FCW Insider: Nov. 29

If you're a fed waiting for the Merit Systems Protection Board to rule on your case, you'll have to wait a little longer. The organization has been without a working quorum since January 2017, and has built up a backlog of almost 1,600 cases. A bid to move the nominations of the proposed chair, vice-chair and a member failed a Senate committee on Nov. 28. Chase Gunter has the story.

The Secret Service wants to tap facial recognition to alert agents to the presence of known threats around the White House complex. The protective agency launched a test on Nov. 19 that will feed closed-circuit TV through a facial recognition algorithm using Secret Service volunteers as test subjects. There's no word on when such a system might go live, but the first phase of testing is set to wrap up next August. Adam Mazmanian has more.

The Treasury Department has publicly flagged cryptocurrency addresses associated with two Iranian individuals indicted for their role in a worldwide, multimillion dollar ransomware campaign. This marks the first time U.S. law enforcement has singled out crypto addresses for sanctions. Derek B. Johnson reports.

A former top cyber official at the FBI says weaker laws around encryption won't help law enforcement and could result in unacceptable collateral damage to industry and data security. Derek has more.

Quick Hits

*** A cyber-hygiene "credit score" is in the works for federal agencies -- but don't expect to see a public report card anytime soon.

Continuous Diagnostics and Mitigation Program Manager Kevin Cox said at FCW's Nov. 28 CDM event that the Agency-Wide Adaptive Risk Enumeration (AWARE) Algorithm is already ingesting data, and the plan is to put it "fully into production heading into FY2020." 

The relatively slow rollout is to ensure the data being crunched by the algorithm is accurate, Cox told reporters after his speech, and that agencies are confident the resulting scores "reflect the reality of their systems."

For now, AWARE simply shows how an agency compares to the cross-agency average. "But at the end of the day," Cox said, "we don't want to grade on a curve." 

"I don't know that we're going to get to an A-B-C-D-F framework," he said, "but we want to at least get to a set of ranges where agencies know that they should aim for this range for their score."

Even when AWARE moves into production, the risk scores still may not be public, Cox said, as they could effectively steer adversaries to the most vulnerable agencies.

The peer pressure that comes with scorecards can be valuable, he noted, and "we want to be as transparent as possible, but we don't want to put the agencies at risk. So we have to find that balance."

Cox also said that every CFO Act agency is now rolling up data to the federal dashboard, and that 16 non-CFO agencies are doing so through the CDM program's shared services platform. 

*** Cyber Command's warfighting platform has cloud troubles.

The command said it won't be able to deploy its big data platform capabilities without added engineering expertise, analytical development and software license renewals, according to a Nov. 26 FBO posting. The Big Data Platform is part of the newly awarded warfighting platform, Unified Platform, and the technology license for the component responsible for configuring and operating it, the Rapid Analytic Deployment Management Framework, is set to lapse. Enlighten IT Consulting currently holds the license, and unless its renewed, Cyber Command won't be able "to transition the BDP from the Amazon Web Services (AWS) GovCloud environment to a USCYBERCOM AWS GovCloud environment," according to the notice. 

*** The Department of Health and Human Services released draft guidance for how healthcare providers can more easily implement electronic health records and other health IT.

"Strategy on Reducing Regulatory and Administrative Burden Relating to the Use of Health IT and EHRs," attempts to make the process more simple by making it easier for doctors to input information into EHRs during patient visits, reduce the regulatory reporting requirements for healthcare providers and by improving "the functionality and intuitiveness (ease of use) of EHRs."

This draft outlines more than 40 different recommendations. These recommendations include the development best practices for clinical documentation in EHRs, improving how data is presented in EHRs, creating design standards, increasing training and exploring new approaches through pilot programs. The draft is open for public comment until Jan. 28, 2019.