July 19, 2015
Vol. 19, Issue 6
ACM Washington Update
ACM Washington Update recaps ACM's initiatives in the U.S. technology policy arena monthly. Please forward this newsletter to friends and colleagues in the computing community. View more details on each item below, as well as on the blog. Follow USACM on Twitter and Facebook.
White House officials urge more computer scientists to come work in government and to apply their skills to shaping computing-related policy decisions.
OPM announced hackers accessed the database containing personal data from security background investigations of roughly 25 million Americans.
The EAC announced the members of the renewed Technical Guidelines Development Committee, which will begin work on the next generation of voluntary voting system guidelines.
NIST is accepting public comments on a draft framework for addressing privacy risks in federal information systems.
The U.S. Department of Commerce is accepting public comments on proposed changes to definitions used in export regulations. The revised definitions address encrypted content.
NTIA invites businesses, organizations, and individuals to participate in a new multistakeholder process on drone privacy, transparency, and accountability.
NTIA invites businesses, organizations, and individuals to participate in a new cybersecurity multistakeholder process on vulnerability research disclosure.
ACM Distinguished Member nominations are due by August 3.
In this month's Communications of the ACM magazine, White House Office of Science and Technology Policy (OSTP) Deputy Director Thomas Kalil and former OSTP Assistant Director for Robotics and Cyber Physical Systems Vijay Kumar urge computer scientists to come work in government as a way of advancing and shaping public policy in computing research and education.
Computer scientists possess the specialized expertise that enables them to provide the input for well-informed policy recommendations and decisions, particularly when the policy issues are complex or highly technical.
"Computer scientists and engineers can have a huge impact on the future of the field and the future of the U.S. By serving in the government, they can design and launch new research initiatives, inform IT-related policy decisions, and serve as a catalyst for public-private partnerships involving government, industry, and academia," they write.
"Whether you are in industry or in academia, a student or a professional, we urge you to reach out and connect with federal government agencies whose missions are aligned with your interests."
Thinking of taking a more active role in public policy? Agencies offer opportunities ranging from short-term appointments to long-term career positions.
Read the full article: The Future of Computer Science and Engineering is in Your Hands
The Office of Personnel Management (OPM) announced hackers accessed the personal data from security background investigations of roughly 25 million Americans. Two separate but related breaches disclosed information about employees, applicants, spouses, and co-habitants of applicants. The database contained sensitive information, including social security numbers, passwords, and 1.1 million fingerprints.
The breaches led to the resignation of OPM Director Katherine Archuleta, the appointment of OMB Deputy Director Beth Cobert as the new OPM Acting Director, several House and Senate hearings in Congress, a White House instruction to federal agencies to improve cybersecurity immediately, a "flash audit" by the OPM Inspector General that raised "serious concerns" about a proposed computer systems upgrade, and an OPM report outlining 23 actions that it will take to improve cybersecurity. OPM also will hire an outside cybersecurity expert by August 1.
OPM is sending notification letters to affected individuals and will be providing credit and identity theft monitoring and protection services. OPM is establishing a call center to respond to questions.
Additional Congressional hearings are expected in the fall.
The U.S. Election Assistance Commission announced the members of the renewed Technical Guidelines Development Committee (TGDC). The Committee will hold its first meeting on July 20-21 at the NIST headquarters in Gaithersburg, Maryland to begin the process of moving forward with the next generation of voluntary voting system guidelines.
The 15-member advisory committee provides assistance with the development of voluntary voting system guidelines. The members are jointly appointed by the EAC and the Director of the National Institute of Standards and Technology (NIST). The committee includes representatives from the EAC, NIST, the U.S. Access Board, the National Association of State Election Directors, and standards-setting organizations. Four technical experts also serve on the committee. NIST Director Willie E. May serves as the Chair.
A live webcast will be available.
The National Institute of Standards and Technology (NIST) is accepting public comments on a draft report, Privacy Risk Management for Federal Information Systems, which describes a privacy risk management framework for federal information systems. The document describes privacy engineering objectives and a privacy risk model. Comments are due by July 31.
Commentators are asked to provide input on:
Does the framework provide a process that will help organizations make more informed system development decisions with respect to privacy?
Does the framework seem likely to help bridge the communication gap between technical and non-technical personnel?
Do the privacy engineering objectives seem likely to assist system designers and engineers in building information systems that are capable of supporting agencies' privacy goals and requirements?
Should context be a key input to the privacy risk model? If not, why not? If so, does this model incorporate context appropriately? Would more guidance on the consideration of context be helpful?
Does the equation to calculate the privacy risk of a data action seem likely to be effective in helping agencies to distinguish between cybersecurity and privacy risks? The equation of privacy risk is expressed as the product of two factors: the likelihood of a problematic data action multiplied by the impact of a problematic data action. Data actions are defined as "information system operations that process personal information."
Read the report: Privacy Risk Management for Federal Information Systems
The U.S. Department of Commerce's Bureau of Industry and Security is accepting public comments on proposed revisions to definitions in the Export Administration Regulations (EAR). The proposed rules contain a new provision relevant to cloud, email, and other third-party digital services. Comments are due by August 3.
The rules recognize and clarify for the first time an explicit exemption for encrypted transfers of technology or software when it is unclassified and secured using end-to-end encryption. The announcement states that the current regulations do not make "any distinction between encrypted and unencrypted transfers of technology or software for control or definitional purposes." The proposed rules explain that encrypted transfers would not pose a national security risk because they are "not readable" until decrypted by the recipient.
The encryption would need to be compliant with FIPS 140-2 and NIST guidance on what would constitute sufficient security. The revised definition would allow the use of "similarly effective cryptographic means," but the burden would be on the company to show why and how the alternative encryption method provides sufficient security. Commercial providers would not be allowed to decrypt or store decrypted information until after the recipient decrypts it.
A related change would be to add new language to the definition of "export" to address decryption because it would make the information accessible: e.g., releasing or otherwise transferring decryption keys, network access codes, passwords, or software that would allow access to other technology in clear text or software.
Another proposed change is to move the section on the export of encryption source code and object code software to a newly created section to make it clearer when an "export" occurs.
The National Telecommunications and Information Administration (NTIA) invites businesses, organizations, and individuals to participate in a new multistakeholder process on drone privacy, transparency, and accountability. The goal is to produce a set of best practices for the commercial and private use of drones, known as unmanned aircraft systems (UAS).
President Obama called for the initiation of this multistakeholder process in a Presidential Memorandum released earlier this year on the same day as the release of the FAA's proposed regulations for non-hobby or non-recreational operations of drones. The President called for the multistakeholder process to promote the responsible commercial and private use of drone technology and to develop a framework that considers the implications for privacy, civil rights, and civil liberties.
The objectives for the first meeting on August 3 are to:
Review the regulatory environment for commercial drone operations
Discuss the current and near future commercial uses of drones
Discuss what issues might be raised by the technology
Identify which issues could be acted on by the group
Establish working groups (tentative)
Identify concrete goals and work plans (tentative)
NTIA also will hold meetings on September 24, October 21, and November 20. All the meetings will be held in Washington, D.C. The meetings will be webcast. NTIA will post the agenda and additional information in advance of the meetings.
The National Telecommunications and Information Administration (NTIA) invites businesses, organizations, and individuals to participate in a new cybersecurity multistakeholder process on vulnerability research disclosure. The process aims to leverage and build on existing multistakeholder cybersecurity efforts and to produce an actionable voluntary outcome, such as high-level principles that shape future policy and inform best practices.
"The goal of this process will be to bring together security researchers, software vendors, and those interested in a more secure digital ecosystem to create common principles and best practices around the disclosure of and response to new security vulnerability information," said Assistant Secretary for Communications and Information Angela Simpson.
NTIA will lead the new initiative in partnership with the Internet Policy Task Force.
The first meeting will be held in September in San Francisco, with the exact date to be determined. The meeting will be webcast. NTIA is accepting expressions of intent from stakeholders interested in participating in the process.
ACM is accepting nominations for the ACM Distinguished Member grade. The Distinguished Member grade recognizes up to 10% of the top ACM members who have at least 15 years of professional experience and have had significant accomplishments or impact in the computing field. The grade has three categories: Distinguished Educator, Distinguished Engineer, and Distinguished Scientist, recognizing achievements in different areas. Nominations for each category are considered separately.
Distinguished Members will receive a certificate and a specially annotated ACM membership card. Distinguished Members will be announced online and in the Communications of the ACM magazine.
Nominations for ACM Distinguished Member are due by August 3.
About Washington Update - ACM Washington Update is produced by the ACM Public Policy Office. It highlights activities of the ACM U.S. Public Policy Council (USACM) and the ACM Education Policy Committee (EPC), as well as other events in Washington that affect the computing community.
About USACM - The ACM U.S. Public Policy Council (USACM) is the focal point for ACM's interactions with U.S. government organizations, the computing community, and the U.S. public in all matters of U.S. public policy related to information technology.
About EPC - The ACM Education Policy Committee (EPC) engages policymakers and the public on public policy issues that relate to computer science and computing-related education, including the importance of high-quality education at all levels to the labor market and the economy.
Views expressed are not necessarily those of ACM. To send comments, please write to firstname.lastname@example.org.