Compliance as Code and Improving the ATO Process

A wide-scale cyber-attack in 2020 impacted a staggering number of federal agencies, including the agency that oversees the United States nuclear weapons arsenal. Government officials are still determining what information the hackers may have accessed, and what they might do with it.

The fundamental failure of federal technology security is the costly expenditure of time and resources on processes that do not make our systems more secure. Our muddled compliance activities allow insecure legacy systems to operate longer, increasing the risk of cyber intrusions and other system meltdowns. The vulnerabilities introduced by these lengthy processes have grave consequences for the nation at large.

In federal technology, the approval to launch a new Information Technology (IT) system is known as an Authority to Operate (ATO). In its current state, the process of obtaining an ATO is resource-intensive, time-consuming, and highly cumbersome. The Administration should kick-start a series of immediate, action-oriented initiatives to incentivize and operationalize the automation of ATO processes (also known as “compliance as code”) and position agencies to modernize technology risk management as a whole.

Challenge and Opportunity

While the compliance methodologies that currently comprise the ATO process contribute to managing security and risk, the process itself causes delays to the release of new systems. This perpetuates risk by extending the use of legacy—but often less secure—systems and mires agencies with outdated, inefficient workflows. 

To receive an ATO, government product owners across different agencies are required to demonstrate compliance with similar standards and controls, but the process of providing statements of compliance or “System Security Plans” (SSPs) is redundant and siloed. In addition, SSPs are often hundreds of pages long and oriented toward one-time generation of compliance paperwork over an outdated, three-year life cycle. There are few examples of IT system reciprocity or authorization partnerships between federal agencies, and many are reluctant to share their SSPs with sister organizations that are pushing similar or even identical IT systems through their respective ATO processes. This siloed approach results in duplicative assessments and redundancies that further delay progress. 

The next administration should shift from static compliance to agile security risk management that meets the challenges of the ever-changing threat landscape. The following Plan of Action advances that goal through specific directives for the Office of Management and Budget (OMB) Office of the Federal CIO (OFCIO), General Services Administration (GSA), Technology Transformation Service (TTS), and other agencies.

Plan of Action

The Office of the Federal Chief Information Officer (OFCIO) should serve as the catalyst for several activities aimed at addressing inefficiencies in the ATO attainment process.

OFCIO should draft an OMB Compliance as Code Memorandum that initiates two major activities. 

First, the Memorandum will direct GSA to create a Center of Excellence within the Technology Transformation Service (TTS). The goals and actions of the Center of Excellence are detailed under “Action Two” below. Second, the Memorandum should require Cabinet-level agencies to draft brief “exploration and implementation plans” that describe how the agency or agencies might explore and adopt compliance as code to create efficiencies and reduce burden.

OFCIO should offer guidance for the types of explorations that agencies might consider. These might include:

During the plan review process, the OFCIO should collaborate with the Resource Management Offices (RMOs) at OMB to identify agencies that offer the most effective plans and innovations. Finally, OFCIO should consider releasing a portion of the agency plans publicly with the goal of spurring research and collaboration with industry.

The General Services Administration should create a Cybersecurity Compliance Center of Excellence. 

OMB should commission the creation of a Cybersecurity Compliance Center of Excellence at the General Services Administration (GSA). Joining the six other Centers of Excellence, the Cybersecurity Compliance Center of Excellence (CCCE) would serve to accelerate the adoption of compliance as code solutions, analyze current compliance processes and artifacts, and facilitate cross-agency knowledge-sharing of cybersecurity compliance best practices. In addition, OMB should direct GSA to establish a Steering Committee representative of the Federal Government that leverages the expertise of agency Chief Information Security Officers (CISOs), Deputy CISOs, and Chief Data Officers (CDOs) as well as representatives from the National Institute of Standards and Technology (NIST) and the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). 

The CCCE Steering Committee will research potential paths to propagate compliance as code that are not overly burdensome to agencies, deliberate on these initiatives, and guide and oversee agency innovations. The ultimate goal for the Steering Committee will be to devise a strategy and series of practices to increase compliance as code adoption via the Cybersecurity Compliance Center of Excellence and OMB oversight. 

The following sections detail potential opportunities for CCCE Steering Committee investigation and evaluation:

Study IT System Acquisition Rules for Vendor Compliance Information. The Steering Committee should review existing acquisition guidance and consider drafting a new acquisition rule that would require software vendors to provide ATO-relevant, machine-readable compliance information to customer agencies. The data package could include control implementation statements, attestation data and evidence guidance for the relevant NIST controls. In addition, the new system and process improvements should be agile enough to allow the incorporation of controls unique to a particular application or service.

Shifting the responsibility of managing compliance information from agencies to vendors saves time and taxpayer dollars spent in the duplicative discovery, creation, and maintenance of control implementation guidance for common software. The rule would be doubly effective in time saved if the vendor’s compliance data package has common reciprocity between agencies, allowing for faster adoption of software government-wide. Finally, the format of the data package should be open sourced, fungible and accessible.

Examine and Improve the Utility of System Security Plans (SSPs). System Security Plans are the baseline validator of a system’s security compliance and a comprehensive summary of an IT system’s security details. OMB and the CCCE Steering Committee should direct agencies to investigate the reusability and transmutability of System Security Plans (SSPs) across the Federal Government. A research-focused task force, composed of federal data scientists, compliance subject matter experts, auditors, and CISOs, should research how SSPs are utilized and draft recommendations on how best to improve their utility. The research task force would collect a percentage of agency SSPs, compare time-to-ATOs for various government organizations, and develop a common taxonomy that will allow for reciprocity between government agencies.

Create a Federal Compliance Library. The Steering Committee should investigate the creation of an inter-agency Federal Compliance Library. The library, most likely hosted by NIST, would support cross-agency compliance efforts by offering vetted pre-sets, templates, and baselines for various IT systems. A Federal Compliance Library accelerates the creation and sharing of compliance documentation and allows for historical knowledge and best practices to have impact beyond one agency. These common resources would free up agency compliance resources to focus on authorization materials that require novel documentation.

Explore Open Security Controls Assessment Language (OSCAL). The Steering Committee should explore the value added by mandating the conversion of agency SSP components to machine-readable code such as Open Security Controls Assessment Language (OSCAL). OSCAL allows for the automated monitoring of control implementation effectiveness while making documentation updates easier and more efficient.

Conclusion

Federal compliance processes are ripe for innovation. The current system is costly and perpetuates risk while trying to control for it. The Plan of Action detailed above creates a cross-agency collaborative environment that will spur localized innovations which can be tested and perfected before scaling government-wide.

Frequently Asked Questions
Why is this recommendation important?
Current compliance processes are slow, costly and ineffective. They result in bureaucratic inertia that stalls the adoption of new technologies and exacerbates risk. The compliance-as-code recommendations outlined in this text dovetail with conclusions drawn from the Federal Cybersecurity Risk Determination Report and Action Plan to the President of the United States (2018). Compliance-as-code solutions match core actions that are necessary to address cybersecurity risks across the federal enterprise.
Why are OFCIO and TTS best positioned to lead these efforts?
OFCIO and TTS have been successful in guiding and monitoring agencies through a number of technology transformation initiatives including the Data Center Consolidation Initiative, the HTTPS-Only Standard, and the FITARA Scorecard, among many others. OMB OFCIO has the ability to direct agencies to develop exploration plans, as described above, and GSA TTS is well situated to stand up a new Center of Excellence to facilitate pilot initiatives and cross-agency collaboration. In addition, a Steering Committee for the Cybersecurity Compliance Center of Excellence (CCCE) that leverages the expertise of CISOs, Deputy CISOs, and CDOs as well as representatives from NIST and DHS CISA can ensure that GSA and OMB are developing guidance based on the actual situations within agencies. Greater participation and representation from agencies will ensure greater transparency, collaboration and adoption of new innovations.
How will these proposals make the ATO compliance process more efficient?
ATO processes have been a known encumbrance for some time. A handful of agencies have begun to explore automation and compliance as code, including, but not limited to, the Defense Digital Service Rapid ATO and the Centers for Medicare and Medicaid “Simplified and Guided Authorization for Rapid ATO” pilot. While many agencies recognize the need, most lack the resources to explore innovations and automate processes. These proposals aim to elevate the issue and proposed solutions to the White House level and align the most promising innovations with support and funding. Once solutions are identified and tested, they can be scaled for government-wide adoption.
Are there risks to centralizing all IT compliance in one library? Are there security concerns?
Published data formats provide greater security than proprietary counterparts. While the reference implementations and data formats must be open, the data collection and analysis of an operational system is fully protected by encryption. If required, certain SSPs can be delivered to new agencies on a by-request basis instead of being made publicly available.
Is it overly burdensome to ask agencies to convert their SSPs to OSCAL?
OSCAL integration across the Federal Government should be evaluated for burden and agencies’ current technical capacity to support OSCAL integration must be considered. Agencies should consider smaller-scale integrations of OSCAL as a starting point. Research should also be focused on potential time saved from automating compliance checks, streamlining the review process, and increasing the speed of adopting new technologies.
Are there any legal requirements or obstacles for agencies that may prevent them from participating in these reforms?
The request that software vendors provide machine-readable security documentation is to their own benefit. It is currently cumbersome and repetitive for a software vendor to provide information to support the ATO process on an individual basis every time their software is evaluated or implemented. Vendors already decide what information to share and are likely careful about what they choose to provide. A shared SSP library or reciprocity of SSP statements across agencies should not introduce any new legal obstacles or concerns into the process. Vendors should be made aware that any information they share is eligible for a cross-agency shared repository.
What exactly is the scope of the term “compliance as code” in technical terms?
‘Compliance as Code’ is the automated implementation, verification, remediation, monitoring and reporting of compliance information and status. In technical terms, compliance as code can be facilitated by migrating the static SSP from Microsoft Word to OSCAL, including front matter, control implementation statements, and appendices. Additional examples of compliance as code include: evidence gathering and verification code, commit and pull-request automated testing, and DevOps context aware notifications and documentation. Developer tools such as an RMF and OSCAL-Aware GRC plugin for VS Code and continuous monitoring plugins can also be included.
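As an added illustration of the automated verification that a machine-readable SSP makes possible (example code written for this page, not code from the original document or from NIST's OSCAL project): a Python check that reads a constructed SSP fragment laid out as a simplified subset of the OSCAL system-security-plan JSON model and reports which required controls are absent or carry no substantive implementation statement. The JSON layout, the sample SSP and the `REQUIRED_CONTROLS` baseline are all assumptions made for the example, not an official NIST baseline.

```python
"""Compliance-as-code check over an OSCAL-style SSP (added example).

Assumptions: the SSP below is a constructed sample following a simplified
subset of the OSCAL system-security-plan JSON model
(control-implementation -> implemented-requirements -> statements ->
by-components -> description); REQUIRED_CONTROLS is a constructed sample
baseline, not an official NIST baseline.
"""
import json

# Constructed sample SSP: ac-2 is documented, au-2 has only whitespace text.
SAMPLE_SSP_JSON = """
{
  "system-security-plan": {
    "metadata": {"title": "Example System SSP", "version": "1.0"},
    "control-implementation": {
      "implemented-requirements": [
        {
          "control-id": "ac-2",
          "statements": [
            {
              "statement-id": "ac-2_smt",
              "by-components": [
                {"description": "Accounts are provisioned via the IdP and reviewed quarterly."}
              ]
            }
          ]
        },
        {
          "control-id": "au-2",
          "statements": [
            {
              "statement-id": "au-2_smt",
              "by-components": [
                {"description": "   "}
              ]
            }
          ]
        }
      ]
    }
  }
}
"""

# Constructed sample baseline the authorizing official expects to see covered.
REQUIRED_CONTROLS = ["ac-2", "au-2", "ia-2", "sc-8"]


def implementation_statements(ssp):
    """Map each control-id in the SSP to its non-empty implementation texts."""
    ci = ssp["system-security-plan"]["control-implementation"]
    result = {}
    for req in ci.get("implemented-requirements", []):
        texts = []
        for stmt in req.get("statements", []):
            for bc in stmt.get("by-components", []):
                desc = bc.get("description", "").strip()
                if desc:
                    texts.append(desc)
        result[req["control-id"]] = texts
    return result


def assess_ssp(ssp_json, required_controls):
    """Return (missing, empty): required controls absent from the SSP, and
    required controls present but without a substantive statement."""
    ssp = json.loads(ssp_json)
    statements = implementation_statements(ssp)
    missing = [c for c in required_controls if c not in statements]
    empty = [c for c in required_controls
             if c in statements and not statements[c]]
    return missing, empty


if __name__ == "__main__":
    missing, empty = assess_ssp(SAMPLE_SSP_JSON, REQUIRED_CONTROLS)
    print("controls missing from SSP:         ", missing)  # ['ia-2', 'sc-8']
    print("controls with empty implementation:", empty)    # ['au-2']
```

The same check can run in a commit or pull-request pipeline so that an SSP change which drops or blanks a required control fails before it reaches the authorizing official.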

Democratizing Police Adoption of Surveillance Technology

Summary

The next administration should help local communities reassert control over police use of surveillance technology. It should support legislation requiring that the use of all federally-funded surveillance technology be approved by local elected representatives through a public process, and that this use be constrained by a formal policy delineating the situations in which it will be used, how the data it generates will be handled and secured, and how its effectiveness will be evaluated. If new legislation is not forthcoming, then the next administration should empower local initiatives through a pledge program in which leading local law enforcement authorities voluntarily agree to take these steps.

Today local law enforcement agencies obtain cutting edge — and potentially intrusive — surveillance equipment without the knowledge of elected leaders and the general public, sometimes leading to a rejection of the technology once the public discovers it. In Oakland, for example, following a council review that lasted only two minutes, the city created a data integration center that networked together all of its existing surveillance infrastructure. Once the public learned of the center, protests broke out and council meetings were flooded with angry residents. The backlash was so severe that the city ultimately largely gutted the center, even though millions in federal funding had already been spent on its development.

Federal funding is a major driver of uninformed and undemocratic adoption of surveillance technology at the local level. The Federal Government funds billions of dollars in grants to local law enforcement agencies, money that can then be used to purchase surveillance equipment. But the government does not take steps to ensure that local elected representatives and members of the public are involved in decisions about what technologies are acquired, or that protocols are developed to constrain how the technologies are used.

The Federal Government has a responsibility to intercede to make sure that local elected representatives are aware of and have control over how federally-funded surveillance equipment is used in their communities. Transparency is particularly important for surveillance technology because this equipment is often invisible. People cannot challenge deployment of surveillance technology in court or through public processes if they do not know about it. Moreover, surveillance technologies can be invasive, with potentially harmful effects on civil rights and liberties. Particularly given today’s high level of concern over policing practices, the Federal Government should not be undermining the ability of local communities to assert democratic control over their police departments.

Some cities and counties have passed ordinances requiring that their law enforcement agencies seek approval to deploy surveillance technology, demonstrating the feasibility and desirability of such measures. But with some 18,000 law enforcement agencies nationwide, only the Federal Government can implement a solution at scale.

Privacy Laws Should Help, Not Harm

Summary

American society urgently needs to address structural disparities in the criminal-justice system. One important disparity—which is both easily mitigated and generally unrecognized—is the asymmetry of information access granted to prosecutors and defendants. Prosecutors can easily access digital records that establish guilt. But defendants are far less empowered to access digital records that prove innocence.

Privacy laws are a key source of this disparity. The Stored Communications Act (SCA), for instance, permits law enforcement—but not defense investigators—to access certain evidence from Internet companies. Fortunately, there are two straightforward policy solutions to this problem. First, new federal privacy legislation should include language requiring symmetric information access for defendants. Second, the Department of Justice should adopt a new interpretation of the SCA to protect fairness in criminal proceedings.

Eliminating Cookie Click-Thrus: A Strategy for Enhancing Digital Privacy

Summary

Everyone hates cookie notifications, click-thrus, and pop-ups. While cookies give the web more functionality, their excessive use and attendant consent system can interfere with user experience and raises serious privacy concerns. The next administration should commit to finally resolving these and related issues by creating a digital privacy task force within the White House Office of Science and Technology Policy (OSTP). The task force would coordinate relevant agencies—including the Federal Trade Commission, Federal Communications Commission, and Department of Commerce—in working with Congress, state actors, and European Union partners to develop meaningful data-privacy protections.

Advancing Economic and Health Goals by Increasing the Use of Evidence and Data

Summary

As the United States continues to grapple with unprecedented economic, health, and social justice crises that have had a devastating and disproportionate effect on the very communities that have long struggled most, the next administration must act quickly to ensure equitable recovery. Improving economic mobility and increasing equity in communities furthest from opportunity is more urgent than ever.

The next administration must work with Congress to quickly enact a new round of recovery or stimulus legislation. State and local governments, school systems, and small businesses continue to struggle to respond to COVID-19 and the economic and learning losses that have accompanied the resulting closures. But federal resources are not unlimited and there is little time to spare – communities need positive results quickly. It is imperative, furthermore, that the administration ensures that the dollars it distributes are used effectively and equitably. The best way to do so is to use existing evidence and data — about what works, for whom, and under what circumstances — to drive recovery investments.

Fortunately, the federal government has access to unprecedented evidence and data tools that can increase the speed and effectiveness of these urgent recovery and equity-building efforts. And where evidence or data do not exist, this unique moment affords an opportunity to build evidence about what does work to help communities recover and rebuild.

Thus, one of the first priorities of the next administration’s Office of Management and Budget (OMB) should be helping agencies develop their capacity to use existing evidence and data and to build evidence where it is lacking in order to advance economic mobility across the country. OMB should also support federal agency efforts to assist state and local governments to build and use local evidence that can accelerate economic growth and help communities recover from the current crises.

Specifically, OMB should issue guidance directing federal agencies to: 1) define and prioritize evidence of effectiveness in their grant programs to help identify what works, for whom, and under what circumstances to advance economic mobility post-COVID; 2) set aside 1% of discretionary funding for evidence building, including evaluations, technical assistance and capacity building; 3) support state and local governments in using recovery funding to build their own data, evidence-building and evaluation capacity to help their communities rebuild; and 4) require that findings from 2021 evidence-building activities be incorporated into strategic plans due in 2022.

Ensuring Platform Transparency and Accountability

Summary

Open-source investigations and public interest research using platform data (e.g., Facebook, YouTube) have enabled the collection of evidence of human rights atrocities, identified the role of foreign adversaries in manipulating public opinion before elections, and uncovered the prevalence and reach of terrorist radicalization and recruitment tactics. Nascent data privacy legislation such as the EU General Data Protection Regulation and the California Consumer Privacy Act have placed increased pressure on platforms to restrict third party access to data. In an overly cautious interpretation of these laws, platforms are increasingly restricting third-party access to the data they collect. In doing so, platforms shield themselves from public scrutiny and accountability.

To support transparency and accountability of platforms, the next administration should work with Congress to ensure that any new data privacy legislation proposed at the federal level does not inadvertently block the ability of third parties to gain access to platform data for open-source investigations and public interest research. The White House Office of Science and Technology Policy should take the lead by convening a workshop among key actors to make progress on these goals. Out of the workshop, a federal working group should be formed to develop principles and operational guides to support ethical third-party access to platform data, including the formation of technical standards to ensure data privacy and security.

Addressing Challenges at the Intersection of Civil Rights and Technology

Summary

Modern civil rights challenges are technically complex. Today, decisions made by algorithms, rather than people, limit opportunities for historically disadvantaged groups in critical areas like housing, employment, and credit. The next administration should establish a broad, new task force, led by the U.S. Chief Technology Officer (CTO), to address issues at the intersection of civil rights and emerging technologies. The task force should encourage federal agencies to prioritize regulatory and enforcement activities where tech and civil rights overlap, and to increase temporary exchanges of staff between agencies to facilitate cross-pollination of civil rights and tech expertise. The Administration should also prioritize appointment of key agency personnel who are committed to addressing tech/civil rights challenges.

Protecting Children’s Privacy at Home, at School, and Everywhere in Between

Summary

Young people today face surveillance unlike any previous generation, at home, at school, and everywhere in between. Constant use of technology while their brains are still developing makes them uniquely vulnerable to privacy harms, including identity theft, cyberbullying, physical risks, algorithmic labeling, and hyper-commercialism. A lack of privacy can ultimately lead children to self-censor and can limit their opportunities. Already-vulnerable populations—who have fewer resources, less digital literacy, or are non-native English speakers—are most at risk.

Congress and the Federal Trade Commission (FTC) have repeatedly considered efforts to better protect children’s privacy, but the next administration must ensure that this is a priority that is actually acted upon by supporting strong privacy laws and providing additional resources and authority to the FTC and support to the Department of Education (ED). The Biden-Harris administration should also establish a task force to explore how to best support and protect students. And the FTC should use its current authority to increase its understanding of the children’s technology market and robustly enforce a strong Children’s Online Privacy Protection Act (COPPA) rule.

Digital Citizenship: A National Imperative to Protect and Reinvigorate our Democracy

In his posthumous op-ed, House Representative John Lewis wrote, “Democracy is not a state. It is an act,” and challenged all Americans to “do [their] part to help build…a nation and world society at peace with itself.” In our generation, where technology is integrated into virtually every aspect of public and private life, preserving the American democracy must involve ensuring that digital tools and platforms are employed in service of our communities, facilitating the productive and equitable exchange of information and opportunity, rather than being hijacked to sow misinformation and discord. In recent months, we have observed ample examples of both cases. Young Americans are using technology to raise awareness of ongoing racial justice issues, which have led to significant policy shifts. However, at the same time, members of the public are sharing falsehoods about the COVID-19 global pandemic, costing lives and extending economic devastation.

To ensure that upcoming generations can positively leverage online spaces and rise above the ever-present call to division, digital citizenship—encompassing the critical competencies to discern fact from fiction, navigate relationships, and use technology to champion change—must be fostered, beginning in our schools where students already engage with technology regularly. The work to develop digital citizens and future leaders is underway in several states and districts, and there exist numerous ways that the federal government can supply further momentum—setting a national vision around digital citizenship, building the capacity of educators, and strategically investing necessary funds.

Section 230: A Reform Agenda for the Next Administration

Summary

Section 230 has been the subject of bipartisan criticism in Washington, with both President Trump and former Vice President Biden arguing that the controversial law should be revoked. As the election has approached, a flurry of legislative proposals have taken aim at the law.

This paper argues that the Biden-Harris administration should take a more targeted approach, focusing on changes that will deter some of the most harmful forms of speech while also preserving the features of tech platforms that are essential to online expression. Specifically, the next administration should modernize federal criminal law for the digital age to prohibit problematic online speech like voter suppression and incitement to riot, require platforms to comply with court orders to remove illegal content, define what it means for a platform to “develop” content, work with platforms on reporting options that will facilitate individual accountability, and incentivize platforms to share data that will inform future product design and policymaking.

Harnessing Data Analytics to Improve the Lives of Individuals and Families: A National Data Strategy

Summary

Fragmented federal program structures and laws create enormous barriers to effective coordination across government agencies and levels of government. The next administration can advance the nation’s health and economic well-being and improve the effectiveness of taxpayer investments by creating the enabling conditions for federal, state, and local decision-makers and managers to adopt modern data analytics tools and practices.

Note: As a working paper, this draft is still under development. The author invites your feedback and comments, which can be sent to info@dayoneproject.org.

Have Your Data and Use It Too: A Federal Initiative for Protecting Privacy while Advancing AI

Summary

The Biden-Harris Administration should aim to make the United States a world leader in privacy-preserving machine learning (PPML), a collection of new artificial intelligence (AI) techniques capable of providing the benefits of machine learning while minimizing data-privacy concerns. By some estimates, improvements to the speed, accuracy, and scale of AI could augment global GDP by 14%, or $15.7 trillion, by 2030. Yet Americans fear that expansion of AI will have moderate to severe negative consequences. They are particularly concerned about the privacy implications of how companies and agencies use personal data to generate new developments. To assuage these concerns, this proposal recommends targeted initiatives for the Biden-Harris Administration to bring PPML techniques to maturity, including

  1. Investing in PPML research and development.
  2. Identifying compelling opportunities to apply PPML techniques at the federal level.
  3. Creating frameworks and technical standards to facilitate wider deployment of PPML techniques.