Elevating Science and Technology Policy at the State Department
Summary
Science and technology (S&T) must play a prominent and strategic role at all levels of United States foreign policy. On Day One, the Biden-Harris Administration should reinvigorate and reassert U.S. strength in science, technology, and data-driven decision making. S&T issues at the Department of State (Department) have historically been concentrated in specific offices and personnel, which has constrained the use of S&T as a tool to advance U.S. foreign policy goals. On Day One, the Administration can better identify, allocate, and elevate S&T issues and personnel throughout the Department. Building and rewarding diverse teams with the right mix of skills is good management for any organization, and could create significant progress toward breaking down the silos that prevent the realization of the full benefits of the S&T expertise that already exists among U.S. diplomatic personnel.
Compliance as Code and Improving the ATO Process
A wide-scale cyber-attack in 2020 impacted a staggering number of federal agencies, including the agency that oversees the United States nuclear weapons arsenal. Government officials are still determining what information the hackers may have accessed, and what they might do with it.
The fundamental failure of federal technology security is the costly expenditure of time and resources on processes that do not make our systems more secure. Our muddled compliance activities allow insecure legacy systems to operate longer, increasing the risk of cyber intrusions and other system meltdowns. The vulnerabilities introduced by these lengthy processes have grave consequences for the nation at large.
In federal technology, the approval to launch a new Information Technology (IT) system is known as an Authority to Operate (ATO). In its current state, the process of obtaining an ATO is resource-intensive, time-consuming, and highly cumbersome. The Administration should kick-start a series of immediate, action-oriented initiatives to incentivize and operationalize the automation of ATO processes (also known as “compliance as code”) and position agencies to modernize technology risk management as a whole.
Challenge and Opportunity
While the compliance methodologies that currently comprise the ATO process contribute to managing security and risk, the process itself causes delays to the release of new systems. This perpetuates risk by extending the use of legacy—but often less secure—systems and mires agencies with outdated, inefficient workflows.
To receive an ATO, government product owners across different agencies are required to demonstrate compliance with similar standards and controls, but the process of providing statements of compliance or “System Security Plans” (SSPs) is redundant and siloed. In addition, SSPs are often hundreds of pages long and oriented toward one-time generation of compliance paperwork over an outdated, three-year life cycle. There are few examples of IT system reciprocity or authorization partnerships between federal agencies, and many are reluctant to share their SSPs with sister organizations that are pushing similar or even identical IT systems through their respective ATO processes. This siloed approach results in duplicative assessments and redundancies that further delay progress.
The next administration should shift from static compliance to agile security risk management that meets the challenges of the ever-changing threat landscape. The following Plan of Action advances that goal through specific directives for the Office of Management and Budget (OMB) Office of the Federal CIO (OFCIO), General Services Administration (GSA), Technology Transformation Service (TTS), and other agencies.
Plan of Action
The Office of the Federal Chief Information Officer (OFCIO) should serve as the catalyst for several activities aimed at addressing inefficiencies in the ATO attainment process.
OFCIO should draft an OMB Compliance as Code Memorandum that initiates two major activities.
First, the Memorandum will direct GSA to create a Center of Excellence within the Technology Transformation Service (TTS). The goals and actions of the Center of Excellence are detailed under “Action Two” below. Second, the Memorandum should require Cabinet-level agencies to draft brief “exploration and implementation plans” that describe how the agency or agencies might explore and adopt compliance as code to create efficiencies and reduce burden.1
OFCIO should offer guidance for the types of explorations that agencies might consider. These might include:
- The integration of development, security and operations (DevSecOps)2 in major systems to allow for the automated validation of security controls.
- The identification of a pilot system or application within each agency that can be leveraged for the conversion of SSPs into a machine-readable format that allows for experimentation with compliance automation.
- The appointment of a single, accountable leader within each agency to guide and oversee compliance as code explorations as well as provide regular reporting to agency Chief Information Officers.
During the plan review process, the OFCIO should collaborate with the Resource Management Offices (RMOs) at OMB to identify agencies that offer the most effective plans and innovations.3 Finally, OFCIO should consider releasing a portion of the agency plans publicly with the goal of spurring research and collaboration with industry.
The General Services Administration should create a Cybersecurity Compliance Center of Excellence.
OMB should commission the creation of a Cybersecurity Compliance Center of Excellence at the General Services Administration (GSA). Joining the six other Centers of Excellence, the Cybersecurity Compliance Center of Excellence (CCCE) would serve to accelerate the adoption of compliance as code solutions, analyze current compliance processes and artifacts, and facilitate cross-agency knowledge-sharing of cybersecurity compliance best practices. In addition, OMB should direct GSA to establish a Steering Committee representative of the Federal Government that leverages the expertise of agency Chief Information Security Officers (CISOs), Deputy CISOs, and Chief Data Officers (CDOs) as well as representatives from the National Institute of Standards and Technology (NIST) and the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA).
The CCCE Steering Committee will research potential paths to propagate compliance as code that are not overly burdensome to agencies, deliberate on these initiatives, and guide and oversee agency innovations. The ultimate goal for the Steering Committee will be to devise a strategy and series of practices to increase compliance as code adoption via the Cybersecurity Compliance Center of Excellence and OMB oversight.
The following sections detail potential opportunities for CCCE Steering Committee investigation and evaluation:
Study IT System Acquisition Rules for Vendor Compliance Information. The Steering Committee should review existing acquisition guidance and consider drafting a new acquisition rule that would require software vendors to provide ATO-relevant, machine-readable compliance information to customer agencies. The data package could include control implementation statements, attestation data and evidence guidance for the relevant NIST controls.4 In addition, the new system and process improvements should be agile enough to allow the incorporation of controls unique to a particular application or service.
Shifting the responsibility of managing compliance information from agencies to vendors saves time and taxpayer dollars spent in the duplicative discovery, creation, and maintenance of control implementation guidance for common software. The rule would be doubly effective in time saved if the vendor’s compliance data package has common reciprocity between agencies, allowing for faster adoption of software government-wide.5 Finally, the format of the data package should be open sourced, fungible and accessible.
Examine and Improve the Utility of System Security Plans (SSPs). System Security Plans are the baseline validator of a system’s security compliance and a comprehensive summary of an IT system’s security details.6 OMB and the CCCE Steering Committee should direct agencies to investigate the reusability and transmutability of System Security Plans (SSPs) across the Federal Government. A research-focused task force, composed of federal data scientists, compliance subject matter experts, auditors, and CISOs, should research how SSPs are utilized and draft recommendations on how best to improve their utility. The research task force would collect a percentage of agency SSPs, compare time-to-ATOs for various government organizations, and develop a common taxonomy that will allow for reciprocity between government agencies.
Create a Federal Compliance Library. The Steering Committee should investigate the creation of an inter-agency Federal Compliance Library. The library, most likely hosted by NIST, would support cross-agency compliance efforts by offering vetted pre-sets, templates, and baselines for various IT systems. A Federal Compliance Library accelerates the creation and sharing of compliance documentation and allows for historical knowledge and best practices to have impact beyond one agency. These common resources would free up agency compliance resources to focus on authorization materials that require novel documentation.
Explore Open Security Controls Assessment Language (OSCAL). The Steering Committee should explore the value added by mandating the conversion of agency SSP components to a machine-readable format such as Open Security Controls Assessment Language (OSCAL).7 OSCAL allows for the automated monitoring of control implementation effectiveness while making documentation updates easier and more efficient.
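As an added illustration of what "compliance as code" means in practice (example code, not from the original page, NIST or any agency): a small Python check that reads a machine-readable SSP laid out like an OSCAL SSP JSON document and reports which baseline controls are implemented, incomplete, undocumented or missing, the kind of automated validation a manual review of a several-hundred-page SSP cannot give. The SSP content, control baseline and UUIDs are constructed, and the field names follow the OSCAL layout as assumed here; real documents should be validated against NIST's published OSCAL schemas.

```python
"""Compliance-as-code check: does a machine-readable SSP cover a control baseline?"""
import json

# Constructed sample: a cut-down SSP in the OSCAL SSP JSON layout. Field names are an
# assumption here; validate real documents against NIST's published OSCAL schemas.
SAMPLE_SSP_JSON = json.dumps({
    "system-security-plan": {
        "uuid": "00000000-0000-4000-8000-000000000001",  # placeholder UUID
        "control-implementation": {
            "description": "Constructed example, not a real system.",
            "implemented-requirements": [
                {"uuid": "00000000-0000-4000-8000-000000000010", "control-id": "ac-2",
                 "by-components": [{"component-uuid": "00000000-0000-4000-8000-0000000000a0",
                                    "uuid": "00000000-0000-4000-8000-000000000011",
                                    "description": "Accounts are provisioned and revoked via the IdP.",
                                    "implementation-status": {"state": "implemented"}}]},
                {"uuid": "00000000-0000-4000-8000-000000000020", "control-id": "ac-3",
                 "by-components": [{"component-uuid": "00000000-0000-4000-8000-0000000000a0",
                                    "uuid": "00000000-0000-4000-8000-000000000021",
                                    "description": "",          # statement never written
                                    "implementation-status": {"state": "partial"}}]},
                {"uuid": "00000000-0000-4000-8000-000000000030", "control-id": "ia-2",
                 "by-components": [{"component-uuid": "00000000-0000-4000-8000-0000000000a0",
                                    "uuid": "00000000-0000-4000-8000-000000000031",
                                    "description": "MFA rollout scheduled for next quarter.",
                                    "implementation-status": {"state": "planned"}}]},
                {"uuid": "00000000-0000-4000-8000-000000000040", "control-id": "sc-7",
                 "by-components": [{"component-uuid": "00000000-0000-4000-8000-0000000000a0",
                                    "uuid": "00000000-0000-4000-8000-000000000041",
                                    "description": "Boundary enforced by the VPC firewall.",
                                    "implementation-status": {"state": "implemented"}}]},
            ],
        },
    }
})

# Constructed baseline: the control ids the authorizing official expects to see addressed.
BASELINE_CONTROLS = frozenset({"ac-2", "ac-3", "au-2", "ia-2"})


def load_requirements(ssp_json: str) -> dict:
    """Return {control-id: [by-component entries]} from an SSP document."""
    ssp = json.loads(ssp_json)["system-security-plan"]
    reqs = ssp.get("control-implementation", {}).get("implemented-requirements", [])
    return {r["control-id"]: r.get("by-components", []) for r in reqs}


def assess(ssp_json: str, baseline: frozenset) -> dict:
    """Compare the SSP's control coverage with the baseline and return findings."""
    reqs = load_requirements(ssp_json)
    findings = {"implemented": [], "incomplete": {}, "missing": [],
                "undocumented": [], "out_of_baseline": []}
    for cid in sorted(baseline):
        comps = reqs.get(cid)
        if comps is None:                      # control not mentioned at all
            findings["missing"].append(cid)
            continue
        # A control with no component entry, or an empty narrative, is unreviewable.
        if not comps or not all(c.get("description", "").strip() for c in comps):
            findings["undocumented"].append(cid)
        states = {c.get("implementation-status", {}).get("state", "unknown") for c in comps}
        if states == {"implemented"}:
            findings["implemented"].append(cid)
        else:                                  # partial, planned, unknown, ...
            findings["incomplete"][cid] = sorted(states)
    # Controls documented but not required by this baseline (worth a second look).
    findings["out_of_baseline"] = sorted(set(reqs) - baseline)
    return findings


def ato_ready(findings: dict) -> bool:
    """True only when every baseline control is implemented and documented."""
    return not (findings["missing"] or findings["incomplete"] or findings["undocumented"])


if __name__ == "__main__":
    result = assess(SAMPLE_SSP_JSON, BASELINE_CONTROLS)
    print(json.dumps(result, indent=2))
    print("ATO-ready:", ato_ready(result))
```

Because the same check runs identically against any SSP in the format, two agencies authorizing the same product can compare findings directly instead of re-reading each other's paperwork.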
Conclusion
Federal compliance processes are ripe for innovation. The current system is costly and perpetuates risk while trying to control for it. The Plan of Action detailed above creates a cross-agency collaborative environment that will spur localized innovations which can be tested and perfected before scaling government-wide.
Enabling Federal Agencies to Tackle Complex Problems with the Help of Makers-In-Residence
Summary
Across the U.S., there are approximately 2,000 makerspaces and Fab Labs where makers with a broad and diverse set of skills have developed innovative approaches to solving pressing problems in their communities. The next administration should implement a Maker-In-Residence (MIR) fellowship program that allows federal agencies to leverage the incredible skills and knowledge of the American maker community to address complex problems specific to their missions.
Implementation of the MIR fellowship program would enable American makers and innovators to:
- Contribute their knowledge and unique and diverse skill sets to fulfilling the missions of federal agencies while learning first-hand about federal policy and the policymaking process
- Utilize their learnings to solve complex societal problems and affect policy change in their local communities.
Building Thriving Local Economies by Leveraging the Maker Movement to Close the Skills Gap
Summary
The Federal Government should further invest in, support and scale four existing approaches to building local skills and vibrant, self-sufficient local economies by coupling localities’ needs with workforce development and small-scale manufacturing. This is achieved by scaling local programs and initiatives which harness the Maker Movement, a community-driven, grassroots effort to enable people to design, prototype and manufacture projects, solutions and products.
Specifically, the Federal Government should:
- Leverage makerspaces and Fab Labs as local sites for preparing the current and future workforce through real-world maker-centered learning and Employer Validated Training Programs.
- Build the “MakerNet” to connect employers with skilled talent.
- Cultivate makerspaces as engines for small businesses.
- Launch FabCity America to challenge cities to make what they consume.
By harnessing early successes from across the country, these policy solutions can rapidly stand up localized programs to immediately support more American communities grappling with skills shortages. This need is exponentially more critical in the face of COVID-19, as 80% of U.S. manufacturers have articulated that their business will be financially affected by the pandemic and 53% require a change of operations, including the increased use of automation technologies.
Advancing Astrobiology: The Search for Signs of Life Elsewhere in the Universe
Summary
NASA should invest in a comprehensive program to answer one of humanity’s biggest questions: “Are we alone?”
The United States has the scientific and technological prowess to find possible evidence of past or present life in our solar system. Over the last decade, the space science community has discovered Earth-like planets around other stars. The United States has launched Mars 2020—its first astrobiology mission to Mars. The Perseverance Rover will seek signs of ancient life and is part of the initial Mars Sample Return campaign. And, in the coming decade, we are poised for exponential growth in the technology, planetary science, and astrophysics components of the search for life.
Establishing a formal Astrobiology Program Office at NASA would better elevate, coordinate, and guide what could be the agency’s most important mission. Notably, there are currently no NASA programs on astrobiology that integrate across the Astrophysics and Planetary Science divisions in NASA’s Science Mission Directorate along with the technology investments of NASA’s Space Technology Mission Directorate. NASA has no astrobiology czar.
Astrobiology is a relatively modern scientific field of study that has been enabled by a suite of robotic space missions and next-generation telescopes. We now have the potential to reveal new insights into the fundamental nature of life across the universe and our own planet.
Transition Document for the United States Patent and Trademark Office
Summary
This transition document provides over 25 actionable recommendations on the future of the United States Patent and Trademark Office (USPTO), in order to support future federal leadership and enable their success. The document is the result of collaboration between the Day One Project and a group of veteran policymakers who convened virtually to produce recommendations related to the following three categories:
- Identifying specific policy and governance ideas that can be pursued in the first days and months of the next administration.
- Gathering “lessons learned” from those who have previously served in government to learn from past challenges and better inform future initiatives.
- Understanding key science and technology staffing and “talent” needs, and related challenges for the USPTO that can be addressed in the next administration.
The document also includes a cover memo which highlights some of the overarching key considerations for the future of the USPTO.
Contributors
- Margo A. Bagley
- Sharon Barner
- Brian Cassidy
- Colleen V. Chien
- Mark Allen Cohen
- Ayala Deutsch
- Ben Haber
- Philip G. Hampton
- Justin Hughes
- David J. Kappos
- Quentin Palfrey
- Arti K. Rai
- Teresa Stanek Rea
- Robert L. Stoll
- A. Christal Sheppard
- Saurabh Vishnubhakat
- Stephen Yelderman
Creating a Digital Work Projects Administration
Summary
To address the massive unemployment caused by the COVID-19 pandemic, the Biden-Harris administration should establish a Digital Work Projects Administration (D-WPA), creating government-funded jobs that people can perform from their own homes or other safe locations. Inspired by the Depression-era Work Projects Administration, or WPA, the modern D-WPA would put millions of unemployed Americans to work serving the public good and speeding the country’s economic recovery.
In the D-WPA, work will be digital instead of physical. Digital tools allow many jobs to be done from anywhere good internet access is available. D-WPA participants could work safely and effectively no matter how long the pandemic limits in-person employment. Working remotely, D-WPA participants could help combat the COVID-19 pandemic and mitigate its economic and societal impacts. At the same time, participants would learn, practice, and improve digital skills of increasing value in the modern workforce.
The D-WPA should be established within the Department of Labor, with sufficient funding to put up to 4 million Americans back to work quickly and safely. Funds for this program should be requested in the next COVID-19 recovery package. In the meantime, existing DOL employment and training programs could be used to support an initial cohort of workers for the D-WPA, demonstrating proof of concept while efforts are underway to secure full funding. The D-WPA should create both public- and private-sector positions supporting the national response to the pandemic’s health and economic impacts.
Democratizing Police Adoption of Surveillance Technology
Summary
The next administration should help local communities reassert control over police use of surveillance technology. It should support legislation requiring that the use of all federally-funded surveillance technology be approved by local elected representatives through a public process, and that this use be constrained by a formal policy delineating the situations in which it will be used, how the data it generates will be handled and secured, and how its effectiveness will be evaluated. If new legislation is not forthcoming, then the next administration should empower local initiatives through a pledge program in which leading local law enforcement authorities voluntarily agree to take these steps.
Today local law enforcement agencies obtain cutting edge — and potentially intrusive — surveillance equipment without the knowledge of elected leaders and the general public, sometimes leading to a rejection of the technology once the public discovers it. In Oakland, for example, following a council review that lasted only two minutes, the city created a data integration center that networked together all of its existing surveillance infrastructure. Once the public learned of the center, protests broke out and council meetings were flooded with angry residents. The backlash was so severe that the city ultimately largely gutted the center, even though millions in federal funding had already been spent on its development.
Federal funding is a major driver of uninformed and undemocratic adoption of surveillance technology at the local level. The Federal Government funds billions of dollars in grants to local law enforcement agencies, money that can then be used to purchase surveillance equipment. But the government does not take steps to ensure that local elected representatives and members of the public are involved in decisions about what technologies are acquired, or that protocols are developed to constrain how the technologies are used.
The Federal Government has a responsibility to intercede to make sure that local elected representatives are aware of and have control over how federally-funded surveillance equipment is used in their communities. Transparency is particularly important for surveillance technology because this equipment is often invisible. People cannot challenge deployment of surveillance technology in court or through public processes if they do not know about it. Moreover, surveillance technologies can be invasive, with potentially harmful effects on civil rights and liberties. Particularly given today’s high level of concern over policing practices, the Federal Government should not be undermining the ability of local communities to assert democratic control over their police departments.
Some cities and counties have passed ordinances requiring that their law enforcement agencies seek approval to deploy surveillance technology, demonstrating the feasibility and desirability of such measures. But with some 18,000 law enforcement agencies nationwide, only the Federal Government can implement a solution at scale.
Privacy Laws Should Help, Not Harm, Criminal-Justice Reform
Summary
American society urgently needs to address structural disparities in the criminal-justice system. One important disparity—which is both easily mitigated and generally unrecognized—is the asymmetry of information access granted to prosecutors and defendants. Prosecutors can easily access digital records that establish guilt. But defendants are far less empowered to access digital records that prove innocence.
Privacy laws are a key source of this disparity. The Stored Communications Act (SCA), for instance, permits law enforcement—but not defense investigators—to access certain evidence from Internet companies. Fortunately, there are two straightforward policy solutions to this problem. First, new federal privacy legislation should include language requiring symmetric information access for defendants. Second, the Department of Justice should adopt a new interpretation of the SCA to protect fairness in criminal proceedings.
Re-architecting Our National Security Space Strategy
Summary
The current Administration has adopted a high-profile approach to space issues. It established a National Space Council, chaired by the Vice President and including various senior members of the Executive Branch. The Council authored multiple Space Policy Directives for Presidential signature on a variety of topics—NASA’s exploration efforts, bolstering the commercial space sector through regulatory streamlining, space traffic management, and the establishment of a Space Force. These efforts were individually laudable but lacked the cohesion of a grand strategy for envisioning America’s future in space.
Several cases illustrate this point:
- A proposal to return to the Moon by 2024 electrified the imagination of many, but if the only acceptable path to success lies through such inordinately expensive and perennially delayed projects as the Space Launch System or Orion crew vehicle, how could such a challenging schedule goal conceivably be met?
- An ever-increasing population of orbital debris threatens commercial, civil, and defense spacecraft alike, yet the obvious agency choice for dealing with the issue—the Federal Aviation Administration—was passed over in favor of the Commerce Department’s Office of Space Commerce, which has little experience or historical association with the problem.
- While a space-focused arm of the Defense Department can act as an advocate and steward for critical national space priorities, the new U.S. Space Force has focused almost exclusively on operations and protection of legacy satellites and systems at the expense of fielding a new, more resilient space architecture.
Rethinking Payment for Prevention in Healthcare
Summary
Prevention plays a crucial and underappreciated role in our health system. To improve health outcomes and bring down costs, it will be important to establish a better balance between preventive measures and drug treatments. The next administration should provide incentives to healthcare providers that scale up—and reduce the costs of delivering—preventive interventions with demonstrated efficacy. Currently, the U.S. Department of Health and Human Services (HHS) sets broad standards regarding managed care contracts. But states have considerable latitude. States can set income eligibility criteria, define services, and set alternative payment methods with Managed Care Organizations (MCOs). And in just the last few decades, Medicaid programs have been almost fully privatized: MCOs now cover over 85% of the Medicaid population. Because of the existing patchwork of insurance programs and state rules, it is important that regulations set minimum national standards to ensure that health care is accessible and affordable for those who need it the most. Particularly important to this effort are non-distortionary prices and reimbursement policies.
For a few decades, policymakers have, with bi-partisan consensus, moved away from a fee-for-service (FFS) system whereby providers are paid for service delivery and toward capitation and pay for performance (p4p) models. While these models offer significant improvements over FFS models, each involves risks of incentivizing non-optimal care and expenditures if they are not structured carefully. When paying capitation rates, bonuses adjusting for population risk alone should be avoided as this incentivizes an increase in diagnoses without necessarily improving care. Either all health care payments should be p4p, or a p4p component should be added to the capitation base. Pharmacological interventions should also be included in the overall provider reimbursement structure to align reimbursement incentives with health outcomes. Healthcare providers will then determine the right mix of services. Furthermore, while p4p is generally a good idea (i.e., hospitals and MCOs are rewarded for decreasing the number of avoidable hospital readmissions), if this metric is not applied homogeneously across all services, this payment structure significantly hampers the provision of preventive services.
Eliminating Cookie Click-Thrus: A Strategy for Enhancing Digital Privacy
Summary
Everyone hates cookie notifications, click-thrus, and pop-ups. While cookies give the web more functionality, their excessive use and the attendant consent system can interfere with user experience and raise serious privacy concerns. The next administration should commit to finally resolving these and related issues by creating a digital privacy task force within the White House Office of Science and Technology Policy (OSTP). The task force would coordinate relevant agencies—including the Federal Trade Commission, Federal Communications Commission, and Department of Commerce—in working with Congress, state actors, and European Union partners to develop meaningful data-privacy protections.