Census Thinks a Clippy-Style AI Assistant Could Speed Up Security Authorizations

maxuser/Shutterstock.com

“It looks like you’re trying to get an ATO. Would you like help with that?”

A team of innovation specialists at the Census Bureau is working to speed up the process for getting security authorizations—known as an authority to operate, or ATO—for new systems and applications. Among their potential solutions: Developing an artificial intelligence bot that offers wisdom from successful ATOs, akin to Microsoft’s much-maligned Clippy office assistant.

Security officials focused on the ATO process have long urged agencies to reuse authorizations for like-for-like systems. While leaders have said that is happening more often, program managers are often reluctant to reuse an authorization that might not track exactly to the app they are standing up.

But for a given security control, there are language and considerations for how the documentation is put together that can easily be borrowed from one authorization to the next, according to the Census FISMAtic project team.

“The goal is to take all the ATOs the Census Bureau has done … and write some natural language processing tools that look through those looking for commonalities in the way responses are written,” explained Alex Cohen, program manager for Census’ Center for Applied Technology.

For example, the tool may check the response to an access control about whether role-based access control is in place. If the tool finds something along the lines of, ‘Yes, this is enabled,’ which aligns with other responses that have been approved, the documentation for that control is probably sound. However, if the response is something like, ‘I don’t know what this means,’ or, as Cohen suggested, some kind of nonsense like, ‘System supports access control on a Wednesday,’ then the automated system will flag that response as unlikely to pass.

“There’s more nuance you can get into, too,” said Aidan Feldman, a Census IT specialist working on the FISMAtic project. “Even if you say, ‘OK, I’m using Amazon Web Services to do X,’ that could have been described a number of ways in past security plans. You could say, ‘Hey, it looks like you’re describing this particular product that was also described in these sorts of ways, so you might consider phrasing it like this,’” and offer examples of past responses that have been approved.
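The two ideas above, flagging a control response that looks unlike anything previously approved and pointing the author at the closest approved phrasing, can be sketched with an ordinary text-similarity check. The following is an added example written for this article, not FISMAtic code and not a description of what the Census team actually built. The control identifier, the "approved" narratives and the draft responses are constructed for the example, and the 0.3 threshold is an arbitrary assumption; it uses a plain Jaccard overlap of word sets rather than the NLP tooling the team describes.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Common words removed so the score reflects control-specific wording,
# not filler. Hypothetical list chosen for this example.
STOPWORDS = {"a", "an", "and", "are", "by", "each", "i", "in", "is", "it",
             "of", "on", "per", "that", "the", "this", "to", "what"}


def tokenize(text: str) -> set:
    """Lowercase, split into alphabetic words, drop stopwords; return the set."""
    return {t for t in re.findall(r"[a-z]+", text.lower()) if t not in STOPWORDS}


def jaccard(a: set, b: set) -> float:
    """Overlap of two token sets: |a & b| / |a | b|, 0.0 when both are empty."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


# Constructed sample corpus: narratives for one control that were accepted in
# earlier authorizations. The control ID and wording are made up here.
APPROVED = {
    "AC-3": [
        "Role-based access control is enabled. Users are assigned roles in the "
        "application and permissions are enforced by role.",
        "The system enforces role-based access control. Each user is assigned a "
        "role and access to functions is restricted to that role.",
        "Access is enforced through roles defined in the application; permissions "
        "are granted per role and reviewed quarterly.",
    ],
}


@dataclass
class Review:
    control: str
    score: float                 # similarity to the closest approved narrative
    flagged: bool                # True when the draft resembles nothing approved
    suggestion: Optional[str]    # closest approved narrative to borrow phrasing from


def review_response(control: str, draft: str, threshold: float = 0.3) -> Review:
    """Score a draft control narrative against approved narratives for the same control.

    Flags the draft when its best overlap with any approved narrative falls
    below the threshold, and returns that best match as a phrasing hint.
    A control with no approved examples always flags (nothing to compare to).
    """
    draft_tokens = tokenize(draft)
    best_score, best_text = 0.0, None
    for approved in APPROVED.get(control, []):
        s = jaccard(draft_tokens, tokenize(approved))
        if s > best_score:
            best_score, best_text = s, approved
    return Review(control, round(best_score, 3), best_score < threshold, best_text)


if __name__ == "__main__":
    for draft in (
        "Yes, role-based access control is enabled and permissions are enforced per role.",
        "I don't know what this means.",
        "System supports access control on a Wednesday.",
    ):
        print(review_response("AC-3", draft))
```

Running it, the first draft scores well and is not flagged, the "I don't know" draft scores 0.0, and the "Wednesday" draft lands at 0.25, just under the threshold. That last result is the caveat worth noticing: a word-overlap score still gives partial credit for "system", "access" and "control", so it flags the nonsense only because of the unmatched words, not because it understands that "on a Wednesday" is meaningless. Any real tool of this kind needs the threshold tuned against a corpus of both approved and rejected narratives, and a human assessor still makes the call.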

Finding usable examples to work off of can be especially difficult when it comes to ATOs, as those documents are often considered sensitive and are not easily shared, Feldman pointed out.

“The main pain point that came up was around having access to examples,” he said. “Filling out this documentation can be really challenging if you don’t have experience in it.”

If you do get access to a document that can be used as a template, they are often in PDF form and rarely machine-readable, Feldman added.

“If we can get enough data, we can create [a tool that says], ‘Hey, looks like you’re responding to [a specific security control], would you like to …’ and here are your choices. What really started this idea was Clippy for ATOs,” Cohen said, referencing an often ridiculed automated assistant included with Microsoft Office products from 1997 to 2007.

“As much as Clippy gets some real heat, it did back-format documents and provided some real help if you didn’t know what you were doing,” Cohen said. “The problem with Clippy is it annoyed people who did know what they were doing. But if you’d never done an ATO before, Clippy would be really helpful.”

Exactly what that tool will look like—and whether machine learning and artificial intelligence technologies are advanced enough to accomplish the goal—is still up in the air, according to Cohen.

“This is very preliminary stuff. But the most important finding is we need to take a look at the data,” Cohen said, which means collecting lots of sample ATOs from across Census that can be used to train a machine learning app.

“We think we’re in a good spot to solve” the problem of long lead times on ATOs, he said, “But we’re just getting started.”

And Clippy for ATOs is one of a number of potential solutions that came about as part of a user/market research exercise by the FISMAtic team that solicited feedback from public and private sector stakeholders. The team posted a summary of the responses to GitHub, though they stressed that this was not a scientific survey or an official Census document, but merely the team’s notes on preliminary research.

"Security assessments are very important but can be long and complex, resulting in frustration on both sides,” Feldman said, referencing the divide that often occurs between development and security teams. “If this project works well, this is going to really make things better for everyone.”

The FISMAtic project was born out of the Innovation and Operational Efficiency, or IOE, program, which annually polls Census employees on areas they would like to see improved, according to Program Manager Carlos LaCosta. After two weeks of submissions, the ideas are taken to internal subject matter experts, who then present the issues to an executive committee of senior leadership.

That committee picks a number of ideas to move forward—the 2019 cohort includes six projects. From there, a project team is put together and given one year to investigate the issue. If it’s something worthy of further exploration, the project can be extended for an additional two years while Census experts work on improving that pain point.

The ATO process was chosen as a 2019 project in April.

“It’s really an employee-driven innovation program here at Census,” LaCosta said.

Editor's Note: This story has been updated to correct the spelling of LaCosta's name.
