Quick Hits for Nov. 6

*** IBM's Watson computer is helping the National Institute of Standards and Technology generate vulnerability risk scores.

"We started it just to get familiar with AI, so we could get our hands on it, learn about it, put it in a lab and experiment," Matthew Scholl, deputy division chief of NIST's Computer Security Division, told reporters after the Nov. 2 Information Security and Privacy Advisory Board meeting. "And as we were doing it with this dataset, we said, 'Hey, this seems to be putting out results the same as our analysts are putting out.'"

The Common Vulnerability Scoring System assigns risk scores to common vulnerabilities and exposures, and the analysts follow a model for how to get to these scores. This model, combined with the wealth of historic data, meant the project was a perfect fit for an AI pilot.

NIST researchers have been happy enough with the results that they have begun working with the CIO's office to put it into full production. They’d like to be fully up and running within fiscal year 2019, Scholl said. For the pilot phase, NIST bought an IBM license and has a contract to work with the company on the training to make sure the data isn't biased in a way that would affect results.

"Hiring humans to keep up with the pace of increasing CVEs is not a sustainable model for the future," Scholl said.

*** While the Nov. 6 election is top of mind for most lawmakers, when the House reconvenes, the Veterans Affairs Committee is planning a hard look at the troubled electronic health record modernization program at VA. On Nov. 14, the committee will hold a hearing on the agency's progress after 180 days of the EHRM program, paying special attention to a report on the Defense Department's new health record system, which is based on the same software VA is acquiring.

*** The Office of Personnel Management is following up on changes to federal pay structures and expansion of direct hiring authority to help agencies bring in cyber and IT talent with guidance for agencies’ human resources shops. In "interpretive guidance" issued to all agencies, OPM outlines how HR directors should identify cybersecurity positions, clarify their roles and duties and develop a cybersecurity workforce. The guidance details the competencies and tasks agencies should be looking to fill, the criteria for classifying each into a general schedule position, and how to determine pay and occupational series for cyber and IT positions.