This page is not built out yet. If you are seeing this page, please contact an administrator.

How Spectro Cloud’s PaletteAI Secure helps agencies scale AI securely, compliantly, and confidently

The rapid rise of AI is transforming enterprise applications and infrastructure at incredible speed. It is reshaping the marketplace of tools, software, and hardware, from sovereign clouds to the edge.

From a toolchain perspective, the AI ecosystem is exploding. Thousands of offerings are emerging, with more introduced every day. Additionally, developers are rapidly updating their software to support AI. According to Gartner, 80% of applications are expected to be rewritten to embed AI over the next several years.

On the hardware and infrastructure front, the story is the same. Massive GPU investments and rising AI infrastructure costs dominate budgets. Yet many GPUs sit underutilized due to over-provisioning and inefficient resource sharing.

For government agencies and regulated industries, this complexity makes it harder to maintain strict compliance, data sovereignty, and Zero Trust security standards, making the path to scalable, secure AI even steeper.

Team friction and ‘shadow IT’

Every team involved in AI initiatives faces pressure to prove value fast. Yet the drive for innovation from AI practitioners often clashes with IT’s need for visibility, compliance, and control — especially in government and regulated industries where security and accountability are critical.

This tension often leads to Shadow IT – ad hoc deployments outside enterprise guardrails – creating fragmented security, data risk, and limited visibility for platform and governance teams.

Design patterns such as AI factories and secure multi-tenancy are emerging to restore order, but implementing them securely and at scale remains difficult given the diversity of AI use cases and rapid tool evolution. For government and regulated sectors, the stakes are even higher: breaches, misconfigurations, or model exposure can have mission-level consequences. Compliance frameworks like FIPS 140-3 and Zero Trust are not optional, they are essential.

So… what’s the answer?

Organizations need a unified foundation that brings together platform and practitioner teams in one place. A solution that accelerates innovation while maintaining control and compliance.

The right tool must deliver speed and flexibility for AI teams while ensuring the visibility, policy enforcement, and governance IT requires.

In short, agencies and enterprises need a secure AI platform that can operate across any environment, data center, edge, or cloud, with the same level of assurance, compliance, and performance.

And this is exactly what Spectro Cloud delivers with our new PaletteAI and PaletteAI Secure platforms.

Meet PaletteAI Secure

PaletteAI Secure is a new platform from Spectro Cloud for deploying and managing secure AI workloads at scale. It creates a unified environment for both platform and practitioner teams, combining speed, security, and policy-driven governance across every layer of the AI stack.

PaletteAI Secure gives enterprises a consistent, repeatable foundation for building AI environments. It connects the full lifecycle: design, deploy, and manage across data center, cloud, and edge.

Platform teams use PaletteAI Studio, a specialized interface inside PaletteAI Secure, to design and publish AI stack templates pre-integrated with NVIDIA AI Enterprise components such as NeMo, NIM, DOCA, and Run:ai. These templates include the full infrastructure stack—operating system, Kubernetes, networking, and more—providing a consistent base for AI workloads.

Practitioners can customize and deploy these templates within approved guardrails, accelerating innovation while maintaining compliance and operational consistency.

Built-in automation handles provisioning, scaling, and updates, while unified governance and observability deliver visibility across environments.

PaletteAI Secure adds hardened security and compliance layers, FIPS 140-3 validation, and zero-trust enforcement at the infrastructure level.

PaletteAI Secure provides the foundation for building secure AI factories, enabling organizations to apply consistent Zero Trust controls and policy enforcement as they scale AI production across data centers, edge, and sovereign clouds.

Platform teams define compliant blueprints spanning every layer of the stack: FIPS-validated OS and Kubernetes, secured storage and networking, and trusted AI tools.

AI teams deploy freely within those secure boundaries. This design provides freedom with governance, giving regulated organizations the ability to scale AI confidently without compromising compliance.

Multiple layers of security and compliance

FIPS compliance

PaletteAI Secure adheres to FIPS 140-3, the standard for cryptographic security, and a mandatory requirement for sensitive government data workloads. Every layer, from the operating system to the workload, uses validated encryption modules and meets strict auditing requirements. This ensures that AI data remains secure from ingestion to inference, maintaining confidentiality throughout the AI lifecycle.

Zero Trust AI

PaletteAI Secure implements Zero Trust principles across the AI stack, ensuring that access is always verified and data is continuously protected. Using NVIDIA BlueField DPUs and the DOCA Platform Framework (DPF), the platform enforces isolation and encryption. These technologies help maintain strict boundaries between workloads and networks, providing consistent security and compliance for AI environments across all deployment locations.

SAINA: Secure AI-Native Architecture

Spectro Cloud’s Secure AI-Native Architecture (SAINA) defines how Zero Trust is implemented across PaletteAI Secure. Building on the same NVIDIA BlueField DPU and DOCA Platform Framework (DPF) foundation, SAINA acts as a guiding framework that unifies security, governance, and performance for deploying secure AI factories.

It turns Zero Trust principles into practical outcomes—isolating workloads, verifying access, and protecting data throughout its lifecycle. SAINA also enables secure multi-tenancy and network isolation, ensuring users and workloads remain isolated even in shared environments.

For government and defense organizations, it delivers consistent, compliant, and resilient security across data centers, edge, and sovereign clouds.

Backed by a proven security heritage

The U.S. military, defense, and government agencies have long trusted Spectro Cloud. PaletteAI Secure builds on the legacy of Palette VerteX, which powers secure Kubernetes management in classified and FedRAMP-authorized environments.

Spectro Cloud’s compliance portfolio includes FIPS 140-3 (certificate #5061), DoD STIG, ISO 27001:2022, and SOC 2 Type 2 certifications.

These credentials demonstrate its commitment to protecting critical workloads across sectors such as defense, healthcare, and energy. Trusted by security-driven organizations worldwide, Spectro Cloud delivers consistent protection for regulated and tactical deployments alike.

Learn more

To learn more about PaletteAI Secure, its security certifications, and the full range of compliance and security features it offers, visit palette-ai.com/secure.

Fix the Foundation: How Hybrid Cloud and Trusted Data Enable Government AI

By Dario Perez, VP Federal Civilian and SLED, Cloudera

Artificial intelligence presents a transformative opportunity for government, from enhancing national defense readiness to improving citizen services and enabling data-driven decision-making at scale. However, to move from promising pilots to scalable, mission-aligned deployments, agencies must focus on what lies beneath the surface: trusted data and infrastructure.

Cloud adoption has been underway in the Federal government for over 15 years, and every agency has made meaningful progress. However, as the Forrester State of Cloud in Government, 2025 report highlights, realizing the expected value of cloud remains a significant challenge. While many agencies have migrated workloads to the cloud, environments often remain fragmented, hybrid strategies are underdeveloped, and legacy systems continue to limit how data is accessed, analyzed, and secured. These gaps directly undermine an agency’s ability to make data actionable, especially at the scale and speed that AI demands.

At the same time, expectations from agency leadership are rising. CIOs and IT teams face growing pressure to demonstrate meaningful operational returns on AI investments – quickly. But AI isn’t a box to check or a tool to bolt on. It requires a deliberate, step-wise approach rooted in three fundamentals: clearly defining the mission problem; ensuring access to accurate and trusted data; and modernizing the infrastructure to enable secure and reliable access to data wherever it may be.

To enable mission-based AI decision making, government agencies must rethink their modernization strategies. In practice, that means developing and implementing a data strategy that encompasses both cloud and on-premises data centers into integrated hybrid multi-cloud environments.

This approach shifts agencies from fragmented datasets to governed, action-ready data ecosystems, taking one-off pilots and transforming them into AI deployments that directly support core agency goals.

Hybrid Multi-Cloud: The Foundation for Modernization and AI Readiness

Managing agency data via a single pane of glass through a hybrid multi-cloud environment is no longer a compromise – it’s a strategic enabler. Today’s tools provide the flexibility and control needed to manage data as a critical strategic asset without disrupting operations.

For government agencies, hybrid multi-cloud offers a practical and scalable path to AI readiness by:

Enabling gradual modernization. Keep mission-critical processes as they are and make incremental movements without disrupting continuity.
Staying in compliance. Agencies can’t afford downtime or risks to the data assets in their care. A hybrid cloud strategy aligns with security and compliance mandates, including FedRAMP and DoD IL5/6.
Offering strategic roll-out. A hybrid cloud strategy allows agencies to prioritize and deploy workloads across on-prem, public cloud, and edge environments as needed.

Early adopters have already leveraged hybrid multi-cloud environments for various agency use cases, including:

Accessing real-time analytics in field operations, ensuring that agencies are aligned, synced, and acting on the best available information.
Training AI models in multi-cloud environments, offering controlled visibility far beyond what was possible when data was siloed and hard to access.
Maintaining operational continuity across disconnected or contested networks, powering confidence and resilience across the board.

By designing infrastructure with hybrid multi-cloud in mind, agencies can ensure interoperability, scalability, and resilience – all key attributes to realizing their AI-driven missions. To scale AI beyond prototypes, the public sector needs more than cloud capacity. They need control and clarity.

Trustworthy, Reliable Data: The Core Enabler of AI Readiness

Once the infrastructure is in place, the next imperative is ensuring the data is usable, trusted, and well-managed. Poor data quality, governance gaps, and silos are still among the top barriers to successful AI deployment because AI outputs are only as strong as their inputs.

As such, for AI to work at scale, government agencies need to prioritize:

Comprehensive audits. Who accessed the data, including when, why, and how. Tracking data lineage and ensuring accuracy is possible through metadata and audit tools.
End-to-end traceability. Where did the data come from, and were any filters, parameters, or prioritizations added along the way? If so, can they be trusted and defended? Modern data “lakehouses” are the preferred architecture for AI as they support unified structured and unstructured data and streaming data across environments and support AI training without forcing risky or inefficient data movement.
Visibility through a single pane of glass. Accounting for distributed data means they need observability and control from a unified point.

With well-governed, high-quality data, agencies reduce the risk of model drift, bias, or unreliable insights, and increase their ability to confidently act on AI outputs. But as AI expands across mission-critical functions, data security becomes the thread connecting every part of the infrastructure.

Security and Trust: The Prerequisite for Cross-Domain AI

Before full deployment at scale, government agencies must review touchpoints and patch vulnerabilities. Public trust and mission success both depend on building AI that is not only powerful, but also secure by design.

That means:

Adopting zero-trust architectures that enforce strict identity and access controls, even inside the perimeter.
Encrypting all data, regardless of whether it’s at rest and in motion, while applying segmentation to reduce the blast radius in the event of a breach.
Building secure-by-design AI pipelines that allow for testing and deployment while offering a way to monitor for drift.

In a crisis, there’s no time to engineer collaboration on the fly. Secure cross-domain interoperability must be built in from the start. By bringing AI to the data, instead of moving data across environments, agencies reduce exposure while preserving speed and mission relevance.

AI is reshaping how government agencies operate, but only if the foundations are solid. Success depends not on speed, but on sequencing: modernizing infrastructure, governing data, and securing every layer of the AI pipeline.

Agencies that take a step-wise, mission-aligned approach – starting with hybrid cloud, followed by trusted data practices and secure data access – will be best positioned to scale AI effectively. This isn’t just about technology. It’s about transforming how government agencies deliver value, build public trust, and advance their missions.

With a thoughtful roadmap in place, AI can move from isolated experiments to enterprise-wide transformation.

New Google Workspace Cost-Saving Offer Available for U.S. Federal Government

By: Tony Orlando, GM Specialty Sales, Google Public Sector

Government agencies rely on IT providers to provide secure, compliant, and efficient technology to help complete their vital missions. At the same time, cost-savings and productivity are taking center stage. These priorities – lower cost with better security and productivity – may seem at odds, but with the right cloud provider, they don’t have to be.

Starting April 10, 2025, we are offering Google Workspace at a significant discount for U.S. federal government agencies. Workspace is a FedRAMP High authorized communication and collaboration platform that includes familiar apps, such as Gmail, Drive, Docs, Meet and more. Workspace comes with the best of Google AI, including Gemini and NotebookLM, at no additional cost, and is infused with efficient, time-saving features, such as real-time collaboration. Hundreds of thousands of personnel across the Department of Energy, the Air Force Research Laboratory, and others have access to Workspace to enhance their productivity and collaboration. Now, with Gemini being the first AI assistant to receive FedRAMP High Authorization, Workspace is also paving the way for federal agencies to leverage state-of-the-art AI capabilities in a compliant manner.

Read on to learn more about how Google Workspace could help Federal agencies potentially save up to $2 billion over the next three years with government-wide adoption, while offering improved security and enabling greater productivity.

Cutting costs

Consistent with the U.S. General Services Administration’s strategy of treating the government as a single buyer, we have launched a temporary discount of 71% off the current Multiple Award Schedule (MAS IT) pricing for a bundled offering of Google Workspace Enterprise Plus and Assured Controls Plus, ensuring federal agencies of all sizes can access volume-based pricing. This pricing is effective until September 30, 2025.

Improving security

Workspace has a unique approach to ensuring that cost and productivity are addressed with security top of mind. First, it delivers a secure, reliable, and compliant cloud infrastructure for all customers, ensuring that government agencies receive the same benefits, capacity, and features at the same pace as commercial customers. Second, Workspace can nullify classes of attack vectors since it doesn’t require client desktop apps or on-premises software. And third, Workspace is built-in with AI defenses that leverage threat signals from billions of endpoints and Google’s vast threat intelligence. The result? Workspace blocks more than 99.9% of spam, phishing attempts, and malware, and comes with a 99.9% uptime SLA.

Supercharging productivity

Workspace is highly interoperable with other software tools, leading to faster deployment and increased productivity —including an estimated 30% improvement in collaboration. Designed for the cloud, Google Workspace is intuitive, reducing time to configure workstations by up to 90%, as well as facilitating simplified user onboarding and training.

Additionally, with Gemini in Workspace apps and the Gemini app having achieved FedRAMP High authorization, federal agencies can get more done with AI without additional costs for AI add-ons or subscriptions. Workspace with Gemini dramatically accelerates the creation and sharing of emails, documents, and even transcribed meeting notes. Users can save an average of 105 minutes per week generating text, summarizing content and automating tasks. Critically, 75% of daily Gemini users say it also improves the quality of their work.

Increasing efficiency

Workspace has long been a trusted partner to federal agencies, enabling efficiency through ease of collaboration and communication. Working with the Air Force Research Laboratory since 2021, Workspace has been able to create “a flexible, synergistic enterprise that capitalizes on the seamless integration of data and information through the use of modern methods, digital processes and tools and IT infrastructure.”

We are committed to ensuring the public sector can benefit from Google’s latest AI, innovations, and technologies, freed from redundancy or vendor lock-in.

Learn more about how Google Workspace can help your agency accelerate mission impact. Register now for digital access to Google Cloud Next ’25 to watch keynotes and explore sessions on-demand.

Reinventing FedRAMP in the Age of AI

By David Appel, Vice President of U.S. Federal at AWS

For more than a decade, Amazon Web Services (AWS) has been at the forefront of enabling government agencies and their partners to deploy secure cloud services through the Federal Risk and Authorization Management Program, known as FedRAMP. This program provides a standardized compliance approach to U.S. federal government agencies as they adopt secure cloud solutions. AWS was the first cloud provider to achieve FedRAMP High authorization, and we supported Congress in codifying the FedRAMP program into law in 2022. Today, AWS has over 130 approved services at the High baseline and over 150 at Moderate.

The General Services Administration (GSA) recently announced FedRAMP 20x, a new compliance model aimed at modernizing the program through updated security practices. Over the past few months, experts from across AWS participated in industry working groups with other cloud providers, security experts, and agency representatives to share best practices and help shape implementation standards.

As GSA and federal IT security leaders continue reforming the program, they should consider the following recommendations:

Automate everything that can be automated. We are pleased to see GSA aim to automate compliance procedures everywhere possible. AWS is architected to be the most secure and flexible cloud environment available today. Our services already meet the rigorous security requirements set by FedRAMP, enabling our U.S. federal customers and our extensive partner network to confidently deploy cloud for mission-critical operations. By emphasizing real-time compliance verification and automated control validation, AWS can continue to be a strong partner to our government customers in continuing to deliver solutions at scale with the highest security standards.

Enable startups and new innovation. AWS supports FedRAMP 20x’s direction toward modernizing cloud security authorization, particularly through the initiative to recognize existing frameworks, which we believe will accelerate adoption for startups and AI providers. By acknowledging certifications like SOC 2 Type II, which already validates controls for security, availability, and confidentiality over an extended period, providers can leverage these existing assessments toward FedRAMP authorization. This approach eliminates redundant documentation, creates a more efficient path to authorization, and lowers barrier to entry for innovative cloud solutions while maintaining rigorous security standards.

Authorize secure, innovative AI. The use of AI, including Generative AI, is becoming an increasingly important tool that can help the government do more with less, thereby increasing the efficiency of service delivery to citizens while keeping cybersecurity a top priority. Through FedRAMP’s new proposed notification-based approach for significant changes, we believe that cloud providers will be able to rapidly deploy AI updates and improvements without lengthy approval processes. By significantly reducing compliance times for software services, these changes can help the federal government adopt AI solutions faster and tap into cutting-edge AI and machine learning tools for mission use. And by doubling down on proposed reforms, FedRAMP can help close the gap between a commercially deployed solution and one that is available for government use.

We believe the changes proposed by GSA, if implemented, could benefit both government and the citizens it serves. FedRAMP can further enable federal agencies to meet compliance requirements and enhance their security while realizing cost savings and greater speed and efficiencies.

We look forward to working with GSA to continue this momentum. We have been supporters of the program since its inception, and we are excited to be part of its future. By continuing to enhance FedRAMP’s security while expanding its offerings to our partners and government, we can continue to power the next generation of government innovation.

Balancing Security and Efficiency: The Federal IT Dilemma in the AI Era

By Erich Kron, security awareness advocate at KnowBe4

The federal IT landscape is undergoing a significant transformation. Budget constraints and staffing reductions are pushing agencies to do more with less. For chief information officers (CIOs) and senior policymakers, the challenge is clear: maintain operational excellence and strong cybersecurity defenses while embracing tools that boost efficiency and watching the budget. Enter artificial intelligence. It is both a powerful ally and a new threat vector.

The Fiscal Reality: Less Money, Fewer People

Across federal agencies, tightening budgets are becoming the norm. Mandates to streamline operations are happening while dealing with workforce attrition due to retirements and hiring freezes. This leaner operational model places enormous pressure on IT leadership. Maintaining the same, or even increasing, levels of security and performance with fewer resources requires a new way of thinking.

Agencies are beginning to adjust by automating routine tasks, optimizing service delivery, and consolidating infrastructure. But efficiency gains alone don’t eliminate risk. In fact, if not carefully implemented, they can introduce new vulnerabilities. This is not a new battle, funding is almost always tight in governmental agencies at all levels, however the focus on cost cutting and reducing the size of government has introduced some significant new hurdles.

Threat Landscape: Shifting Risks, New Motivations

Cyberthreats have evolved beyond opportunistic ransomware and other malware. Nation-state actors, cybercriminal syndicates, and hacktivist groups now pursue broader goals: data theft, surveillance, disruption, and even political leverage. Federal systems – which are repositories of sensitive personal, operational, and national security data – remain high-value targets.

AI adds a new twist to this already complex threat matrix. It’s not just a tool for defenders; it’s becoming a weapon for attackers:

Data Exploitation at Scale: With AI, adversaries can quickly analyze massive datasets from public breaches to craft highly targeted phishing or social engineering campaigns.
Deepfake Deception: Fake audio and video are being used to impersonate trusted voices in virtual meetings or approval workflows, enabling financial fraud or data exfiltration.
Automation of Malice: AI-driven malware can adjust its behavior in real time, evading traditional signature-based defenses.

AI on the Defense: Smarter Shields

Despite the risks, the same technology also provides federal IT leaders with unmatched advantages:

Threat Detection and Response: AI enhances anomaly detection, enabling agencies to identify suspicious activity sooner and react much faster.
Automated Triage: Routine alerts can be analyzed, filtered and escalated more accurately, allowing overburdened security teams to focus on the highest-priority incidents.
Predictive Insights: Machine learning models can forecast potential vulnerabilities based on system behaviors and historical data.

Navigating the AI Paradox

CIOs must strike a delicate balance. Embracing AI is not optional. It is essential that AI be employed in order to survive in today’s cyber and budgetary climate. But as adoption grows, so does the attack surface. That’s why a layered security approach is more critical than ever:

Human + Machine: Security awareness must evolve. AI-powered threats demand an educated workforce capable of spotting deception, especially in high-stakes environments. A robust human risk management program is needed to address the threats from social engineering and human error.
Policy and Governance: Clear guidelines on AI use, ethical boundaries, and incident response protocols are essential to avoid misuse and ensure accountability.
Cross-Sector Collaboration: Federal agencies cannot do it alone. Sharing threat intelligence and aligning strategies with private sector counterparts can help mitigate systemic risk.

The Road Ahead

There is no silver bullet, but there is a path forward. By investing in both technology and people, and adopting a realistic mindset about efficiency and security trade-offs, federal CIOs can lead the way through this transition. Considerations must be made about the most efficient use of AI in their environments and where human oversight should be in place. AI is not the enemy, but ungoverned, it could become one.

Erich Kron is a security awareness advocate at KnowBe4. He is a veteran information security professional with over 25 years of experience in the medical, aerospace manufacturing, and defense fields, an author, and a regular contributor to cybersecurity industry publications. He is the former security manager for the US Army’s 2nd Regional Cyber Center-Western Hemisphere and holds CISSP, CISSP-ISSAP, SACP, and many other certifications.

Meeting Evolving State and Local Cyber Threats

By John Evans, Field Chief Technology Officer, State & Local Government, World Wide Technology

It was previously assumed that nation-state actors primarily targeted federal agencies or major enterprises for their national secrets or big-ticket data, rather than investing the time, money, and resources attacking smaller organizations like local or even state governments.

In recent years, however, attacks against these agencies have increased, signaling a shift in the entry points threat actors are targeting. Last year’s attacks on U.S. critical infrastructure by Volt Typhoon suggest this switch has been in the works for considerable time.

These attacks will continue to increase in complexity and volume, especially as AI removes barriers by requiring less time and fewer resources to deploy complex tactics. It is therefore necessary for state and local government IT leaders to assess their current security architectures to ensure they are fully fortified and prepared to mitigate these growing threats.

Challenges in Bolstering Security

While cyberattacks against state and local governments grow in volume and complexity, agencies are conversely facing staffing shortages and budget constrictions, making it challenging for them to detect these threats and take appropriate action. AI complicates this issue further, as it helps malicious actors broaden their scope of targets with minimal resources while decreasing their time to attack.

Federal support through agencies like the Cybersecurity and Infrastructure Security Agency (CISA) has previously bridged this gap for many state and local agencies by providing real-time advisories and guidance on persistent and upcoming threats. However, as federal security initiatives shift, and with some federal grants set to sunset in 2027, many agencies are exploring how to take greater responsibility in detecting and responding to malicious actors.

Tips for Developing Robust Security Architectures

While it’s tempting to match growing threat complexity with new and intricate defense plans, state and local agencies must first focus on getting the basics right if they want to stay ahead of hackers. Vigilant cyber hygiene initiatives must take center stage, including:

Developing full visibility across the IT system: All agency employees must understand the importance of collaboration with the IT team, as well as their responsibility to use technology correctly and safely. Training and security literacy are important, as employees need to understand how to incorporate cybersecurity early into projects and how to report suspicious activity

Ensuring network protocols aren’t exposed to the internet: This prevents unauthorized access to internal systems and data from the start, eliminating a top attack vector.

High patch efficacy: When vulnerabilities are detected, IT teams must be able to quickly and effectively patch systems and software to reduce the risk of exploitation.

Complete and tested backups: Owning full and recoverable backups can avoid severe disaster if a hacker seizes control of systems or data – especially when it comes to ransomware.

Requiring multifactor authentication (MFA) for everything: The added verification measures of MFA make it much more difficult for hackers to access systems.

How Public-Private Partnership Can Help

Private partners can help fill gaps in security caused by a lack of internal resources, staffing, and visibility across the IT ecosystem. Additionally, as technology like AI continues to grow in ubiquity, complexity, and demand, services like World Wide Technology’s Advanced Technology Center provide agencies with a sandbox for testing, developing and integrating solutions before fully investing in deployment, saving money and ensuring new tools are compatible with existing infrastructure.

Looking ahead, attacks on state and local agencies likely won’t slow down. By keeping a pulse on the evolving security landscape and fortifying the basics of their cybersecurity architectures, agency IT leaders can stay ahead of these sophisticated threat actors and protect sensitive citizen data.

AI Is the Solution to Stop AI Data Theft

By Fadi Fadhil, Field Chief Information Officer at Palo Alto Networks and former CIO for the City of Minneapolis

For many years, data retention has been a defensive game. To keep data safe, organizations have needed to protect their systems from outside cybersecurity threats like malware, phishing attempts, and ransomware attacks. This focus on guarding against intruders has spurred the creation of new systems that monitor cyberattacks and implement zero trust architecture, thereby helping prevent theft of critical or sensitive data.

But what if the biggest threat isn’t coming from outside intruders, but instead from the actions of your own employees?

When employees use new AI tools that promise to make them more efficient or productive at work, there’s no firewall system to prevent the sharing of data – knowingly or not – with bad actors embedded within these programs. This type of data theft happens without leaving any obvious trace – not only delaying organizational response but eliminating the chance to get that stolen data back.

Take school systems, for example. Schools across the country are consistently working with less funding and fewer staff than in the past. Stretched thin by competing demands on their time, an administrative employee at a high school might use a large-language model AI tool to help sort student demographic data to save time. What they may not know or remember is that the web-based AI tool they are using is not a part of the schools’ IT environment – meaning this student data is being shared with a third party that has no obligation to follow the school’s data guidelines. Students’ addresses, health records, grades and other identifying information are all at risk of being stolen by a threat actor.

As scary as it sounds, that’s the reality both public and private sector organizations across the country are facing with the rise of third-party AI tools. According to a recent Gallup poll, up to a third of U.S. employees are using AI in at least some of their work. That’s tens of millions of workers feeding possibly proprietary data into unknown third-party applications outside of their organization’s IT infrastructure, often without realizing how their inputs will be viewed, used, sold, or even stolen.

In the cybersecurity space, we recognize this phenomenon as “Silent AI,” or the hidden vulnerabilities associated with employee use of third-party AI tools. While uses for these tools may seem innocuous and even beneficial, like helping employees create to-do lists or organize information visually for ease of reading, they require users to share sensitive data outside of cybersecurity perimeters that IT departments can track. The use of AI programs has truly become the Wild West, and most organizations don’t have a sheriff. Once that data is outside of an organization’s systems, there’s no way to get it back.

The solution for Silent AI is to identify data sharing before it happens. Organizations need to have a solid understanding of which AI programs their employees are using so they can monitor what information is coming in and out of their networks. This can’t be accomplished with a patchwork of cybersecurity protections – rather, organizations must be able to look at their entire network to properly manage vulnerabilities.

But solving for Silent AI isn’t just about technology. Organizations both public and private also need to make a much larger investment in employee training around the risks associated with AI, including both the sharing of confidential information, and how this information can be an attack vector for more traditional forms of cyberattacks. And while employees can be a vulnerability themselves in cybersecurity systems when they make data sharing errors, employees can also be leveraged as a strength in developing a culture of vigilance around responsible, sanctioned use of AI tools that limit exposure to threat actors.

Addressing Silent AI doesn’t mean giving up on AI technologies altogether. These are important, useful tools that have very quickly become part of our everyday working experience and have made organizations more efficient. Instead, IT leaders and cybersecurity professionals need to set clearer parameters for which AI tools are safe to use, and how to use them. Then, they need the technology in place to monitor compliance with those policies and minimize risks.

The cybersecurity industry is already working on solutions. In my role as Field CIO, one of my department’s main goals is to help IT departments sleep at night by creating a holistic approach to their organization’s cybersecurity plans. We work with organizations to create comprehensive monitoring systems for their networks that can track whenever data leaves and who receives it. Because many of these systems are automated – using AI to track AI – IT infrastructure can detect or shut down sensitive data sharing almost immediately.

AI can be a silent threat, but there are still ways to manage its risks. As CIOs and CTOs across the country grapple with the consequences of using AI, cybersecurity systems need to be a part of their organizational policies. With the proper monitoring tools in place, the public sector can become more efficient and cut costs using AI while still protecting critical data.

Enhancing U.S. Government Operations with AI and Human-Centered Design

By Dan Coleman, General Manager Federal Civilian at Microsoft

Federal agencies are reimagining how they serve citizens and support their workforce by adopting unified digital platforms and AI-powered tools that foster collaboration, streamline workflows, and elevate service delivery.

These technologies are empowering government employees to focus on mission-critical initiatives by automating repetitive tasks and delivering real-time, data-driven insights –improving both employee experience and public outcomes.

From reducing administrative burdens to upskilling the workforce and enhancing interagency collaboration, the federal government is taking significant steps to create a more productive, responsive, and resilient public service environment. Agencies can apply these lessons to accelerate digital transformation while putting both employees and citizens at the center of the experience.

Empowering the Workforce with AI and Automation

Now more than ever, federal employees are expected to do more with less, while navigating outdated systems and complex procedures. However, AI is helping to change that. Agencies are leveraging AI-powered copilots to automate reporting, enhance mission execution, and streamline internal workflows. These tools serve as policy assistants, generate reports, and reduce administrative burdens, enabling employees to focus more on strategic, high-impact work.

At the same time, agencies are embracing responsible AI adoption with a focus on data security and transparency. Training and upskilling programs ensure that federal employees are equipped to use AI tools safely and effectively, building a culture of trust and continuous learning. Ultimately, these capabilities make it possible to scale innovation across all levels of government, redefining productivity and decision-making across the public sector.

Citizen Services That Start with the User

Improving the citizen experience starts with designing systems around people’s needs. Federal agencies are increasingly turning to modern digital platforms to unify services, enhance accessibility, and streamline program delivery. These platforms support data sharing and AI-powered insights, enabling agencies to make informed decisions that improve service quality and optimize limited resources.

Addressing silos within citizen-focused programs such as WIC, SNAP, TANF, and Medicaid, presents a clear opportunity to simplify service delivery. By consolidating these into a unified platform, agencies can reduce duplicative systems, lower operational costs, and make it easier for individuals to access the benefits they need. Creating intuitive digital experiences and reducing reliance on physical infrastructure also strengthens inclusivity and convenience.

Integrated Platforms for a Unified Government

Natively integrated platforms reduce complexity across IT systems. These platforms consolidate identity, security, and workflow management by streamlining operations and enabling secure, seamless access to applications and data across agencies. Unified identity management strengthens security while minimizing redundancies, and a single security architecture accelerates threat detection and remediation, reducing risks and costs tied to fragmented legacy systems.

Adopting unified platforms supports scalability, enhances governance, and allows agencies to quickly respond to evolving mission needs. Built-in automation, low-code/no-code capabilities, and cloud-based foundations give agencies the tools to modernize at scale. These environments also reduce the need for multiple vendors, simplify system updates, and lower operational costs.

Collaboration and Data Sharing as Catalysts for Innovation

Cross-agency collaboration and data sharing are essential for addressing complex challenges. When agencies operate on shared, interoperable platforms, they can pool resources, accelerate decision-making, and avoid duplication. In health, for example, integrated data sets can fuel research breakthroughs. In security, timely data exchange can help detect and prevent threats.

This collaborative approach improves the accuracy and transparency of federal reporting and strengthens public trust. It also makes it easier to distribute benefits promptly and equitably, supporting smarter policymaking and more responsive government services.

A Strategic Path to Sustainable Modernization

To fully realize the benefits of digital transformation, agencies should develop comprehensive modernization strategies that align with mission priorities and operational realities. This includes:

Adopting unified platforms that combine collaboration tools, data integration, and application development capabilities.
Prioritizing enterprise-wide interoperability to ensure seamless function of all systems, applications, and workflows.
Optimizing operational costs by consolidating IT environments and reducing dependence on standalone systems and custom integration efforts.
Enabling cross-agency collaboration by breaking down data silos and leveraging shared resources and insights.

By focusing on these strategies, agencies can build resilient systems that reduce redundancy, increase agility, and deliver better services to citizens – all while supporting a motivated and empowered workforce.

About the Author: As General Manager Federal Civilian at Microsoft, Dan Coleman is responsible for the strategic positioning and successful delivery of Cloud and Enterprise Services to Microsoft’s Public Sector customers.

How FinOps Can Help Agencies Slash Cloud Costs in 5 Steps

By Nicolas Ojeda, Technology Business Management/FinOps lead, REI Systems

William Kasenchar, principal, REI Systems

As the White House seeks to cut spending and increase efficiency, government leaders should apply FinOps principles to seize the opportunity to optimize cloud service costs. This strategy, widely adopted in the private sector, presents an opportunity to save hundreds of millions of dollars while improving operational efficiency across federal agencies.

FinOps is a framework for applying business best practices to cloud cost optimization. While conceptually simple, FinOps requires analyzing a complex mix of cloud usage patterns, multi-vendor pricing structures, contract discounts, and government procurement regulations.

Applying FinOps is particularly challenging for federal agencies due to regulatory roadblocks, shadow IT, cost transparency issues, and inefficient provisioning. Unlike private companies, agencies must comply with Federal Acquisition Regulation (FAR) policies that prevent multi-year financial commitments, limiting their ability to secure long-term cost savings.

In the private sector, companies leverage multi-year commitments to secure cloud discounts of up to 70 percent, but FAR restrictions mean that agencies can often only secure 20 percent discounts on one-year contracts. The estimated annual savings lost due to this limitation across the federal government are approximately $500 million annually.

Although changes to the FAR require congressional approval, previous attempts were met with resistance due to concerns over long-term budgeting constraints. However, the increasing emphasis on government efficiency and spending cuts creates an opportunity for policy reform, provided agencies can demonstrate tangible cost-saving benefits through pilot programs and internal studies.

5 Steps to Implementing FinOps in Government Agencies

Despite the roadblocks, there are steps agencies can take now to implement FinOps and achieve those savings and efficiencies:

Negotiate pricing similar to multi-year commitments. Even though agencies cannot sign multi-year agreements at this time, they can negotiate for equivalent pricing through persistent vendor negotiations that – under the right circumstances – leverage offers from cloud providers with discounts comparable to multi-year deals. Agencies can also demand aggregation, pooling demand from multiple organizations under a single contract to increase their leverage. In addition, they should benchmark against private sector pricing. Understanding what major enterprises pay can provide a negotiating advantage.
Right-size cloud purchases to actual needs. Agencies should thoroughly assess their actual cloud consumption to prevent over-provisioning or underutilization. Key best practices include automating cost monitoring to identify unused or underutilized resources; adopting commitment-based models such as savings plans or committed use discounts to maximize efficiency; and implementing a chargeback model where internal departments are accountable for cloud usage.
Consolidate contracts for enterprise-level discounts. Many government agencies operate in silos, leading to duplicative cloud contracts across different bureaus. By consolidating these contracts into an enterprise-wide agreement, agencies can unlock higher volume discounts, improve cost transparency and governance, and reduce administrative overhead by simplifying procurement processes.
Optimize operational FinOps practices. Beyond procurement, agencies must focus on cost governance to ensure long-term savings. Key strategies include data storage and retention policies for preventing unnecessary backups and excess storage fees; performance tuning to regularly adjust computing power to match demand; and automated provisioning tools for scaling cloud resources dynamically to avoid waste.
Leverage emerging technologies for cost efficiency. Cloud and FinOps are evolving, and agencies should harness new technologies to enhance cost savings. For example, AI-driven cost analysis using machine learning models can automatically predict cloud usage trends and recommend cost optimizations. Automated workload scaling leverages intelligent orchestration tools (e.g., Kubernetes, AWS Auto Scaling) to dynamically adjust resources to match real-time demand. And cloud-native FinOps platforms like Apptio Cloudability, CloudHealth, and AWS Cost Explorer provide real-time financial insights and governance controls.

By investing in these technologies, agencies can proactively manage cloud costs, prevent budget overruns, and increase efficiency.

Overcoming Cultural Resistance to FinOps Adoption

A significant barrier to FinOps implementation is cultural resistance within government agencies. Unlike the private sector, where cost accountability is deeply ingrained, public sector organizations often struggle with siloed decision-making that limits cross-agency collaboration, bureaucratic inertia that slows the adoption of new financial governance models, and a lack of cloud cost awareness among IT and finance teams.

To address these challenges, agencies must establish cross-functional FinOps teams composed of finance, IT, and procurement professionals. They should provide FinOps training and certification programs for government employees and implement incentive structures that reward cloud efficiency and cost-saving initiatives.

FinOps offers a proven approach for slashing cloud costs and optimizing government IT spending. These strategies allow federal agencies to modernize their cloud operations, achieve significant cost savings, and drive long-term efficiency improvements across government IT infrastructures.

Will Quantum Computing Weaken or Strengthen Cybersecurity of Federal Systems?

By Duncan Jones, Head of Cybersecurity at Quantinuum

The latest quantum computing advances announced by U.S. tech giants and China accelerate both the potential threat and potential promise of this emerging technology. Now is a good time to make the distinction between the term “securing federal systems from quantum computing” and “securing federal systems using quantum computing.” Many of the federal requirements established to date have focused on the former.

As an example, the “Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity,” issued in January 2025 built on the requirements from National Security Memo-10 (NSM-10) which mandated the use of post-quantum cryptography (PQC) algorithms to protect government systems from the looming quantum threat. The Order mandated a timeline, among other things, for agencies to require cybersecurity products that support PQC in all of its contract solicitations.

But the Order also suggested that the “use of emerging technologies for cybersecurity across executive departments and agencies (agencies) and with the private sector” will be especially “critical to improvement of the Nation’s cybersecurity.” While actually migrating critical cryptographic systems to PQC may seem far off, quantum-enabled cybersecurity solutions are available today and also advancing rapidly.

In other words, quantum computing has both a sword and shield impact. Let’s not overlook how current quantum cybersecurity solutions can and are already shielding agency systems as we prepare for the impact of the coming quantum sword.

Potential to Weaken

Many popular encryption schemes rely on the fact that computers can easily multiply large prime numbers but cannot do the reverse – splitting large numbers into their prime factors. However, this assumption only applies to today’s classical computers. Future generations of quantum computers will be able to solve this problem easily, via a process called prime factorization.

According to a recent Deloitte report, “The security of our digital society relies strongly on cryptographic methods. Confidentiality, integrity, and authenticity of data are preserved by various cryptographic algorithms. The security of these algorithms is continually challenged by the evolution of computing power and new attack methods.”

As an example, if not protected, a quantum cyberattack on the Federal Reserve could have grave impacts to its Fedwire network, which facilitates bank-to-bank transactions. According to one report, a hack executed by a quantum computer on macroeconomic financial institutions could render an indirect GDP loss between $2 trillion and $3.3 trillion. Another report estimated $3 trillion in direct and indirect losses.

Due to the potential risks to critical federal systems, and subsequently to U.S. economic and national security, the federal government mandated in 2022 that all agencies prepare to migrate their existing cryptographic systems to quantum cryptography by 2035. Problem solved? Not likely, but a good start.

Potential to Strengthen

While the threat quantum computing poses to existing encryption methods might be the biggest challenge security leaders will ever face, leveraging quantum-based cybersecurity technologies offers significant potential to mitigate risk.

As agencies and vendor partners prepare for the transition to PQC, quantum random number generators (QRNGs) are emerging as a practical and readily deployable solution for hardening existing infrastructure. Unlike their classical counterparts, QRNGs provide truly random numbers – a crucial ingredient for robust encryption – and can be integrated into existing systems today to enhance cryptographic strength.

Quantum key distribution (QKD) remains a technology with substantial potential, though its practical application at scale is still under development. While further research and engineering are needed, monitoring its progress and understanding its potential role alongside PQC and QRNG are crucial factors.

By adopting QRNGs alongside PQC now and continuing to develop and monitor QKD, agencies can construct the strongest possible defense against evolving quantum threats.

The Role of Randomness

According to Deloitte, “Randomness is crucial in cryptography as it is used to create a wide range of security parameters as for instance, cryptographic keys. Without unpredictable randomness, an attacker could guess or predict the values of these parameters, which could compromise the security of data and communications. In other words, using a strong cryptography algorithm with a poor random number source could be the equivalent of using a strong safe but leaving the key hanging at the door.”

The generation of random numbers forms the foundation for nearly all current cryptographic processes, although the formulation of true randomness is impossible using classical hardware. Consequently, experts have linked many malign cyber intrusions and hacks to insufficiently random cryptographic keys.

QRNGs solve this problem by generating truly random numbers for encrypting messages and other cryptographic keys, using inherent quantum-physical randomness.

The Path to Quantum Safety – a Holistic Approach

Some PQC and cybersecurity companies are already introducing QRNGs to their security catalogs. In fact, top-tier network security vendors such as Palo Alto Networks have recently recognized the importance of quantum randomness by releasing an Open API framework for QRNGs, highlighting the role of randomness in an organization’s security stack today and in the quantum future.

While PQC algorithms are essential, federal agencies will benefit from a holistic approach. Just as traditional security employs defense-in-depth, quantum safety can be strengthened through complementary technologies that ensure cryptographic foundations are as strong as possible through provable randomness.

The path to quantum safety requires thoughtful implementation of available technologies while maintaining readiness for emerging solutions. Each element plays a unique role in building a resilient security posture against quantum threats.

Improving Citizen and Federal Employee Experience with Virtual AI Assistants

By Brandon Bulldis, Federal Civilian Engineering Director at World Wide Technology

From chatbots to call centers, many federal chief artificial intelligence (AI) officers have begun exploring how virtual AI assistants can improve both the employee and citizen experience. When successfully implemented, these tools have proven effective in getting citizens the swift support they need and augmenting employees’ workloads while helping to attract and retain top talent.

However, for many agencies, AI assistants are still in the early phases of adoption. Whether agencies are starting their journey or ready for more advanced models, they must consider the benefits and challenges associated with the technology, as well as their agency’s requirements and intended use cases, before they develop and deploy solutions within their organization.

Benefits of Virtual AI Assistants

Virtual AI assistants can provide citizens with quick and accurate information and even connect them with the right point of contact to assist them, creating a more personalized experience. For example, call centers that leverage natural language processing can improve operators’ workflows and help constituents get answers to frequently asked questions without needing to phrase those questions using exact key terms, streamlining their experience with the agency.

Brandon Bulldis, Federal Civilian Engineering Director at World Wide Technology

Internally, virtual AI assistants present an opportunity to narrow the government skills gap. By introducing these tools into their workflows, federal agencies can improve their recruiting power by attracting younger talent interested in the technology. Additionally, these AI solutions create upskilling opportunities for the existing workforce, helping to narrow the talent gap from within making agencies internal knowledge bases more easily digestible for the workforce.

Virtual AI assistants can also help federal employees with daily tasks, saving them critical time and enhancing productivity. By leveraging AI assistants, these solutions can augment menial tasks, such as responding to frequently asked questions and troubleshooting IT issues, returning time to employees for work that advances mission outcomes. For example, the Department of Veterans Affairs (VA) is piloting a generative AI chat interface to help employees with basic administrative work, like drafting emails and summarizing meeting notes, with early results showing 72% of users agree the tool has made them more efficient.

Challenges to Consider

Although agencies are already seeing strong benefits associated with virtual AI assistants, there are challenges chief AI officers should consider before beginning the implementation process.

Agencies are investing billions of dollars in their AI integration strategies; however, most do not have the skilled workforce to successfully develop and deploy tools like virtual AI assistants. Although the federal government has made progress in upskilling and hiring skilled talent in recent years, there is still a ways to go before IT teams have the know-how and staffing capabilities to utilize AI technology to its fullest potential.

Ensuring AI tools have access to high-quality secure data is also top of mind for chief AI officers. Without a strong data foundation, agencies will struggle to develop and deploy AI solutions that maximize outcomes for citizens and employees alike. As agencies continue to develop their data strategies, they must ensure they create the data infrastructure needed to securely support AI assistants and scale these initiatives in the future.

Additionally, while AI bias and security are a concern across sectors, federal agencies are in a unique position given the sensitivity of their data. The data that virtual AI assistants are developed with can include bias, putting citizens at risk of discriminatory outcomes. The vulnerabilities associated with these tools also create a new threat vector for malicious actors, putting citizen data and critical infrastructure at risk.

Best Practices for Deploying Virtual AI Assistants

As chief AI officers continue to develop and evolve their AI strategies, they must consider their goals and approach to security and skills training to ensure the successful deployment of virtual AI assistants.

Zeroing In on Use Case and Infrastructure: As chief AI officers look to develop and deploy virtual AI assistants, they need to evaluate whether the tools they select or build are anchored around a purpose-driven use case. For citizen services, this includes ensuring the tools are user-friendly to maximize their use and benefits. A key part of this planning, agency leaders should determine early on if the use case will focus on employees or citizens as that will help define data sources, security boundaries, and AI guardrails. Based on the intended use case, they must then determine if they plan to develop their own large language model (LLM) or partner with industry to deploy a tailored solution for their agency.

Taking a Zero Trust Approach: Agencies’ virtual AI assistants should be secured using a comprehensive zero trust framework to prevent potential LLM data leaks. This should include establishing strict access controls and identity management that align with guidelines such as the National Institute of Standards and Technology (NIST) Artificial Intelligence Risk Management Framework. Additionally, agencies must ensure the data they are leveraging for these solutions is securely stored and accessed.

Upskilling the Tech Workforce: For agencies to maximize the impact of virtual AI assistants, they must ensure their workforce has the needed skills to successfully leverage the technology. Chief AI officers should pursue hands-on learning opportunities – including labs, research, and trainings – to help their workforce gain practical experience with the latest AI technology.

To harness the full potential of virtual AI assistants, chief AI officers must take a holistic approach to their development and deployment. By anchoring these tools around purpose-driven use cases, securing them using a zero trust framework, and ensuring teams have the skills they need to leverage the technology, agencies can improve the employee experience while accelerating citizen outcomes.

Strategies for Securing the Federal Supply Chain

By Julie McCabe, Territory Account Manager, Panasonic Connect

Cybersecurity threats to the United States government from a range of bad actors are escalating. In 2023 alone, the federal government reported more than 32,000 cybersecurity incidents – a five percent increase from the previous year.

These attacks are not only growing in volume but also in sophistication, making robust cybersecurity measures more critical than ever. Supply chain security is an important part of the cybersecurity protection process.

To address these challenges and threats, the Office of Management and Budget (OMB) has set several ambitious goals through its Zero Trust Strategy memorandum. Federal agencies are expected to meet stringent cybersecurity standards, encompassing asset inventories, phishing-resistant multi-factor authentication, and enhanced data security.

Achieving these objectives will require government leaders to adopt a proactive and comprehensive change management and adaptation approach. Adopting a zero trust approach means requiring authentication and validation from the top down. Governmental entities, suppliers, and end users all need to verify their devices and prove their identities to help prevent cyberattacks and espionage.

Building Secure Supply Chains

One key priority for federal agencies is establishing secure supply chains for hardware and software. While bad actors – state-sponsored or otherwise – pose significant risks, people within the supply chain are often the first line of defense and the biggest potential vulnerability. Simple mistakes, such as mishandling sensitive devices or inadvertently exposing systems to malware, can compromise the entire chain.

To mitigate these risks, integrating security into supply chain planning is essential. Teams must be able to quickly identify and mitigate risks, ensuring that devices and systems are safeguarded against tampering and other threats.

Adopting Zero Trust Principles

Central to the OMB’s strategy is the adoption of a zero trust cybersecurity framework. This approach operates on the principle of “never trust, always verify,” requiring constant validation of all users and devices before granting access to resources.

As Alper Kerman from the National Institute of Standards and Technology explains:

“You could be working from an enterprise-owned network, a coffee shop, home or anywhere in the world, accessing resources spread across many boundaries, from on-premises to multiple cloud environments. Regardless of your network location, a zero trust approach to cybersecurity will always respond with, ‘I have zero trust in you! I need to verify you first before I can trust you and grant access to the resource you want.’ Hence, ‘never trust, always verify’ — for every access request.”

Zero trust is not a standalone initiative. It exists as just one part of a broader compliance ecosystem that also includes other frameworks such as the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) and the NSA’s Commercial Solutions for Classified (CSfC) program.

Federal agencies must ensure devices are secure, supply chains are and stay tamper-free, and that a secure chain of custody exists for maintenance and repairs.

Planning for Real-World Scenarios

Government IT leaders must also plan and account for potential security breaches, many of which can stem from human error. Several examples include an employee accidentally leaving a work laptop at a public location such as a coffee shop, a computer with sensitive information being stolen during shipping for repairs, or a bad actor physically stealing a smartphone or tablet.

A strong zero trust strategy anticipates these scenarios and integrates solutions to minimize risks and reduce the likelihood of supply chain compromise.

For agencies managing remote or hybrid workforces, these challenges multiply rapidly. Employees often use various devices, including laptops and smartphones, in a range of different locations. To address these complexities, IT teams should prioritize technology solutions with features like:

Hardware-based encryption: Protect sensitive data while maintaining device performance. This enables secure access to encrypted drives even when moved between devices.

Multiple authentication options: Contactless and insertable smartcard readers, fingerprint scanners, and other technologies provide flexibility and security.

Asset tracking software: Helps agencies monitor device usage and respond swiftly to lost or stolen equipment.

A Path Forward

As highlighted by the OMB’s Zero Trust Strategy memorandum, protecting federal systems is a top priority. By embracing a zero trust framework and securing supply chains, technology leaders at agencies can stay ahead of increasingly sophisticated threats, ensuring sensitive data and systems remain secure while adapting to evolving challenges.

In the fight against cyber threats, a robust zero trust strategy is not just an option – it is a necessity. Zero trust and adoption of strategies like hardware-based encryption, multiple authentication options, asset tracking software, and stringent authentication protocols go a long way in increasing governmental cybersecurity. Whether a device is being sent in for repairs or being used in a hybrid workspace for the first time, smart planning and authentication helps users and helps their organizations.

Reframing the U.S. Government’s Approach to Cybersecurity Oversight

By Matthew Shallbetter, director of Strategy, Federal Civilian, at Armis

With the profusion of directives and guidance emanating from government cybersecurity oversight agencies, both houses of Congress are proposing legislation that aims to harmonize cybersecurity regulations across the federal government.

The Senate Homeland Security and Governmental Affairs Committee approved the ‘‘Streamlining Federal Cybersecurity Regulations Act” in July 2024 with bipartisan support, but the legislation stalled before full Senate approval. More recently, departing National Cyber Director Harry Coker used a January 7 farewell address to urge the incoming administration and Congress to continue to push to achieve harmonization of federal cybersecurity regulations.

While centralized cybersecurity oversight is important and often relates to critical issues, the number of directives and alerts issued can also inadvertently cause chief information security officers within federal agencies to move their focus to implementing the new policy guidance and away from basic day-to-day cybersecurity functions – tasks that may be viewed as mundane but are nevertheless essential to achieving agency goals.

Addressing this situation will require a recommitment to partnerships in cybersecurity oversight, not only on the part of oversight agencies but also end-user organizations that will need to step up efforts to collaborate with agencies like the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), and the Office of Management and Budget (OMB).

This “all-hands” approach to cybersecurity would encompass contributions from across the government and emphasize cross-agency collaboration. It’s critical to break down the work efficiently.

Oversight agencies can start by adjusting the focus of the cybersecurity guidance and direction they provide to federal agencies to center on only the most critical issues while taking on more of the general oversight activities themselves (or delegating those responsibilities elsewhere when appropriate). Not every agency needs to request, collect and audit a software bill of materials (SBOM). Not every agency has the resources to assess the risks of quantum cryptography.

Still, CISA cannot secure the federal government alone, and agencies must not wait for CISA to do so. To secure their missions, agencies across the federal government should leverage the expertise and technology that agencies like CISA offer and combine this with their own capabilities to help modernize their cybersecurity strategies.

For example, CISA has been taking major steps to modernize the government’s Continuous Diagnostics and Mitigation (CDM) program and make it more relevant to the zero trust solutions and risk reduction efforts federal agencies are implementing. CISA is moving forward with CDM solutions that offer more agile operational tools, better and more impactful data, and simpler, real-time risk analysis. Agencies have an opportunity to integrate these capabilities to modernize their own CDM initiatives and make them a fundamental component of their cybersecurity strategies.

OMB is reinforcing this message in its FY25 Federal Information Security Modernization Act (FISMA) metrics, where agencies are not only challenged to rely on CDM capabilities for reporting their IT inventories but also to extend risk management into previously out-of-scope and undermanaged assets, such as internet of things (e.g., connected TVs, automobiles, cameras and speakers) and operational technology (e.g., building management solutions, air conditioning and heating systems, power grids, medical and lab devices). Agencies are better situated to address the threat to their citizen services from rogue devices. Aligning ratings to actionable measures provides the focus to drive funding where it is needed: delivering skills and capabilities that reduce risk.

Although agencies are poised to effectively track threats to federal government assets and devices, organizations like NIST and CISA have the resources for addressing future risks. For instance, recent guidance to agencies calls on CISOs to inventory any IT systems or assets that may contain vulnerable cryptography. Many agencies lack the time, resources and expertise to implement this guidance, and doing so would pull resources away from the nuts-and-bolts cybersecurity activities that must be undertaken by agencies every day.

Assistance with tasks like quantum algorithm audits from a designated oversight agency with in-house cybersecurity expertise would result in greater immediate protection by allowing agency personnel to focus on the most imminent threats while giving them a boost in preparation for future threats like quantum computer attacks.

At the agency level, cybersecurity should be viewed as an inherent part of doing business, not just for delivering services but also for quickly scaling resources with collective knowledge through collaboration with CISA and other agencies. While it won’t happen overnight, agency CISOs can make this a reality during their tenure if they actively engage in the process.

Shallbetter previously served as director of security design/innovation at the Department of Health and Human Services.

Three Steps Agencies Can Take to Meet Government’s AI Requirements

By John Dvorak, chief technology officer, public sector, Red Hat

Using AI safely and effectively is an open-ended challenge and government agencies can easily get overwhelmed with trying to develop AI strategies, hire or contract teams of data scientists, onboard chief AI officers and so on. But starting to build an AI strategy doesn’t have to be overly complicated. Here’s how agencies can start to create an effective and compliant AI program in three steps, using many of the same processes and principles they’ve been using for application development.

Consider Open Source Large Language Models

Commercially available large language models (LLMs) can pose challenges for government agencies. For example, proprietary models make it difficult to know what data was used to train the model and what biases and decisions were injected into the training process. They also may require transferring data to a hosted service, challenging data privacy and security. Meanwhile, restrictive licensing and limited customization can limit how government organizations use LLMs in production systems.

Government agencies should consider using fully supported, indemnified and open source-licensed LLMs as a foundation for building and tuning their own models. LLM families like IBM’s Granite, for example, are released under an open source license and can help agencies address their data sovereignty and privacy requirements by avoiding lock-in to proprietary models while allowing them to host the models within their own environment. Further, agencies can use open source community projects such as InstructLab to capture agency skills and knowledge into multiple, focused language models that can be used as building blocks for agentic or compound AI systems or at the network edge.

Additionally, agencies should consider bringing their AI-driven applications and models to their data, employing cloud, on-prem and/or edge hosting solutions that aim to reduce transmit time and improve time-to-value. According to Gartner, 55 percent of all data analysis by deep neural networks will occur at the point of capture in an edge system by 2025. By bringing AI to the data, agencies can perform data analysis at the point of collection while maintaining sovereignty of their data collections.

Focus on Reliability and Data Quality

Reliability and data quality are core components of the Government Accountability Office’s AI Accountability Framework. Reliability and quality are achieved by using accurate and current data and placing parameters around how that data is trained to filter out biases that could lead to incorrect or misleading recommendations (e.g., AI hallucinations).

To ensure data integrity and accuracy, agencies must consistently perform data lifecycle management, including data generation, collection, cleaning, analysis and model building. Data lifecycle management effectively protects data throughout this process, making sure that data collection and analysis remains consistent and dependable.

It’s also important to continuously monitor model performance in production. Continuous monitoring allows agencies to refine these models so they can remain trustworthy, accurate and useful.

Apply DevSecOps Principles to AI Data Pipelines

DevSecOps application development has become a standard practice within government agencies. Developers, security professionals and operations managers work together to ensure code goes from concept to production securely and efficiently.

The goal is to apply the same process and principles to AI data pipelines to facilitate intelligent application development and delivery. Fortunately, AIOps and MLOps are continuing to evolve, making this an achievable objective. Agencies can already integrate models into their application development processes to bring AI-driven applications into production faster. They can also work within the same development platform, which supports collaboration and reduces the need for additional tools or training.

Building a safe and effective AI strategy can seem daunting. However, employing an open source approach that places you in control of your data, your AI models and your application development is a practical start. Consider these steps to build an effective, practical and trustworthy AI infrastructure that delivers ROI today while protecting your future investment.

The Impact of NIST’s PQC Standardization on the Federal Cybersecurity Ecosystem

By Kaniah Konkoly-Thege, Chief Legal Counsel, SVP Government Relations at Quantinuum

A lot has taken place in the quantum industry since the National Institute of Standards and Technology (NIST) announced its selection of PQC algorithms for standardization in 2022. From technology to global policy, advancements are causing experts to predict a faster timeline to reaching fault-tolerant quantum computers. Technology advances may also accelerate the timeline for when a future quantum computer could overwhelm the encryption tools we currently rely upon to protect everything from national security information to banking and healthcare data. The newly-released NIST PQC standard s are a critical step toward protecting data in the quantum age and warrant the attention of the entire federal cybersecurity ecosystem.

Since NIST Algorithm Selection (2022): Industry Progress

Over the last decade, the quantum information science ecosystem has moved from early-stage scientific exploration and investigation into applied commercial research and development. Governments worldwide now view quantum as a strategic technology critical for both economic and national security.

As an industry composed of mostly start-ups and tech giants, several important advancements took place over the past two years. Quantum capabilities in hardware have, for certain problems, moved beyond the limit of what supercomputers can simulate; software integration has advanced quantum computing out of the current noisy intermediate-scale quantum (NISQ) level to Level 2 resilient quantum computing; and from a cybersecurity perspective, standardization of a new cryptographic system has now been released by NIST, the world’s leading standards organization.

Advancements in Global Government Investment

According to U.S. National Security Advisor Jake Sullivan, “… advancements in science and technology are poised to define the geopolitical landscape of the 21st century … Preserving our edge in science and technology is not a ‘domestic issue’ or ‘national security’ issue. It’s both.” This sentiment has been reflected by government officials all over the world. As quantum technology has advanced from the lab to the marketplace, the need to fund quantum research and commercialization, while also fortifying critical systems and data to withstand future cyberattacks from a quantum computer, has become even more stark.

The World Economic Forum estimates that governments have invested over $40 billion USD in quantum technologies as of January 2024, with over $15 billion invested by China alone. 2023 was the first year where government funding outpaced private funding in a sign that governments increasingly view quantum as an integral piece of international competitiveness from both an industrial and a military policy perspective.

The global race to lead in quantum technologies is very much ongoing. According to Sullivan, the U.S. must “… ensure that emerging technologies work for, not against, our democracies and security.” The NIST announcement is further proof that the time for governments and companies to invest in quantum solutions is now.

Advancements in U.S. Government Policy

As NIST’s initial PQC algorithm competition advanced, a myriad of U.S. government actions have been released with the goal of protecting government data and cybersecurity systems vis-à-vis fault-tolerant quantum computers:

In May of 2022, President Biden issued the National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems (NSM-10).
The Quantum Computing Cybersecurity Preparedness Act was signed into law in December of 2022. The Act acknowledges the threat to encryption posed by fault-tolerant quantum computers and seeks to mitigate that threat by strengthening U.S. government agency systems and instructing the Office of Management and Budget to issue further guidance one year after NIST issues its PQC standards (which imputes a deadline of August 13, 2025).
A key piece of legislation, the National Quantum Initiative Act (NQIA) enacted by Congress in December 2018, authorized over $1.2 billion to support quantum research and development. The NQIA expired on September 30, 2023, and while the NQIA Reauthorization was unanimously reported out of the House Committee on Science, Space, and Technology earlier this year, it is currently awaiting a vote in the House of Representatives and would then need to be taken up by the Senate.

While government investment does not directly equate to the regulation of quantum, it is clear that the NQIA and other government funding sources have and will continue to influence the behavior of companies in the quantum ecosystem. Government strategies and funding schemes often function as soft-law regulations that serve the purpose of signaling government priorities and guiding private investment, research initiatives, workforce development, and diplomatic decisions across the globe.

Quantum, like many emerging technologies, sits at the crossroads of technology and international relations, and the funding and scaling of quantum businesses will likely be heavily affected by geopolitics and government strategies over the coming decade.

PQC Milestone: Post-Standardization Begins

NIST’s standardization announcement on Aug. 13 marks the start of a new era, one of planning and implementation. Specifically, this milestone is critical to federal agencies and agency partners who are mandated under NSM-10 to transition to quantum-resistant cryptography by 2035. According to the mandate, some key post-standardization requirements take effect:

Federal civilian agencies must start regular reporting of timelines and plans to make the transition. Federal partners are also advised to prepare themselves to support PQC as soon as possible after the standardization takes place, according to NSA/CISA.
The Secretary of Commerce will be proposing (within 90 days) a timeline for the deprecation of quantum-vulnerable cryptography standards. The goal will be to move “the maximum number of systems off quantum-vulnerable cryptography” over the next decade.
Heads of agencies operating or maintaining National Security Systems (NSS) must submit (within one year) an initial plan to transition to quantum-resistant cryptography in all NSS.

This is more than a box-checking exercise, as these standards will take on force of law for federal agencies and agency partners who are mandated under NSM-10 to transition to quantum-resistant cryptography by 2035. Additionally, the PQC algorithms are likely to become “market standard” in the private sector and be encompassed in the definition of “adequate cybersecurity measures” in commercial contracts, audits, and due diligence exercises.

Cryptographic Agility and Resilience

The U.S. government’s quantum computing cybersecurity preparedness must remain flexible, reflecting the evolving nature of the technological breakthroughs across the industry as well as the ever-increasing capacities of threat actors who may seek to capitalize upon quantum.

PQC migration is a necessary and critical step toward protecting vulnerable digital systems from powerful quantum computers in the future. The migration to PQC will take years and a hybrid approach that utilizes today’s algorithms, such as RSA, alongside PQC algorithms is prudent to maintain adequate security should any issues arise during the PQC transition. Maintaining this cryptographic agility will be key to ensuring cybersecurity against threats, classical and quantum alike.

To achieve true resilience against quantum attacks, government agencies and private organizations should consider a layered-defense strategy that includes PQC and cybersecurity solutions that leverage quantum mechanics, such as provable quantum entropy for encryption key generation. When combined with PQC algorithms, these quantum-derived technologies can help protect against a far fuller range of threats posed by quantum computers.

The Unfunded Mandate Challenge

According to the OMB report delivered to Congress last month, the total government-wide cost required to perform a migration of prioritized information systems to PQC between 2025 and 2035 will be approximately $7.1 billion in 2024 dollars. This total does not include funding for National Security Systems which was to be estimated separately.

Prior to the standardization, NSM-10 discouraged the procurement of any commercial quantum-resistant cryptographic solutions. Now that the initial standardization is complete, federal agencies will be authorized to procure such solutions. The question then becomes, how will these procurements be funded? It is vital for Congress to reauthorize the NQIA and to fund programs to further commercialize quantum computing while also pulling policy levers such as tax incentives, loan guarantees and strategic investments across U.S. government agencies to procure solutions to identify vulnerabilities and transition to PQC algorithms over the coming decade.

What Next and When?

Beyond the standardization of these initial PQC algorithms, NIST has made further calls for digital signature algorithm candidates, seeking to diversify its algorithms to increase the probability that these solutions will remain secure as the technology continues to develop. It will be several years before these additional signature algorithms are standardized.

While there is no set formula for assessing the risk and timing of the quantum threat, federal agencies and partners can rely on progress in the following three areas as indicators: hardware progression, error correction, and algorithm development. Given where we stand today, the need to complete agency migration to PQC to effectively protect sensitive defense and critical infrastructure systems and information needs to be prioritized, as technological developments could necessitate such quantum secure solutions sooner than 2035.

While exact timelines remain unknown, federal agencies should focus on enhancing cryptographic agility so the U.S. remains resilient against potential quantum computing threats. For the hundreds of cybersecurity partners supporting U.S. government systems, it is important to consider that those who have not yet integrated PQC algorithms to make their offerings quantum-secure should expect to have such offerings listed as vulnerable systems on inventory reports each year until they are compliant, or risk losing their government contracts.

Generative AI is Revolutionizing Federal Government Operations

By Darren Guccione, CEO and Co-Founder of Keeper Security

Generative Artificial Intelligence (GenAI) offers innovative applications that could help the federal government adapt to changing times. Some use cases are experimental, exploring new ideas, while others are already delivering positive results by enhancing human effort for difficult projects. GenAI also has the potential to streamline tedious, yet essential, tasks through automation.

Within federal agencies, pilot programs are testing how artificial intelligence that can generate content could modernize outdated processes. Some forward-thinking trials are hatching ambitious concepts by tapping into machine-learning capabilities. In some agencies, generative models have already been deployed to boost mission-critical initiatives that had become stagnant. However, one of GenAI’s most transformative uses may be automating repetitive tasks that can bog down workflows.

GenAI Enhancing Federal Operations

Within the federal government, GenAI is being utilized in various scenarios to enhance operations. It assists in deciphering complex regulatory frameworks that can be difficult to interpret. GenAI is also helping to reduce costs by optimizing processes and minimizing errors that can lead to inefficiencies. Another valuable application is retaining the knowledge of skilled civil servants approaching retirement by capturing their expertise in digital form.

For federal IT professionals, GenAI presents an opportunity to modernize outdated systems and bring emerging technologies into government operations. It represents an avenue for positive change – leveraging advanced AI to enhance efficiency and knowledge management across agencies.

Navigating Evolving Defense Cybersecurity Regulations

Regulatory frameworks in the federal sector continue to expand and evolve, making it crucial for agencies and contractors to remain up-to-date with the latest changes. This includes maintaining high levels of information security to maintain compliance with programs such as the Federal Risk and Authorization Management Program (FedRAMP), System and Organization Controls (SOC), the International Organization for Standardization (ISO), the Cybersecurity Maturity Model Certification (CMMC) and Defense Federal Acquisition Regulation Supplement (DFARS).

Recently, FedRAMP updated its guidance with new controls through NIST 800-53 Revision 5 (Rev.5), which requires cloud service providers selling to the federal government to enhance their cybersecurity practices even further. These rules present a complex landscape to navigate.

AI-Driven Compliance Assistants

A GenAI chatbot trained on regulatory frameworks can distill compliance requirements into easily digestible information. This can help users grasp the sometimes complex regulatory compliance language without needing to be experts, thus reducing the risk of non-compliance.

AI-driven compliance assistants make strategic recommendations regarding regulatory requirements, processes and practices, which help drive efficiencies. Cloud service providers in the federal marketplace would benefit from AI-driven compliance assistants as they must comply with regulatory frameworks to do business with the government.

Example: CMS Leveraging Large Language Models

The Centers for Medicare & Medicaid Services (CMS) illustrates how GenAI helps train new CMS staff in aligning and translating technical documentation from federal marketplaces with CMS accounting systems. This challenge proves daunting for new civil servants navigating the complex federal healthcare systems.

The Financial Management Systems Group / Division of Program and Data Management used a Large Language Model (LLM) to address several challenges: capturing legacy knowledge from a retiring workforce, maintaining operations during hiring freezes, training new recruits, and processing millions of claims to ensure Medicare recipients receive their benefits. Using Llama 2, Meta’s open-source LLM, the finance team obtains fast, precise information with context for the CMS consumer-facing front end.

GenAI Usage and Trust in the Government Sector

Microsoft’s Azure AI services, powered by OpenAI’s language models, now offer benefits for the U.S. government sector, indicating that AI systems will continue to streamline tasks and processes, like those faced by the CMS. In 2022, Microsoft announced plans to make Azure OpenAI Service available for U.S. government customers, bringing large language model capabilities to Azure Government cloud.

Additionally, OpenAI’s latest GPT-4 model has advanced capabilities that support its use in highly regulated environments. While many government agencies have already experimented with AI for smaller workloads, GPT-4’s enhanced performance on sensitive tasks with limited input/output data will be advantageous. GenAI capabilities can streamline numerous processes and repetitive tasks, allowing organizations to focus more on mission-critical operations.

Government technologists are exploring the use of large language models like GPT-4 to assist in drafting control language for various cybersecurity frameworks that ensure contractor compliance with standards. As a Governance, Risk and Compliance (GRC) tool, GenAI can help draft policies and interpret evolving compliance requirements. However, technology leaders and GRC staff still play crucial roles in testing, verifying and documenting the AI-assisted outputs.

Best Practices for AI Safety and Security

To ensure the safe and appropriate use of GenAI tools, agencies should implement stringent best practices for AI safety and security. Top references include the Executive Order on the Safe, Secure and Trustworthy Development and Use of Artificial Intelligence, and the NIST AI Risk Management Framework: AI RMF 100-1.

Conclusion

Government agencies are leveraging numerous use cases of GenAI technology, but only a few have scratched the surface of what’s possible. In this sector, organizations must exercise an extremely high level of caution and diligence when applying AI tools to ensure ethical and technically rigorous best practices for the safe and effective use of GenAI.

Hundreds of resources help organizations understand regulatory compliance frameworks. Zoya Schaller, CISSP, CGRC, Director of Cybersecurity Compliance at Keeper Security, used OpenAI to create a Cybersecurity Regulatory Compliance Advisor to answer questions about compliance with FedRAMP, SOC, ISO, CMMC and DFARS.

Implementing GenAI capabilities in a secure and strategic manner will be critical for long-term success and continued innovation. This will help U.S. government entities stay competitive, maintain a cutting-edge position with emerging technologies, and meet the stringent standards and practices required for the ethical and safe adoption of artificial intelligence.

While the potential benefits are substantial, the public sector’s adoption of GenAI must proceed with prudence and adherence to robust governance frameworks. Upholding the public trust through responsible AI oversight, as well as human oversight over critical processes, is paramount as these technologies are judiciously integrated into government operations.

NIST’s new PQC Algorithms and What They Mean for Federal Agencies

By: Dr. Matthew McFadden, Vice President of Cyber, GDIT

The cybersecurity landscape is evolving rapidly with last week’s release of new post-quantum cryptography (PQC) algorithms by the National Institute of Standards and Technology (NIST). These algorithms mark a critical step forward in preparing for the post-quantum era, providing a roadmap for agencies to begin their transition to quantum-resistant encryption. NIST is encouraging agencies to begin transitioning to the new standards as soon as possible.

One of the most fundamental aspects of cybersecurity is the act of encryption. Without encryption, it is nearly impossible to safeguard the protection of data – even concepts such as zero trust cannot fully protect data without it. Encryption has become second nature and a mandatory requirement within almost all cybersecurity standards today. However, the challenge now is that PQC is becoming a necessity as the threat of “harvest now and decrypt later” is emerging as a potential risk.

Almost every part of an information system depends on some form of public-key cryptography. Current algorithms for public-key cryptography are vulnerable to being decrypted by quantum computing, which has the potential to break these algorithms. This means that adversaries, if they have recorded, extracted, or stolen data, may be able to decrypt this information either now or when quantum computers become more advanced. The true capabilities of our adversaries may be uncertain, which magnifies the threat. This includes sensitive emails, websites used to transmit or store data, or even any data traversing the internet – all of which rely on the encryption provided by public-key cryptography.

Public-key cryptography is deeply integrated into agency information systems, so keeping an accurate inventory of it will be a continuous task. Agencies will need to regularly update their discovery and assessment methods and migrate systems, hardware, and software to ensure they are patched, updated, and replaced. This ongoing process will require continuous investment, which will be essential during and after the migration to meet PQC standards.

The transition of federal agency systems based on Office of Management and Budget and Office of National Cyber Director inventories is projected to cost approximately $7.1 billion between 2025 and 2035, as outlined in the OMB’s Report on Post-Quantum Cryptography. This report highlights the significant funding that may be required for agencies to move away from quantum-vulnerable cryptography. While much of the focus has been on high-value assets, non-critical functions, operational technology, and IoT devices must also be considered. Understanding and quantifying the true scope of migration is an ongoing challenge.

The OMB report outlines four key strategies for PQC to be successful:

Comprehensive and ongoing cryptographic inventory is a key baseline for successful migration to PQC.
The threat of “harvest now, decrypt later” attacks means that the migration to PQC must start before a cryptographically relevant quantum computer (CRQC) is known to be operational.
Agencies must prioritize systems and data for PQC migration.
Systems that will not be able to support PQC algorithms must be identified as early as possible.

To ensure the long-term defense of critical information systems and the data they store and process, it is crucial to implement and prioritize migration to Post-Quantum Cryptography now that the NIST-approved algorithms are available. By engaging with industry experts and leveraging the latest tools and technologies, agencies can streamline the PQC migration process. Migrating public-key cryptography to PQC will require deliberate planning, and agencies need a trusted partner to ensure their cryptography strategy is innovative and ready for the post-quantum future.

Addressing the U.S. Quantum Labor Shortage Before It’s Too Late

By Dr. Celia Merzbacher, Executive Director of Quantum Economic Development Consortium (QED-C)

There is a global race underway to lead in the critical and emerging technology (CET) area of quantum technologies. Nations are launching national initiatives and making significant investments of public funds in this area knowing that their economic and national security is at stake. Yet, without adequate talent, these initiatives will falter or fail. The competition for talent is a global competition that the U.S. can’t afford to lose.

The Quantum Labor Landscape

Occupations related to emerging technology sectors such as quantum are inherently new and are often multidisciplinary. They are characterized by a rapid growth in demand that outstrips supply, thereby creating a shortage of qualified workers.

A survey of QED-C members in early 2024 aimed to better understand current hiring trends and challenges as it relates to the shortage. Many respondents planned on hiring quantum workers in 2023, with some planning to hire up to 12. However, out of the 22 companies that responded with a hiring goal, almost 60 percent said they did not meet that goal by the end of the year. And when they did manage to hire, almost 80 percent said that it took between two and six months to fill an open position and 16 percent said it took up to a year.

The challenges to hiring talented workers remained similar to those identified in QED-C’s 2020 survey. In 2024, the largest barriers to hiring quantum talent include the following:

Lack of candidates with required/desired qualifications (61 percent of survey respondents);
Lack of candidates with the right to work in the U.S. (39 percent); and
The amount of time required to get a visa (22 percent).

67 percent of respondents agreed that it has become more difficult to recruit qualified quantum workers in the past year, and 92 percent agreed that there is a shortage of U.S. citizens and permanent residents with quantum qualifications.

Some countries have implemented programs aimed to expedite and lower barriers for skilled workers to immigrate. Canada’s Express Entry, for example, streamlines the skilled worker application management process. The target for Express Entry is 110,700 permanent resident admissions in 2024, rising to 117,500 in 2025 and 2026.

Through collective industry data and awareness efforts in the U.S., the lack of qualified talent is being recognized, and efforts to attract and retain top quantum researchers and workers are part of programs such as the National Quantum Initiative. Yet, without expediting and lowering barriers for skilled workers to immigrate, the U.S. will not be able to compete for top talent.

What is a Quantum Worker?

The occupation “quantum technologist” can be described as a technical professional with skills related to the design, research, development, production, manufacture, or sale of quantum-based hardware or software systems or critical enabling components. The skills, expertise, education or training required depends on the specific role.

As an emerging technology, advancement in quantum technologies spans from basic research at universities and national laboratories to applied research, product development and manufacture at businesses small and large. Occupations in all of these sectors are essential to U.S. competitiveness. Most positions at universities and national laboratories require a PhD and possibly post-doctoral training, in fields ranging from physics or chemistry to engineering and computer science. Jobs in industry however have more diverse requirements in terms of skills or knowledge and preferred degree.

A study based on a 2020 survey of QED-C member companies found that:

Companies in the quantum ecosystem include hardware and software developers, engineering research firms, suppliers of enabling technologies, and service providers (e.g. patent firms);
There are many different jobs or work roles;
Different jobs have different skills and knowledge requirements; and
The preferred degree for various quantum jobs ranges from associate to bachelor to master to PhD.

The study showed that most jobs do not have quantum in the title, most frequently sought skills are not quantum-specific (e.g. experience in programming or working with lasers), and most jobs do not require a PhD, a bachelor’s or master’s degree is preferred.

Addressing the Shortfall in Quantum Workers Using Schedule A

In a recent RFI, The Department of Labor (DOL) Employment and Training Administration (ETA) asked for input on how to modernize the Schedule A occupation shortage list. Schedule A is an expedited pathway to obtain permanent residency, also known as a green card. But currently, no STEM occupation is listed on Schedule A. Challenges facing the U.S. quantum ecosystem and other emerging technology sectors would be greatly mitigated if the Schedule A occupation list were updated to include those that are essential to the critical and emerging technology (CET) areas identified by the National Science and Technology Council.

With a growing proportion of U.S. STEM programs populated by international students, companies will continue to be reliant on workers who require work authorization to remain in the United States. This is a primary pipeline of top-notch talent who hopefully will become permanent residents and eventually citizens. Using Schedule A to address the shortage of qualified STEM workers, particularly for positions related to quantum, is one way that the Department of Labor could help businesses to attract and retain qualified workers.

QED-C, which partners with many government agencies, can provide information about the skills and knowledge that employers in CET industries require and regarding the supply and demand of qualified talent. At the core of a successful quantum business or a top-notch university quantum research program are talented people. There is fierce competition for qualified workers in all parts of the quantum ecosystem. Together, we must address the U.S. quantum labor shortage before it’s too late.

QED-C is an industry-driven consortium of stakeholders, managed by SRI, that aims to enable and grow the quantum industry. In accordance with the 2018 National Quantum Initiative Act, the consortium was established by the National Institute of Standards and Technology (NIST) in the U.S. Department of Commerce. Today, QED-C has more than 240 members from across the quantum ecosystem, including corporations, universities, and national laboratories. More than 40 government agencies are engaged in QED-C as a means to achieve their respective missions.

How a Community Vigil Approach and Secure by Design are Critical to Software Cybersecurity

By Travis Galloway, head of government affairs, SolarWinds

The threat landscape in cybersecurity continues to evolve at breakneck speed, with new challenges emerging daily. Among the most pervasive threats stem from sophisticated cyberattacks sponsored by nation-states. These attacks are a growing menace to private businesses and public agencies alike, promising severe consequences for our collective security.

Private sector businesses recognize that they can be targets of advanced nation-state hackers seeking to achieve their geopolitical goals. For instance, China has been known to engage in extensive cyber espionage campaigns aimed at stealing technology and intellectual property to overtake the U.S. economy and its businesses. It was recently reported that the Chinese-sponsored Volt Typhoon group also persistently targets vulnerabilities in critical systems like electric grids, water systems, and ports.

These evolving cybersecurity threats to our nation were a central theme at the recent SolarWinds Day: A Trusted Vision for Government IT panel event, where SolarWinds President and CEO Sudhakar Ramakrishna was joined by Congressman Raja Krishnamoorthi, D-Ill., and Christopher D. Roberti from the U.S. Chamber of Commerce.

“It’s a very scary thing if you think about it,” said Rep. Krishnamoorthi, reflecting on the growing nation-state threats facing the United States. “Operation Typhoon is meant to preposition malware in our utilities in water systems, electric grids, you name it.”

During the event, the panelists highlighted several important takeaways for shoring up our shared cyber defenses, supply chain, and other critical infrastructure. The discussion emphasized the importance of public-private partnerships, adopting a “Secure by Design” framework that ensures security is an integral part of the entire software development process, and promoting ongoing cybersecurity education to ensure all levels of an organization share the responsibility of bolstering our shared defenses.

The Enduring Importance of Public-Private Partnerships

Today, no single entity can combat sophisticated cybercriminals and nation-state adversaries alone. As the Cybersecurity and Infrastructure Security Agency (CISA) has highlighted, a collaborative effort among governments, private entities, and individuals is necessary if we are to address ongoing cyberwarfare successfully.

“No company, no matter how big or sophisticated, has a chance against a nation-state adversary,” said Roberti. “Therefore, the U.S. government needs to use its authority and capabilities together with the knowledge and resources of the private sector to tackle the threat.”

Part of this is the increasingly popular concept of a “community vigil,” where government agencies, private sector businesses, and other stakeholders work together to create a secure digital environment. This ongoing collaboration between governments and businesses underscores the significance of community-focused strategies to enhance national cybersecurity. By fostering transparent communication and resource sharing, organizations can reinforce our collective defenses – and harness a collective intelligence much greater than what any could achieve alone.

Setting New Standards Through a Secure by Design Framework

Cyber resilience involves more than just preventing cyberattacks. It also means being able to recover quickly and having strategies in place to detect and manage any breaches. This can be achieved by embracing Secure By Design guiding principles for software security and cyber resiliency. Informed by years of experience from industry-leading cybersecurity experts, the SolarWinds Secure by Design initiative is a gold-plated cybersecurity approach to software build systems and processes that provides an effective and novel defense for thwarting advanced supply chain cyber threats.

The proactive Secure by Design approach embeds security into software systems right from the start. By addressing security early in development, organizations can mitigate risks before they progress into serious threats. There are several ways to put Secure by Design into practical use. Engaging with governmental and regulatory bodies like CISA can enhance the flow of cyber threat information between public and private sectors.

Recently, CISA introduced the Secure Software Development self-attestation form to help organizations declare their cybersecurity commitments in a standardized, formal, and consistent manner. The form serves multiple purposes: it encourages organizations to evaluate their security postures, provides valuable data for benchmarking industry standards, and fosters a transparent environment where enterprises can learn from each other’s best practices.

Integrating Cyber Resilience as a Universal Responsibility

Driving a cultural shift to a Secure by Design posture requires clear communication from the top down that cybersecurity is a shared responsibility, where everyone plays a part in safeguarding the organization’s digital assets. This means that every individual in an organization, regardless of their level of technical expertise, must be aware of their role in maintaining a secure digital environment.

“Security information should be like a utility,” said Ramakrishna. “(Something) everyone should have access to (in order) to protect themselves. It shouldn’t be the job of just a few people.”

However, for this approach to work, ongoing education on the importance of cybersecurity and the steps that can be taken to ensure its success is essential for both technical and non-technical employees. This will help promote awareness and ensure that everyone understands their role and is prepared to play it well.

For executives at the highest level, this education is essential for making informed decisions, understanding how cybersecurity affects the business as a whole, and leading by example in promoting a culture of security awareness. For technical and IT staff, continuous learning helps them stay ahead of emerging threats, understand complex security tools and technologies, and implement best practices for threat mitigation. These initiatives make cybersecurity easier for everyone, even employees in non-technical roles, to understand and stress the importance of good digital practices to reduce human error – one of the primary causes of breaches.

Moving forward, embracing all of these strategies will not only enhance our collective cyber defenses but also set new industry standards – ones that prioritize security and resiliency of the systems we all rely on. As we continue to navigate a landscape marked by the ever-growing sophistication of cyber threats, our success in safeguarding the digital world will depend on our ability to adapt, innovate, and unite under this critical common goal.

Addressing the Talent Shortage: How Digital Government Improves Satisfaction, Retention

By Kelly Davis-Felner, Chief Marketing Officer, PayIt.

Public sector leaders face ongoing challenges to do more with less, and the talent crunch is a key factor in that. So while the need to access public services continues to increase, many agencies are simultaneously struggling to meet staffing needs.

In fact, it was reported in 2023 that 650,000 public sector jobs remained vacant, impacted by the “Great Resignation” during the pandemic and the “silver tsunami” of public sector retirements that outpace hiring. And in 2022, a MissionSquare Research Institute survey revealed that 52% of state and local government employees were considering leaving their jobs.

Bridging the Talent gap with Technology

Staff vacancies can make it harder to drive modernization projects forward, as IT leadership is faced with competing priorities. Yet, government leaders have cited digital service delivery as a top priority for 2024. With increased demands, understaffed agencies find their workers feeling overworked and overwhelmed – add in the frustration of fielding support calls when technology solutions aren’t working effectively and there can be a real morale problem.

But, when technology is working well for staff, it’s a game-changer.

In fact, in a recent survey conducted by PayIt and The Harris Poll, we learned that 83 percent of respondents expect the transition to digital government to enhance or positively impact the overall job satisfaction and engagement of employees in their organization.

Reducing redundant manual tasks and providing better tools to support customers improves employee satisfaction. And, ongoing technical education and experience from adopting and using modern software makes frontline staff more valuable assets to their agencies.

Fort Smith, Ark. serves as a great example of this principle at work. “Since launching our digital customer experience – PayIt Fort Smith – we’ve been able to increase resident adoption and reduce the number of manual transactions and support calls our staff processes,” notes Maria Miller, Fort Smith Citizen Services Program Manager. “Customers are happy with the options that are offered by PayIt Fort Smith as well as the customer-friendly aspect of the experience.”

With more agency workers fulfilled in their roles, retention can be improved and residents and staff alike ultimately have a better overall experience.

How to Keep Modernization on Track

Even departments facing a worker shortage can still move to an agile, digital-first approach – and each step taken toward modernizing will make future upgrades that much easier. You can ignite a domino effect in your agency when you:

Modernize the resident interface first. Providing a way for people to self-serve frees up staff, improving the productivity of the whole team (regardless of size).
Buy, don’t build. Building in-house will take a lot of time and money, and if the department is already short-staffed, it’s probably impractical. Instead, work with a vendor and with a platform that’s ready to go and can integrate into antiquated systems – and do so quickly.
Look for a partner that can function as an extension of your team. If the agency staff is already at capacity, prioritize finding a vendor that comes armed with dedicated and specialized assistance (e.g., customer support, engineers, or other technical support).
Start small and grow iteratively. Find success in increments: digitize one service, and then add on. This approach allows you to do more with less – and each new service or feature builds on the previous launch, allowing the team to apply learnings and streamline the process.

Attracting and Retaining Talent

Investing in effective modernization efforts helps to reduce the workload, but state and local government staff are still a critical bridge between residents and the governments that serve them. So, what can governments do to ensure the “human touch” is still present and available for residents?

There isn’t a single solution that will help relieve staffing shortages, but there are a few shifts that agencies can make to attract fresh applicants (and keep experienced talent):

Highlight the pros of working in the public sector. Although the private sector often pays better, it can be mundane and unpredictable. Many people want impactful, meaningful work so they can make a difference in their communities. The public sector also tends to offer more stable careers. Lean into those themes when hiring.
Offer training and career development opportunities. A McKinsey survey reported a lack of career development opportunities as a top reason they’d leave a job. Show people that public sector jobs offer training such as conferences or technical certifications to upskill staff.
Promote flexibility and other benefits. People are looking for things like remote or hybrid roles, child-care reimbursement, great health insurance, and generous vacation time – offering such benefits can help close the wage gap.
Take equity and inclusion seriously. Multiple studies have reported that people are more productive in diverse environments – and they’re more likely to stay with a company that shares inclusive values.

How Agencies can use Digital Information to Their Advantage

The key here is consistent training and education for staff so they enhance their work with the tech solutions that governments are implementing. Upskilling or re-training staff with 21st-century skills gives the agency an edge – both in retaining talent and serving the community with modern digital services. Plus, by empowering staff with automation tools and allowing residents to self-serve, employees can devote more time to meaningful projects and programs.

According to Miller, “One of the primary benefits of taking some of the repetitive, manual tasks off our staff’s plates is that they can do what they do best: use their knowledge of the City to provide the best customer service, educate customers, and be proactive about addressing our residents’ needs — and at the end of the day, that’s why many of them came to work in the public sector.”

Here’s What We Can Learn (and Do) About Cybercrime from FBI’s Latest Internet Crime Report

By James Turgal, Vice President of Cyber Risk, Strategy and Board Relations, Optiv

The FBI recently released its annual Internet Crime Report for 2023, based on complaints received by the Internet Crime Complaint Center (IC3). The report paints a concerning picture of the cybersecurity landscape in the United States. With a record-breaking 880,418 cybercrime complaints filed in 2023, resulting in potential total losses that exceeded $12.5 billion, the need for a collective effort to strengthen national cybersecurity defenses is more critical than it’s ever been.

The 880,418 complaints are a nearly 10 percent increase in complaints received, and the $12.5 billion represents a 22 percent increase in losses suffered, compared to 2022. As alarming as these figures appear to be, they are likely much higher in reality, as there are many victims of cybercrime that don’t report to authorities. For instance, in the FBI’s report, they cite the Hive ransomware group and the fact that about 20 percent of Hive’s victims reported their incidents to law enforcement. If that 20 percent number remained consistent across the board, that would mean that there were more than 4.4 million cyber incidents in the past year. That number is simply too high.

Diving deeper into the report, there are several key areas that demand more attention if we want to bring cybercrime numbers down in 2024.

Investment Fraud Leads the Pack

Investment fraud emerged as the report’s most damaging cybercrime in 2023. Losses surged 38 percent to a whopping $4.57 billion, highlighting a troubling rise in sophisticated financial scams. This dwarfs all other cybercrimes tracked by the IC3. Business Email Compromise (BEC) scams resulted in $2.9 billion in losses, while tech support scams disproportionately impacted the elderly, resulting in $924 million in losses. Though overall losses were lower for tech support scams, the impact on individual victims, especially those with limited technical knowledge, can be devastating.

To combat these issues and improve numbers moving forward, we need a targeted approach. Investment awareness campaigns for younger adults, cybersecurity training for businesses, and tech-support literacy initiatives for seniors are crucial. Collaboration between law enforcement, financial institutions, and cybersecurity experts is also essential to disrupt fraudulent operations and hold attackers accountable. Most importantly, we all must remember that if anything seems too good to be true, it probably is. No matter the situation, it’s always better to take your time and ask people you trust before giving away your personal information.

Ransomware Back on the Rise

Following a brief period of decline in 2022, ransomware attacks came roaring back in 2023, with a 74 percent increase in reported losses ($59.6 million) and an 18 percent increase in complaints reported (2,825). These significant increases underscore the growing sophistication of cybercriminals who are exploiting a growing number of vulnerabilities for substantial financial gain. Specifically, the FBI has observed emerging trends, such as the deployment of multiple ransomware variants against the same victim and the use of data-destruction tactics to increase pressure on victims to negotiate.

Ransomware’s resurgence demands a multi-faceted defense. Organizations must prioritize layered security, implementing robust controls across email, network, data, and endpoint protection. Breaking down security silos and integrating tools with an XDR platform is essential. This holistic view allows for a deeper understanding of attacker tactics, including emerging trends like double extortion and multiplatform threats. Frameworks like MITRE ATT&CK can further pinpoint vulnerabilities, while monitoring for activity associated with common attacker tools helps detect suspicious behavior. Furthermore, regularly analyzing lessons learned and adapting your security controls is crucial for staying ahead of evolving threats.

Phishing Remains Relentless

While phishing came in 21^st on the list of most lucrative crime types, with losses totaling $18.7 million, it was once again the most prevalent cybercrime overall with nearly 300,000 complaints to the IC3 in 2023. This was almost five and a half times the second most popular complaint – personal data breaches.

This highlights the constant threat that phishing poses due to a general lack of cybersecurity awareness. We can all be vigilant by clicking with care and staying wary of suspicious emails, texts, and messages on social media, no matter where we are. To fortify our defenses, public awareness campaigns and education is key. Regular training programs can equip individuals and organizations alike to identify phishing attempts. Organizations should also leverage eLearning courses and run simulated phishing exercises to further train their employees and keep phishing top of mind. Additionally, implementing multi-factor authentication adds an extra security layer which can make a big difference. Working together – individuals, organizations, and cybersecurity experts – we can significantly reduce the effectiveness of phishing attacks.

Looking Ahead

The FBI’s report highlights the growing threat of cybercrime, but it doesn’t have to define our future. By paying closer attention to the biggest threats, prioritizing cybersecurity awareness campaigns, fostering collaboration between public and private sectors, and implementing robust security measures, we can begin to turn the tide. Let’s make 2024 the year we collectively outsmart cybercriminals and create a safer digital landscape for everyone.

James Turgal is the former executive assistant director for the FBI Information and Technology Branch (CIO). He now serves as Optiv Security’s vice president of cyber risk, strategy and board relations. James has personally helped many companies respond to and recover from ransomware attacks and is an expert in cybercrime, cyber insurance, cybersecurity, ransomware and more. James draws on his two decades of experience investigating and solving cybercrimes for the FBI. He was instrumental in the creation of the FBI’s Terrorist Watch and No-Fly Lists.

Implementing AI Assurance Safeguards Before OMB’s December Deadline

By Gaurav (GP) Pal, stackArmor Founder and CEO

In March 2024, OMB released groundbreaking new guidance in accordance with President Biden’s Executive Order on AI for the government’s safe use of artificial intelligence – the first of its kind government-wide policy on AI.

Under this new policy, government agencies must meet and implement mandatory AI safeguards that provide more reliability testing, transparency, and testing of AI systems. Agencies have to implement these safeguards by December 1, 2024.

The new mandates are designed to drive a thoughtful and considered approach to implement AI assurance safeguards and focus on the steps needed for long-lasting AI safety and development in their operations.

To meet this deadline and create long-lasting change, agencies should leverage and augment existing practices – such as the Authority To Operate (ATO) process – to add AI Assurance guardrails checking for safety, bias, and explainability in addition to confidentiality, integrity and availability. With new and emerging AI Risk Management guidance from NIST, ATOs with AI Risk Management Overlays can be applied to IT systems using AI so agencies can continue implementing safe solutions by assessing and managing risk.

New Guidance Will Lead to Safe AI Development

Over the last two years, we have seen a rapid evolution of technology with generative AI, making it imperative that the public sector catch up to this advancement for its successful and safe use.

The Biden administration and federal agencies have been making a significant effort to get ahead of advancing innovation by focusing on AI safety, development, and research. We have seen this through NIST’s AI Safety Institute (AISIC) announced in February – bringing together over 200 private sector stakeholders to help prepare the U.S. for AI implementation by developing responsible standards and safety evaluations.

NIST recently released helpful guidance designed to help manage the risks of generative AI. This guidance serves as a companion resource to NIST’s AI Risk Management Framework (AI RMF) and Secure Software Development Framework (SSDF).

What Agencies Need to do Ahead of the Deadline

Agencies should use documents like NIST AI RMF to create a risk classification methodology and create a risk baseline for conducting AI risk assessments ahead of OMB’s newly established December 2024 deadline.

To meet the ambitious deadline set forth in the new OMB guidance, agencies must take advantage of the current methodologies and frameworks in place, including NIST’s RMF and SSDF and look to implement robust test and evaluation techniques on the training data and models. Both frameworks are a good starting place for agencies looking for a high-level roadmap in AI security management.

By using a well-known RMF process to discover, classify, POAM (plan of action and milestone), and monitor the risks, leaders can quickly leverage what is available to them more efficiently and correctly for long-lasting and sustainable change.

However, current frameworks need more specific guidance and actions for agency leaders who need to implement the safeguards under the OMB framework. Leaders, including Chief AI Officers and Chief Information Officers, need to leverage additional tools, frameworks, and guidance to achieve these safeguards for the secure and responsible use of AI – adding to the complexities and challenges agencies are already facing.

Agencies should look to augment and leverage existing mechanisms to manage AI risk and enable the success of the mission to allow for agencies to reap the benefits of the Generative AI and AI/ML technologies.

With OMB’s new guidance and the subsequent deadline looming, agencies have a great opportunity to enable the mission while ensuring a safe and rights-respecting approach to be integrated into their day-to-day operations.

Over the past two years, we have seen many new frameworks that agencies can use; however, the challenge will be integrating different systems and frameworks to meet the demands of the OMB guidance by December.

The December 2024 deadline for implementing AI safeguards presents a significant challenge for government agencies. However, by leveraging existing frameworks such as NIST’s RMF and SSDF, as well as implementing an authority to operate (ATO) system for AI, agencies can work towards meeting the requirements outlined by OMB. The focus on AI safety and development is crucial, and by taking proactive measures, agencies can ensure the responsible and secure use of AI systems in their operations.

The Next AI Wave: Quantum AI

By Dr. James Matney, Vice President, Defense Strategy, GDIT

Amid all of the (well-placed) excitement around artificial intelligence, quantum AI is an emerging field that combines the power of quantum computing with AI to create new and innovative solutions for an array of complex problems.

Here’s why: Quantum computing is a method of solving complex problems in ways that classical computing cannot. Similarly, quantum AI can perform certain types of machine learning tasks much more efficiently than classical AI. By combining them, we create new and powerful capabilities.

For instance, quantum AI can train neural networks for image and voice recognition using large datasets in a fraction of the time it would take for classical AI, leading to more accurate predictions and better performance. Quantum AI can also train machine learning models on large datasets, which allows for more efficient processing of large amounts of data, which is particularly useful in machine learning applications where large datasets are common.

Early Quantum AI Use Cases Hold Insights for Agencies

Though it is in its early stages, quantum AI has the potential to revolutionize many industries, and the learnings from early industry pilots hold tremendous insights for agencies.

In finance, quantum AI can be used to analyze financial data and identify trends, which leads to more accurate predictions and better investment decisions. One can imagine the impact on, perhaps, fraud detection within agencies such as the Securities and Exchange Commission, the Internal Revenue Service, or Centers for Medicare and Medicaid Services, to name a few.

In cybersecurity, a significant concern is that quantum computers can break many of the encryption algorithms used to secure data. Quantum AI can create new and more secure encryption methods that are resistant to quantum computers. Quantum AI can also enhance network security where it can analyze large amounts of network traffic and detect anomalies that may indicate a security threat, improving the overall security of networks. Every agency has an interest in improving its cybersecurity posture and adding more dynamic detection capabilities, alongside the increasing adoption and maturation of new paradigms like zero trust.

In healthcare, quantum AI can be used to analyze medical images and identify patterns that may not be visible to the naked eye. This could lead to more accurate diagnoses and better treatment outcomes.

And in transportation, quantum AI can be used to optimize traffic flow and reduce congestion, leading to faster travel times and improved air quality. Alongside the recent multi-billion dollar investment in America’s infrastructure, implementing quantum AI to optimize that investment is a logical goal.

Preparing for Quantum AI Exploration and Adoption

No matter the agency or mission, it’s important to remember that quantum AI is not just about the technology itself. It also requires a skilled workforce capable of developing AI algorithms that can take advantage of the exponential increase in power that quantum computers bring. Already, companies and universities are increasing their focus on quantum computing and have programs directly related to quantum AI.

For example, today GDIT is actively working with universities and quantum technology companies on software skill development for developers and applying quantum AI techniques to solve real customer use cases. The most exciting part: Continued advances in quantum computing and in AI will generate progressively more sophisticated algorithms that will become more powerful and efficient, allowing for even greater performance on complex problems.

CDM’s Evolution to Non-Traditional Technology: Why Now and How Will it Succeed?

By Tim Jones and Alison King, Forescout

The Cybersecurity and Infrastructure Security Agency (CISA) earlier this year announced that the next phase of its Continuous Diagnostics and Mitigation (CDM) program would broaden to include non-traditional technology, such as Operational Technology (OT) and the Internet of Things (IoT), in 2024.

At its 2012 launch, CDM was focused on gaining centralized visibility of traditional IT assets across civilian agencies. Since then, CDM has broadened its scope to include assets in mobile and cloud platforms, laying the groundwork for extending parity in visibility across increasingly complex environments.

While it is not news that the entirety of the enterprise needs to be taken into consideration for risk and exposure programs to be successful in the age of zero trust, it is momentous that a program as large and influential as CDM (which spans 92 federal agencies and boasts 3 million endpoints) is set to embark on securing non-traditional technology assets. So, why now, and what will it take to overcome the challenges inherent in understanding, interacting with, and protecting OT?

Why now?

While the security risks of non-traditional technology are not new, three significant factors have now come to a head, creating the perfect storm to prompt CISA to declare that the next phase of CDM will incorporate OT and IoT. Those factors are A) the knowledge gleaned from the first part of CDM, B) the known increase in threats to critical infrastructure, and C) the evolution of cybersecurity policy.

A) The knowledge gleaned from the first phase of CDM: When CISA set the initial parameters of CDM to end at traditional IT, there was recognition that the network and the endpoints extend beyond the security parameter. Through CDM’s initial exploratory work, CISA now has a dashboard with a single holistic view of what is going on across all civilian networks. Simply put, the more they see, the more they know what they don’t see on their networks, and these assets represent a growing risk that is no longer acceptable to ignore. As they build out this visibility, CDM program managers can peek at an item on IoT and realize that a subset of assets have no homes, aren’t mobile platforms, and aren’t part of the organization’s cloud deployment. This surfaces new assets and devices that may be seen and could be at risk for vulnerabilities.
B) Increased threat to U.S. critical infrastructure from adversarial nation-states:In January, the FBI warned about the growing threat of Chinese Communist Party (CCP) cyberattacks against U.S. critical infrastructure. This is just one of many recent examples of state-sponsored malicious actors targeting civilian critical infrastructure.
C) Growing cybersecurity policy: Underlying CDM’s evolution to broaden its scope to include OT and IoT is, of course, policy. The amount of cybersecurity policy and regulation that has come out under the Biden administration is unprecedented. In December 2023, the Office of Management and Budget (OMB) issued a memo outlining the 2024 reporting requirements in accordance with the Federal Information Security Modernization Act of 2014 (FISMA). The document outlines a mandate that created a more holistic perspective on zero trust; all agencies are required to submit their annual Chief Information Officer and Senior Agency Official for Privacy metrics as well as annual reports from their respective inspectors general by Oct. 31, 2024

What will it take to make CDM’s evolution to include non-traditional technology feasible?

One part of the challenge is that OT and IoT are built differently from IT. Non-traditional technology is often assets that don‘t have agents or come from a managed service, which means a lot of custom operating systems. Another part of the problem is the abundance and longevity of non-traditional assets in federal networks. A third challenge is that broadening the scope of CDM’s purview increases the (already large) amount of asset data to track – ensuring the quality of the data is critical.

In preparation for this evolution, it is important to leverage highly scalable technology to handle the influx of new data elements. One single source of trusted data and a solution that can address all three categories of IT, IoT, and OT in a single pane of glass becomes even more critical for the successful future use of artificial intelligence (AI) or machine learning (ML) capabilities, which will depend on clean, structured data.

Once a single source of trusted data has been validated, the first step is identifying all system components. Next is prioritization of what to conquer first, depending on each asset’s risk factor, leading to the creation of a tailored zero trust strategy.

The strategy will be shaped by exploring questions such as: How large is my platform? What is on it? What’s the risk factor of each component? Once the risk factors have been prioritized, agencies will need to take the more challenging step of first making sure that the riskiest assets are not internet-exposed and then coming up with a plan to replace them.

There must be some level of accountability and manageability around those assets in the move towards zero trust, including questioning: What services are on them? What functionality they provide? What kind of data will be moving around inside the enterprise? Those are all going to be components of this evaluation around IoT and OT that CISA is calling out.

Ultimately, for the evolution of CDM to succeed, we need to foster a culture change – transitioning from blanket acceptance of the presence of, for example, the telepresence-connected video camera in the conference room to the exploration of: What’s running on that system? Is that part of my network? Have we segmented that device into a safe environment?

As we start to report back the types of assets coming into the enterprise, we need to dig beneath the surface to determine if they are going to satisfy zero trust requirements.

Tim Jones is Vice President of Public Sector Systems Engineering, and Alison King is Vice President of Government Affairs at Forescout.

Customer Expectations Require Agencies to Raise the Bar on Customer Experience, Report Shows

By Steve Caimi, Senior Principal, Product Marketing, U.S. Public Sector, Okta

As the digital revolution proceeds, public sector organizations know that delivering great digital experience is vital to building loyalty and convincing citizens that they can safely and seamlessly access government services online. Yet a new report shows that rising customer expectations are posing challenges that require new solutions from digital leaders.

To help public sector organizations gain a greater understanding of how to deliver safe and frictionless digital services, Okta surveyed more than 20,000 people worldwide in various industries about their digital experiences in the areas of convenience, privacy, and security. Okta’s Customer Identity Trends Report explores the survey results.

Survey Results

The survey’s fundamental finding: In the area of user experience, the digital era has raised the bar. People now expect seamless and frictionless digital experiences from the public sector – Federal, state, local, and tribal agencies, along with healthcare and education organizations – similar to those offered in the private sector. The report revealed that 48-60 percent of respondents would be more likely to engage public sector services online if the experience was simple and secure with frictionless login.

Across the board, the public sector faces a growing imperative to deliver safe and easy experiences. The survey also found:

Data privacy is top of mind: The report revealed that 81 percent of public sector respondents consider it important to have control over their data, especially when dealing with sensitive or private personal information.
Control is even more important than convenience: When asked to choose between the two, respondents favored maintaining control over convenience. This finding is particularly relevant in the public sector because services, such as unemployment benefits or student loans, can be attractive targets for bad actors.
Security is a top priority: The report revealed that 80 percent of data breaches can be attributed to stolen credentials. Perhaps not surprisingly, public sector users prefer dedicated login solutions that offer robust security measures.

Okta Can Help

Okta’s Identity solutions enable the public sector to strike a delicate balance between control and convenience, helping to ensure that customer privacy rights are protected while delivering smooth digital experiences. The public sector can maintain regulatory compliance, protect sensitive data, and safeguard user privacy by leveraging Okta’s Identity solutions and:

Effortlessly scale across multiple applications. The survey showed that 65 percent of people are overwhelmed by the number of usernames and passwords they need. By leveraging Okta’s robust features and scalability, organizations can expand their use of gov while ensuring security, performance, and reliability.
Deliver a secure and seamless user experience that upholds the highest standards of compliance. With Okta, your organization can maintain compliance with regulations and industry standards, ensuring the protection of sensitive data and user privacy. By prioritizing security and control, government agencies can gain the trust of those they serve while delivering services only to those who need them.
Have the same robust Identity and Access Management (IAM) solution that works with Common Access Cards (CACs) and Personal Identity Verification (PIV) Cards for federal employees. The survey revealed that 63 percent of people are unable to log into an account at least once a month because they forgot their username or password. Okta’s IAM solution is FedRAMP High and DoD IL4-authorized, providing the necessary security and compliance measures required by government agencies.

Overall, the survey revealed that people value control of their data and expect different levels of security for different online interactions. With Okta’s Identity solutions, your organization can strike a balance between data control and convenience, safeguarding user privacy while delivering seamless digital experiences. Let Okta power your organization’s digital front door with Login.gov and their 7,000+ other integration capabilities. With Okta’s help, governments can navigate the digital landscape, providing citizens with the exceptional experiences they need, enhanced by the security they deserve.

Read the Customer Identity Trends Report for a deeper dive into the survey results, and visit Okta Public Sector to find out how to get started with Okta today.

Applying for Government Benefits Shouldn’t Be Difficult When It Comes to Identity Verification

By Jeffrey Huth, Senior Vice President of TransUnion’s Public Sector business

Three senators last month introduced bipartisan legislation intended to create a better customer experience for people trying to access government services. Specifically, the Improving Government Services Act will require agencies to develop plans within a year of enactment to reduce wait times and improve digital services.

Coincidentally, TransUnion recently published a report on consumers’ experiences, preferences, and beliefs regarding enrollment in government benefit programs. The Reduce Benefit Enrollment Burdens report shows how challenging these processes can be for those accessing the customer service portals—and identifies means to address those problems.

Proving Identity Across Channels

One of the most significant areas for improvement concerns how government agencies verify identity remotely. Nearly 4 in 10 respondents (39 percent) spent 15 minutes or more trying to verify their identity when signing up for programs online. Spending 15 minutes online doing ANY form would be enough to tax a person’s patience. You can imagine the frustration that might occur regarding needed government benefits.

Additionally, constituents indicated their applications were delayed or declined due to not being able to prove their identity or eligibility online at more than double the rate that people experienced when applying through other channels, such as in-person. This helps explain why more than a quarter of people who do not apply online take that route because the process appears too difficult.

Other highlights from the survey – which polled 1,006 adults on whether they applied for government benefits in the past or might do so in the coming years – include:

While people appreciated the convenience of an online process, 23 percent of those polled could not complete their applications quickly.
There was a disconnect between expectations and reality for time spent verifying identity. Nearly 50 percent hoped to finish in under 10 minutes, but only 37 percent did.

While improving and streamlining identity verification online is critical, there is still a need for direct human interaction. The report found 60 percent of constituents will call an agency to get information about a program, while just slightly more will visit the official website (61 percent). In addition, when constituents run into problems while completing an online application, they are equally likely to call the agency for help as they are to use a digital channel, like the website chat function.

Here again, constituents expect a seamless and secure process to validate their identity in order to quickly get the help they need. These findings highlight the importance of a consistent omnichannel experience and should encourage agencies to invest in their call centers as part of their digital transformation.

What Modernization Will Require

The good news is that technology exists to securely verify identities without being overly intrusive for core entitlements and everyday benefits Americans need. Now, government agencies just need to continue in their commitment to deliver the experience that benefits program participants expect and deserve.

Among several recommendations, the TransUnion report notes a multipronged approach is most effective. Such an approach includes device reputation tracking, fingerprinting, device-to-identity linkages, and user behavior analysis. Solutions incorporating identity and device-proofing technologies are more likely to catch fraudsters early while reducing friction for legitimate benefits applicants, claimants, and recipients.

Inbound authentication solutions can help call centers reduce reliance on costly and time-consuming knowledge-based authentication while focusing fraud resources on only the minority of risky calls. These solutions reduce average call handling times, increase Interactive voice response containment, and improve the caller experience.

It’s clear that with so many more Americans connected to the web and accessing benefits via online portals, government agencies must implement more advanced identity verification methods using document validation, liveness detection, and facial matching recognition. Investing in more modern techniques for identity verification online and in the call center will pay dividends through more successful enrollment, improved citizen satisfaction, and increased program integrity.

Four Federal Software Supply Chain Security Trends to Watch

By Jeff Stewart, Vice President, Product, SolarWinds

The exponential growth of digital government has led to unprecedented security breaches across the supply chain. To address these threats, in 2021 the Biden administration enacted Executive Order 14028 intensifying scrutiny over vendors’ software supply chain. Subsequently, in 2023 the National Cybersecurity Strategy was introduced, urging software vendors to deploy greater secure software practices based on the NIST Secure Software Development Framework.

Despite these developments, a recent survey found most public sector respondents remain concerned about software supply chain security and are unsure what measures to implement to safeguard their systems.

While software supply chain security is a relatively new concept, here are four enduring trends to help agencies close the supply chain security gap and have a lasting impact on the public sector’s overall cybersecurity posture.

Making software releases faster and more secure with DevSecOps and AIOps

Today’s applications are built compositely with natively developed code integrated with third-party and open-source components, potentially creating numerous entry points for a threat actor. Unfortunately, while developers can control the things they build, they have zero control over how those applications are validated and secured.

DevSecOps and AIOps can help.

DevSecOps helps agencies break down the silos between development, operations, and security to produce faster, more secure software releases. Meanwhile, AIOps works across IT operations to help ensure software in production is operating efficiently, securely, and reliably.

AIOps works by leveraging artificial intelligence, machine learning, and predictive analytics to collect data from the entire digital ecosystem. It autonomously analyzes this data to yield deep, consolidated insights into the IT infrastructure and development process, including identifying vulnerable code.

AIOps doesn’t just find issues, it also fixes them automatically. For example, it can patch known vulnerabilities in production or deployed software. This streamlines the process for DevSecOps teams, allowing them to easily track and address security and performance problems from the source of the code to its deployment.

Meeting and exceeding compliance standards

Executive Order (EO) 14028 and other actions underscore the federal government’s commitment to leveraging its purchasing power to elevate security standards across the supply chain.

In response, agencies are increasingly looking to partner with software vendors who develop systems utilizing best practices that consistently meet or exceed NIST standards. Those practices include:

Basing the application build system on ephemeral operations, spinning up resources on-demand and destroying them when discrete tasks have been completed.
Building in parallel by utilizing isolated and distinct build environments, where numerous scans and security checks are performed before release.
Advancing beyond zero trust by adopting an “assume breach” position.
Deploying automated tools to concurrently scan for vulnerabilities throughout the development process.
Recording each build step, creating an immutable record of proof, and providing complete traceability.
And more.

Increased transparency through SBOMs

SBOMs (or software bills of materials) are a critical step forward in mitigating software supply chain risk. These documents provide a thorough overview of all components, libraries, tools, and processes used by software vendors in the build process. This transparency makes it easier for agencies to identify security risks that require patching or addressing through mitigating controls.

To date, three agencies – DoD, NASA, and GSA – have proposed new rules for federal contractors to develop and maintain SBOMs for any software used on a government contract.

Compliant vendors generate SBOM files at build time and may use them in the build process to validate that third-party dependencies haven’t changed underlying code, provide a comprehensive picture of the dependency tree available on a current build and historical basis, and perform build-time checks and enforce policies based on CVSS-scoring.

Increased observability across the supply chain

To counter security threats and increase visibility across the complex and layered software supply chain, agencies are increasingly adopting observability tools, techniques, and processes.

Observability offers comprehensive visibility into service delivery and component dependencies across the software creation and deployment ecosystem. This enables various departments within an agency, ranging from IT to development teams, to gain clearer, holistic insights into vulnerabilities for more rapid remediation. In addition, teams can leverage the integrated automation of AIOps to further boost security by reducing the opportunity for human error.

Observability solutions offer a holistic approach to identifying and addressing risks, making the future of software supply chain security significantly more promising.

Partnership is key

The four trends outlined above give federal agencies an opportunity to set a new standard for mitigating software supply chain risks. Crucially, agencies needn’t tackle this challenge alone. Software companies are actively addressing supply chain risk and can support agencies as they work to mitigate their own risks. These collaborations between the public and private sectors will be instrumental as agencies aim to meet or surpass NIST guidance for secure software development.

FedRAMP Baseline Transition Points to OSCAL-Native Tools

By Travis Howerton, Co-Founder and Chief Technology Officer at RegScale

Until recently, FedRAMP (Federal Risk and Authorization Management Program) certification was an Executive Branch mandate, but now that it has become law, it legally stands between cloud service providers (CSPs) and government revenue.

Further impacting the landscape is FedRAMP’s approval earlier this year of Rev. 5 baselines that were updated to correspond with the latest guidance from the National Institute of Standards and Technology (NIST).

According to the FedRAMP marketplace, cloud service providers including Microsoft, Amazon Web Services, and Salesforce have many existing FedRAMP authorizations at moderate and high impact levels. These authorizations, however, date back years, and for these already-certified CSPs, they are required to move from Rev. 4 to Rev. 5 Baselines.

Update to FedRAMP Rev. 5 Baselines

The FedRAMP update to the baselines is based on the National Institute of Standards and Technology (NIST) Special Publication SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations, Revision 5.

While increasing security and privacy controls is important to address the changing threat landscape, many stakeholders are concerned about the cost of FedRAMP compliance. It can be a significant expense, particularly for smaller CSPs, making it difficult for federal agencies to find affordable cloud solutions. Compounding the challenge, the authorization process can be slow, further delaying the adoption of cloud services to meet the government’s mission-critical needs.

As organizations look at updating to FedRAMP Rev. 5 Baselines, many CSPs must make adjustments that will take time to implement, particularly for those with unique security requirements or those seeking to use cloud services in new ways to meet the changing demands of users.

A Quicker and More Cost-Efficient Transition Process

NIST developed the Open Security Controls Assessment Language (OSCAL) to provide machine-readable representations of control catalogs and baselines, system security plans, and assessment plans and results – essentially covering all aspects of the Risk Management Framework (RMF). The goal is to simplify these transitions by shifting to an Authority to Operate (ATO) as-code approach for compliance tools.

Instead of writing compliance documents in Microsoft Word and Excel Spreadsheets – a slow, manual process that does not reflect real-time changes – OSCAL-based tools enable automation, helping to address cost and accuracy concerns by accelerating the process and minimizing manual work and errors.

Authorization to Operate (ATO) Tools

An ATO is a formal decision made by a senior government official to authorize the operation of an information system on behalf of a federal agency. The agency requires an ATO to connect the CSP to the government network, while the CSP needs FedRAMP to approve the security of the cloud environment. This results in a double-edged sword for the government to enable technology in cloud environments because while it ensures that both agencies and CSPs have endeavored to secure both systems and data, it also adds complexity and bureaucracy to the cloud adoption process.

ATO tools are software applications that help automate the ATO process, saving time and resources while ensuring a consistent and repeatable certification process. These tools help streamline the assessment, accreditation, and authorization steps of the ATO process by automating many of the tasks involved in FedRAMP certification, including gathering evidence, preparing documentation, and conducting assessments.

Additionally, ATO tools provide insights into a cloud environment’s security posture, helping agencies identify and mitigate security risks. These tools also improve communication between CSPs and federal agencies, enabling them to resolve issues that emerge during certification more quickly, reducing the burden and cost of FedRAMP certifications now and in the future.

Simplify FedRAMP Certification

To address many of the concerns stakeholders have related to FedRAMP certification, CSPs should consider solutions built on OSCAL. Using OSCAL-native tools, CSPs can get to ATO faster using code and submitting packages for authorization in a machine-readable format. This enables CSPs to resolve issues early on rather than going back and forth during the authorization process and allows for automated package reviews to accelerate ATO approvals.

Considering the significant costs involved in both becoming FedRAMP certified and requirements to transition from Rev. 4 to Rev. 5 baselines, this latest revision should be an impetus for organizations to seriously consider investing in OSCAL-native tools to improve the ATO process. The threat and technology landscape continues to change, and organizations can expect future revisions and additional overlays on FedRAMP Rev. 5 baselines based on each agency’s unique requirements, particularly the Department of Defense. Adopting OSCAL-native tools can help transform the FedRAMP certification from a massive undertaking in terms of cost, time, and effort into an automated and streamlined process.

What Zero Trust Means for Modern Government: Best Practices for Key Tenets

By Patrick Tiquet, VP of Security and Architecture, Keeper Security

Over the past few years, an important cybersecurity initiative has quickly swept across U.S. federal government agencies. Like few other tech initiatives, zero trust has taken hold at warp speed, thanks to a cooperative push from various cybersecurity authorities and frameworks.

The White House Executive Order 14028, CISA’s Zero Trust Maturity Model, Office of Management and Budget (OMB M-22-09) and the DoD zero trust strategy and roadmap have coalesced to make zero trust a current reality across numerous government agencies within the span of less than two years. That’s extremely fast, relatively speaking. And for good reason: the federal push toward zero trust is critical for the development and deployment of secure and resilient next-generation technologies and infrastructure.

Zero trust is a modern security framework that eliminates implicit trust. It requires all human users and devices to be continuously and explicitly validated, and strictly limits access to network systems and data. Instead of focusing on where users are logging in from, zero trust concentrates on who they are.

The continued unification of disparate cybersecurity efforts governmentwide indicates further progress toward a cohesive approach to cybersecurity as a true economic and national security priority. As with any new initiative, however, there are challenges to adopting new solutions and processes.

To effectively meet the requirements of Executive Order (EO) 14028, Office of Management and Budget (OMB) M-22-09, the Cybersecurity and Infrastructure Agency (CISA) Zero Trust Maturity Model and the Department of Defense (DoD) Zero Trust Strategy and roadmap, all Federal civilian agencies should implement a few key best practices including:

Select FedRAMP Authorized solutions. The Federal Risk and Authorization Management Program (FedRAMP) makes zero trust possible with its secure, authorized solutions. The U.S. government created FedRAMP to achieve a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. The FedRAMP marketplace is a critical resource for agencies to find and compare credible and secure authorized vendors through a trusted public-private partnership. It also ensures that the government is in lockstep with the most advanced cloud-based software and services that are driving the high-stakes capital markets. By working with FedRAMP Authorized solution providers that offer the highest levels of security and privacy, agencies can comply with federal government zero trust cybersecurity directives.

Adopt Multi-Factor Authentication (MFA). Using phishing-resistant MFA wherever available is a key directive. Agencies should add support for Two-Factor Authentication (2FA) methods such as SMS, TOTP-based authenticator apps like Google or Microsoft Authenticator, RSA SecurID, DUO Security; and FIDO2 WebAuthn devices like YubiKey.

Deploy capabilities for secure file sharing. In support of the OMB’s requirement for enterprise-wide information sharing, secure file sharing is important to enable efficient, secure, vault-to-vault sharing of stored files.

FIPS-140 Validated Encryption. FedRAMP and other federal directives mandate the use of FIPS-140 validated encryption. Ensuring the use of FIPS-140 validated encryption in your information systems will help you to achieve the best security, interoperability and compliance required by government agencies.

The Future of Cybersecurity in Government

The OMB Binding Operational Directive (BOD) M-22-09 has authoritative guidance on “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles” including clarification on CISA directives for BOD 23-01. Achieving zero trust is a responsibility for every organization doing business with the U.S. government. All high-level activities conducted by federal agencies and all networked assets require it. And all benefit from the advanced protections that a zero-trust security model ensures. FedRAMP makes available the tools and technologies to take the critical step in achieving modern effective compliance with EO 14028 and CISA, DoD and OMB zero-trust directives. Organizations are empowered to participate in these shared governance models that foster a collective approach to zero-trust cybersecurity.

Four Ways to Handle the IT Funding Crunch

By Chip Daniels, Vice President, Government Affairs, SolarWinds

When the Biden administration asked Congress to approve $300 million of additional money for the Technology Modernization Fund (TMF) in fiscal year 2023 (FY2023), hopes were high that agencies would finally have the financial backing necessary to truly accelerate digital transformation. Yet, when Congress passed its $1.7 trillion government funding bill and allocated just $50 million for the TMF fund, agencies were forced to pivot.

The budget shortfall means agencies must continue to balance doing more with less while advancing mission-critical IT objectives. As they put these plans into practice, here are four strategies to help organizations move forward while keeping financial acumen top of mind.

Ensure technology investments are delivering value by linking priorities to mission outcomes

The first step in any modernization strategy is to align technology priorities and goals with desired mission outcomes. This serves two purposes:

It ensures agencies focus investments on solutions designed to yield results most important to their organizations and constituents, whether they are citizens, government employees, or mission partners.
It helps weed out solutions failing to deliver value in relation to the spend allocated.

Agencies should assess their current technology ecosystem to see if the technologies they currently use meet their needs. The assessment should analyze who uses the solutions, what capabilities and limitations the technology has, and whether the technology still aligns with the mission. For example, legacy solutions implemented years or even decades ago may no longer garner the appropriate results or value.

Automate wherever possible to deliver greater efficiency

Most agencies know about how automation can help save on IT costs, but there’s still a question of where to begin. After all, agencies are plagued by a large volume of tasks, many of which can only be managed through traditional manual processes.

Chances are, however, that a substantial number of those processes can be automated – it’s just a matter of discovering them. To do this, IT managers must carefully review existing processes and look for inefficiencies and automation opportunities.

IT monitoring is an appropriate example. Traditional monitoring usually involves multiple disparate tools, each looking for abnormalities in different areas of an agency’s digital environment. Managers must keep track of all these tools and continuously engage in context switching which can be labor-intensive and lead to errors. Additionally, this gets more cumbersome the bigger the ecosystem gets.

Automating the monitoring process significantly bolsters an agency’s security posture and ability to control the IT environment. Automation takes the onus of security and application management away from the IT team by automatically discovering and troubleshooting anomalies and initiating incident response protocols. When IT managers are not burdened with a cacophony of alerts, their teams can focus on top-priority initiatives and delivering value-added services to their agencies in a more efficient manner.

Automated monitoring is also beneficial in identifying rogue or shadow IT devices and applications and redundancies across the IT landscape.

Avoid toolset creep

Toolset creep is one of the biggest threats to an agency’s bottom line and efficiency. Toolset creep results from the collection of dozens – if not hundreds – of point-monitoring products over the years. This can include multiple tools for monitoring the performance and security of the distributed network, cloud instances, on-premises infrastructure, applications, databases, and more. Over time, the ecosystem becomes unwieldy and costly to maintain.

One of the best ways to keep toolset creep in check is through full-network observability. Observability is different from network monitoring. Observability allows IT teams to move beyond siloed views and monitoring and gain a single pane of glass view into their entire hybrid, multi-cloud, and on-premises environments. With this multi-stack visibility, IT gets a single source of truth and consolidated insights into IT operations. Observability applies cross-domain correlation, machine learning, and AIOps to yield intelligence traditional monitoring tools can’t, such as anticipating network issues or security threats for rapid remediation – ahead of any performance impacts.

With observability, agencies can also weed out unnecessary or outdated monitoring tools, lower administration overhead, and improve staff productivity.

Develop a strategically phased approach to modernization

While Congress’ decision to approve only a portion of the TMF funding proposed by the president creates budget challenges for agencies, a little planning and patience can help agencies stay within budget while forging ahead with their modernization efforts.

Rather than trying to do too much, too soon, agencies should adopt a strategically phased approach to modernization and break up their initiative into manageable chunks over the next few years. This will ensure costs stay in line while allowing agencies to stay on their digital transformation paths.

1 2 3 … 20 Next »

Cookie	Duration	Description
AWSALBCORS	7 days	Amazon Web Services set this cookie for load balancing.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	New Relic uses this cookie to store a session identifier so that New Relic can monitor session counts for an application.
PHPSESSID	session	This cookie is native to PHP applications. The cookie stores and identifies a user's unique session ID to manage user sessions on the website. The cookie is a session cookie and will be deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_pxhd	1 year	PerimeterX sets this cookie for server-side bot detection, which helps identify malicious bots on the site.

Cookie	Duration	Description
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.
__cf_bm	30 minutes	Cloudflare set the cookie to support Cloudflare Bot Management.

Cookie	Duration	Description
AWSALB	7 days	AWSALB is an application load balancer cookie set by Amazon Web Services to map the session to the target.
_gat	1 minute	Google Universal Analytics sets this cookie to restrain request rate and thus limit data collection on high-traffic sites.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
CONSENT	2 years	YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.
ln_or	1 day	Linkedin sets this cookie to registers statistical data on users' behaviour on the website for internal analytics.
pardot	past	The pardot cookie is set while the visitor is logged in as a Pardot user. The cookie indicates an active session and is not used for tracking.
UID	1 year 1 month 4 days	Scorecard Research sets this cookie for browser behaviour research.
vuid	1 year 1 month 4 days	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos on the website.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gcl_au	3 months	Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
__gads	1 year 24 days	Google sets this cookie under the DoubleClick domain, tracks the number of times users see an advert, measures the campaign's success, and calculates its revenue. This cookie can only be read from the domain they are currently on and will not track any data while they are browsing other sites.

Cookie	Duration	Description
anj	3 months	AppNexus sets the anj cookie that contains data stating whether a cookie ID is synced with partners.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
GoogleAdServingTest	session	Google sets this cookie to determine what ads have been shown to the website visitor.
IDE	1 year 24 days	Google DoubleClick IDE cookies store information about how the user uses the website to present them with relevant ads according to the user profile.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
muc_ads	1 year 1 month 4 days	Twitter sets this cookie to collect user behaviour and interaction data to optimize the website.
personalization_id	1 year 1 month 4 days	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
test_cookie	15 minutes	doubleclick.net sets this cookie to determine if the user's browser supports cookies.
uuid2	3 months	The uuid2 cookie is set by AppNexus and records information that helps differentiate between devices and browsers. This information is used to pick out ads delivered by the platform and assess the ad performance and its attribute payment.
VISITOR_INFO1_LIVE	5 months 27 days	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
_mkto_trk	1 year 1 month 4 days	This cookie, provided by Marketo, has information (such as a unique user ID) that is used to track the user's site usage. The cookies set by Marketo are readable only by Marketo.
__gpi	1 year 24 days	Google Ads Service uses this cookie to collect information about from multiple websites for retargeting ads.