healthcarereimagined

On August 4, 2022, Secretary Del Toro released a Strategic Intent for Cyber Ready memorandum that provides guidance for transforming the Department of the Navy’s approach to cybersecurity by pivoting from a compliance mindset to a dynamic model rooted in the philosophy of readiness and currency. This shift to a preemptive and active Cyber Ready state builds on the DON’s Information Superiority Vision, and will improve the DON’s cyber defenses while also speeding the process of acquiring cyber secure systems.

Cyber Ready is a continuous state of cybersecurity awareness, where the right to operate is earned and managed every day. A Cyber Ready posture ensures secure delivery of information into the right hands at the right time, through the acquisition and deployment of systems that are designed to be cyber secure.

To transition from the current compliance-based approach for cybersecurity to Cyber Ready, DON will pursue the following seven lines of effort (LOEs):

1. Cyber Metrics: Measure cybersecurity holistically with a risk and readiness Zero Trust mindset. 
   
2. Build on Risk Management Framework (RMF) Reform. Accelerate the Authority to Operate (ATO) process with automation and leverage inheritance models to reduce the allocated control sets that programs are responsible and accountable for.
   
3. Cyber Currency: Move to an ongoing ATO that is maintained through Cyber Currency.
   
4. Adversarial Assessment. Adopt a “trust but always verify” mindset (leverage automated penetration testing, audits, and data from continuous monitoring).
   
5. Data Analytics: Democratize insight by providing visibility into the Cyber Ready posture to those who need to know the risks they are assuming.  
   
6. Acquisition Changes: Provide programs the tools to develop systems that are “born” Cyber Ready and remain ready through Cyber Currency.
   
7. Workforce: Deliver ongoing training to keep the acquisition and cyber workforce informed on the current processes and tools. 

Within 30-days of this memo, the DON Chief Information Officer (CIO), Deputy Assistant Secretary of the Navy for Information Warfare and Enterprise Services, and DON Deputy CIOs for both the Navy and Marine Corps will appoint leads and supporting organizations for each of the LOEs.

Read Strategic Intent for Cyber Ready.

TAGS: CISO: Cybersecurity, Cybersecurity, IA, InfoSharing, Strategy, Workforce

Related Policy

Strategic Intent for Cyber Ready

DON Migration to Windows 11 Operating System

DON Cybersecurity Manual

DON Best Practices for Public Use of Wi-Fi

DON RMF Reciprocity 

View More

Related News

Stronger Industry Engagement Needed to Bolster Cybersecurity

The DON CIO is on LinkedIn

DON Migration to Windows 11 Operating System Must Occur Prior to Oct. 2025

CNO Releases Navigation Plan 2022

Missed the 2022 DON IT East Conference?

View More

Related CHIPS Magazine

How U.S. Cyber Command, NSA Are Defending Midterm Elections: One Team, One Fight

SECNAV Visits FNMOC

CHIPS Act Advances DoD’s Emphasis on Microelectronics

CISA Releases New Insight on Preparing Critical Infrastructure for the Transition to Post-quantum Cryptography

Partnership in Action: Croatian, U.S. Cyber Defenders Hunting for Malicious Actors

View More

Related Resources

Chief of Naval Operations Navigation Plan 2022 

Featured Articles: July – Sept. 2022

PII Breach Reporting Resources 

Featured Articles: April-June 2022

DON CIO FY 22 Campaign Plan

View More

By CHRIS RIOTTAJULY 29, 2022

The cyber scores were unreliable due to incomplete data, witnesses told lawmakers.

Two things can be true about the 14th Federal Information Technology Acquisition Reform Act (FITARA) scorecard at the same time: Many federal agencies are struggling to achieve their IT goals, and the removal of certain methodologies and a lack of available data impacted scores. 

The House Oversight Committee discussed the latest scores on Thursday morning as grades were released for the 24 agencies featured in the biannual scorecard tracking progress on IT modernization efforts and federal cyber priorities. Only one agency earned an overall “A” grade, as eleven agencies received a “C+” score and seven landed in the “B” range. Eight agencies saw their scores decrease, while 15 remained unchanged. 

Chief information officers testified the vast majority of agencies suffered low or failing marks in the cyber category in part due to a lack of available data for cybersecurity cross-agency priority goals. The latest scorecard relied on incomplete data from inspector general reports as the Office of Management Budget has failed to track the metrics since the previous White House administration.

“I want to be real clear: The issue isn’t the scorecard, the issue is the data provided in order to have a score,” Rep. Gerry Connolly (D-Va.), chairman of the Subcommittee on Government Operations and an original co-sponsor of the FITARA legislation, said at the hearing. “One of the consequences, unfortunately, for the lack of data from OMB was that we had to rely only on the IG data, which is not complete.”

“As a result, every agency took a hit in the score,” he added. “But it wasn’t because there was a flaw in the design of the scorecard – it was because of a lack of compliance with the data.”

Government Accountability Office Director of IT and Cybersecurity Carol Harris agreed with those remarks and noted that the rest of the scorecard reflected an accurate representation of how agencies were progressing across categories like transparency and risk management, agency CIO authority enhancements, modernizing government technology, the transition off Networx and portfolio review savings.

Related articles

FITARA 14 sees just one overall A and stagnant grades

“I think that the challenge in this particular iteration is with cyber, because there is only one metric available for us to utilize,” she said. “I do believe that is not an accurate reflection of where agencies are at with cyber.”

Defense Department CIO John Sherman defended his agency after it received one of the lowest marks out of the entire scorecard, telling the committee: “We are better than the D+ we have on this scorecard.”

Defense earned “D” scores for its agency CIO authority enhancements and portfolio review savings, and was the only agency to receive an incomplete mark for the cyber category.

OMB “acknowledged mistakes” and agreed to work with the committee, Connolly said, hinting at a September hearing featuring the agency’s CIO to establish deadlines and ensure committee staff had the necessary data for the next iteration of the scorecard.

Harris and the panel of CIOs also offered recommendations for the next iteration of the scorecard throughout the hearing, including adding categories to track progress on the transition away from legacy systems. The committee also detailed a new data center consolidation methodology after previously announcing plans to sunset the Data Center Optimization Initiative methodology.

“It is time to shift this metric to make it more focused and relevant,” Connolly said. “While all agencies achieved their self-determined federal data center closures, a small handful of agencies have yet to complete their planned closures—even though we are rapidly closing in on the already twice extended consolidation reporting requirement date.”

The chairman added that the goal of the new metric is to “ensure agencies think strategically about their costly data center use” and “incentivize the closure of underutilized data centers.”

The committee has credited the scorecard with saving taxpayers an estimated $24 billion since it was first released in November 2015, helping agencies reduce wasteful spending while tracking progress and providing accountability on government-wide IT performance and cyber posture.

Article link: https://www.nextgov.com/cxo-briefing/2022/07/lawmakers-float-fitara-changes-after-scores-dragged-down-missing-data/375119/

August 4, 2022

Alison N. Huffstetler, MD¹; John Epling, MD, MSEd²; Alex H. Krist, MD, MPH^1,3

Author Affiliations Article Information

JAMA. 2022;328(8):707-708. doi:10.1001/jama.2022.13391

n its report Implementing High-Quality Primary Care, the National Academies of Sciences, Engineering, and Medicine called for “designing information technology that better serves the patient, family, and interprofessional care teams.”¹ The report recommended that digital health systems should be person-centered, ensure equitable access and use, and simplify the user experience, and called for vendors to be held accountable for whether their systems achieve these goals. The need for person-centered, simplified experience in digital health crosses several domains, including delivery of preventive services. Historically, digital health platforms have implemented strategies to improve some preventive health domains such as cancer screening but have not comprehensively addressed preventive services of behavioral and social needs.

To accomplish digital health goals, it is essential to adhere to several of the key principles outlined in the report. First, digital health systems need to make it easy for clinicians to deliver national guidelines and quality recommendations. While there is debate on some guidelines and quality goals, for most, there is clear agreement on what standard care should be. Digital health systems need to have these guidelines and goals embedded as standard functionality and not require local tailoring and configuration. Second, digital health systems need to make information actionable for clinicians and patients. This can occur through automated delivery of screening instruments to patients before office visits, built-in scoring of screening instruments, alerts and reminders for patients and clinicians when care is needed, and educational material to engage and activate patients.²Third, digital health systems need to be easy to use; they should be intuitive for users, easily accessible, and not require complex workflows to enter and retrieve data.

Electronic health records (EHRs) and their associated patient portals are the foundation of the digital health environment. EHRs are a powerful tool for clinicians to access patient information, document and order care, and be alerted of recommended services, including behavioral preventive health services, such as for depression, intimate partner violence, and unhealthy alcohol use. The EHR has become such an essential tool for care that much of a clinician’s patient care time is spent working in the EHR, accounting for more time than spent face to face with the patient.³ Fundamentally, this means that the content in the EHR and how it is presented to clinicians can change how clinicians care for their patients, positively or negatively. Screening for preventable conditions is necessary for high-quality care; however, behavioral and mental health screenings are less commonly addressed during clinical encounters and are underresourced in the EHR.⁴

A national quality improvement initiative to improve primary care management of unhealthy alcohol use highlights some essential changes needed from EHRs to meet the National Academies’ digital health recommendation. In this initiative, the Agency for Healthcare Research and Quality funded 6 primary care networks to provide practice facilitation for 125 practices to improve screening and counseling for unhealthy alcohol use.⁵ Unhealthy alcohol use is an important cause of preventable death. Screening and counseling are recommended by the US Preventive Services Task Force (USPSTF), are easily delivered in primary care, and have demonstrated improvements in health outcomes but are sorely underdelivered in routine practice.⁴

To date, practice facilitation has been provided to 67 practices. This included assembling practice champions to review and assess their current workflow, identification of EHR resources for delivering care, and development of a workflow to better support recommended care. Of the 67 practices, 40 had 3 versions of a large, widely distributed EHR administered by their health system. The 3 versions of this EHR had 6 different pathways to document alcohol use, using 4 different screening questionnaires, only 1 of which was recommended by the USPSTF.

No health system’s EHR scored the responses, had an alert to show the patient was due for screening, or had a feasible way for informatics staff to automate sending the screener to patients outside of a visit. In these EHRs, between 2 and 8 clicks were needed for clinical staff to administer the screening when the patient arrived for a visit and another 2 to 8 clicks were needed for the clinicians to review the information. In 1 health system, the electronic workflow was so cumbersome, taking nearly 12 clicks to administer and 12 to review, that the system implemented a paper system to deliver the service.^6,7

These examples highlight the lack of alignment between standard EHR functionality and evidence-based care. Most health systems have had to improve EHR pathways through substantial tailoring after the baseline EHR was implemented. Local tailoring is valuable and necessary for meeting the needs of communities and practices; the balance of standardization and tailoring is ambitious and critical. However, tailoring must begin from an evidence-based, guideline-driven foundation that is easily accessible. No health system would intentionally customize their EHR by requiring multiple clicks to reach a recommended screening instrument. Customization should not be required to make widely accepted, evidence-based guidelines usable by clinicians. Further, standard EHR functionality should include patient-oriented screening, ideally allowing for patients to complete screening prior to their visit, make the results easily visible to the clinician, and, importantly, score and identify the results as abnormal if indicated. This should be accomplished with a minimal amount of user effort and few clicks.

The EHR also should have programmed alerts that are automatically satisfied by patient completion and clinician review. Standard functions should include a registry to identify noncompleted screenings and to track patients who screen positive. Customization should not be required for essential functionality but should be allowed for more specific choices, eg, decisions on which recommended screening instruments to use and which educational material or local resources and programs to include. In several large EHRs, immunization alerts and smoking status reminders have been optimized to ensure quick access and ease of completion.⁸ Cancer screening alerts, such as for colon cancer, and automated completion are standard in most EHRs, but because of the complex nature of behavioral health recommendations EHRs are often inadequately structured to provide support for patient completion and improvement of patient outcomes.⁹

EHR vendors and hospital systems have worked to improve the digital health interface over the past decade. Many of the basic principles for better serving patients, families, and interprofessional care teams have been operationalized for more conventional biomedical services such as procedures and laboratory results. However, the experience with EHR-based alcohol screening highlights a large gap in EHR functionality for health behaviors, mental health, and social needs. Health behaviors, mental health, and social needs contribute more to health and well-being than conventional biomedical services,¹⁰ but clinician influence on these issues can be challenging because of inadequate identification through screening, lack of resources, and social stigma. The challenge for digital health is to account for the several components of behavioral health interventions. These preventive services are multistep processes that include screening for risks and then addressing identified needs through counseling or referral to services. The EHR must mirror the multistep process and adapt as patient data are entered to provide counseling and referral support as at-risk individuals are identified, thereby ensuring the intervention is fully delivered. Use of these tools should autosatisfy full completion of the preventive service. Behavioral health and preventive services affected by social determinants should take priority in EHR redesign. Some health systems have made great strides to customize the EHR to address social needs, but these innovations are not standard across systems.

Admittedly, addressing EHR usability and interoperability across vendors is difficult. The US Office of the National Coordinator for Healthcare Information Technology (ONC) has been assisted in this effort by the passage of the 21st Century Cures Act, which includes requirements for usability and interoperability reporting by EHR vendors. But much more can be done. The ONC current EHR certification process, currently voluntary, could be made mandatory. There could be further requirements developed as part of this certification for better standard implementation of preventive service reminders and management tools. EHR companies would then compete, not on availability of what should be basic functionality, but on usability details and client service.

A refocus is needed in digital health to a move away from best business practices that help EHR vendors and health systems and move toward best health-related practice, including delivery of behavioral health preventive services, that improves care for patients and makes work easier for clinicians.

Article Information

Corresponding Author: Alison N. Huffstetler, MD, Department of Family Medicine and Population Health, Virginia Commonwealth University, One Capitol Square, 830 E Main St, Room 637, Richmond, VA 23219 (alison.huffstetler@vcuhealth.org).

Published Online: August 4, 2022. doi:10.1001/jama.2022.13391

Conflict of Interest Disclosures: None reported.

Funding/Support: This work was funded by grant 1R18HS027077-01 from the Agency for Healthcare Research and Quality (Dr Huffstetler).

Role of the Funder/Sponsor: The Agency for Healthcare Research and Quality had no role in the preparation, review, or approval of the manuscript and decision to submit the manuscript for publication.

Additional Information: Dr Epling was a member of the US Preventive Services Task Force (USPSTF) from 2016-2020; Dr Krist was a member of the USPSTF from 2014-2019 and served as chair from 2020-2021.

References

1. National Academies of Sciences, Engineering, and Medicine. Implementing High-Quality Primary Care: Rebuilding the Foundation of Health Care. Published 2021. Accessed July 29, 2022. https://www.nationalacademies.org/our-work/implementing-high-quality-primary-care

2. Krist AH, Woolf SH. A vision for patient-centered health information systems. JAMA. 2011;305(3):300-301. doi:10.1001/jama.2010.2011
ArticlePubMedGoogle ScholarCrossref

3. Young RA, Burge SK, Kumar KA, Wilson JM, Ortiz DF. A time-motion study of primary care physicians’ work in the electronic health record era. Fam Med. 2018;50(2):91-99. doi:10.22454/FamMed.2018.184803PubMedGoogle ScholarCrossref

4. US Preventive Services Task Force. Screening and behavioral counseling interventions to reduce unhealthy alcohol use in adolescents and adults: US Preventive Services Task Force recommendation statement. JAMA. 2018;320(18):1899-1909. doi:10.1001/jama.2018.16789
ArticlePubMedGoogle ScholarCrossref

5. EvidenceNow: managing unhealthy alcohol use. Agency for Healthcare Research and Quality. Published March 2021. Accessed July 29, 2022. https://www.ahrq.gov/evidencenow/projects/alcohol/index.html

6. Huffstetler AN, Kuzel AJ, Sabo RT, et al. Practice facilitation to promote evidence-based screening and management of unhealthy alcohol use in primary care: a practice-level randomized controlled trial. BMC Fam Pract. 2020;21(1):93. doi:10.1186/s12875-020-01147-4PubMedGoogle ScholarCrossref

7. Unhealthy alcohol use: preliminary results. Virginia Commonwealth University Department of Family Medicine and Population Health. Accessed July 14, 2022. https://uauvirginia.squarespace.com/preliminary-results

8. Willis VC, Thomas Craig KJ, Jabbarpour Y, et al. Digital health interventions to enhance prevention in primary care: scoping review. JMIR Med Inform. 2022;10(1):e33518. doi:10.2196/33518PubMedGoogle ScholarCrossref

9. Guiriguet C, Muñoz-Ortiz L, Burón A, et al. Alerts in electronic medical records to promote a colorectal cancer screening programme: a cluster randomised controlled trial in primary care. Br J Gen Pract. 2016;66(648):e483-e490. doi:10.3399/bjgp16X685657PubMedGoogle ScholarCrossref

10. Braveman P, Gottlieb L. The social determinants of health: it’s time to consider the causes of the causes. Public Health Rep. 2014;129(suppl 2):19-31. doi:10.1177/00333549141291S206PubMedGoogle ScholarCrossref

Article link: https://jamanetwork.com/journals/jama/fullarticle/2795185?

By Jaspreet Gill and Andrew Eversden on August 24, 2022 at 2:16 PM

WASHINGTON and ABERDEEN PROVING GROUND, Md. — The US Army has launched a portfolio review of its entire network modernization portfolio and is looking to place “big bets” on future battlefield network technologies, the service’s No. 2 official said this week.

“It’s too early to kind of draw any conclusions,” Undersecretary of the Army Gabe Camarillo told reporters on Tuesday at Aberdeen Proving Ground. “So we’re kind of in the middle of it right now. 

“But the goal is to rationalize our investment and the requirements that we have in all of these areas, from enterprise all the way to the tactical edge. And I think if I would characterize it, the focus is on building foundational investments that are going to enable the Army to be part of the joint force and to do everything that we have to do as part of our national defense strategy.”

For several years, the Army has been working to modernize its network to be more secure and resilient as the service shifts to Multi-Domain Operations and contributes to the Pentagon’s Joint All-Domain Command and Control initiative. Network modernization is among the service’s six modernization priorities.

Camarillo did not go into depth during his comments Tuesday, during a visit to Aberdeen Proving Ground. But speaking Wednesday at a Potomac Officer’s Club event, he added that the portfolio review, which will end in the fall, will focus on four areas: network operations; cloud adoption; the transport layer, which includes tactical radios and satellite communications; and the common operating environment. The review is being led by the service’s chief information officer and G-6.  

RELATED: Army Official Predicts ‘Much More Rapid Movement’ To The Cloud Over The Next Year

“Some of the questions that we’re examining as part of the reviews include, for instance, how do we implement a hybrid and multi-cloud approach combining…private and public sector cloud computing resources to meet Army security and resilience requirements, while at the same time promoting competition among different teams?” Camarillo said.

“How do we assist our migration across the enterprise by resourcing those common services that are required to do migration activities that are absolutely essential?” he continued. “How do we work with the private sector and other agencies to develop a strategy for migrating to the cloud and deliver the developing requirements that deliver the best value and effectiveness to the Army?”

The review was prompted by the several different Program Evaluation Groups, or PEGS, in the service, which is how the Army segments its budgets, Camarillo told reporters during the Potomac Officers Club event. But the goal isn’t to reallocate funding lines within the budget or realign organization responsibilities. 

Instead, Camarillo said he hopes the review will allow the service to identify areas where it can invest in next-generation requirements and make sure the service is accelerating its efforts appropriately.

“I think what we are trying to do is look at our current requirements for many of those capabilities,” he said. “And to the extent that there is duplication, or if there are opportunities to perhaps streamline and accelerate the requirements development process so that we can get to the next-generation leap ahead, that’s what we’re looking at.” 

During his trip of Aberdeen, Camarillo received demonstrations of the network modernization work underway by the Network Cross-Functional Team, Program Executive Office for Command, Control, Communication-Tactical and PEO Intelligence, Electronic Warfare and Sensors. Camarillo told reporters that during his visit he was pushing the network team at Aberdeen to focus on future requirements and network needs.

“I’ve challenged the team here today: What can we do in terms of looking at next generation requirements? You know, big bets, whether it’s in the transport layer, all of our tactical radios, what do we need to do to get the next generation of evolution,” Camarillo told reporters before departing the installation.

Those big bets, according to a fact sheet, include increasing network resiliency, securing data, unified network operations, weaving together a data fabric and completing the service’s C5ISR Modular Suite of Standards program, a platform that will allow soldiers to plug in cards embedded with networking and electronic warfare capabilities.

IT acquisition, however, has always been a pain point for the Department of Defense and the services are always looking to find ways to speed up IT buys. To achieve the big bets, Brig. Gen. Jeth Rey, director of the Network Cross-Functional Team, told reporters Tuesday that the service needs to continue to explore new ways that acquisition process can be sped up — an area where Army senior leaders could help.

“We all have to come back to the under after today’s engagement with him: is there something we can do differently to acquire IT equipment in the processes that we currently have,” Rey said. “In the acquisition process, is there something that he can help with to put that particular technology into the hands of the user, a little bit faster? So I think we owe a ‘come back’ to him on what part of the process needs to be adjusted, or something new introduced.”

Article link: https://breakingdefense-com.cdn.ampproject.org/c/s/breakingdefense.com/2022/08/army-undersecretary-reviewing-network-modernization-portfolio-wants-big-bets/amp/

By ANNE TOOMEY MCKENNA The ConversationAUGUST 24, 2022 10:22 AM ET

The American Data and Privacy Protection Act appears to be major bipartisan privacy legislation

Data privacy in the U.S. is, in many ways, a legal void. While there are limited protections for health and financial data, the cradle of the world’s largest tech companies, like Apple, Amazon, Google, and Meta (Facebook), lacks any comprehensive federal data privacy law. This leaves U.S. citizens with minimal data privacy protections compared with citizens of other nations. But that may be about to change.

With rare bipartisan support, the American Data and Privacy Protection Act moved out of the U.S. House of Representatives Committee on Energy and Commerce by a vote of 53-2 on July 20, 2022. The bill still needs to pass the full House and the Senate, and negotiations are ongoing. Given the Biden administration’s responsible data practices strategy, White House support is likely if a version of the bill passes.

As a legal scholar and attorney who studies and practices technology and data privacy law, I’ve been closely following the act, known as ADPPA. If passed, it will fundamentally alter U.S. data privacy law.

ADPPA fills the data privacy void, builds in federal preemption over some state data privacy laws, allows individuals to file suit over violations and substantially changes data privacy law enforcement. Like all big changes, ADPPA is getting mixed reviews from media, scholars and businesses. But many see the bill as a triumph for U.S. data privacy that provides a needed national standard for data practices.

WHO AND WHAT WILL ADPPA REGULATE?

ADPPA would apply to “covered” entities, meaning any entity collecting, processing or transferring covered data, including nonprofits and sole proprietors. It also regulates cellphone and internet providers and other common carriers, with potentially concerning changes to federal communications regulation. It does not apply to government entities.

ADPPA defines “covered” data as any information or device that identifies or can be reasonably linked to a person. It also protects biometric data, genetic data and geolocation information.

ADPPA would apply to “covered” entities, meaning any entity collecting, processing or transferring covered data, including nonprofits and sole proprietors. It also regulates cellphone and internet providers and other common carriers, with potentially concerning changes to federal communications regulation. It does not apply to government entities.

ADPPA defines “covered” data as any information or device that identifies or can be reasonably linked to a person. It also protects biometric data, genetic data and geolocation information.

The bill excludes three big data categories: deidentified data, employee data and publicly available information. That last category includes social media accounts with privacy settings open to public viewing. While research has repeatedly shown deidentified data can be easily reidentified, the ADPPA attempts to address that by requiring covered entities to take “reasonable technical, administrative, and physical measures to ensure that the information cannot, at any point, be used to re-identify any individual or device.”

HOW ADPPA PROTECTS YOUR DATA

The act would require data collection to be as minimal as possible. The bill allows covered entities to collect, use or share an individual’s data only when reasonably necessary and proportionate to a product or service the person requests or to respond to a communication the person initiates. It allows collection for authentication, security incidents, prevention of illegal activities or serious harm to persons, and compliance with legal obligations.

People would gain rights to access and have some control over their data. ADPPA gives users the right to correct inaccuracies and potentially delete their data held by covered entities.

The bill permits data collection as part of research for public good. It allows data collection for peer-reviewed research or research done in the public interest – for example, testing whether a website is unlawfully discriminating. This is important for researchers who might otherwise run afoul of site terms or hacking laws.

The ADPPA also has a provision that tackles the service-conditioned-on-consent problem– those annoying “I Agree” boxes that force people to accept a jumble of legal terms. When you click one of those boxes, you contractually waive your privacy rights as a condition to simply use a service, visit a website or buy a product. The bill will prevent covered entities from using contract law to get around the bill’s protections.

LOOKING TO FEDERAL ELECTRONIC SURVEILLANCE LAW FOR GUIDANCE

The U.S.’s Electronic Communications Privacy Act can provide federal law makers guidance in finalizing ADPPA. Like the ADPPA, the 1986 ECPA legislation involved a massive overhaul of U.S. electronic privacy law to address adverse effects to individual privacy and civil liberties posed by advancing surveillance and communication technologies. Once again, advances in surveillance and data technologies, such as artificial intelligence, are significantly affecting citizens’ rights.

ECPA, still in effect today, provides a baseline national standard for electronic surveillance protections. ECPA protects communications from interception unless one party to the communication consents. But ECPA does not preempt states from passing more protective laws, so states can choose to provide greater privacy rights. The end result: Roughly a quarter of U.S. states require consent of all parties to intercept a communication, thus providing their citizens increased privacy rights.

ECPA’s federal/state balance has worked for decades now, and ECPA has not overwhelmed the courts or destroyed commerce.

NATIONAL PREEMPTION

As drafted, ADPPA preempts some state data privacy legislation. This affects California’s Consumer Privacy Act, although it does not preempt the Illinois Biometric Information Privacy Act or state laws specifically regulating facial recognition technology. The preemption provisions, however, are in flux as members of the House continue to negotiate the bill.

https://www.youtube.com/embed/S8D7I-FGKOM?wmode=transparent&start=0The federal bill could end up preempting parts of California’s tougher state data privacy law.

ADPPA’s national standards provide uniform compliance requirements, serving economic efficiency; but its preemption of most state laws has some scholars concerned, and California opposes its passage.

If preemption stands, any final version of the ADPPA will be the law of the land, limiting states from more firmly protecting their citizens’ data privacy.

PRIVATE RIGHT OF ACTION AND ENFORCEMENT

ADDPA provides for a private right of action, allowing people to sue covered entities who violate their rights under ADPPA. That gives the bill’s enforcement mechanisms a big boost, although it has significant restrictions.

The U.S. Chamber of Commerce and the tech industry oppose a private right of action, preferring ADPPA enforcement be restricted to the Federal Trade Commission. But the FTC has far less staff and far fewer resources than U.S. trial attorneys do.

ECPA, for comparison, has a private right of action. It has not overwhelmed courts or businesses, and entities likely comply with ECPA to avoid civil litigation. Plus, courts have honed ECPA’s terms, providing clear precedent and understandable compliance guidelines.

HOW BIG ARE THE CHANGES?

The changes to U.S. data privacy law are big, but ADPPA affords much-needed security and data protections to U.S. citizens, and I believe that it is workable with tweaks.

Given how the internet works, data routinely flows across international borders, so many U.S. companies have already built compliance with other nations’ laws into their systems. This includes the E.U.’s General Data Protection Regulation – a law similar to the ADPPA. Facebook, for example, provides E.U. citizens with GDPR’s protections, but it does not give U.S. citizens those protections, because it is not required to do so.

Congress has done little with data privacy, but ADPPA is poised to change that.

Anne Toomey McKenna, Visiting Professor of Law, University of Richmond

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Article link: https://www.nextgov.com/ideas/2022/08/new-us-data-privacy-bill-aims-give-you-more-control-over-information-collected-about-youand-make-businesses-change-how-they-handle-data/376245/

Both vendors and Federal officials said today they want more visibility into the Federal Risk and Authorization Management Program (FedRAMP) process, which certifies the security of cloud technologies for Federal government use and is operated by the General Services Administration (GSA).

During FCW’s FedRAMP Summit today, Lou Giglio, head of Federal government sales at Zoom, explained that from the vendor side, communication with the Federal government in regards to the FedRAMP process can be difficult.

“If the FedRAMP office could provide a primary point of contact to someone who has no more than three to five packages in process at the time, that would sure be helpful,” Giglio recommended. “All the automation in the world is not going to solve for not having that primary POC for that information exchange.”

From the Federal government side, David Catanoso, director of the Enterprise Cloud Solutions Office at the Department of Veterans Affairs (VA) – and who is now responsible for application hosting cloud-native solutions – also agreed more visibility would be beneficial.

“From our side, more visibility into the process in terms of where a particular FedRAMP certification is in the pipeline and how soon we could expect the certification to be in place,” would be helpful, Catanoso said.

“I was talking to a vendor yesterday where we’re trying to use a technology that they’re adding to their product that we already have under contract, but we can’t use these new features until we get the FedRAMP certification,” he explained. “And so we’re trying to plan around that, but it’s kind of an unknown timeline. It’s hard for us to make plans for that. So, that would just be helpful to get more visibility into that.”

Catanoso went on to say that when it comes to the VA’s cloud-related products, one of the criteria the agency uses is whether it is FedRAMP certified or not – which further illustrates the need for visibility into the process.

“If it’s not, it doesn’t mean that we wouldn’t consider a product, but it adds time to the process and we’d have to invest resources either to potentially sponsor a FedRAMP certification or see if another agency is in the process,” he said. “That goes back to my suggestion about getting better visibility to what’s in flight, because that would help us understand where the market’s going to be in six to 12 months from now and help us plan.”

“It’s a complex process, but we try to do our best with market research to kind of be evaluating what’s out there to best serve our veterans,” he added.

Article link: https://www.meritalk.com/articles/federal-experts-want-more-visibility-into-the-fedramp-process/

By AARON BOYDAUGUST 19, 2022

Commissioners are split on whether new regulations—and even the act of gathering information on a proposed new regulation—is the right way forward.

The Federal Trade Commission is considering establishing new rules for how companies collect, secure, use and sell consumers’ data that go beyond asking users to agree to opaque and often misleading terms of service.

On Monday, the commission will post an advanced notice of proposed rulemaking, or ANPR, that outlines current consumer data issues and asks for public feedback on creating new regulations that focus on baseline privacy, data security and corporate accountability rather than user consent.

“Specifically, the commission invites comment on whether it should implement new trade regulation rules or other regulatory alternatives concerning the ways in which companies collect, aggregate, protect, use, analyze, and retain consumer data, as well as transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive,” states the notice set to publish Aug. 22 in the Federal Register.

“Whether they know it or not, most Americans today surrender their personal information to engage in the most basic aspects of modern life,” commissioners wrote. “When they buy groceries, do homework or apply for car insurance, for example, consumers today likely give a wide range of personal information about themselves to companies, including their movements, prayers, friends, menstrual cycles, web-browsing and faces, among other basic aspects of their lives.”

The agency notes data collection is “an elaborate and lucrative market,” both in trading information and using it to target consumers and maximize sales and profits.

“While, in theory, these personalization practices have the potential to benefit consumers, reports note that they have facilitated consumer harms that can be difficult if not impossible for any one person to avoid,” the notice states.

And while companies are required by law to get consumers’ consent—usually through lengthy terms of service documents—necessity and fatigue often lead people to accept those terms whether or not they would like to, or even fully understand what they are agreeing to.

Further, “The commission’s enforcement actions have targeted several pernicious dark pattern practices, including burying privacy settings behind multiple layers of the user interface and making misleading representations to ‘trick or trap’ consumers into providing personal information,” the notice states. “Given the reported scale and pervasiveness of such practices, individual consumer consent may be irrelevant.”

Even harder to avoid are data uses outside of the agreed upon terms of service, whether by the company collecting the data or after it gets bundled and sold to third parties not bound by the original terms.

“These practices also appear to exist outside of the retail consumer setting,” the FTC wrote. “Some employers, for example, reportedly collect an assortment of worker data to evaluate productivity, among other reasons—a practice that has become far more pervasive since the onset of the COVID-19 pandemic.”

And the harms are real.

At the individual level, the agency cites a wealth of research showing how data collection is used to push fraudulent or harmful products and services to vulnerable users, enabling “cyber bullying, cyberstalking and the distribution of child sexual abuse material,” as well as exacerbating underlying issues such as “depression, anxiety, eating disorders and suicidal ideation among kids and teens.”

On a societal scale, “companies’ growing reliance on automated systems is creating new forms and mechanisms for discrimination based on statutorily protected categories, including in critical areas such as housing, employment and health care,” FTC wrote, citing several recent examples.

As the commission considers new regulatory options, FTC is using this comment period and an upcoming virtual public forum on Sept. 8 “to generate a public record about prevalent commercial surveillance practices or lax data security practices that are unfair or deceptive, as well as about efficient, effective, and adaptive regulatory responses.”

Commissions said they want to build this record as Congress debates enacting the American Data Privacy and Protection Act.

“Given the uncertainty of the legislative process and the time … rulemaking necessarily takes, the commission should not wait any longer than it already has to develop a public record that could support enforceable rules,” FTC Commissioner Rebecca Kelly Slaughter said in a statement. “Case-by-case enforcement has not systemically deterred unlawful behavior in this market. As our own reports make clear, the prevailing notice-and-choice regime has failed to protect users, and the modes by which sensitive information can be discovered, derived, and disclosed have only grown in number and complexity.”

The notice asks 95 specific questions across 11 subject areas, including:

• To what extent do commercial surveillance practices or lax security measures harm consumers?
• To what extent do commercial surveillance practices or lax data security measures harm children, including teenagers?
• How should the commission balance costs and benefits?
• How, if at all, should the commission regulate harmful commercial surveillance or data security practices that are prevalent?
• Information on collection, use, retention and transfer of consumer data.
• Information on automated decision-making systems.
• Information on discrimination based on protected categories.
• Information on consumer consent.
• Information on notice, transparency and disclosure.
• Potential remedies.
• Obsolescence of past rulemaking.

The notice also includes a rundown of how the FTC monitors and regulates these issues now and the extent of the agency’s statutory authority to make new rules in this space.

Comments are due no later than Oct. 21.

Dissenting Opinions

While the Democratic commissioners wrote statements in favor of updating data privacy rules, Republican commissioners dissented, citing potential adverse economic impacts and a preference for letting Congress legislate over administrative regulations.

“Any law our nation adopts will have vast economic significance,” Commissioner Noah Joshua Phillips wrote. “It will impact many thousands of companies, millions of citizens and billions upon billions of dollars in commerce. It will involve real trade-offs between, for example, innovation, jobs and economic growth on the one hand and protection from privacy harms on the other.”

Phillips said the proposed rulemaking is an overstep for the FTC, calling the notice for public comment an attempt to “recast the commission as a legislature,” and chided the commission for not including specifics on the “scope and parameters of what rule or rules might follow.”

“So I don’t think we should do this,” Phillips said. “But if you’re going to do it, do it right.”

The commission’s other Republican member, Christine Wilson, also dissented, preferring to see Congress pass “a sound, comprehensive and nuanced approach to consumer privacy and data security” that she says will be better for companies, consumers and the economy as a whole.

Article link; https://www.nextgov.com/emerging-tech/2022/08/ftc-considering-new-data-privacy-regulations-go-beyond-asking-users-consent/376081/

8/23/2022By: Rebecca Hill, MHS Communications

Recommended Content:Health Care Technology | Defense Health Information Technology Symposium

Gone are the days where you need a paper trail to connect with your health care. 

Advances in technology has vastly improved the accessibility to beneficiaries’ electronic health records. The Defense Health Agency is tapping into this technology to improve the patient experience by bringing together key professionals and streamlining services. 

Through a symposium for the Military Health System−and by the ongoing promotion of services and resources−DHA is putting the intersection of health care and technology at the forefront.

In August 2022, Department of Defense health care professionals met at the Defense Health Information Technology Symposium to discuss the transformation of the MHS to ensure high-quality, patient-centered care. Topics included improving virtual health, transforming health care delivery, and the future of cybersecurity.

Across the DHA, information technology systems, programs, and apps are designed to make health care more streamlined and accessible to service members and families. 

Eventually, the Department of Defense, Department of Veterans Affairs and the U.S. Coast Guard will be able to seamlessly transition your health care files throughout your service and as you transition into the VA medical system. 

“I don’t think we’ve even scratched the surface of what we can do with a single system and the benefits it will bring,” said Holly Joers, program executive officer for the Program Executive Office, Defense Healthcare Management Systems. 

Advancing Technology to Fit Patient Care

As the DOD, the VA and U.S. Coast Guard are working on a more integrated system, there are programs available right now to access records online, get answers about your health, and check on your own well-being. Here are just a few:

• MHS GENESIS Patient Portal: This electronic health record gives you 24/7 access to your information and allows you to send messages to your care team and oversee appointments. This secure site will help integrate patient care, keeping your health care professionals updated with your latest information. No matter where you are stationed in the world, MHS GENESIS will be available to you. 

“Specialists can provide care via video or other electronic media and consult with providers in theater to help facilitate care and a quicker return to duty,” Army Col. (Dr.) Robert Cornfeld, chief health information officer and pediatric gastroenterologist at Madigan Army Medical Center at Joint Base Lewis-McChord in Washington, stated. 

• Nurse Advice Linegoes tot he MHS Nurse Advice Line: With every medical issue, there are questions. By utilizing the Nurse Advice Line, you can get answers, find the proper medical treatment facilities, schedule appointments, and so much more. This option is available 24/7 through web or video chat, or phone, giving you peace of mind with sound medical advice.

Discover More with Mobile Health Apps

In addition to these DHA programs, there are DHA Mobile Apps available on your smartphone. These mobile apps can help service members and families with their health, help set goals, and stay on track. Access these apps with a tap of your finger.

• Decide + Be Ready: This app provides an interactive way for service members to learn about birth control options and help think through what is important to them about the method they choose.

• My Prosperity Plan: Set goals for your personal life, in relationships, to meet spiritual needs, and more. This app helps you reach your potential and keeps you on track.

• MissionFit: Get into shape with this 12-week exercise program! You get different options and various exercises. Video, text, and images help you through these programs.

• Visit the DHA app pageDHA Mobile App page to see the other available apps on your mobile device.

Through these events, services, and resources, the DHA is furthering their focus in integrating technology to make your lives easier. 

“DHA is pivoting to meet the digital native generation with care that meets their expectations,” said Cornfeld.

Article link: https://health.mil/News/Articles/2022/08/23/Department-of-Defense-Streamlining-Health-Tech-for-Beneficiaries

Written by Mark Pomerleau
Aug 17, 2022 | FEDSCOOP

AUGUSTA, Ga. — Army Cyber Command’s new intelligence unit blending historical military intelligence activities with commercial data and public information is providing critical insights in a rapid manner to a newly established “triad” between the service’s cyber, missile defense and special operations organizations.

Last week, the Army announced this new triad between Army Cyber Command, Army Space and Missile Defense Command and Army Special Operations Command, which aims to to deliver more options to commanders in an integrated fashion.

“Probably the biggest contribution was one being able to take a fusion of traditional intelligence and what we were seeing publicly available information, in order to inform the commander forward of what we were seeing,” Lt. Gen. Maria Barrett, commander of Army Cyber Command, said during a presentation at the TechNet Augusta conference Wednesday.

Adversaries are globally focused, and so is the Army.

“Three operational units with unique authorities and capabilities — and we see the globe,” she said. “We were seeing some things in the electromagnetic spectrum, we were seeing things in the information environment and we were able to provide that back very quickly because of the Big Data Platform and the [Cyber Military Intelligence Group], that intelligence group, being able to turn that pretty quickly.”

The Cyber Military Intelligence Group (CMIG) directs, synchronizes and coordinates intelligence support for cyber, information and electronic warfare operations while also providing support to U.S. Cyber Command and other combatant commands. It was created to perform functions not found anywhere else within the Army or intel community, and blend open source information with military intelligence.

Big data platforms exist across U.S. Cyber Command, the Defense Information Systems Agency, Army Cyber Command and the Marine Corps. They are essentially hybrid cloud environments that allow for storage, computation and analytics across networked sensors. When forces conduct cyber missions, they collect data and use high-powered analytics to make sense of it. Big data platforms do just that, but also share that analysis in an easy-to-access repository for other forces. The Army’s version is called Gabriel Nimbus.

The CMIG is already having tangible effects despite being so new.

“I have been absolutely impressed with how quickly they can take an RFI from myself or from Cyber Command on a particular subject and pull that information together into a report,” Barrett said. “You might think that serialized reporting takes a long time. These guys are turning this pretty quick. [It’s] pretty valuable.”

Article link: https://www.fedscoop.com/new-army-intel-unit-having-big-impact-on-recently-established-triad/

-In this Story- 

Army, Army Cyber Command, Army Special Operations Command, cyber, Cyber Military Intelligence Group, intelligence, Maria Barrett, Space and Missile Defense Command

By PATRICK TUCKERAUGUST 18, 2022 08:41 AM ET

The Defense Department’s current “checklist” approach can’t keep its networks safe.

Two years ago, a pair of Navy information leaders decided to attack their own networks—and not just once or twice a year during scheduled exercises, but far more frequently, and unannounced. Now they’re trying to get the rest of the Navy—and the Pentagon—to follow suit.

Their experiment showed that frequent, automated red-teaming reveals which vulnerabilities are the most dangerous, the easiest for an attacker to exploit with the highest impact—information they wouldn’t have otherwise, said Aaron Weis, the Navy’s chief information officer, or CIO, and Scott Bischoff, the command information officer at the Naval Postgraduate School.

And it’s far more effective than the way the Defense Department currently handles cybersecurity: with checklists of steps taken, patches implemented, and so on.

“It’s a very compliance-driven mentality, like an audit… and it’s wrong,” Weis told Defense One. “Cybersecurity is not a compliance problem.” 

Treating cybersecurity like a checklist does answer one question: whether the officer, team, or company charged with “cybersecurity” has done their job to some agreed-upon level of performance—basically, whether they’ve fulfilled the terms of a contract or the parameters of an assignment. It’s an approach that works well for a bureaucracy, but it’s not the best way to actually secure your networks, Weis said.

“We’ve got…15 to 20 years of track record using a compliance mentality that says it doesn’t work, right? Because we continue to be exercised by our adversaries in cyberspace,” he said.

Related articles

The US Military Should Red-Team Open Source Code

A Navy Cyber Effort Is Fixing Thousands of Holes—and Building Tech Talent

Weis says the Pentagon needs to measure its networks’ suitability for combat the same way it does for soldiers, sailors, tanks, and ships: through the concept of military readiness.

Such an approach would mean prioritizing the biggest problems first, with second-tier or complicated ones set on slower paths to fixing.

“There’s ‘ready to fight tonight.’ But if you are a carrier strike group and you’re deploying in three months, are you on a path to being ready? You manage your readiness on a day-to-day basis and it’s a function of a whole bunch of things,” he said. “Do we have the right people? Are they trained? Are they qualified, or deficient? Do we have the equipment?”

But Weis had to show that getting to a state of “readiness” in cyberspace is a matter of constant testing and drilling, not filling out compliance forms. 

He needed a safe space where he could understand readiness without exposing huge problems to adversaries or taking essential naval networks offline. He went to the Naval Postgraduate School, or NPS, in Monterey, California.

NPS’ Bischoff says the school lends itself to experimentation because it’s on the California research and education network, not a Navy network. 

“I have a lot of authorities here that other naval units wouldn’t have. It provides the Navy a small chunk of terrain here to do things,” like test new cybersecurity concepts, he said. “We have a somewhat unique terrain here to maybe take a little bit of risk on and try some things. That’s important for a STEM school, you know. We’re very research-intensive, so it’s right up our alley.”

So NPS forged a cooperative R&D agreement with Rebellion, a defense-focused software startup founded by Chris Lynch, the former head of the Defense Department’s Digital Service.

Rebellion brought in a tool called Nova that does automated red-teaming on networks. But it doesn’t just hammer away at the vulnerabilities it finds like it’s running through a checklist. 

“It can identify the system, understand its patch level, catalog its vulnerabilities according to what’s generally available, and then try to run an automated exploit against it, based on what it knows,” said Weis.

The process revealed a lot more information than just a list of vulnerabilities to be patched. They learned which vulnerabilities were the most important, the easiest to attack, which ones let the attacker gain wider network access, things they would have learned only if a real attacker was hitting the system and strategizing its next move. That means that different vulnerabilities had a priority that a checklist completely missed. 

Said Weis: “Right now, because of our compliance approach, we focus on patching every vulnerability, right?…In no particular order, by the way. We just line them up and knock them down. And what that approach…disregards is the question: Can that vulnerability actually be exploited?”

Some vulnerabilities that seemed large were very difficult to exploit, and some that seemed small were a lot more dire than their position on the checklist would indicate. Running similar experiments on actual DOD networks would probably reveal a similar result: that the Department is not managing its cyber vulnerabilities with a real-world understanding of how an attacker would actually approach the network. 

Bischoff said similar red-team experiments involving humans are great, but they happen once or twice a year. “It’s a snapshot, right. I don’t want a snapshot. I want a movie throughout the year.”

Weis said he’s building off of that experiment. 

“We’re in the process of…nominating a set of [Navy] programs that are volunteering to go first and to start to use this different approach,” he said. “We’ve been having leadership-level discussions here since kind of before the holidays last year. It started with a one-on-one with the [Chief Naval Officer] and it’s kind of moved up from there.”

Said Lynch: “Aaron [Weis] is trying to completely change what they’re doing,” not only in the Navy, but potentially across the military. 

That is going to be important if the Defense Department is going to move toward the highly-networked joint all-domain command and control, or JADC2, vision at the heart of its plans for the next decade. The more networks, computers, drones, satellites, etc.. are all linked together, the more unmanageable a checklist approach becomes. The only solution will be to assume your enormous networked war machine is under attack at its weakest points—because it is.

Article link: https://www.nextgov.com/cybersecurity/2022/08/experiment-showed-military-must-change-its-cybersecurity-approach/376003/