device is hard (no matter what day of the week). And there are numerous threats that can be posed by the apps on your device: an app could be spying on you, stealing your money, stealing data or reconfiguring the settings on your device. Security and privacy are part of the six Mobile User Experience Guidelines developed by the MobileGov Community of Practice.
As we move into 2016, here are 10 trends I foresee flourishing around mobile, technology and government: The mobile-majority tipping point in government. Many agencies are already past this point, but as a whole, government websites are still desktop-majority, with 66% of people accessing federal websites via desktop and 34% on mobile. In 2016, the double-digit mobile growth will continue to accelerate and surpass 50% for almost all agencies. (Much of the Web passed this point last year or in 2014, btw).
As we look ahead to 2016, we wanted to take a minute to look at our most popular content in 2015 and reflect on our second year. This was a big year for DigitalGov as we saw our session traffic nearly double and our weekly and daily email subscribers increase by 15%. DigitalGov was also named as a 2015 must-read blog by FedTech magazine, which is due to the great contributions from our guest authors, representing 42 agencies and departments across the federal government!
Government agencies need to make sure their mobile websites and native apps don’t become one of the estimated billions of applications that end up in the app graveyard. The need for digital products to work better is not new in the federal government. Resources like the Digital Playbook and Public Participation Playbook have had impact helping agencies become user-friendly and both of these resources note the importance of developing usable products for mobile users.
With the release of a new dashboard to measure best Web practices in the federal government and the establishment of a government-wide HTTPS Only Standard, the time to make the switch to HTTPS has arrived. Agencies have until December 31, 2016, to make the switch. The move to HTTPS is not only happening in government; it is also becoming the standard in industry as well. Firefox and Chrome have begun taking actions to phase out HTTP to make browsing more secure.
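The HTTPS-only standard above and the DotGov HSTS preloading service described earlier both come down to what a site sends in its Strict-Transport-Security header. As an added example, not code from DigitalGov, 18F or the DotGov program, the following parses that header per RFC 6797 and checks it against the preload submission rules; the thresholds (max-age of at least one year, includeSubDomains, and the preload directive) are assumed here to be the current hstspreload.org requirements, and the sample responses are constructed.

```python
"""Parse Strict-Transport-Security headers and check HSTS preload eligibility.

Added example; not part of the DigitalGov posts or any government program's code.
Assumption: preload submission requires max-age >= one year, includeSubDomains
and the preload directive (the hstspreload.org rules as understood here).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PRELOAD_MIN_MAX_AGE = 31536000  # one year in seconds (assumed preload rule)


@dataclass
class HstsPolicy:
    valid: bool = True                 # False if the header violates RFC 6797 syntax
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    errors: List[str] = field(default_factory=list)


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse one Strict-Transport-Security header value (RFC 6797 section 6.1)."""
    pol = HstsPolicy()
    seen = set()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # max-age may be a quoted-string
        if name in seen:
            # RFC 6797: a directive MUST NOT appear more than once; browsers ignore the header.
            pol.errors.append(f"duplicate directive {name}")
            pol.valid = False
            continue
        seen.add(name)
        if name == "max-age":
            if re.fullmatch(r"\d+", value):
                pol.max_age = int(value)
            else:
                pol.errors.append(f"max-age value is not an integer: {value!r}")
                pol.valid = False
        elif name == "includesubdomains":
            pol.include_subdomains = True
        elif name == "preload":
            pol.preload = True
        # Unknown directives are ignored, as RFC 6797 requires of browsers.
    if pol.max_age is None:
        pol.errors.append("max-age directive is required")
        pol.valid = False
    return pol


def preload_eligible(pol: HstsPolicy) -> Tuple[bool, List[str]]:
    """Return (eligible, reasons). A max-age of 0 is valid HSTS but only tells
    browsers to forget the policy, so it fails the one-year threshold."""
    reasons = list(pol.errors)
    if pol.valid:
        if pol.max_age < PRELOAD_MIN_MAX_AGE:
            reasons.append(f"max-age {pol.max_age} is below {PRELOAD_MIN_MAX_AGE}")
        if not pol.include_subdomains:
            reasons.append("includeSubDomains is missing")
        if not pol.preload:
            reasons.append("preload directive is missing")
    return (not reasons, reasons)


# Constructed sample of header values as an audit might collect them per host.
SAMPLE_HEADERS = {
    "good.example.gov": "max-age=31536000; includeSubDomains; preload",
    "short.example.gov": "max-age=300",
    "dup.example.gov": "max-age=31536000; max-age=0; preload",
    "quoted.example.gov": 'max-age="31536000"; includeSubDomains; preload',
}


def audit(headers_by_host: Dict[str, str]) -> Dict[str, Tuple[bool, List[str]]]:
    """Evaluate every host's header and report eligibility with reasons."""
    return {host: preload_eligible(parse_hsts(value)) for host, value in headers_by_host.items()}


if __name__ == "__main__":
    for host, (ok, reasons) in audit(SAMPLE_HEADERS).items():
        print(f"{host}: {'eligible' if ok else 'NOT eligible'} {reasons}")
```

Run it against real headers by fetching each site over HTTPS and passing the Strict-Transport-Security value into `parse_hsts`; a header served only over HTTP is ignored by browsers, so collect it from the HTTPS response.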
Sharing Social Media Strategies: The National Strategy for Trusted Identities in Cyberspace Program Office
Creating a tweet, posting a photo, or updating a status may take mere seconds. However, a well-thought-out social media strategy is needed for long-term success. In fact, the recently released U.S. Public Participation Playbook mentions strategy in its very first play: clearly define and communicate your objectives. Knowing what you hope to accomplish and how you want to get there is imperative, and social media is no exception.
Data. Security. Privacy. These are the cornerstones of many discussions concerning technology. The security of citizen information when interacting with the federal government will be increasingly important as we progress into the future. A few agencies have begun to use Hyper Text Transfer Protocol Secure (HTTPS) in lieu of the standard HTTP. For these agencies, this transition to HTTPS is seen as a step in the right direction and is one way for the government to address the security of citizen information.
Today, people rely heavily on insecure and inefficient means to access federal government applications to conduct business (i.e., they depend on usernames and passwords to log into federal agency services online). Users are required to create and manage several online accounts for different applications, which can become a nuisance, difficult to manage, and creates administrative burden for the organization. Additionally, with the abundance of these weak credentials (i.e., usernames and passwords that are easy to hack and difficult to trust), organizations – including the federal government – are left with minimal confidence in a user’s identity.
When browsing the various APIs offered by the federal government, you may have noticed that developers need to sign up for an API key. You may have also noticed that the documentation tells app developers to access the API using specified methods. Along with these two requirements, federal API creators have several ways to provide secure APIs for app developers and the general public. In this posting, I will describe how federal APIs are kept secure.
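The post above says developers must present an API key and use only the documented methods. As an added example of how such a check is typically enforced server-side, not code from any federal API or from the post, the following authorizer hashes keys at rest, rejects unknown keys and disallowed HTTP methods, and applies a per-key rate limit. The header name `X-Api-Key`, the key store and the limits are assumptions for the example.

```python
"""Server-side API key authorization: hashed key store, method allow-list, rate limit.

Added example; not the code of any federal API. Header name, key store
contents and limits are assumptions made for illustration.
"""
import hashlib
import secrets
import time
from collections import defaultdict
from typing import Dict, Optional, Tuple

API_KEY_HEADER = "X-Api-Key"   # assumed header name for this hypothetical API
WINDOW_SECONDS = 3600          # rate-limit window (assumed)


def new_api_key() -> str:
    """Issue a key with 256 bits of entropy from the OS CSPRNG."""
    return secrets.token_urlsafe(32)


def hash_key(api_key: str) -> str:
    """Keys are stored only as hashes; a leaked table yields no usable credentials.
    A plain hash is adequate because the keys are high-entropy random strings,
    unlike passwords, which need a slow salted hash."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


# Constructed key store for the example; a real service keeps this in a database.
KEY_STORE = {
    hash_key("demo-key-abc123"): {"owner": "example-app", "methods": {"GET"}, "rate_limit": 2},
}


class Authorizer:
    def __init__(self, store: Dict[str, dict], window: int = WINDOW_SECONDS):
        self.store = store
        self.window = window
        # key hash -> [window_start, requests_in_window]
        self.usage = defaultdict(lambda: [0.0, 0])

    def authorize(self, method: str, headers: Dict[str, str],
                  now: Optional[float] = None) -> Tuple[int, str]:
        """Return (HTTP status, reason). Looking up the hash rather than the raw
        key means no comparison against the secret value itself happens here."""
        now = time.time() if now is None else now
        # Header names are case-insensitive (RFC 7230); normalise before lookup.
        lowered = {k.lower(): v for k, v in headers.items()}
        key = lowered.get(API_KEY_HEADER.lower())
        if not key:
            return 401, "missing API key"
        key_hash = hash_key(key)
        record = self.store.get(key_hash)
        if record is None:
            return 403, "unknown API key"
        if method.upper() not in record["methods"]:
            return 405, f"method {method.upper()} not permitted for this key"
        slot = self.usage[key_hash]
        if now - slot[0] >= self.window:      # start a fresh window
            slot[0], slot[1] = now, 0
        if slot[1] >= record["rate_limit"]:
            return 429, "rate limit exceeded"
        slot[1] += 1                          # only successful requests count
        return 200, "ok"


if __name__ == "__main__":
    auth = Authorizer(KEY_STORE)
    good = {"X-Api-Key": "demo-key-abc123"}
    for method, hdrs in [("GET", good), ("POST", good), ("GET", {}), ("GET", good), ("GET", good)]:
        print(method, hdrs, "->", auth.authorize(method, hdrs, now=1000.0))
```

Returning 403 rather than 401 for a well-formed but unknown key keeps the two failure modes distinguishable in logs, which is useful when watching for key-guessing attempts during continuous monitoring.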
In 1995, the World Wide Web, which had been fairly niche up until then, attracted mainstream attention. What followed were 20 years of business and social innovations in how we humans chose to use the web at work, school, at home, and with our friends. The web and its “Web 2.0” successor allowed us to access, provide, remix, and exchange information in ways previously limited by time and space.
Ghosts. Ghouls. Zombies. Multi-stakeholder content audits. This Halloween there is no shortage of terrors lurking to keep federal Web managers up all night, and our work is largely done in one of the scariest domains of all: cyberspace. Every moment of every day, a vast system of computers and networks are actively working to support virtually every aspect of modern life, and along with it creating opportunities for Internet trolls, goblins, and other nefarious villains to target and exploit all manner of personal and professional information.
Security, consolidation, cloud services and enterprise portfolio management top the list of critical state CIO priorities in 2014, according to state information technology leaders surveyed by the National Association of State Chief Information Officers (NASCIO). The prioritized rankings of strategies and technologies reflect voting by state CIOs and are available for download at www.nascio.org/publications/. This year, NASCIO’s annual top 10 ranking shows IT security strategies and tools are at the forefront of discussion around the states, with ‘Security’ topping the list of Priority Strategies, Management Processes and Solutions, and ‘Security Enhancement Tools,’ such as continuous diagnostic monitoring, coming in second among Priority Technologies, Applications, and Tools.
Cloud Computing enables convenient, on-demand access to, and rapid deployment of, shared computing resources such as networks, servers, storage, applications, and services. Plan: What is the Cloud? Is Cloud Computing for you? What types of services does Cloud Computing support? Types of Cloud environments. Implement: Learn steps to acquire, manage, and secure your agency in the cloud; Creating Effective Cloud Computing Contracts for the Federal Government: Best Practices for Acquiring IT as a Service (PDF, 963 KB, 44 pages, February 2012); Security authorizations for Cloud providers (FedRAMP). Improve: Learn more about U.
Security testing is used to ensure that a mobile product does not pose a threat to agency IT systems and databases. In addition, privacy testing ensures that an app does not put the user’s personally identifiable information into a compromisable position. This article was developed as part of the Mobile Application Development Program. See our general guidelines to testing article for more resources on mobile product testing. Government Guidance Please coordinate with your ISSO when creating mobile or digital products.
Like website development, API security revolves around three stages—planning the API, testing the API, and monitoring the API after it has launched. The planning stage requires those involved to conceptually map several design decisions and the impact that they will have on security. The second stage applies your agency’s security program to the API release candidate. Lastly, the third step integrates your API in your agency’s continuous monitoring frameworks.
To enhance security, Twitter now offers two-step verification. The release of the new feature follows several high-profile account breaches – including a false tweet sent from the Associated Press’s Twitter account in April. If you choose to enable the two-step verification feature, Twitter sends a text message with a unique code to a cell phone that must be entered to continue the login process. This extra step is simple and provides another important layer of protection for your account.
[Editor’s note: Please watch the Jan. 15, 2015, webinar on How Government Can Prepare for and Respond to Social Media Hacks on our YouTube channel] The hacking of an Associated Press news account on Twitter this week, and its fallout, underscored the need for agencies to prepare for similar obstacles. Especially in public service, misinformation from rogue accounts can create damaging impact. Following these steps can help you mitigate the risk of not only rogue posts from your own account, but also respond to rogue posts from outside accounts that could harm your mission.