Yesterday — 12 December 2025

DHS moves to eliminate TSA collective bargaining agreement, again

The Department of Homeland Security is again moving to rescind a collective bargaining agreement with Transportation Security Administration employees, despite an ongoing court case over DHS’ prior move to eliminate the TSA union agreement.

In a Dec. 12 press release, TSA announced that a new “labor framework” would be implemented starting Jan. 11, 2026. The framework rescinds the 2024 CBA between TSA and the American Federation of Government Employees, the agency said.

TSA said the decision is based on a Sept. 29 determination by Homeland Security Secretary Kristi Noem, “Eliminating Collective Bargaining at TSA Due to its Incompatibility with TSA’s National Security Mission and its Adverse Impact on Resources, Flexibility, Mission Focus, Security Effectiveness, and Traveler Experience.”

TSA said Noem’s determination — which it did not release — “establishes that employees performing security screening functions … have a primary function of national security and shall not engage in collective bargaining or be represented for any purposes by any representative or organization.”

Noem also determined that collective bargaining for TSA officers “is inconsistent with efficient stewardship of taxpayer dollars and impedes the agility required to secure the traveling public,” according to the agency statement.

“Our Transportation Security Officers (TSOs) need to be focused on their mission of keeping travelers safe not wasting countless hours on non-mission critical work,” Adam Stahl, senior official performing the duties of TSA deputy administrator, said in the press release. “Under the leadership of Secretary Noem, we are ridding the agency of wasteful and time-consuming activities that distracted our officers from their crucial work.”

AFGE quickly criticized TSA’s announcement. AFGE represents approximately 47,000 airport screeners under the CBA.

“Merely 30 days ago, Secretary Noem celebrated TSA officers for their dedication during the longest government shutdown in history,” AFGE National President Everett Kelley said as part of a statement. “Today, she’s announcing a lump of coal right on time for the holidays: that she’s stripping those same dedicated officers of their union rights.”

AFGE noted that a federal judge earlier this year blocked DHS from dissolving the collective bargaining agreement. The union had brought the lawsuit in response to a previous determination issued by Noem that sought to dissolve the CBA.

In granting the preliminary injunction in June, the judge presiding over the case wrote that Noem’s previous attempt to dissolve the CBA “appears to have been undertaken to punish AFGE and its members because AFGE has chosen to push back against the Trump Administration’s attacks to federal employment in the courts.”

That ongoing case is currently scheduled to go to trial next September.

Kelley said AFGE “will continue to challenge these illegal attacks on our members’ right to belong to a union.” He also urged the Senate to pass the Protect America’s Workforce Act “immediately.”

TSA staff don’t have the same statutory rights as other federal employees under Title 5 of U.S. Code. But in response to longstanding concerns about TSA attrition, then-TSA Administrator David Pekoske in 2022 issued a determination that expanded collective bargaining at the agency to mirror the bargaining rights under Title 5.

TSA and AFGE then negotiated and signed a seven-year collective bargaining agreement last year. The agreement established a streamlined process for grievance and arbitration, expanded official time, fewer restrictions on sick leave, increased uniform allowances and opportunities for local collective bargaining.

In a statement today, AFGE Council 100 President Hydrick Thomas called the decision to revoke the CBA a “slap in the face” to TSA employees.

“Prior to having a union contract, many employees endured hostile work environments and workers felt like they didn’t have a voice on the job, which led to severe attrition rates and longer wait times for the traveling public,” Thomas said. “Since having a contract, we’ve seen a more stable workforce, and there has never been another aviation-related attack on our country.”

In its statement, TSA said that agency policy will govern “employment matters previously addressed by the 2024 CBA, and TSA policy will provide for alternative procedures to ensure that employee voices are heard and that legitimate concerns are resolved quickly.”

The post DHS moves to eliminate TSA collective bargaining agreement, again first appeared on Federal News Network.

© The Associated Press

FILE - Transportation Security Administration agents process passengers at the south security checkpoint at Denver International Airport in Denver on June 10, 2020. The chief of the TSA said Tuesday, May 10, 2022, that his agency has quadrupled the number of employees who could bolster screening operations at airports that become too crowded this summer. (AP Photo/David Zalubowski, File)
Before yesterday

FedRAMP at the center of DoJ’s latest cyber fraud allegations

A former Accenture employee has been charged with allegedly misleading federal officials about the security of a cloud platform used by the Army and other agencies.

In an indictment secured by the Justice Department this week, Danielle Hillmer was charged with multiple counts of fraud over allegations that she concealed a cloud platform’s noncompliance with security controls required by the General Services Administration’s Federal Risk and Authorization Management Program (FedRAMP).

DoJ’s press release on the indictment states GSA’s Office of the Inspector General has been involved in the investigation.

The indictment doesn’t identify the cloud platform or company that Hillmer worked for at the time of the alleged fraud and obstruction. DoJ’s allegations cover a period between March 2020 and November 2021.

But Hillmer’s LinkedIn shows that during the time in question, she worked for Accenture Federal Services as “lead, cloud managed services” and “business and system owner, cloud management platform services.”

A copy of Hillmer’s LinkedIn profile, which was taken offline this week, shows she left Accenture in December 2021 and was most recently a “senior product manager for public sector” at SentinelOne.

“As previously disclosed in our public filings, we proactively brought this matter to the government’s attention following an internal review. We have cooperated extensively with the government’s investigation and continue to do so,” an Accenture spokeswoman told Federal News Network. “We remain dedicated to operating with the highest ethical standards as we serve all our clients, including the federal government.”

In an Oct. 12, 2023, filing with the Securities and Exchange Commission, Accenture referenced how it made a voluntary disclosure to the government that initiated a DoJ investigation “concerning whether one or more employees provided inaccurate submissions to an assessor who was evaluating on behalf of the U.S. government an AFS service offering and whether the service offering fully implemented required federal security controls.”

“AFS is responding to an administrative subpoena and cooperating with DOJ’s investigation,” AFS wrote at the time.

A spokesman for SentinelOne noted that Hillmer left her position at the company this past August and said DoJ’s allegations have “nothing to do with her work at SentinelOne.”

“In her previous role at SentinelOne, she was not involved in any compliance related work for FedRAMP or any other program,” the spokesman added.

The indictment alleges that in March 2020, Hillmer sought to “uplift” the cloud platform in question from a FedRAMP Moderate to a High authorization, driven by recently awarded Army contracts that required FedRAMP High.

DoJ alleges that Hillmer ignored warnings from a fellow employee and an outside firm that the cloud platform wasn’t compliant with security controls required for a FedRAMP High authorization.

For instance, the indictment alleges that Hillmer was aware that system administrators could access the cloud platform without “necessary” multifactor authentication controls in place.

DoJ alleges Hillmer “concealed known issues” from assessors and authorizing officials, as well as submitted materials to FedRAMP and the Joint Authorization Board “knowing they contained materially false and misleading representations about the platform’s architecture, implementation of security controls and risk posture.”

In July 2021, the FedRAMP program granted the cloud platform a FedRAMP High provisional authority-to-operate (P-ATO), according to DoJ’s indictment. It says at least six departments and agencies, including the Army, used or planned to use the P-ATO to obtain authorizations for cloud products and services. The contracts or subcontracts involved were valued at more than $250 million, according to DoJ.

The criminal charges against Hillmer carry heavy weight, with the wire fraud charge alone carrying a maximum of 20 years in prison.

Lawyers representing Hillmer didn’t respond to an emailed request for comment.

The case is notable, as DoJ has increasingly pursued legal action to enforce federal cybersecurity requirements. DoJ’s Civil Cyber-Fraud Initiative has resulted in multiple False Claims Act settlements with companies for allegedly failing to meet contractual security requirements.

However, a criminal case targeting an individual employee for allegedly misrepresenting security controls will be closely watched in the FedRAMP community.

Most conversations around the cloud security program in recent years have focused on streamlining the FedRAMP process, which is often considered a barrier to agencies accessing new technology.

The post FedRAMP at the center of DoJ’s latest cyber fraud allegations first appeared on Federal News Network.

© Getty Images/iStockphoto/Melpomenem


CISA looks for ‘deep engagement’ with innovators via new platform

The Cybersecurity and Infrastructure Security Agency doesn’t want to leave companies hanging when they reach out to CISA with an important innovation or technology development.

That’s a key reason why CISA earlier this month launched an Industry Engagement Platform, referred to as the IEP. The website provides an external portal where companies, nonprofits, academia and others can sign up to share information with the agency.

“We want deep engagement with the private sector technology innovators, and it can sometimes be hard to schedule meetings with the government or share what you’ve been working on,” Bob Costello, CISA’s chief information officer, said in a recent interview with Federal News Network.

Costello said CISA started work on the platform earlier this year with the goal of improving that process. He said the design of the IEP is based on widely used tax preparation services, with easily fillable fields and the ability to suggest meeting times with CISA staff across different divisions, depending on the topic.

“What we’re going to see first and foremost is hopefully shifting to the left or a shorter time period from when a vendor contacts us, to us expressing interest in the scheduling of that meeting, because we have the system handling all of that,” Costello said.

He said the new platform augments the more traditional ways CISA engages with outside organizations, such as requests for information or industry days. The goal is also to help smaller companies get in touch with the agency.

“I do see it as advancing our transparency and accessibility to working with us,” he said. “So much innovation happens in the private sector, as well as in research labs and elsewhere. But we really want to hear from all those innovators that maybe sometimes just don’t even know how to contact us.”

The new platform should also eventually give CISA a wealth of analytics on companies, technologies and sectors it engages with, Costello said. Tracking that engagement over time should also help the agency, he added.

“Maybe one group’s interested, or we see something here, but it’s not quite ready for an investment,” Costello explained. “Come back and talk to us in six months, and then we’re able to actually kind of track that progress in the system as well, too. I think that that’s very helpful overall to that business relationship that we have with industry.”

The cyber agency, which provides a range of cybersecurity and infrastructure services to government and industry, is interested in hearing about innovations in IT and security controls, data analytics, post-quantum security and artificial intelligence.

As the CIO, Costello said he’s particularly interested in automated testing solutions.

“There’s a lot of good work being done on automated testing of IT solutions. Automated or AI-based red teaming of systems is very interesting to us,” he said. “And not just vulnerability scanning, but helping to determine if your system or asset is actually vulnerable to the vulnerability that’s being disclosed, or if you have other compensating controls in place that make it so that patching within 10 minutes is not really required … That’s the next generation of understanding how we do vulnerability management.”

Meanwhile, the engagement platform is a step toward eventually needing just one account to work with CISA, Costello said. Right now, the agency’s various cybersecurity services, for instance, all have different sign-up portals.

The agency also runs a voluntary cyber incident reporting portal. But under a rule scheduled to be finalized next May, thousands of companies across critical infrastructure sectors will be required to report cyber incidents to CISA, markedly increasing the number of reports the agency will receive.

“We are hoping to come in time where reporting to CISA or sharing information to CISA can happen across automated systems, while always maintaining that capability for a human to share information with us,” Costello said. “I’d really like us to start driving in [fiscal] ’26, and we have a lot of really great ongoing initiatives, to get to that more automated sharing of large-scale information.”

The post CISA looks for ‘deep engagement’ with innovators via new platform first appeared on Federal News Network.

© Getty Images/iStockphoto/metamorworks


Risk and Compliance 2025 Exchange: Diligent’s Jason Venner on moving beyond manual cyber compliance

The Pentagon is taking a major step forward in modernizing how it addresses cybersecurity risks.

Defense Department officials have emphasized the need to move beyond “legacy shortcomings” to deliver technology to warfighters more rapidly. In September, DoD announced a new cybersecurity risk management construct to address those challenges.

“The previous Risk Management Framework was overly reliant on static checklists and manual processes that failed to account for operational needs and cyber survivability requirements,” DoD wrote at the time. “These limitations left defense systems vulnerable to sophisticated adversaries and slowed the delivery of secure capabilities to the field.”

Weeding through legacy manual processes

The legacy of manual processes has built up over decades. Jason Venner, a solutions sales director at Diligent, said agencies have traditionally relied on people and paperwork to ensure compliance.

“It’s no one’s fault,” Venner said during Federal News Network’s Risk & Compliance Exchange 2025. “It just sort of evolved that way, and now it’s time to stop and reassess where we’re at. I think the administration is doing a pretty good job in looking at all the different regs that they’re promulgating and revising them.”

Venner said IT leaders are interested in ways to help streamline the governance, risk and compliance process while ensuring security.

“Software should help make my life easier,” he said. “If I’m a CIO or a CISO, it should help me make my life easier, and not just for doing security scans or vulnerability scans, but actually doing IT governance, risk and compliance.”

Katie Arrington, who is performing the duties of the DoD chief information officer, has talked about the need to “blow up” the current RMF. The department moved to the framework in 2018 when it transitioned away from the DoD Information Assurance Certification and Accreditation Process (DIACAP).

“I remember when we were going from DIACAP to RMF, I wanted to pull my hair out,” Arrington said earlier this year. “It’s still paper. Who reads it? What we do is a program protection plan. We write it, we put it inside the program. We say, ‘This is what we’ll be looking to protect the program.’ We put it in a file, and we don’t look at it for three years. We have to get away from paperwork. We have to get away from the way we’ve done business to the way we need to do business, and it’s going to be painful, and there are going to be a lot of things that we do, and mistakes will be made. I really hope that industry doesn’t do what industry tends to do, [which] is want to sue the federal government instead of working with us to fix the problems. I would really love that.”

Arrington launched the Software Fast Track initiative to once again tackle the challenge of quickly adopting secure software.

Evolving risk management through better automation, analytics

DoD’s new risk management construct includes a five-phase lifecycle and ten core principles, including automation, continuous monitoring and DevSecOps.

Arrington talked about the future vision for cyber risk management within DoD earlier this year.

“I’m going to ask you, if you’re a software provider, to provide me your software bill of materials in both your sandbox and production, along with a third-party SBOM. You’re going to populate those artifacts into our Enterprise Mission Assurance Support Service,” she said. “I will have AI tools on the back end to review the data instead of waiting for a human and if all of it passes the right requirements, provisional authority to operate.”

Venner said the use of automation and AI rests on a foundation of data analytics. He argued the successful use of AI for risk management will require purpose-built models.

“Can you identify, suggest, benchmark things for me and then identify controls to mitigate these risks, and then let me know what data I need to monitor to ensure those controls are working? That’s where AI can really accelerate the conversation,” Venner said.

Discover more articles and videos now on our Risk & Compliance Exchange 2025 event page.

The post Risk and Compliance 2025 Exchange: Diligent’s Jason Venner on moving beyond manual cyber compliance first appeared on Federal News Network.

© Federal News Network


Risk & Compliance Exchange: Cyber AB’s Matt Travis on scaling the CMMC ecosystem

The Cybersecurity Maturity Model Certification program is officially off the ground.

CMMC is the Pentagon’s program to evaluate whether defense contractors are following requirements for protecting controlled unclassified information. The cybersecurity requirements, based on National Institute of Standards and Technology controls, have been in Defense Department contracts since 2016.

It took years for CMMC to become a reality. But the final rule to implement CMMC into contractual requirements took effect Nov. 10. The rule establishing CMMC as a program had already gone into effect last year.

DoD has a phased implementation plan for the program. During Phase 1, over the next year, the department will largely require CMMC self-assessments from contractors. But DoD programs have the discretion to require Level 2 CMMC third-party assessments over the next year as needed.

Tackling third-party CMMC assessments

During Phase 2, starting next November, those third-party assessments will become standard in applicable contracts.

Those third-party assessments are a key facet of the CMMC program and its goal to ensure defense contractors follow cybersecurity requirements.

The Cyber Accreditation Body is responsible for authorizing the CMMC third-party assessment organizations (C3PAOs) that will carry out those independent assessments. And Matthew Travis, CEO of The Cyber AB, said work is well underway on building out the scaffolding that will support the CMMC program.

“If there’s any remaining skepticism of whether or not the department was serious about this conformity regime, you can now just look at the Code of Federal Regulations and see both rules there,” Travis said during Federal News Network’s Risk & Compliance Exchange 2025. “Now, the real challenge is to scale the ecosystem.”

‘Impending bow wave’

So far, just under 500 defense contractors have voluntarily achieved a Level 2 CMMC certification, Travis shared.

But the Pentagon has estimated that the requirement for a Level 2 third-party assessment could apply to as many as 80,000 companies as CMMC is phased in.

“I am concerned about the impending bow wave that I think we’ll see in demand,” Travis said.

Some C3PAOs already have a backlog of assessments that stretch into next year.

“Now is the time to move if you’re ready,” Travis added. “People are going to start racing to the checkout line, and it’s going to be a wait. So move now if you’re ready, and if you’re not ready, get ready, because the sooner you do it, the sooner you’ll be able to get a slot.”

Among the voluntary Level 2 assessments that have occurred to date, Travis said “false starts” have been an issue for some organizations.

“We heard frequently from the C3PAOs that they had to call it off mutually once the organization seeking certification realized all the things that they hadn’t fully done,” Travis said. “And the C3PAO said, ‘We might want to pause here. Go back to work and call us when you’re ready.’ ”

Travis said the 110 requirements under Level 2 go beyond technical controls.

“It does require an organizational commitment,” he said. “There are physical security requirements, there are training requirements that human resources has to be involved in. There are leadership requirements in terms of resourcing.”

Another key lesson gleaned from early assessments is the need for companies to understand their external service providers. Travis said most organizations rely on cloud service providers or managed service providers for many IT and cybersecurity needs.

But whether they’re a CSP or an MSP — and to what extent they are involved in an organization’s handling of controlled unclassified information — are crucial questions in a CMMC assessment.

“Knowing who’s helping you and knowing your organization is fully committed are probably the two biggest takeaways that we’re hearing from industry,” Travis said.

CMMC’s ‘long pole in the tent’

The Cyber AB, through its no-cost contract with the Pentagon, is responsible for authorizing C3PAOs and certifying the people who conduct CMMC assessments.

Travis said there are just under 600 certified CMMC assessors today. Half of them are eligible to lead assessment teams.

But to meet the envisioned scale of the CMMC program — evaluating tens of thousands of defense contractors annually — Travis estimates there’s a need for between 2,000 and 3,000 assessors.

“That’s the most important part of the ecosystem that has to be grown. … That’s a long pole in the tent,” Travis said.

Initially, the challenge to building a pool of assessors was DoD’s drawn-out rulemaking process: There was no financial incentive to become an assessor with no CMMC requirements on the horizon.

But Travis said the challenge now is getting CMMC assessors through the process quickly enough as DoD phases in the requirements. The process of becoming an assessor involves training, exams and passing a Tier 3 DoD background investigation, which is equivalent to being investigated for a secret-level security clearance. Those investigations can often take months.

Travis said assessors don’t necessarily need to start with a technical background. He pitched it as a “great way for folks to get engaged in cybersecurity.”

“Whether it’s a full time job or a side hustle, these assessors are going to be in demand,” Travis said. “And so the compensation that goes with it, I think, is compelling. We are encouraging folks, if they haven’t considered entering into the CMMC program, think about becoming an assessor.”

Discover more articles and videos now on our Risk & Compliance Exchange 2025 event page.

The post Risk & Compliance Exchange: Cyber AB’s Matt Travis on scaling the CMMC ecosystem first appeared on Federal News Network.

© Federal News Network


What happens next with shutdown Hatch Act complaints?

Investigators at the Office of Special Counsel returning to their jobs earlier this month would likely have been greeted with multiple Hatch Act complaints after a wave of alleged partisan political messaging by federal agencies during the shutdown.

Throughout the 43-day shutdown, multiple agencies posted messages on their websites blaming the shutdown on the “radical left,” “Democrats” and other politically tinged phrases.

Those actions immediately drew multiple Hatch Act complaints. The 1939 law restricts political activities by federal employees and is intended to ensure the nonpartisan administration of government programs.

The Education Department also changed furloughed employees’ out-of-office email replies to blame the shutdown on “Democrat senators.” A federal judge earlier this month found that the agency had violated employees’ First Amendment rights. Education was forced to change the out-of-office reply shortly before the shutdown ended.

“In this compressed timeframe, we haven’t seen this level of potential Hatch Act violations with regards to just changing emails, publishing these notices on the government websites and engaging in this partisan messaging,” Michael Fallings, managing partner at law firm Tully Rinckey, told Federal News Network.

The use of federal agency websites for such messaging was also a novel development in the long-running evolution of the Hatch Act.

Kedric Payne, who helped represent Education Department employees as vice president, general counsel and senior director of ethics at the Campaign Legal Center, said the shutdown messaging “could have been a test run of what may happen during the election year.”

“You could imagine a situation where, during the election year, there may be similar banners, similar email statements and other communications coming from the agencies that are partisan,” Payne told Federal News Network. “If there are no consequences for what happened during the shutdown, there’s not a real threat for the agencies to limit themselves on violating the Hatch Act or First Amendment rights.”

Office of Special Counsel role

OSC is responsible for investigating Hatch Act complaints. But most OSC staff were furloughed through the shutdown. Out of the agency’s 122 employees, just 17 were kept onboard, according to the OSC shutdown plan. Those excepted staff were primarily focused on handling whistleblower disclosures “involving a substantial and serious risk to public health or safety or those requiring emergency action to protect property.”

Multiple nonprofit organizations publicized their Hatch Act complaints. The total number of Hatch Act complaints received by OSC isn’t public, and OSC didn’t respond to a request for comment.

But given OSC’s relatively small staff, the backlog of work due to the furlough, and the large number of known complaints, Fallings expects the Hatch Act cases will likely face delays. OSC typically takes 120 days to conduct preliminary reviews, but there isn’t a statutory deadline for completing Hatch Act investigations.

“I think what OSC would do is try to figure out which complaints may have the most proof of a violation, and pursue those,” Fallings said.

In his opinion siding with Education Department employees and their union, District Judge Christopher Cooper referenced the Hatch Act and pointed to the executive branch’s “multifront campaign to assign blame for the government shutdown.”

“It began by plastering politically-charged language on official public websites,” Cooper wrote. “Apparently, that wasn’t enough. The department waited until its furloughed employees lost access to their email, then gratuitously changed their out-of-office messages to include yet another partisan message, thereby turning its own workforce into political spokespeople through their official email accounts. The department may have added insult to injury, but it also overplayed its hand.”

While the case ultimately hinged on federal employees’ First Amendment rights, Payne said Cooper’s ruling “recognized the spirit of the Hatch Act and its role in making sure that you don’t have government employees saying something that would be considered partisan.”

With OSC having primary responsibility to enforce the Hatch Act, legal experts are closely watching what happens next with the shutdown complaints.

If OSC finds that a Hatch Act violation occurred, it can bring the case before the Merit Systems Protection Board. The penalties for a Hatch Act violation can include removal from federal service, a reduction in grade, debarment from federal employment for up to five years, suspension, reprimand or a civil penalty of up to $1,000.

But OSC itself has also been at the center of the Trump administration’s efforts to rein in independent agencies. Trump earlier this year fired Special Counsel Hampton Dellinger with no explanation, drawing a short-lived legal battle.

And Trump’s nominee to replace Dellinger recently withdrew from consideration after offensive text messages came to light.

Jamieson Greer, the United States Trade Representative, is currently dual-hatted as acting Special Counsel.

“In the past, the Office of Special Counsel has been very thorough in releasing opinions that give clear guidance on what activities are or are not a violation of the Hatch Act,” Payne said. “But we’re not clear whether or not this agency will do that this time.”

The post What happens next with shutdown Hatch Act complaints? first appeared on Federal News Network.

© Getty Images/iStockphoto/gorodenkoff

OMB reverses course on defunding CIGIE

The Office of Management and Budget has released some funding for the Council of the Inspectors General on Integrity and Efficiency, after an earlier decision to effectively defund CIGIE led to the shuttering of multiple Office of Inspector General websites.

OMB apportioned just under $4.3 million for CIGIE, according to an announcement from Sens. Chuck Grassley (R-Iowa) and Susan Collins (R-Maine). The pair of senators had pushed OMB to release funding for CIGIE and the Pandemic Response Accountability Committee.

“We are pleased that following our continued outreach, OMB is releasing the funding that Congress provided for CIGIE to continue its vital work,” Grassley and Collins said. “This action, building on OMB’s earlier decision to release funding for PRAC, ensures that these important oversight entities can remain focused on delivering the accountability American taxpayers deserve. Our oversight of the administration’s actions, and CIGIE’s work, will continue.”

Grassley and Collins added that the funding will last CIGIE through Jan. 30. OMB is also conducting a “programmatic review of CIGIE’s activities,” they said.

OMB did not immediately respond to a request for comment. The Washington Post first reported on the funding decision.

In late September, OMB decided not to apportion funding for CIGIE in fiscal 2026, despite funds being available through the shutdown. Tammy Hull, the acting chairwoman of CIGIE, informed lawmakers of OMB’s decision, warning that the shuttering of the council would “result in the loss of shared services and cost-efficiencies” that support 72 offices of inspectors general across government.

On Oct. 1, multiple agency IG websites went offline due to the funding decision. CIGIE provides hotline capability and website services for 28 OIGs through Oversight.gov.

As of Tuesday afternoon, Oversight.gov was back online after being down for nearly seven weeks.

Congress created CIGIE in 2008 to professionalize the IG community. In addition to providing web and hotline services, CIGIE also conducts training, develops quality standards, and serves as an accountability function within the OIG community through its Integrity Committee.

But Trump administration officials have accused IGs of corruption, without offering evidence.

“Inspectors general are meant to be impartial watchdogs identifying waste and corruption on behalf of the American people,” OMB spokesman Armen Tooloee said in September regarding the original decision to defund CIGIE. “Unfortunately, they have become corrupt, partisan, and in some cases, have lied to the public. The American people will no longer be funding this corruption.”

President Donald Trump fired 17 IGs at the outset of his second term, in a move a federal judge later ruled to be illegal because he didn’t provide the required notification to Congress.

CIGIE in the recent past has also drawn the ire of conservative groups that view it as part of the “administrative state.” In a 2023 lawsuit, lawyers for Department of Homeland Security Inspector General Joseph Cuffari argued that CIGIE’s Integrity Committee was “a threat to the Constitution.” The Integrity Committee was investigating Cuffari’s actions as IG, including his handling of a review into deleted Secret Service texts from the Jan. 6, 2021 Capitol riot.

The post OMB reverses course on defunding CIGIE first appeared on Federal News Network.

Photo: Senate Budget Committee Ranking Member Sen. Chuck Grassley, R-Iowa, speaks at a hearing at the Capitol in Washington, May 4, 2023. (AP Photo/J. Scott Applewhite, File)

FCC to vote on reversing cyber rules adopted after Salt Typhoon hack

The Federal Communications Commission is set this week to vote on reversing cybersecurity rules for telecommunications providers that were put forward following the sweeping “Salt Typhoon” hacks.

At its meeting on Thursday, the FCC plans to consider an order rescinding a declaratory ruling and withdrawing proposed rules, both published in the waning days of the Biden administration. The January ruling requires telecom operators to secure their networks under Section 105 of the Communications Assistance for Law Enforcement Act.

But current FCC Chairman Brendan Carr argues that ruling “exceeded the agency’s authority and did not present an effective or agile response to the relevant cybersecurity threats.”

The proposed order would rescind the January ruling and withdraw proposed cybersecurity rules for telecom operators.

The FCC “should instead continue to pursue an agile and collaborative approach to cybersecurity through federal-private partnerships that protect and secure communications networks and more targeted, legally sound rulemaking and enforcement,” according to a factsheet on the order of reconsideration.

‘Worst’ hack ever

The Salt Typhoon campaign was revealed in 2024. It involved intrusions into U.S. telecom networks and others across the globe. The hackers were reportedly able to target the communications of political figures and government officials, including then-candidate Donald Trump and running mate JD Vance.

U.S. officials have said Chinese government-sponsored hackers are behind the campaign. Senate Intelligence Committee Ranking Member Mark Warner (D-Va.) has described it as “the worst telecommunications hack in our nation’s history.”

The Cybersecurity and Infrastructure Security Agency has since said the Salt Typhoon campaign overlapped with global threat activities targeting multiple sectors, including telecommunications, government, transportation, lodging, and military infrastructure networks.

“While these actors focus on large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers, they also leverage compromised devices and trusted connections to pivot into other networks,” CISA wrote in a September advisory. “These actors often modify routers to maintain persistent, long-term access to networks.”
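The advisory’s point that the actors modify routers to keep long-term access is, in practice, what a configuration-drift check is meant to catch. What follows is an added example, not code from CISA, the FCC or Federal News Network: it flattens two IOS-style configurations into section-qualified statements, diffs the current config against a trusted baseline, and flags added statements that match a small, author-chosen set of patterns (new privileged local accounts, tunnel interfaces, ACL permits, SNMP communities, static routes, changed management transport). Both configs, the device name, addresses and account names are constructed for the illustration, and the pattern list is an assumption for this example, not an indicator set taken from the advisory.

```python
"""Config-drift check for a network appliance: flag statements added to a
router's running config relative to a known-good baseline.

Added illustration, not code from the CISA advisory or from the article.
Both configs below are constructed; the device, addresses and accounts are
hypothetical.
"""
import re

# Constructed baseline (IOS-style syntax), as it would sit in a config repo.
BASELINE = """\
hostname edge-rtr-1
!
username netops privilege 15 secret 9 $9$aaaa
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip access-group MGMT-IN in
!
ip access-list extended MGMT-IN
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
 deny ip any any
!
line vty 0 4
 transport input ssh
"""

# Constructed "current" running config with three persistence-style edits:
# an extra privileged account, a new tunnel, and an ACL hole for its peer.
CURRENT = """\
hostname edge-rtr-1
!
username netops privilege 15 secret 9 $9$aaaa
username svc-backup privilege 15 secret 9 $9$bbbb
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip access-group MGMT-IN in
!
interface Tunnel7
 ip address 10.255.255.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.77
!
ip access-list extended MGMT-IN
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
 permit tcp host 192.0.2.77 any eq 22
 deny ip any any
!
line vty 0 4
 transport input ssh
"""

# Statement patterns treated as high-risk when they appear in the diff.
# This list is an assumption for the example, not an advisory indicator set.
HIGH_RISK = [
    (re.compile(r"^username \S+ privilege 15"), "new privileged local account"),
    (re.compile(r"^interface Tunnel"), "new tunnel interface"),
    (re.compile(r"^tunnel destination"), "tunnel endpoint configured"),
    (re.compile(r"^permit "), "ACL permit entry added"),
    (re.compile(r"^snmp-server community"), "SNMP community added"),
    (re.compile(r"^ip route "), "static route added"),
    (re.compile(r"^transport input"), "management transport changed"),
]


def parse_config(text):
    """Flatten an IOS-style config into a set of (section, statement) pairs.

    Indented lines are attributed to the preceding top-level statement, so a
    'permit' inside one ACL is distinct from the same line in another ACL.
    Blank lines and '!' comment lines are ignored.
    """
    entries = set()
    section = ""
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            entries.add((section, raw.strip()))
        else:
            section = raw.strip()
            entries.add(("", section))
    return entries


def diff_configs(baseline_text, current_text):
    """Return statements present only in the current config and only in the baseline."""
    base, cur = parse_config(baseline_text), parse_config(current_text)
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


def classify(added):
    """Return (section, statement, reason) for each added statement that
    matches a high-risk pattern; the first matching pattern wins."""
    findings = []
    for section, stmt in added:
        for pattern, reason in HIGH_RISK:
            if pattern.match(stmt):
                findings.append((section, stmt, reason))
                break
    return findings


def audit(baseline_text, current_text):
    """Diff the current config against the baseline and classify the additions."""
    return classify(diff_configs(baseline_text, current_text)["added"])


if __name__ == "__main__":
    for section, stmt, reason in audit(BASELINE, CURRENT):
        print(f"{reason}: [{section or '(global)'}] {stmt}")
```

The baseline has to come from an out-of-band store (a config repository or a backup taken before the window of concern), not from the device itself, since an actor with persistent access can rewrite whatever the device reports. The set-based diff deliberately ignores ordering and duplicate lines, so a reordered ACL or a second identical statement would not be flagged; carry the line position in parse_config if that matters on your platform.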

In rolling out the January rules, Biden administration officials argued they represented a “critical step to require U.S. telecoms to improve cybersecurity to meet today’s nation state threats, including those from China’s well-resourced and sophisticated offensive cyber program.”

However, the FCC’s current leadership says the rules misinterpreted the law and “unnecessarily raised and purported to resolve issues that were not appropriate for consideration in the absence of public input.” The FCC’s factsheet also references the commission’s “recent engagement with providers and their agreement to take extensive steps to protect national security interests.”

In an October letter to the FCC, lawyers representing several telecom associations argued that the January ruling “would significantly undermine” public-private partnerships. They argued that telecom providers had voluntarily collaborated with federal agencies to investigate Salt Typhoon and adopted stronger cybersecurity measures.

Warner and Sen. Ron Wyden (D-Ore.) are also pressing the Department of Homeland Security to release an unclassified 2022 report on security vulnerabilities in the U.S. telecom sector. They argue that by not releasing the report, DHS is undermining public debate over how to best secure telecom networks in the wake of Salt Typhoon.

“The Salt Typhoon compromise represents one of the most serious espionage campaigns against the communications of U.S. government leaders in history, and highlighted important gaps in our nation’s communications security – in some cases, with providers ignoring basic security precautions such as credential re-use across network appliances and failure to adopt multi-factor authentication for highly privileged network administrator accounts,” Warner and Wyden wrote in a recent letter to DHS and the Office of the Director of National Intelligence.

Meanwhile, the House on Monday passed the “Strengthening Cyber Resilience Against State-Sponsored Threats Act.” The bill would establish a joint interagency task force to address China-linked cyber threats, including Salt Typhoon. The task force would be led by CISA, with involvement from the Justice Department, the FBI and several sector-risk management agencies.

The post FCC to vote on reversing cyber rules adopted after Salt Typhoon hack first appeared on Federal News Network.

Photo: The Federal Communications Commission building in Washington, June 19, 2015. (AP Photo/Andrew Harnik, File)

DHS announces $10K shutdown bonuses for some TSA officers

The Department of Homeland Security is giving $10,000 bonuses to transportation security officers who demonstrated “exemplary service” through the government shutdown.

Homeland Security Secretary Kristi Noem announced the bonuses during a press conference in Houston, Texas, today. She highlighted the “tens of thousands of individuals who stepped up and continued to serve” at the Transportation Security Administration despite receiving no pay through the 43-day shutdown.

Asked whether she was referring to those who did not call out sick or stay home, Noem said, “that’s not necessarily the parameters.”

“We’re going to look at every individual that did exceptional service during this period of time when there were so many hardships,” Noem said.

DHS did not immediately respond to questions about who qualifies for the bonuses. TSA employs approximately 50,000 transportation security officers, meaning a bonus for every officer would cost roughly $500 million.

In a press release, DHS said it’s paying for the bonuses using carryover funds from fiscal 2025.

Disruptions to air travel began to grow in the final weeks of the shutdown. Security lines began to grow longer as some TSA officers called out. Meanwhile, flight delays and cancellations grew as air traffic controllers at the Federal Aviation Administration began calling out of work amid multiple missed paychecks.

Noem’s announcement comes after a Truth Social post by President Donald Trump earlier this week, in which he raged at air traffic controllers who took time off during the shutdown. Trump also announced $10,000 bonuses for controllers who “didn’t take any time off for the ‘Democrat Shutdown Hoax.’”

Transportation Secretary Sean Duffy said he agreed with Trump’s idea for a $10,000 bonus for air traffic controllers who had no missed days of work. But Duffy also offered a reprieve for some employees who missed days during the shutdown.

“We have some controllers who were put in a very difficult position,” Duffy told a Wisconsin TV station on Tuesday. “They’re young. They don’t make a lot of money when they first start out. They can make some good money later in their careers, but when they start out, they’re not making a lot. They may be the sole source of income, and they were confronted with a real problem.”

However, Duffy also vowed to target “continual bad actors” during the shutdown.

“If they started to take time off because the shutdown was an excuse for them, we’ll take a look at those people, and we’ll work with the union and see what an appropriate response from the FAA will be,” he said.

The post DHS announces $10K shutdown bonuses for some TSA officers first appeared on Federal News Network.


Congress extends CISA 2015, but path to long-term reauthorization remains murky

Congress has temporarily extended a landmark cyber information sharing law, but industry representatives and cyber experts are urging lawmakers to act quickly to enact a more long-term solution.

The continuing resolution signed into law Wednesday night extends the provisions of the Cybersecurity Information Sharing Act of 2015 through the end of January. The law had expired Oct. 1.

CISA 2015 provides privacy and liability protections to encourage companies to share data about cyber vulnerabilities and threats. Cybersecurity leaders say those protections provide a critical underpinning to facilitate collaboration across government and industry.

Despite the temporary reprieve, the path forward for a long-term CISA 2015 extension in Congress remains unclear, with divergent reauthorization bills in the House and the Senate.

The White House has called for a “clean” 10-year reauthorization of CISA 2015. But Senate Homeland Security and Governmental Affairs Committee Chairman Rand Paul (R-Ky.) has opposed efforts to move forward such a bill in the Senate.

The long-term extension of the information sharing law, meanwhile, remains a chief concern for the technology industry.

Mike Flynn, senior vice president of government affairs for the Information Technology Industry Council, called the short-term extension “a step in the right direction.”

“Without a long-term CISA 2015 fix, cybersecurity stakeholders will continue to face uncertainty and questions that will undermine the network of information-sharing organizations and programs that have been built over the last decade,” Flynn said in a statement.

Henry Young, senior director of policy at BSA The Software Alliance, said he hopes to see a “sense of urgency” in Congress to extend the law long term.

“While we’re pleased that the law is hopefully going to be extended, we remain concerned that if the CR lapses, we’ll return to a world where cybersecurity information sharing is slowed or stopped, and that really leaves everyone at risk,” Young told Federal News Network.

CISA 2015 lapses

When the law lapsed Oct. 1, some cyber policy experts worried industry would stop sharing information about cyber threats affecting their products or networks.

But Nick Andersen, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said information sharing between government and industry was “holding steady” through the end of October.

The cooperation “is a testament to CISA’s reputation that it’s built up and our ability to have long-term collaboration tools,” Andersen told reporters at the Palo Alto Networks public sector conference in Tysons Corner, Va., on Oct. 30.

“I hate to see what’s going to continue to happen, though, after we get past the shutdown and we start having these longer conversations with the vendor ecosystem,” Andersen added.

While companies continued to share information during the lapse, Young said the process slowed down.

“It started to slowly reintroduce the legal review into each one of these individual decisions, which isn’t going to necessarily stop all information sharing, but is going to slow it, and it also might reduce it in increments,” Young said.

“People wanted to work together and continue to share information, and they did, to some extent, but it also created more risk for them to do,” he added.

Cynthia Kaiser, former deputy director of the FBI’s cyber division and now senior vice president of Halcyon’s Ransomware Research Center, said the lapse showed the need for a long-term solution to reauthorizing the law.

“It’s critical that protecting cybersecurity information sharing is considered a priority in Congress upon the government’s reopening in order to maintain a strong national security posture,” Kaiser said.

Debate in Congress

While Congress has just over two months to extend the law, the path forward for reauthorization remains murky.

In September, the House Homeland Security Committee passed the Widespread Information Management for the Welfare of Infrastructure and Government Act. The bill was led by Homeland Security Committee Chairman Andrew Garbarino (R-N.Y.).

Garbarino’s bill would extend the CISA 2015 protections for another 10 years, while updating definitions to account for advances in artificial intelligence. It would also require the Department of Homeland Security to improve its outreach on emerging cyber threats.

In a statement released after the House passed the CR, Garbarino called for reauthorizing multiple expired DHS authorities, including CISA 2015.

“With the federal government reopening, I look forward to continuing this Committee’s important work alongside our colleagues in both the House and Senate to find long-term solutions for reauthorizing these vital DHS authorities, bolster our nation’s cyber defenses, maintain President Trump’s secure borders, and ensure the safety of America’s skies and the traveling public,” Garbarino said.

It’s unclear, however, if and when Garbarino’s bill will be called for a vote on the House floor.

In the Senate, meanwhile, Homeland Security and Governmental Affairs Committee Ranking Member Gary Peters (D-Mich.) and Sen. Mike Rounds (R-S.D.) have put forward a bill that would extend CISA 2015 for an additional 10 years without modifying the provisions in the law.

“This short-term extension is an important stopgap, but it is set to expire in just two months unless we pass bipartisan legislation to provide more long-term certainty,” Peters said in a statement. “That’s why I’m pushing to pass my Protecting America from Cyber Threats Act with Senator Rounds, which would renew these critical protections for a full decade so that companies know they can count on them in the event of a cyberattack.”

A HSGAC aide said Peters “remains committed to getting this across the finish line and will continue working with colleagues across the aisle to make sure these protections are fully restored.”

However, Paul has blocked efforts to pass a “clean” CISA 2015 extension. He has pledged to oppose any efforts to reauthorize the law unless it prohibits the Cybersecurity and Infrastructure Security Agency from working on future disinformation efforts.

Paul has said the agency’s work in that area infringed on free speech rights. Cyber experts counter that reauthorizing CISA 2015, the law, has nothing to do with the agency’s work on disinformation, though the agency does rely on the law to undergird its collaboration with industry on cyber threats.

Officials have also lamented how the shared name of the information-sharing law and the cyber agency has muddied the waters in the debate over reauthorizing the law.

“They happen to share that same acronym, which is a fluke,” White House National Cyber Director Sean Cairncross said at the Palo Alto Networks conference last month.

A key question is whether the White House will throw its weight more forcefully behind any congressional efforts to reauthorize the law. In public comments, Trump administration officials have advocated for a 10-year reauthorization without further modifications to the law.

“It’s a common-sense law,” Cairncross said. “The White House is pushing for a 10-year, clean reauthorization of this authority. It’s something that we want to see done. It’s important to national security and it fosters the sort of collaboration, not only amongst the private sector, but between the public and private sector that’s vital.”

The post Congress extends CISA 2015, but path to long-term reauthorization remains murky first appeared on Federal News Network.
