Smarter Gov Tech, Stronger MerITocracy
Menu
This page is not built out yet. If you are seeing this page, please contact an administrator.

Getting in on the Ground Floor of the ‘New Observability’

By Ozan Unlu, CEO, Edge Delta

In fall 2022, Splunk issued its annual State of Observability Survey and Report, highlighting the increasingly critical role observability plays in enabling multi-cloud visibility and dramatically improving end-user experiences. Growth in observability – or the ability to measure a system’s current state based on the data it generates – has occurred in lockstep with cloud adoption and is viewed by many as an essential counterpart, helping IT teams overcome more complex and extensive monitoring challenges.

According to Splunk’s report, the benefits of observability are very real: organizations that are observability leaders (two years or more with an observability practice) report a 69 percent better mean time to resolution for unplanned downtime or performance degradation; and leaders’ average annual cost of downtime associated with business-critical applications is $2.5 million, versus $23.8 million for the beginner group (one year or less).

So where exactly do government IT organizations fall? Solidly in the beginner category, with 78 percent of government IT teams registering as beginners (versus an average of 59 percent across other industries). In fact, no government IT team surveyed registered as a leader.

While it may seem that government IT is trailing in observability, there’s actually tremendous upside to be had here. This is because observability, as a discipline, is undergoing a dramatic shift – spawned largely by rapidly growing data volumes –  that nascent observability practices are ideally poised to leverage. This shift entails:

  • Moving from ‘Big Data’ to ‘Small Data’ Traditional observability approaches have entailed pooling all data in a central repository for analysis, with the understanding that collecting all datasets together and correlating them can be the key to delivering the insights needed to quickly determine root causes. The problem with this approach is that traditionally all data is relegated to hot storage tiers which are exceedingly expensive, especially with data volumes exploding due to the cloud and microservices. The incidence of an IT team unknowingly exceeding a data limit and getting hit with a huge unexpected bill as a result is far more common than one would expect. To avoid this – and knowing that the vast majority of data is never used – an organization may begin indiscriminately discarding certain data sets, but the problem with this approach is that problems can lurk anywhere and random discarding may introduce significant blind spots. The solution is not to discard randomly, but rather to inspect all data in parallel, in smaller, bite-sized chunks.
  • Analyzing Data in Real-Time – Besides cost, another drawback of the “centralize and analyze” approach described above is the fact that it takes time to ingest and index all this data – time that an organization may not have if a mission-critical system is down. In spite of great technology advances, recent outage analyses have found that the overall costs and consequences of downtime are worsening, likely due in part to an inability to harness, access and manipulate all this data in milliseconds. Many data pipelines just can’t keep up with the pace and volume of data – and the more data there is to ingest, the slower these pipelines become. Furthermore, these pipelines do very little to help IT teams understand their datasets and determine what is worth indexing. This leads to overstuffed central repositories that then take much longer to return data queries, further elongating mean-time-to-repair (MTTR). With the average cost of downtime estimated at $9,000 per minute (translating to over $500,000 per hour), a much better approach entails analyzing data for anomalies in real-time.
  • Pushing Data Analysis Upstream – Analyzing data in real-time helps IT teams not just detect anomalies faster, but also immediately identify the root cause of issues, based on what systems and applications are throwing the errors. Furthermore, when data is analyzed at the source, the concept of data limits in a central repository becomes a non-issue. For organizations that want to keep a central repository, high-volume, noisy datasets can be converted into lightweight KPIs that are baselined over time, making it much easier to tell when something is abnormal or anomalous – a good sign that you want to index that data. Some organizations find they don’t actually need a central repository at all.
  • Keep All Your Data and Make it Accessible – As noted above, by pushing analytics upstream in a distributed model, an organization can have an eye on all data, even if all this data is not ultimately relegated to a high-cost storage tier. However, there are going to be times when access to all of this data is needed, and it should be accessible – either in a streamlined central repository, or in cold storage. In line with the DevOps principle of encouraging self-service, developer team members should have access to all their datasets regardless of the storage tier they’re in, and they should be able to get hold of them easily, not having to ask operations team members who often serve as the gatekeepers in the central repository model.

There’s little question that government IT teams are not as advanced as other industries when it comes to observability. This is reflected in the industry’s comparatively slow cloud adoption (on average, government IT teams report 24 percent of internally developed applications are cloud-based, compared to an average of 32 percent across other industries); and perhaps more importantly, lack of confidence. Only 22 percent of government IT teams reported feeling completely confident in their ability to meet application availability and performance SLAs, compared to 48 percent of respondents across other industries.  The good news is, with relatively few investments already made, government IT teams are in a better position to capitalize on more modern, cost-efficient and agile observability strategies – helping them increase cloud adoption while building confidence.

Comply-to-Connect is Key to Zero Trust for DoD

By Melissa Trace, Vice President, Global Government Solutions at Forescout Technologies

Research from Forescout’s Vedere Labs reveals that government organizations have the highest percentage of devices with risk. Between the explosion of remote work, the ongoing ransomware epidemic and the fact that the number of non-traditional assets – such as IoT, OT and IoMT – outnumber the volume of traditional IT assets, agencies are well aware of the need to evolve the cybersecurity of government networks. In fact, relative to the private sector, government is reportedly leading the charge in the adoption of zero trust.

The allure of zero trust methodology is the ability to restrict access to data resources by assessing user-resource connection requests in the most granular method possible. Agencies turn to the primary zero trust authority, Draft NIST Special Publication (SP) 800-207: Zero Trust Architecture  (NIST SP 800-207), which provides the following steps for introducing zero trust to a perimeter-based architected network:

  1. Identify actors on the enterprise;
  2. Identify assets owned by the enterprise;
  3. Identify key processes and evaluate risk associated with executing them;
  4. Formulate policies for the zero trust architecture candidate policy enforcement point (PEP);
  5. Identify candidate PEP solutions;
  6. Begin deployment monitoring; and
  7. Expand the zero trust architecture.

The very first steps are an undertaking for an organization as comprehensive as the Department of Defense (DoD). The DoD Information Network (DoDIN) spans thousands of networks, each with thousands of connected devices and connected systems. Simply knowing all of the IT assets on the DoDIN has always been a challenge.

Comply-to-Connect Leverages Zero Trust Principles for the DoD

The DoD launched Comply-to-Connect (C2C), one of the largest government cybersecurity efforts globally, to effectively boost its cybersecurity posture across the enterprise. C2C leverages zero trust’s least privilege principles to protect access to data resources and assets.

C2C provides the foundation of the DoD’s zero trust journey and is the next step in the evolution of security throughout the DoDIN at both the classified and non-classified levels. A major distinction between C2C and previous security programs is that C2C seeks visibility of all assets (both traditional and non-traditional). Whereas other enterprise security solutions focus on a subset of DoDIN-connected devices, C2C applies to all categories of DoDIN-connected devices: workstations/servers, mobile devices, user peripherals, platform IT devices, IoT devices, and network infrastructure devices.

Further, DoD’s C2C policy allows teams to authenticate the security posture for the endpoint of each resource prior to granting access to the network. Before access is given, all devices are examined to ascertain compatibility with organization policy. In accordance with zero trust, systems and devices are, then, only granted access to appropriate network areas. All connected devices are continually monitored with the ability to address any cyber-related discrepancies through automated action within the C2C framework.

The two main objectives of C2C are:

  1. C2C fills existing capability gaps in currently fielded enterprise security solutions through complete device identification, device and user authentication, and security compliance assessment.
  2. C2C automates routine security administrative functions, remediation of noncompliant devices and incident response through the integration of multiple management and security products and continuous monitoring.

The Importance of Visibility and Monitoring

Visibility and monitoring are prerequisites to DoD’s zero trust “never trust, always verify” authentication and compliance policies. They are also at the core of every government journey to zero trust, whether they are just beginning or have attained some level of maturity.

How Will Upcoming Cryptocurrency Regulations Affect Industry?

By Miles Fuller, Head of Government Solutions, TaxBit

The collapse late last year of FTX, one of the largest centralized cryptocurrency exchanges in the world, and the resulting contagion has garnered the interest of U.S. lawmakers and regulators. After years of talking about crypto, they now seem to be interested in more than just hinting at regulations and standards for digital assets.

That’s a good thing. Far from being limiting factors, regulations safeguard consumers’ assets, eliminate the threat of noncompliance, mitigate illegal activities, reduce transaction costs and market uncertainty, and stimulate robust business operations. They also protect investors from unwitting managers and consumers from nefarious business practices while providing clarity to entrepreneurs so products and business systems can be developed with less risk or uncertainty.

The Federal government agrees with the need for regulations for blockchain. The IRS’s recent pivot to using Congress’ term of art “digital assets” to describe virtual currency is a great example. The IRS defines digital assets as all crypto assets, including NFTs and stablecoins. Congress and the Treasury Department are merely imposing on the digital-asset ecosystem the same tax reporting rules that have long existed for traditional finance.

The agency’s position complements the requirements of the Infrastructure Investment and Jobs Act (IIJA), which details clear tax reporting rules for digital asset brokers, transfer statement reporting, and more, that were scheduled to go into effect on Jan. 1, 2023. But what will those regulations be, and how will they impact organizations engaged in the exchange of digital assets?

Lessons From Traditional Finance

In the wake of the FTX collapse, SEC Commissioner Hester Peirce stated that the crypto market needs to “take some basic lessons from traditional finance.” Fittingly, the rules imposed through the IIJA are already taking that approach in the tax world.

The rules are designed to reduce the tax-reporting burden on individuals by requiring brokers to provide easy-to-understand information about the tax impact of transactions conducted on their platforms. This information is shared with the IRS to streamline the review of tax returns filed by individuals and promote transparency and compliance.

For example, under the IIJA digital asset brokers are required to file Forms 1099 with the IRS and provide copies to customers. The forms will include specific tax information about digital asset transactions that the customer engaged in during the year.

This type of information sharing has never really existed in the digital asset space. Platform users generally do not receive any periodic statements and are only able to download data files for use in year-end tax calculations.

The new IIJA provisions completely change this and bring information reporting for digital assets in line with longstanding rules for traditional finance. Traditional financial investors receive Forms 1099 from their brokers summarizing what assets they bought and sold and the tax impact of those transactions. Digital asset investors will receive the same information.

As with securities, IIJA also requires digital asset brokers to share acquisition cost information with other brokers when assets are transferred. This allows the broker receiving the transferred asset to properly complete a Form 1099 when the asset is sold by including accurate purchase price information.

This will be a massive step toward reducing the tax-reporting burden on individuals in the digital asset space. This type of transfer reporting has been a stock market staple for more than a decade and has significantly reduced the burden of tax preparation in that space because all of the information is provided to the taxpayer from the broker. In the digital asset ecosystem, where transfers among brokers and platforms are more frequent, this type of reporting will have a similar impact.

However, certain hurdles remain.

Defining who is a Broker

One of the biggest issues is how to appropriately define who or what constitutes a digital asset broker that is subject to these reporting rules. In traditional finance, brokers are relatively easy to spot – they facilitate the transfer or trade of securities on behalf of their customers. But the digital asset ecosystem functions differently.

The nature of blockchain technology means that transactions can occur or marketplaces exist where assets are traded without the need for an actual business or individual to facilitate those transactions. In these situations, transactions are facilitated by a computer protocol that operates autonomously without any human oversight. Developers of these protocols argue that IIJA compliance is impracticable. The argument is that without any human involvement or oversight, there is no “broker” who can be held responsible for meeting the requirements.

It is unclear how the Treasury Department will address these situations or to what extent they will impose reporting requirements on platforms that operate autonomously in the decentralized finance space. This is not an easy problem to solve and regulatory overreach may negatively impact growth and development in the decentralized financial market. Of course, limiting the application of IIJA rules will be equally problematic because the goal of the regulations will not be met and taxpayers will continue to be left with limited or unhelpful information for tax purposes.

Digital Asset Functionality

Further, if an individual taxpayer personally holds digital assets and moves those holdings into and out of digital asset broker platforms, the effectiveness of IIJA reporting will be reduced, since individuals are not required to report personal transfers. However, requiring brokers to report transfers that are not sent to other brokers should help the IRS and taxpayers understand how to account for these units and properly file their taxes.

There are other IIJA requirements pertaining to the ability of digital assets to function like currency in some settings. For example, the transfer of digital assets exceeding $10,000 has its own reporting requirements that mirror the rule governing the receipt of physical cash by businesses. By imposing rules requiring the disclosure of high-value transfers of digital assets, Congress is seeking to put up informational guardrails around digital assets.

A Good First Step

While questions remain, the requirements contained in the IIJA are a first step at imposing needed regulations around digital assets. The reporting requirements will undoubtedly help the ecosystem continue to mature.

My Cup of IT: Cup Cake for Kushner?

As we tilt into this new year in the Federal IT events community, I wanted to point to the absurdity of Federal gift giving regulations.

We all know that industry’s not allowed to give a Fed food and drink worth more than $20 at one time – and no more than $50 in a year.  The General Services Administration says so right here.  Crossing that threshold constitutes bribery.

Try buying any meal for less than $25 in D.C. right now – even without the cup cakes, a simple meal has become expensive, don’t you know…?

I had to chuckle last year when we learned that Jared Kushner, the former president’s son-in-law and a key advisor during his administration, racked up a $2 billion investment from the Saudi Sovereign Wealth Fund.

That’s one helluva cup cake.

Is it not absurd that regular Federal civil servants are held to one standard, while appointed officials, when they step out of office, can accept whatever payments from whomsoever deems it in their interest to shower largesse?

Maybe it’s time to reform that $20 food and beverage limit to get in line with inflation – and maybe it’s also time to put appointees and their family members on a stricter diet?

Launching a New Era of Government Cloud Security

By Dave Levy, Vice President, Amazon Web Services

The FedRAMP Authorization Act was recently signed into law as part of the defense authorization bill, a signal that cloud technologies continue to have a permanent place in helping U.S. government agencies deploy secure and innovative solutions to accomplish their missions.

Through this legislation, policy leaders on Capitol Hill and in the Biden administration further recognize the important role that industry partners play in improving the security and resilience of government services.

Government cloud security begins with the Federal Risk and Authorization Management Program, or FedRAMP. FedRAMP is a program that standardizes security assessment, authorization, and monitoring for the use of cloud services throughout the U.S. federal government. The program was authorized in 2011 through a memorandum from the Office of Management and Budget (OMB), and the General Services Administration (GSA) established the program office for it in 2012.

Though in existence for ten years, FedRAMP had not been formally codified in legislation. In this time, we’ve seen meaningful improvements in the ways government agencies leverage cloud technology to improve how they deliver services and achieve their missions. From its adoption by the Intelligence Community to leveraging cloud technologies in its space missions, government agencies have demonstrated that cloud technologies allow them to rapidly deploy systems that are secure, resilient, and agile. Cloud technologies also allow them to do more, for less, and at a faster pace than imagined possible ten years ago.

Amazon Web Services (AWS) applauds Congress and the White House for bolstering cloud adoption and security package reuse through the FedRAMP Authorization Act, a piece of legislation led by U.S. Congressman Gerry Connolly, D-Va., to codify the FedRAMP program. With this bill signed into law as part of the National Defense Authorization Act, there is recognition for the important role that the cloud plays in securing federal systems – and the role FedRAMP plays in ensuring that security.

Safeguarding the security of our federal systems is more important now than ever. With the volume and sophistication of cybersecurity attacks increasing, coupled with evolving geopolitical security threats around the world, the U.S. Government must ensure that it is leveraging best-in-class security services to deliver its critical missions. Further, the “do once, reuse many times” ethos of FedRAMP will save money for mission teams across government as teams optimize security by leveraging existing system security packages.

Industry has a key role to play in this equation. For example, the FedRAMP Authorization Act creates the Federal Secure Cloud Advisory Committee, which would be tasked with ensuring coordination of agency acquisition, authorization, adoption, and use of cloud computing technologies. The committee will serve as a new method of formally engaging with industry partners to improve the way cloud accreditations are managed in government, and align the use of those services with agency missions and priorities. A joint group of government and industry partners such as this committee will help the FedRAMP program evolve to solve the toughest security challenges facing the U.S. government today.

Security is our top priority, and AWS has been architected to be the most flexible and secure cloud computing environment available today. Both the AWS GovCloud region, which is a region specifically designed to meet the U.S. Government’s security and compliance needs, and AWS US East-West regions have been granted FedRAMP authorizations.

AWS supports FedRAMP, as we have from the very beginning. U.S. government agencies are embracing cloud in existing programs and missions, and they are building new services with cloud technologies. Formally codifying the FedRAMP program through legislation ensures the U.S. government can leverage industry-leading cloud services, safeguard federal systems, and better support the delivery of critical citizen services in an evolving security landscape.

Dave Levy is Vice President at Amazon Web Services, where he leads its U.S. government, nonprofit and public sector healthcare businesses.

Managing IT Complexity in Federal Agencies

Despite recent progress, IT-related problems continue to hinder work at government agencies. These include data in silos across locations that complicate information-gathering and decision-making, rising cyber threats targeting employee logins, and legacy systems that don’t adapt easily to mission changes or remote work environments.

Accordingly, a recent study by Gartner found that while 72 percent of programs aimed at government IT modernization saw gains in response to the pandemic, fewer than half (45 percent) have scaled across the organizations they serve.

Fortunately, best practices and managed services can alleviate the problem. Trusted Artificial Intelligence (AI) for operations, zero-trust cybersecurity frameworks, and managed systems integration can all help, according to Aruna Mathuranayagam, chief technology officer at Leidos.

Managing IT Complexity

Mathuranayagam identifies three critical areas for federal agencies to address to streamline operations and reduce costs while increasing employee productivity and safeguarding sensitive data. These are systems integration, zero-trust cybersecurity practices, and digital user experiences.

  • Systems integration helps bridge divides across data silos without compromising security, according to Mathuranayagam. “Some of our customers are building common DevSecOps platforms so they can adopt algorithms or cloud practices quickly,” Mathuranayagam says. “The platforms are common across the different classified environments. The activities may vary within each secret classification, but they have a unified practice.” An example of where such integration can help is the National Nuclear Security Administration (NNSA), with headquarters in Washington, D.C., and eight sites across the country. Those sites have tended to manage their IT and implement cybersecurity measures in their own ways, creating silos, according to Mathuranayagam.
  • Zero trust cybersecurity represents more of an ongoing journey than a problem to be solved with off-the-shelf solutions, according to Mathuranayagam. But it is essential for safeguarding systems and data from today’s sophisticated and relentless attacks. “You have to look at how your networks are configured, how your employee authorizations are configured, how your architecture is laid out,” Mathuranayagam says. “It’s a complete transformation of your philosophy and how you have been providing security to your users, to your customers, to your stakeholders.”
  • Digital user experiences are often given less attention in IT transformations. However, they are vital for streamlined operations and productivity, according to Mathuranayagam. That’s because well-designed interfaces and workflows reduce the burden on users so they can work with minimal friction.

Bringing these focus areas together in a managed enterprise cybersecurity model will result in safer, more efficient, and less costly IT, according to Mathuranayagam. She cites Leidos as a vendor providing a unique toolset and deep experience for meeting the challenge.

Managed IT and Security from Leidos

AI plays a starring role in IT managed by Leidos. “What Leidos has built in the last ten years of research and development from supporting a wide range of customers across the Department of Defense, Department of Energy, federal civilian agencies, and the intelligence community, is something called trusted AI,” Mathuranayagam explains.

Trusted AI developed by Leidos depends on a framework known as the Framework for AI Resilience and Security, or FAIRS. The system lets organizations gather data across systems for deep analysis while enhancing security.

The benefits of using FAIRS include reduced cognitive workload through automation and the surfacing of insights from data across systems. “It can identify patterns that we as humans cannot identify in terabytes or petabytes of data across different sources,” Mathuranayagam says.

For example, AI-driven data analysis can spot trends in help tickets. Analysis of ticket types, frequency of tickets, and peak times for tickets can lighten the load for tech support teams. “You can start observing the tickets and extract patterns,” Mathuranayagam says. “And then you can write rules-based algorithms to autonomously respond to certain tickets or implement practices to eliminate a percentage of them.”

In the realm of security, although no single solution can check the “zero trust” box, trusted AI and managed services from Leidos can give agency IT leaders confidence on the journey.

Mathuranayagam explains that Leidos helps organizations understand their IT environments through complete visibility of all assets, identifying any security gaps. From there, Leidos experts help teams build multi-year roadmaps and acquire the expertise and technologies they need, all of which can aid agencies in reducing digital complexity and risk while advancing their missions.

To learn more, visit leidos.com/enabling-technologies/artificial-intelligence-machine-learning.

Agencies Must Modernize Zero Trust Approaches to Achieve Optimal Protection

By Petko Stoyanov, Global Chief Technology Officer, Forcepoint

Many Federal agencies are considering investing in zero trust network access (ZTNA) solutions. But not all ZTNA applications are equal, and it’s important agencies invest in ZTNA solutions that will allow them to align and meet the “Optimal” stage outlined in the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model guidelines.

In CISA’s view, Optimal protection includes continuous validation and inline data protection. Traditional ZTNA architectures do none of these; rather, traditional ZTNA provides encrypted tunnels, just like Virtual Private Networks (VPNs) but on an application-specific level. They do not incorporate essential elements like machine learning (ML), data-centric encryption, or real-time risk analysis, which significantly elevate agencies’ protection levels based on what they transfer.

To achieve Optimal status, agencies need more than just a renamed VPN. Just as they modernize their cybersecurity approaches, they must modernize their zero trust programs to be more dynamic, intelligent, and responsive with identity and data monitoring across all pillars.

To illustrate, let’s look at three of the five pillars of the CISA Maturity Model: Identity, Device, and Data.

Ultimately, zero trust is about enabling and controlling access from an individual to the data, continuously. The device, the network and application are the middleware enabling user to data access.

Identity

Everything starts with an identity, the “who” of the equation. We need to identify who we are before we enter a building or a computer or phone.  Agencies need to have a centralized identity solution that validates users’ credentials against a central identity directory – across both on-premises and cloud environments.

Optimal identity validation can only be achieved with ML built into the zero trust architecture. ML enables real-time analysis of the user or system attempting to access an application. It collects various bits of information – when’s the last time this person signed on, how often do they use the application, where are they signing on from, etc. – and progressively learns about users’ security postures. It continuously validates those postures to determine if a person poses a risk the minute they attempt to sign on.

Agencies with Optimal identity validation are continuously evaluating the identity across the full lifecycle of creation, permission management, and retirement.

Agencies should ask the following questions when evaluating their identity validation capabilities:

  • Do my users have a single identity across on-premises and cloud?
  • Do I continuously monitor to ensure users have the right access and not too much?
  • Do I have the ability to identify individuals that are demonstrating abnormal behavior?

Device

Agencies cannot just monitor the “who,” they must also consider the “what” – meaning, what device is being used to access data. They must be able to trust the devices that employees are using, particularly as employees continue to work remotely, and complement the use of agency-issued devices with their own personal tools.

This reality requires an advanced zero trust architecture that constantly monitors the devices that are touching the network for potential threats. The architecture must be able to immediately discern if the devices are authorized for network access, up to date on the latest virus protection operating system software, and are as security-hardened as possible. If not, the architecture must be nimble enough to block access in the moment, before the unsecured or unsanctioned device has a chance to exfiltrate data.

Agencies should ask the following questions when evaluating their device capabilities:

  • Do I check for device posture on initial connection to the agency application/data? Device Posture includes hardware details, OS level, patch level, running application, harden configuration, and the location.
  • Can I identify all identities used on a single device?
  • Can I detect a device posture change after connection to an agency application?

Data

CISA states that for an agency to achieve Optimal ZTNA levels, it’s not enough to just store data in encrypted clouds or remote environments. The data itself must be encrypted and protected.

Furthermore, agencies must be able to inventory data, analyze it, and categorize it based on certain characteristics – continuously and automatically. Some data might be highly confidential, for example, and should only be accessible to certain members of an organization. The ZTNA must be intelligent enough to learn and process changes to data classification. It must also be able to rapidly identify not only who is accessing the data, but the type of data that person is accessing – and then match the two.

Agencies should ask the following questions when evaluating their data capabilities:

  • Can I continuously discover the on-premises and cloud environments storing my data and create an inventory?
  • Do I know the category and classification of the discovered data?
  • How do I control access to the data?
  • Do I encrypt the data with my environment and when it leaves my control?

The CISA Zero Trust Maturity Model indirectly acknowledges that networks have gotten smaller and more fragmented. As network perimeters become blurrier, organizations must focus their firewalls on specific users, devices, and data points. Traditional ZTNA architectures barely evolved from VPNs won’t be enough. Agencies need a more modern ZTNA model, replete with machine learning, to achieve Optimal protection.

Five Essential Metrics for Measuring Federal Government CX

By Willie Hicks, Federal Chief Technologist at Dynatrace

Whether users are shopping on Amazon or another top company’s website, they expect certain website performance and features availability to ensure a positive customer experience (CX).

Users expect to access product links and conduct transactions seamlessly and swiftly. They expect to navigate to comprehensive product specifications or details instantly, and to enlarge images with a simple mouse click. If they have any questions or concerns, they want effective chat support in the form of a live human being or an artificial intelligence (AI)-enabled avatar.

These advancements will continue to expand as customer demands intensify for their online and in-person experiences. For example, I recently swung by a fast-food drive-through, and an AI bot took my order. I intentionally changed certain words when repeating the order to see whether I could throw off this “employee.” But I failed. The bot got my order exactly right.

Given how far private industry has advanced, one might think we should harbor the same expectations when we seek services from the federal government. But agencies cannot deliver this level of CX yet.

Fortunately, the current administration recognizes this and has taken action. In December 2021, the White House released its “Executive Order on Transforming Federal Customer Experience and Service Delivery to Rebuild Trust in Government.” The order states – in light of complex, 21st-century challenges – that the government must be held accountable for the experiences of its citizens. Additionally, the order indicates, agencies impose an annual paperwork burden on the public by requiring them to complete forms and other tasks that exceed nine billion hours.

Department leaders, therefore, must reduce this burden while delivering services that people of all abilities can navigate. Human-centered design, customer research, behavioral science, user testing, and additional engagement efforts should come together to drive CX, according to the order.

The order arrived at a time when citizen satisfaction with U.S. government services has declined over the past four straight years. Satisfaction is now at a historic low — scoring 63.4 out of 100, according to research from the American Customer Satisfaction Index (ACSI). In categorizing satisfaction levels, the ACSI found the government’s “ease of accessing and clarity of information” score declined from 71 out of 100 to 67 in two years. Website quality declined from 75 out of 100 to 70 within the same period.

Beyond the order, the Office of Management and Budget (OMB) published additional guidance that identifies key CX drivers, including service effectiveness, ease and simplicity, and efficiency and speed. As agencies focus on these criteria, they need to find a way to monitor and measure progress – especially as the vast majority of them are making a significant transition to the cloud: Nine of ten federal IT leaders say their agency now uses the cloud in some form, with 51 percent opting for a hybrid cloud model. These leaders indicate that they will migrate 58 percent of their applications to the cloud within the next 12 to 18 months.

Observability tools – which capture all interactions and transactions in an automated, intelligent manner – will enable effective monitoring whether in the cloud or on-premise. This includes user session replays, which will pinpoint the causes of negative CX. When combined, key metrics can generate an accurate CX index score.

But which metrics should your agency consider? Here are five essential ones:

  1. Transaction completion time. The unavoidable truth is all users are busy. If citizens apply for a passport, they know what they want and they want to get it done now. If they encounter delays during the form-filling process or the final “Click here to submit application or purchase” stage, it will lead to a negative CX.
  2. Page load time. This clearly influences transaction time and CX. If it takes more than five seconds to load a page, users often become frustrated and may leave the site.
  3. Rage clicks. When a website loads slowly or freezes, users sometimes click a button five or six times – e.g., rage clicking. Tools such as session recordings can measure this, too.
  4. Abandonment rate and data. Agencies need to track how often users abandon a transaction. Then, they should investigate the source of the abandoned task: Which stages of the process are slow or confusing for users, to the point where they quit in frustration? Once IT pros have identified those stages, they can prioritize what to address first.
  5. Conversion rate. This goes up as the abandonment rate goes down. How often do users cross the finish line (with a completed transaction or query) when they interact with an agency? The higher the conversion rate, the more satisfied the customer.

Observability tools provide AI-enabled monitoring, which automatically tracks and provides visibility into these five metrics, among many others. AI will also auto-remediate issues that metrics expose. This allows agencies to measure progress as they focus on better CX.

The federal government doesn’t sell hamburgers, smartphones, or streaming content. It delivers noble services for citizens daily. But, as with major companies in private industry, we should always seek to measure and continuously improve public-sector CX.

Ensuring positive experiences is all about awareness, proactivity, and instinct regarding user needs. The federal government’s increased commitment to improving the digital CX is heartening, but agencies will never know how they are doing if they can’t measure system performance.

That’s why agencies should consider the five metrics summarized here as a starting point for measuring the success of users’ online interactions. They must arrive at a logical breakdown of what customers need and use comprehensive metrics to improve systems at every transaction level. With automatic and intelligent observability, agencies gain a holistic view of their technology environments that’s required to deliver seamless customer experiences.

Unlocking the Benefits of 5G and Beyond

By Michael Zurat, Senior Solutions Architect, General Dynamics Information Technology (GDIT)

5G technology has the potential to be transformative for businesses and consumers, as well as for the U.S. government. 5G can provide the enabling connectivity to drive digital transformation from a paperless digital Internal Revenue Service, to enabling the Postal Service to outperform Amazon, to providing zero latency situational awareness to our first responders and warfighters at the point of need.

The Department of Defense (DoD) understands that leveraging both purpose-built private 5G (P5G) and operating over commercial wireless networks managed by mobile network operators (MNOs) in support of their mission is critical to keep pace and provide our warfighters with technical superiority on the battlefield. This is evidenced by recent new projects as part of its Innovate Beyond 5G program and recent DARPA programs.

These include: a new industry-university partnership to jumpstart 6G systems; research on open radio access networks (ORAN); security and scalability for spectrum sharing and; efforts to increase resiliency and throughput for wireless tactical communications for the warfighter, and DARPA’s efforts to research securely operating over MNO networks globally.

As 5G technology becomes more widely available and as we look ahead to what’s next, it’s important for agencies of all types to consider both the risks and opportunities associated with 5G and other new wireless networking technologies – and the drastic changes the technology introduces at all levels of wireless architecture from network core, to edge compute, to radio, and RF spectrum.

First, the Risk

Spectrum is a finite resource. Like land, they’re not making more of it, and new players emerging in the space have only increased demand for it. The recent announcement that the Federal Communications Commission intends to continue to release spectrum capacity for commercial uses will put the DoD and its early-stage experimentation at the mercy of commercial mobile network operators unless the department invests heavily in next-generation wireless technology. In the meantime, it will be important for the government to adequately manage spectrum capacity for critical civilian and defense needs and work closely with industry and radio manufactures to ensure all devices meet the same standards for interference or RF filtering and shielding.

Another inherent risk: Playing catch up. Many other countries – including some near peers – are farther ahead than we are when it comes to implementing commercial 5G. The window of opportunity for the U.S. defense industrial and commercial base to catch up, or to leapfrog those nations’ advancements, is rapidly closing.

Now, the Opportunities

5G is being used today across a variety of industries and agencies. You’ve no doubt seen cell phone companies’ commercials touting the benefits of 5G and making claims about what it can offer. And a few in some sectors, agencies, and companies are rolling out their own private 5G networks. These networks, however, are only the tip of the 5G “iceberg.” 5G networks available commercially today in the U.S. are non-standalone networks – basically 4.5G – leveraging new radio spectrum but at the core leveraging legacy LTE equipment. Once fully 5G stand-alone compliant services are available we will see the full potential of the 5G feature set.

In the Federal space, 5G is being used to support experiments at the DoD as well as initial P5G production pilots at air, sea, and land bases across the U.S. The Department of Veteran Affairs has leveraged MNO-provided 5G to support virtual reality (VR) and augmented reality (AR) surgery training at the Palo Alto Medical Center. The Federal Bureau of Prisons has deployed private wireless at correctional facilities across the country to provide inmates with video and audio chat with those outside, as well as on-demand network and training access.

At GDIT, we see 5G as an enabler for digital transformation and industry 4.0 – for everyone from warfighters in theater, to first responders to scientists in remote locations using edge devices to engineers collaborating on digital twin simulations. In our 5G Emerge Lab, we test and demonstrate 5G technologies alongside our customers. The lab is a place to convene and train skilled talent, assess emerging 5G solutions, and work with partners to innovate and rapidly develop new ones. It allows us to prototype and prove capabilities in response to customer requirements, to test and compare vendor technology, and to interact with the latest 5G technologies and then use that knowledge in support of all our customers.

We look forward to continuing to conduct our research and develop 5G innovations in partnership with our customers so that we can help accelerate progress on 5G and next generation wireless across the Federal government, enabling agencies to look ahead to what’s next and to expand their capacity to deliver on their missions.

The Federal Factory of the Future: How AI is Transforming Manufacturing

By: Bob Venero, President & CEO, Future Tech Enterprise, Inc., Ftei.com

Manufacturing is all about operational efficiency – make it quicker, cheaper, and ship it for less. For this reason, the industry has long been at the forefront of the application of new technologies, finding creative solutions to increase production and decrease costs.

Basically, how can we innovate faster while still prioritizing safety?

There is a mood of cautious optimism in the industry, and companies still wary of ongoing turbulence are using this time to invest in the future. In manufacturing – including manufacturing for Federal organizations and by Federal contractors – that future lies in artificial intelligence (AI).

Intelligent Design

A recent study from MeriTalk found that almost all – ninety-five percent – of Federal technology leaders feel that the appropriate use of artificial intelligence (AI) could supercharge the effectiveness of government and benefit the American people.  Michael Shepherd, a senior distinguished engineer at Dell Technologies, says increased adoption of AI represents a “tremendous amount of opportunity” for Federal agencies, despite the workforce challenges.

Investing in AI “is going to make a difference,” Shepherd said in a recent interview with MeriTV. “I guarantee you, it’s happening in other countries, and we need to have that same level of investment here in the U.S. as well, especially within the armed forces and the Federal government.”

One of the many areas where that impact is significant is within manufacturing – from smart factories that can adjust production to meet evolving needs; to predictive maintenance that reduces equipment downtime and maximizes fleet readiness.

Manufacturing has been going digital for about a decade, leading some to christen this period the “Third Industrial Revolution”.

Direct automation, reduced downtime, 24/7 production, lower operational costs, greater efficiency, and faster decision making are just some of the rewards on offer to organizations that embrace the transformation and master the implementation of AI throughout their entire business.

The process of introducing AI is not without its challenges – it’s highly complex, costly, time-consuming, and requires a systematic approach. Just four in ten Federal IT leaders say they feel completely prepared for AI project implementation, with the lack of resources and available talent noted as the biggest roadblocks – ahead of budget.

But those that jump in earliest will gain a competitive edge. For example, John Deere debuted a fully autonomous tractor during CES 2022, powered by artificial intelligence and in development for over 20 years. The technology is now advancing so rapidly that organizations that don’t make their move into AI soon will find themselves falling behind.

Three Areas of Transformation

AI in manufacturing is often associated with futuristic robots, and for good reason. According to Global Market Insights, the industrial robotics market is forecasted to be worth more than $80 billion by 2024. But most (if not all) AI applications are software, and can improve a wide variety of functions for a manufacturer.

  1. Maintenance – In manufacturing, the greatest value from AI can be created by using it for predictive maintenance(generating more than $0.5 trillion across the world’s businesses). AI’s ability to process massive amounts of data means it can quickly identify anomalies to prevent breakdowns or malfunctions. The problem is getting that data. To scale requires more data, which requires more computing power to process. In fact, data preparation for AI systems is still 80-90% of the work needed to make AI successful.

One workaround might be the use of synthetic data, created “algorithmically” instead of real-world. Manufacturers are able to use synthetic data to build “digital twins” of their own datasets to test performance, improve functionality, and speed-up development so they can scale faster.

Enabling users to create precise digital twins is one thing Future Tech’s partner, NVIDIA, is making easier with its NVIDIA Omniverse Enterprise.

NVIDIA Omniverse Enterprise is a virtual environment enabling creators, designers, and engineers to connect major design tools, assets, and projects to collaborate and iterate in a shared virtual space.

Omniverse Enterprise is built on NVIDIA’s entire body of work, allowing users to simulate shared virtual 3D worlds. Here is the key part: these shared virtual worlds obey the laws of physics.

And, by doing that, Omniverse Enterprise enables photorealistic 3D simulation and collaboration. This in turn allows users to simulate things from the real world that cannot – and in many cases should not – be first tested in the real world.

To date, NVIDIA has demonstrated great success for Omniverse Enterprise in numerous industries, including aerospace, architecture, automotive, construction and design, manufacturingmedia, and sensors.

  1. Safety – Optimizing safety on the factory floor is a critical consideration for any manufacturer. Advanced technologies are now focused on how to improve both factors at the same time.

Recent advances in AI can help catch compliance violations, enhance plant processes, and support better design and process flows.

Other AI-powered safety measures include being able to immediately detect whether employees are wearing the right type of gloves or safety goggles for a specific situation. Background process analytics can also be run to estimate potential for fatigue, reminding people when to take breaks.

  1. Quality Control – Within the manufacturing industry, quality control is the most important use case for AI. Everybody makes mistakes, even robots. Defective products and shipping errors don’t just cost companies millions, they also damage reputations and jeopardize safety. Now, AI can inspect the products for us.

Using special cameras and IIoT (industrial internet of things) sensors, products can be analyzed by AI software to detect defects automatically. The computer can then make decisions on what to do with the defective products, cutting down on waste. Better yet, the AI will learn from the experience so it doesn’t happen again.

Futureproof

As advances in AI take place over time, one day we might see fully-automated factories, product designs created with limited human oversight, and innovations we have not yet considered. Smart manufacturing environments will be there to help us build them.

The Quantum Impact on Cyber

By Dr. Jim Matney, Vice President and General Manager, DISA and Enterprise Services, at General Dynamics Information Technology (GDIT)

As almost any cybersecurity professional would tell you, you can’t reliably know what vulnerability a hacker will find and exploit. To avoid an attack, your defenses must be right 100 percent of the time. The hacker only must be right once.

Quantum computing turns that all on its head. Why? Two reasons.

First, quantum computers are exponentially more efficient than classical computers for certain problems and can support more advanced and complex compute applications. The emergence of quantum as a compute resource for solving specific computing challenges is at the same time full of promise and peril.

Second, some encryption algorithms being used today can be hacked with already-built quantum algorithms. For a long time, that was fine because there were not quantum computers big enough or fast enough to crack them (i.e., crypto-analytically relevant quantum computers or CRQC). But that’s changing. American adversaries are investing heavily in the quantum computing space, making the threat of quantum-based attacks against our encryption algorithms a much more compelling one.

Moreover, we are reliant on encryption because the networks our data travel on can be intercepted. A persistent fear is that – even if bad actors can’t yet do anything with our data – they can harvest it now, store it, and play it back later.

So, what are Federal agencies to do in the face of this reality?

As the National Institute of Standards and Technology (NIST), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) all advise, agencies should continue to conduct good cyber hygiene practices and not yet purchase enterprise quantum-resistant algorithm solutions, except for piloting and testing. NSA expects a transition to quantum resistant algorithms will take place by 2035 once a national standard is adopted. In the meantime, however, CNSA (Commercial National Security Algorithm) 1.0 and 2.0 algorithms offer the benchmarks for national security systems.

Additionally, agencies should take stock of their cryptological assets and ensure they have confidence that their scans are not missing particular devices or data stores and connections to internet of things (IoT) and peripheral devices. Agencies should also ensure they have a clear understanding and rating of the criticality and sensitivity of the various sets of data within their organization. While all data is important, bandwidth and resource limitations do exist, so agencies must develop a road map that ensures the highest-sensitivity data is secured first.

These are good practices in line with a zero trust approach, but the quantum threat provides extra impetus for getting this done as soon as possible. In addition, the White House issued a national security memorandum that sets the requirements for Federal agencies to prepare for this threat.

GDIT has developed a framework to help agencies prepare for the quantum threat and navigate the new standards that will ultimately be issued for agencies to implement, which are expected from NIST by 2024. The GDIT Quantum Resilience Framework is a risk-based, post-quantum cryptography implementation approach. It includes these steps:

Assess Risk

Begin by looking at your overall encryption risk profile. Some algorithms will be severely impacted by quantum computing, and some will be less impacted. Agencies should know where they are in relation to the latest NIST encryption standards and understand the risks of not being up to date.

Analyze Impact

Examine what encryptions are used throughout your organization and what services they support. This can include web browsing, email, digital signatures, message digests, key exchanges, VPN, enterprise data center transport and data at rest. Determine which ones are most important to protect and understand the impact of a potential quantum-enabled attack.

Prioritize Actions

With the impact assessment complete, create a risk response strategy (e.g., accept, avoid, transfer, or mitigate). Then, prioritize your risk categories (critical, high, medium, low) and define risk tolerance statements for each. In these statements, articulate what actions you’ll take, in what order, who will perform them, and on what time horizon.

Examine Solutions

Once you’ve prioritized the actions to take to protect critical services, examine the available solutions to address them. There should be no appetite for accepting risk where there is an approved quantum-resistant solution available. Agencies should explore viable near-term solutions to counter the “harvest and replay later” threat. Long-term solutions should be based on approved NIST and/or NSA standards.

Implement

Implementing quantum-resistant algorithms that drive resiliency is a logical next step, once NIST has fully vetted and provided guidance. Part of the implementation process involves following the risk prioritization schedule and being clear about what solutions will be implemented in what sequence.

Track to Completion

Agencies should be sure to track and document their solution implementation. This will provide a roadmap for future updates when new standards are released.

Monitor Continuously

As with anything cybersecurity-related, agencies should continuously monitor their encryption risk. Expect standards and solutions to be updated frequently in line with quantum advancements, as well as the advancements in the sophistication of hacking techniques.

To be quantum resilient across the enterprise, agencies should plan and budget for these activities now so that they can be prepared to implement new solutions as soon as the new standards are released. The goal is to conduct proactive planning that drives future security; to improve trust in data confidentiality and integrity; to lower the risk of the pending quantum threat to current encryption algorithms; and to consistently broaden awareness of quantum’s impact to cybersecurity across the enterprise.

How Next-Gen Computers Will Transform What’s Possible for Federal Government

The Accenture Federal Technology Vision highlights four technology trends that will have significant impact on how government operates in the near future. Today we look at Trend #4, Computing the Impossible: New Machines, New Possibilities.

When Intel launched the Intel® 4004 processor in 1971, the first general-purpose programmable processor was the size of a small fingernail and held 2,300 transistors. Today, state-of-the-art microprocessors pack in 60 billioneven 80 billion – transistors.

For federal agencies, the trend towards ever-more-powerful computers has driven significant new efficiencies and discoveries. Yet, we are now approaching the physical and engineering limits of Moore’s Law, the guiding framework for computing advancements over the past five decades. In its place, new computing approaches are emerging, fueling a range of new federal use cases.

Quantum computers, high-performance computers (HPC), and even bio-inspired computing all promise to accelerate innovation and expand upon existing capabilities in the federal space.

Federal leaders are bracing for impact. In a survey by Accenture, ninety-seven percent of U.S. federal executives say their organization is pivoting in response to the unprecedented computational power that is becoming available. The same percentage report that their organization’s long-term success will depend on leveraging next-generation computing to solve the seemingly unsolvable problems.

With ever-more-powerful machines coming to the fore, agencies need to start thinking now about how to make best use of these emerging capabilities in order to take full advantage of the opportunities they present.

What’s Coming

Among next-generation computing types, quantum is currently receiving the most attention because it promises to be so disruptive and transformative. Quantum computers use “qubits,” which can be both 1 and 0 simultaneously, rather than being restricted to one or the other. This quality of qubits enables quantum computers to run more complicated algorithms, tackle millions of computations simultaneously, and operate far faster than traditional computers.

Quantum machines are well-suited for solving optimization problems incorporating large numbers of factors and criteria, giving greater visibility to the entire landscape of possible solutions to decision-makers. The most immediate use cases for this type of capability includes greater efficiencies in scheduling or supply chains, as well as support for the financial services or manufacturing industries.

Then there’s HPC, or massive parallel processing supercomputers. The most mature of the next-gen computers, HPCs help organizations leverage large volumes of data that may be too expensive, time-consuming, or impractical for traditional computers to handle.

HPCs typically rely on different hardware and system designs – where multiple computing processors, each tackling different parts of a problem, are connected together to operate simultaneously. This enables them to solve more complex problems that involve large amounts of data.

HPC is already having an impact for federal agencies. The Energy Department’s National Renewable Energy Laboratory is developing its Kestrel supercomputer to answer key questions needed to advance the adoption of cleaner energy sources. And three federal departments – Health and Human Services, Veterans Affairs, and Energy – have jointly leveraged HPC to accelerate COVID-19 research.

Waiting in the wings is “biocomputing,” which relies on natural biological processes to store data, solve problems, or model complex systems in fundamentally different ways. It could have implications especially for data storage: One estimate predicts DNA could store an exabyte of data in just one cubic centimeter of space, with great reliability.

A related capability, “bio-inspired computing” draws inspiration from biological processes to address challenges in areas such as chip architectures and learning algorithms. Pilots have shown this emergent field can deliver benefits like greater power efficiency, speed, and accuracy in solving more complex problems.

These examples help to demonstrate the potential for advanced computing to enhance the federal mission. In fact, 68 percent of U.S. federal executives say quantum computing will have a breakthrough or transformational positive impact on their organizations in the future, while 55 percent say the same for high-performance computing.

Forging Tomorrow’s Agencies

Next-generation computing will have ripple effects on the federal government, whether agencies act or not. The computers that will create and fuel the next generation of government and industry are already being built, and agencies need to be part of this wave or risk being swept away by it.

One of the most well-known effects is quantum computing’s forecasted impact on cybersecurity. The clock is currently counting down to Q-day, or the day when everything that runs on computer systems – our financial accounts, government secrets, power grids, transportation systems, and more – may suddenly become susceptible to quantum-powered cyberattacks.

Q-day is an event with incredibly serious implications for national security and the day-to-day operations of our digitally connected society. Comprehensive new approaches to cybersecurity – such as crypto-agility – will be needed to prepare agencies’ security architectures for this day.

For decades, computers that could efficiently solve the world’s grand challenges have been nothing more than theoretical concepts. But enterprises can’t afford to think about them in the abstract any longer. They are rapidly improving, and their impact on our most fundamental problems and parameters may be the biggest opportunity in generations.

The agencies that start anticipating a future with these machines will have the best shot at taking full advantage of the opportunities available, while preparing for the risks.

Learn more about how agencies can capitalize on next-generation computing in Trend 4 of the Accenture Federal Technology Vision 2022: Computing the Impossible.

Authors:

  • Chris Copeland: Managing Director – Chief Technology Officer
  • Chris Hagner: Managing Director – Technical Innovation and Engineering Lead, National Security Portfolio
  • Justin Shirk: Managing Director – Cloud GTM Lead, National Security Portfolio
  • Mimi Whitehouse: Emerging Technology Senior Manager
  • Garland Garris: Post-Quantum Cryptography Lead
  • Mary Lou Hall: Chief Data Scientist, Defense Portfolio

Agencies Must Take an Authentic Approach to Synthetic Data

The Accenture Federal Technology Vision 2022 highlights four technology trends that will have significant impact on how government operates in the near future. Today we look at Trend #3, The Unreal: Making Synthetic Authentic.

Artificial intelligence (AI) is one of the most strategic technologies impacting all parts of government. From protecting our nation to serving its citizens, AI has proven itself mission critical. However, at its core, there is a growing paradox.

Synthetic data is increasingly being used to fill some AI methods’ need for large amounts of data. Gartner predicts that 60 percent of the data used for AI development and analytics projects will be synthetically generated by 2024. Synthetic data is data that, while manufactured, mimics features of real-world data.

At the same time, the growing use of synthetic data presents challenges. Bad actors are using these same technologies to create deepfakes and disinformation that undermines trust. For example, social media was weaponized using a deepfake in the early days of the Russian-Ukrainian War in an unsuccessful effort to sow confusion.

In our latest research, we found that by judging data based on its authenticity – instead of its “realness” – we can begin to put in place safeguards needed to use synthetic data confidently.

Where Synthetic Data is Making a Difference Today

Government already is leveraging synthetic data to create meaningful outcomes.

During the height of the COVID crisis, for example, researchers needed extensive data about how the virus affected the human body and public health. Much of this data was being collected in patients’ electronic medical records, but researchers typically face barriers in obtaining such data due to privacy concerns.

Using synthetic data, a wide array of COVID research was artificially generated and informed by – though not directly derived from – actual patient data. For example, the National Institutes of Health (NIH) in 2021 partnered with the California-based startup Syntegra to generate and validate a nonidentifiable replica of the NIH’s extensive database of COVID-19 patient records, called the National COVID Cohort Collaborative (N3C) Data Enclave. Today, N3C consists of more than 5 million COVID-positive individuals. The synthetic data set precisely duplicates the original data set’s statistical properties but with no links to the original information so it can be shared and used by researchers around the world trying to develop insights, treatments, and vaccines.

The U.S. Census Bureau has leveraged synthetic data as well. Its Survey of Income and Program Participation (SIPP) gives insight into national income distributions, the impacts of government assistance programs, and the complex relationships between tax policy and economic activity. But that data is highly detailed and could be used to identify specific individuals.

To make the data safe for public use, while also retaining its research value, the Census Bureau created synthetic data from the SIPP data sets.

A Framework for Synthetic Data

To create a framework for when using synthetic data is appropriate, agencies can start by considering potential uses cases, to see which ones align with mission.

For example, a healthcare organization or financial institution might be particularly interested in leveraging synthetic data to protect Personally Identifiable Information.

Synthetic data could also be used to understand rare, or “edge,” events, like training a self-driving car to respond to infrequent occurrences like when debris falls on a highway at night. There won’t be much real-world data on something that happens so infrequently, but synthetic data could fill in the gaps.

Synthetic data likewise could be of interest to agencies looking to control for bias in their models. It can be used to improve fairness and remove bias in credit and loan decisions, for example, by generating training data that removes protected variables such as gender and race.

In addition, many agencies can benefit from the reduced cost of synthetic data. Rather than having to collect and/or mine vast troves of real-life information, they could turn to machine-generated data to build models quickly and more cost-effectively.

In the near future, artificial intelligence “factories” could even be used to generate synthetic data. Generative AI refers to the use of AI to create synthetic data rapidly, at great scale, and accurately. It can enable computers to learn patterns from a large amount of real-world data – including text, visual data, and multimedia – and to generate new content that mimics those underlying patterns.

One common approach to generative AI is using generative adversarial networks (GANS) – modeling architectures that pit two neural networks – a generator and a discriminator – against each other. This creates a feedback loop in which the generator constantly learns to produce more realistic data, while the discriminator gets better at differentiating fake data from the real data. However, this same technology is also being used to enable deepfakes.

Principles of Authenticity

As this synthetic realness progresses, conversations about AI that align good and bad with real and fake will shift to focus instead on authenticity. Instead of asking “Is this real?” we’ll begin to evaluate “Is this authentic?” based on four primary tenets:

  • Provenance (what is its history?)
  • Policy (what are its restrictions?)
  • People (who is responsible?)
  • Purpose (what is it trying to do?)

Many already understand the urgency here: 98% of U.S. federal government executives say their organizations are committed to authenticating the origin of their data as it pertains to AI.

With these principles, synthetic realness can push AI to new heights. By solving for issues of data bias and data privacy, it can bring next-level improvements to AI models in terms of both fairness and innovation. And synthetic content will enable customers and employees alike to have more seamless experiences with AI, not only saving valuable time and energy but also enabling novel interactions.

As AI progresses and models improve, enterprises are building the unreal world. But whether we use synthetic data in ways to improve the world or fall victim to malicious actors is yet to be determined. Most likely, we will land somewhere in the expansive in-between, and that’s why elevating authenticity within your organization is so important. Authenticity is the compass and the framework that will guide your agency to use AI in a genuine way – across mission sectors, use cases, and time – by considering provenance, policy, people, and purpose.

Learn more about synthetic data and how federal agencies can use it successfully and authentically in Trend 3 of the Accenture Federal Technology Vision 2022: The Unreal.

Authors:

  • Nilanjan Sengupta: Managing Director – Applied Intelligence Chief Technology Officer
  • Marc Bosch Ruiz, Ph.D.: Managing Director – Computer Vision Lead
  • Viveca Pavon-Harr, Ph.D.: Applied Intelligence Discovery Lab Director
  • David Lindenbaum: Director of Machine Learning
  • Shauna Revay, Ph.D.: Machine Learning Center of Excellence Lead
  • Jennifer Sample, Ph.D.: Applied Intelligence Growth and Strategy Lead

Biometrics and Privacy: Finding the Perfect Middle Ground

By Bob Eckel, CEO, Aware

Confirming the identification of the world’s most wanted man leaves no margin for error. In fact, when Osama bin Laden was killed in 2011, he was identified through facial recognition which was later confirmed by DNA analysis. Few would argue this was not a commendable use of biometrics.

Since then, biometric technology has been used in a variety of laudable initiatives designed to keep our country and citizens safe. In the past several years, U.S. Customs and Border Protection (CBP) has had tremendous success with its facial comparison system detecting criminals, terrorists and impostors trying to enter the country by using another person’s identification and travel documents. Most recently, DNA tests have helped determine if children arriving at the southern border do in fact belong to the accompanying adults or are being used as pawns.

Privacy concerns surrounding biometrics may be perceived as a gray area, but we believe the resolution lies in properly designing a system to eliminate the need for compromise. Biometrics are simply too valuable, and yet there are proven ways they can be implemented ethically, in a manner that builds the public’s trust. For instance:

Clear Opt-In/Opt-Out Procedures: Currently, the CBP is using biometrics to scan travelers at 26 seaports and 159 land ports and airports across the country. Complete privacy notices are prominently visible at locations using facial recognition, along with easy-to-understand instructions on how American citizen travelers can simply opt out of the screening. The facial recognition verification process takes less than two seconds for arrivals, and this convenience factor is a prime reason the vast majority of people opt into the system.

The CBP is often highlighted as an example among operators in terms of how to implement biometrics correctly, and this has much to do with their very clear opt-in and opt-out procedures. Everyone is fully informed of their options and as a result, people feel a sense of control.

Privacy by Design – Proper Data Storage, Processing and Protection: People often worry that the collection of biometric data in one central database makes us vulnerable to “the mother of all data breaches.” In reality, there are actually several easy ways for this to be avoided. First, an organization deploying biometrics may choose to delete data, such as facial images, within a matter of milliseconds after they are captured, used and no longer needed. In addition, organizations can make sure this data is never shared with third parties or industry partners.

There are other techniques as well, such as the “cancellable biometric” – where a distorted biometric image derived from the original is used for authentication. For example, instead of enrolling with your true finger (or other biometric), the fingerprint is intentionally distorted in a repeatable manner and this new print is used. If, for some reason, your fingerprint is “stolen,” an essentially “new” fingerprint can be issued by simply changing the parameters of the distortion process.

Biometric data can also be stored completely and separately away from other personally identifiable information (PII), meaning that even if a hacker were to be able to get access to biometric data, without accompanying PII, this data would hold no value. Finally, one of the most groundbreaking new techniques involves breaking biometric templates into anonymized bits and then storing this data in different places throughout a network, making it virtually impossible for a hacker to access complete biometric templates.

Eliminating the Potential for Bias: In the area of facial recognition, research has shown that certain biometric algorithms may not be as accurate in matching or distinguishing the facial morphologies of certain minorities – including Asians, Blacks and Native Americans – and genders.

However, facial recognition has come an extremely long way in recent years, driven by advances in machine learning and the availability of massive amounts of data for algorithm training. An algorithm’s accuracy is heavily dependent on the data it’s fed, and today’s leading ones are being trained on more diverse datasets than ever before. According to the      most recent evaluation, the top 150 algorithms are over 99 percent accurate across a variety of demographics. Even at these performance levels, we always recommend human involvement in any final decisions made in areas like crime investigation or border security, since in our view people and technology working together represent the strongest combination.

In closing, consider this law enforcement example. In crime investigations, eyewitness misidentifications are the leading cause of wrongful convictions, which are often resolved through DNA exoneration. It’s clear that we can’t afford to do away with the most accurate weapon in our arsenal – the benefits are far too vast. Rather, the key is leveraging the unmatched power of biometrics with the right privacy safeguards indelibly in place.

Two-Way Street: Why Officials and Constituents Are Equally Responsible for Securing the Midterms

By Melissa Trace, VP, Global Government Solutions at Forescout

As we approach the upcoming midterm elections, U.S. officials are on high alert for bad actors looking to target election networks and devices. Both state and non-state threat actors view our nation’s democratic processes as threats against their beliefs and see disrupting our upcoming election as a means of advancing their own agenda.

Made up of a diverse set of networks and infrastructure controls, election systems are often older, remote, or unpatched – making them attractive targets for adversaries. Additionally, while many larger communities can invest in election security, smaller localities are often budget-restricted, leaving them vulnerable to attacks.

To combat these potential system vulnerabilities, the Cybersecurity and Infrastructure Security Agency (CISA) officials have seen success in deterring threats with programs such as the Cybersecurity Toolkit and Shields Up, as well as guided exercises for election officials, and private-public partnerships. These programs have all provided comprehensive guidance for officials and private organizations to fill gaps in government policies with best practices from the private sector.

While these practices and programs help election officials handle potential threats, there are still additional steps both officials and constituents can take immediately to help ensure a free and fair U.S. election this fall.

To make the best use of the CISA Cybersecurity toolkit, election officials must ensure they are employing basic cybersecurity hygiene practices:

  1. Gain a full understanding of the network environment – in order to quickly identify vulnerable devices, officials must have both extensive visibility and understanding of what devices are connected and what operating systems they are running;
  2. Take inventory of existing security processes – this will help ensure that they are updated and functioning properly; and
  3. Identify non-compliant devices – once these devices are identified, they should be immediately quarantined and investigated.

These three steps should be continuously repeated, so the network is assessed in real-time to provide the most accurate and comprehensive risk assessment to officials. Once these basic hygiene steps are incorporated into officials’ cybersecurity routines, they can turn their attention to CISA’s Cybersecurity toolkit and upleveling its guidance.

Rather than doing just a weekly scan of the network, officials can take this recommendation to the next level by implementing real-time monitoring of their network and assets. Work from home has impacted elections and how election information is controlled, so being able to immediately identify vulnerable devices and isolate them until they are patched is vital to securing that data. Much like the rest of the population where many industries include work-from-home policies now, election workers operating remotely are also a prime target for hackers, which can lead to misinformation campaigns that may deliver incorrect information about voting locations, candidate policy positions, and more. Configuration Management Databases (CMBD) should also be updated in real-time, and continuous monitoring can help to ensure the library and patches are kept up to date. Given the shortage of election workers, automating these processes can help ensure they are followed without the need for a human to initiate the update.

The responsibility of securing the upcoming election does not just fall on election officials, but also on constituents. The average person most likely doesn’t view their home network as vulnerable, let alone a hunting ground for bad actors to access election networks, yet each household is a gateway to personal and community data. By following preventative practices, constituents can help to ensure they do not become a vector for an attack on the upcoming elections:

  1. Change your home network and device(s) default password;
  2. Deploy multi-factor authentication (MFA) whenever offered; and
  3. Inspect the home network, looking for unknown connected devices or users.

Everyone from election officials to volunteers to constituents must do their part to secure election networks and data ahead of the midterm elections. By deploying basic cybersecurity hygiene practices to all networks, both in the home and in election devices, and utilizing the comprehensive tools already available, everyone can make the 2022 midterm elections the most secure yet.

The “Programmable World” Will Bring the Best of the Virtual World Into the Physical One

The Accenture Federal Technology Vision highlights four technology trends that will have significant impact on how government operates in the near future. Today we look at Trend #2, Programmable World: Our Planet, Personalized.

What is a “programmable world?” Consider what’s going on at Tyndall Air Force Base, near Panama City, Fla. In line with the base’s ambition to be the “Installation of the Future,” the Air Force has created a digital twin of Tyndall. In March 2022, the base unveiled its new Hololab, which is the portal to access Tyndall’s digital twin and conduct “what if” scenarios and explore how new designs might look.

Using the digital twin, base planners and engineers can locate and design new flight line facilities, or better understand security vulnerabilities and conduct resilience planning. For example, planners and engineers can use the digital twin to perform storm surge modeling and simulate the effects of a big storm on the base’s critical infrastructure or conduct a range of active-shooter scenarios to optimize preparation and response planning.

This impressive technology is just one example of our increasingly programmable world – a world in which the control, customization, and automation of software is being embedded throughout our physical environments. And it will give Federal agencies greater intelligence and adaptability to tackle complex issues, including climate change, public safety, geopolitical tensions, and population health.

By overlaying integrated digital capabilities across our physical surroundings, agencies can increase the efficiency and effectiveness of Federal operations. Many see promise here: 94 percent of Federal leaders believe that programming the physical environment will be a strategic competency in the future.

And most take this even further, seeing this as not just an opportunity but a necessity. Almost all (98 percent) Federal leaders believe that leading organizations will push the boundaries of the virtual world to make it more real. That means there will be a greater need for persistent and seamless navigation between the digital and physical worlds.

We’ve been building toward the programmable world for years, with proliferating IoT networks. The global 5G rollout adds more fuel to the fire, setting the stage for more adoption of low-power, low-latency connected devices. And researchers across enterprise and academia alike are working on transformative technologies, like augmented reality glasses, new methods of manufacturing, and new kinds of smart materials. These trends – alongside advances in natural language processing, computer vision, and edge computing – will help embed digital interactions as an ambient and persistent layer across our physical environments.

Practical Outcomes

What will a programmable world mean to Federal leaders in practical terms? Consider three key use cases: smart workers, smart environments, and smart materials.

  • Smart workers — Federal workers perform all kinds of highly specialized tasks, from surgery and fixing complex machinery to securing our borders and flying jet airplanes. Technologies like augmented reality can give them superpowers to create a more agile, insight-driven workforce. In some cases, AR may be used to guide remote workers. In other instances, access to real-time information is the key to higher performance. Already, AR is being used to train both fighter pilots and case workers to better address unique situations.
  • Smart environments — A fully programmable world offers the ability to create life-like digital models of facilities or equipment. These models can then be used to explore options and run planning scenarios across a complex environment. Jet engine manufacturer Rolls-Royce, for example, is collecting real-time engine data from its airline customers to model performance in the cloud using digital twins. Using the digital twins, the company hopes to reduce unnecessary maintenance and ground time, as well as develop more sustainable flying and maintenance practices that could lower carbon emissions.
  • Smart materials — Even the materials we use to manufacture objects can be programmed to respond to interactions, and to provide deeper and more immediate insight. A Veterans Affairs Department research team at the Advanced Platform Technology Center in Cleveland, for example, developed a smart bandage that applies electrical stimulation to treat chronic wounds, also known as pressure injuries, that would otherwise struggle to heal on their own. It also records temperature readings and impedance across the wound, which inform the clinician how well the wound is healing.

Next Steps for Federal Agencies

For Federal leaders, taking advantage of the programmable world will require exploration, experimentation, and development. Agencies can start by developing a deeper understanding of the three layers that comprise the programmable world – the connected, the experiential, and the material.

Many are already investing in and deploying the foundational, connected layer; consider the push toward 5G, which is poised to be game-changing in terms of its speed and low latency.

Then, the experiential layer is about creating natural computer interfaces linking the physical and digital worlds. In the absence of keyboards and microphones, a focus on human-centered design can help create these connections by exploring how users approach and learn how to interact with new experiences, such as through the trial-and-error process of using gestures to direct complex systems.

The final layer requires understanding of how new generations of manufacturing and materials will bring greater programmability into our physical environments. Agencies can look to partner with startups and universities to stay at the forefront of real-world technology innovation in the material realm.

Cybersecurity must stay a priority at every layer. The programmable world holds tremendous promise, but it also vastly expands the attack surface available to cyber threats, putting critical networks and infrastructures further at risk. Holistic, smartly architected security frameworks, such as zero trust, will be critical to protecting these hyper-connected environments.

The increasing programmability of the material world promises to reshape Federal operations. We’re about to live in environments that can physically transform on command, that can be customized and controlled to an unprecedented degree, and that can change faster and more often than we have ever seen before. With these environments, a new arena for government innovation will be born.

Read Trend 2 of the Accenture Federal Technology Vision 2022 to explore how agencies can further prepare for the programmable world.

Authors:

  • Bill Marion – Managing Director – Defense Portfolio Growth & Strategy and Air & Space Force Lead
  • Jessica Bannasch – Digital Platforms Technology, Solutioning & Delivery Excellence Lead
  • Rick Driggers – Critical Infrastructure Cybersecurity Lead
  • Jessica Powell – Managing Director
  • Scott Van Velsor – Managing Director – DevSecOps Practice Lead

Cyberattacks are a Common Occurrence and the Costs are Higher Than Ever

By: Terry Halvorsen, general manager, U.S. Federal Market, IBM

The pandemic accelerated digital transformation, amplifying both opportunities and risks. Remote workers, new devices, partners, and integrations open organizations in ways that can radically increase their threat surface, making it less of a question of if a cyber attack will happen, but rather when. Therefore, the well-being of organizations today depends on not only protecting against and preventing cyber incidents, but also rapidly detecting, responding to, and recovering from them – and the costs prove it.

IBM recently released its annual Cost of Data Breach Report, which found that the financial cost of a data breach in 2022 reached an all-time high of $4.35 million on average. And one of the key revelations in this year’s report is that the financial impact of breaches is starting to extend well beyond the individual organization itself. We’re now beginning to see a hidden “cyber tax” paid by consumers because of the growing number of breaches. In fact, IBM found that for 60 percent of organizations, breaches led to price increases passed on to consumers. A prime example, in the wake of the 2021 Colonial Pipeline ransomware attack, gas prices rose 10 percent on a temporary basis, and some of this increase can be attributed to that attack.

While certain factors can exacerbate breach costs, such as focusing on responding to data breaches versus preventing them, there are other factors, including a zero trust strategy, that can help mitigate the financial and mission impacts of a breach.

  • Slow down bad actors with zero trust. The study found that organizations who adopt zero trust strategies pay on average $1 million less in breach costs than those who don’t. Instead of trusting that security defenses will succeed, zero trust assumes that an adversary’s attack won’t fail. To put a twist on an old Washingtonian phrase: don’t trust but still verify. Taking this approach helps organizations buy more time and slow down bad actors. It eliminates the element of surprise and moves away from patrolling a perimeter 24×7 – a strategy that has already crumbled at the feet of today’s digital revolution. In the year since the White House issued its cybersecurity executive order outlining a mandatory zero trust security strategy for the federal government, agencies are making progress toward their zero trust security goals. However, there’s still more work to be done specifically related to implementation. Assessing your current environment and properly defining what you’re trying to achieve will make for a higher probability of success. Zero trust is a journey, and patience is key.
  • Reduce the data breach lifecycle with security AI and automation. A zero trust approach helps slow down bad actors, which ultimately helps reduce costs. Security AI and automation can go hand in hand, also helping to reduce the time and ultimately costs of a data breach, by shortening the total breach lifecycle. With 62 percent of organizations stating that they are not sufficiently staffed to meet their security needs, using AI to automate certain repetitive tasks, for example, can help address today’s security skills shortage while also positively impacting response times and security outcomes. This year’s report found that organizations with fully deployed security AI and automation can pay an average of $3.05 million less in breach costs than those that don’t – the biggest cost saver observed in the study. For those organizations with fully deployed AI and automation, it took an average of 74 days less to identify and contain a breach (known as the breach lifecycle), compared to those with no security AI or automation deployed.
  • Enhance preparedness by testing, creating and evolving incident response playbooks. Zero trust makes it harder for attackers to gain access, but it doesn’t make it impossible. Incident response planning and capabilities can supplement by helping organizations quickly and effectively respond to security incidents and ultimately save costs associated with data breaches. In fact, the study found on average data breaches cost $2.66 million more for organizations that don’t have an incident response team or test their incident response plan compared to those that have both ($3.26 million vs. $5.29 million). That represents a 58 percent cost savings, compared to 2020 when the cost difference was only $1.77 million.

With the cost of a data breach higher than ever, it’s clear that the pressure on chief information security officers (CISOs) is not likely to let up anytime soon. The right strategies and technologies can help organizations across industry and government get their cybersecurity houses in order and may hold the key to reducing breach costs.

Increasing Equity Through Data and Customer Experience

By: Santiago Milian, Principal, Booz Allen; and Jenna Petersen, senior lead technologist, Booz Allen

From housing assistance to community health to closing the digital divide, equity is on the agenda of multiple Federal agencies. But making Federal services more equitable demands a close look at how constituents experience them.

Do services address the full breadth of a constituent’s challenges and needs? Are people able to get what they need with minimal delays and frustration? And are programs being tracked and held accountable for results?

Progress – and Gaps – in Customer Experience

Federal agencies have been improving in these areas. For the second year in a row – and even during a global pandemic and political turbulence – Federal agencies have improved their collective scores for customer experience (CX), according to a 2021 Forrester report. But the average Federal CX score – 62.6 out of 100 points – still lags behind the private sector average by a full 10.7 points.

These metrics matter. When private sector companies fall behind, they know immediately through their revenues and stock prices. Public sector organizations must also track progress to gain and retain trust amongst the public, maintain accountability, and shape future funding decisions related to CX and equity.

This is where data collection and analysis come in, increasing program accountability and transparency in order to improve the public’s trust and confidence. But tracking CX progress is just one way in which data can lead to greater equity in Federal services.

Data Ensures Services Reflect the Full Complexity of Needs

Many factors affect how a person experiences inequity. Consider, for example, the homebuying experience. What’s holding underserved homebuyers back from their goals, and how can a Federal program help?

Potential homebuyers may lack the kind of support network that helps establish credit history or overcome weaker credit ratings. They may experience racism or unconscious bias from lenders, real estate professionals, and appraisers, or may simply fall victim to the systemic biases built into the credit system itself. Based on their personal experiences or those of their close personal networks, they may not see homeownership as an achievable goal or a means toward financial security, or they may not trust in the underlying systems that support the homeownership ecosystem.

Data, both qualitative and quantitative, helps Federal agencies understand how inequities persist, how they affect people’s lives, and how they can be overcome. Among these complexities, Black women may face different challenges than Black men due to the intersectionality of race and gender. People with multiple underserved identities often face multiple burdens. Analyzing intersectional data ensures that constituents with multiple identities and challenges have their unique needs met, too.

In short, data helps Federal agencies center underserved constituents in their efforts—one of the core tenets of equity.

Lowering the ‘Time Tax’ With Data and Trust

Equitable services are easy for people to access. To find out how a program rates in this area, consider the following questions. Are eligibility criteria transparent? Is maintaining eligibility burdensome? Do those in most need know what’s available?

Difficulty navigating the issues above results in a “time tax” of delays and frustrations. This time tax is often highest for those with the fewest resources.

Federal agencies can use data to reduce the time tax, creating a comprehensive picture of challenges, needs, services constituents already participate in, services they’ve applied for, and services they are eligible for. With all of this information in one place like a cross-government CRM, the government can use this data to proactively serve customers with all the benefits for which they are eligible.

Meanwhile, staff can use pre-existing data and cross-agency collaboration to process applications and approvals more swiftly. Take, for example, the rapid mailing of millions of stimulus checks during the COVID-19 pandemic. Thanks to IRS data, the government already knew about income – and this saved administrative staff and recipients time and hassle.

Making this work requires trust. Agencies must engage more directly and meaningfully with traditionally underserved populations. They will need to understand their perspectives, challenges, and drivers for their behavior, and they will need to rebuild trust such that the traditionally underserved are willing to engage once again. Finally, agencies must be transparent about data collection and use: allaying fears of discrimination and communicating the benefits of data sharing.

With these tactics and caveats in mind, Federal agencies can turn knowledge into power, to deliver the American people more equitable experiences and more responsive services.

The AI Edge: Why Edge Computing and AI Strategies Must Be Complementary

By: John Dvorak, Chief Architect, North America Public Sector, Red Hat

If you’re like many decision-makers in Federal agencies, you’ve begun to explore edge computing use cases. There are many reasons to push compute capability closer to the source of data and closer to end users.

At the same time, you may be exploring or implementing artificial intelligence (AI) or machine learning (ML). You’ve recognized the promise of automating discovery and gaining data-driven insights while bypassing the constraints of traditional datacenters.

But if you aren’t actively combining your edge and AI strategies, you’re missing out on transformative possibilities.

Edging Into AI at Federal Agencies

There are clear indicators that edge and data analytics are converging. For starters, data creation at the edge will surge a compounded 33 percent through 2025 to account for more than one-fifth of data, according to IDC. By 2023, data analytics pros will focus more than 50 percent of their efforts on data created and analyzed at the edge, Gartner predicts.

It’s no wonder that 9 in 10 Federal technology leaders say edge solutions are very or extremely important to meeting their agency’s mission, according to Accenture. And 78 percent of those decision-makers expect edge to have the greatest effect on AI and ML.

Traditionally, agencies need to transmit remote data to a datacenter or commercial cloud to perform analytics and extract value. This can be challenging in edge environments because of increases in data volumes, limited or no network access, and the increasing demand for faster decision-making in real time.

But today, the availability of enhanced small-footprint chipsets, high-density compute and storage, and mesh-network technologies is laying the groundwork for agencies to deploy AI workloads closer to the source of data production.

Getting Started With Edge AI

To enable edge AI use cases, identify where near-real-time data decisions can significantly enhance user experiences and achieve mission objectives. More and more, we’re seeing edge use cases focused on next-generation flyaway kits to support law enforcement, cybersecurity and health investigations. Where investigators once collected data for later processing, newer deployment kits include the advanced tools to process and explore data onsite.

Next, identify where you’re transmitting large volumes of edge data. If you can process data at the remote location, then you only need to transmit the results. By moving only a small fraction of the data, you can free up bandwidth, reduce costs and make decisions faster.

Take advantage of loosely coupled edge components to achieve necessary compute power. A single sensor can’t perform robust processing. But high-speed mesh networks allow you to link nodes, with some handling data collection, others processing, and so on. You can even retrain ML models at the edge to ensure continued prediction accuracy.

Infrastructure as Code for Far-Flung AI

A best practice for AI at the edge is infrastructure as code (IaC). IaC allows you to manage network and security configurations through configuration files rather than through physical hardware. With IaC, configuration files include infrastructure specifications, making it easier to change and distribute configurations, and ensuring that your environment is provisioned consistently.

Also consider using microservices and running them within containers and automating the iterative deployment of the ML models into production at the Edge with DevSecOps capabilities such as CI/CD pipelines, GitOps, etc. Containers provide flexibility to write code once and use it anywhere.

You should seek to use consistent technologies and tools at the edge and core. That way, you don’t need specialized expertise, you avoid one-off problems, and you can scale more easily.

Edge AI in the Real World (and Beyond)

Agencies from military to law enforcement to those managing critical infrastructure are performing AI at the edge. One exciting and extreme-edge example is space and, specifically, the International Space Station (ISS).

The ISS includes an onsite laboratory for performing research and running experiments. In one example, scientists are focused on the DNA genome sequencing of microbes found on the ISS. Genome sequencing produces tremendous amounts of data, but scientists need to analyze only a portion of it.

In the past, the ISS transmitted all data to ground stations for centralized processing – typically many terabytes of data with each sequence. With transitional transmission rates, the data could take weeks to reach earth-based scientists. But using the power of containers and AI, research is completed directly on the ISS, with only the results being transmitted to the ground. Now analysis can be performed the same day.

The system is simple to manage in an environment where space and power are limited. Software updates are pushed to the edge as necessary, and ML model training takes place onsite. And the system is flexible enough to handle other types of ML-based analysis in the future.

Combining AI and edge can enable your agency to perform analytics in any footprint and any location. With a common framework from core to edge, you can extend and scale AI in remote locations. By placing analytics close to where data is generated and users interact, you can make faster decisions, deliver services more rapidly and extend your mission wherever it needs to go.

How Metaverses and Web3 can Reshape Government

The Accenture Federal Technology Vision 2022 analyzes four emerging technology trends that will have significant impact on how government operates in the near future. Today we look at Trend #1, WebMe: Putting the Me in Metaverse.

In the wake of the pandemic, people’s digital and “real world” lives are melding. Accenture research found that 70% of consumers globally report spending substantially more time online, and 38% of agree that their digital life is increasingly becoming their “real life.”

Alongside this, two distinct technology shifts are taking place: the rise of metaverses, and the arrival of Web3. Together they are driving a shift towards a more decentralized and human-centric internet. Federal leaders will need to prepare for this profound shift – and some agencies are already starting to dip their toes into this new future.

For example, the U.S. Army is building a Synthetic Training Environment (STE), which aims to revolutionize the Army’s entire training paradigm by allowing units and soldiers to conduct realistic, multi-echelon, collective training anywhere in the world. Currently scheduled to be fully operational in 2023, the STE will combine live, virtual, constructive, and gaming training environments that simulate real-world terrain in its full complexity.

Together, the metaverse and Web3 create tremendous opportunities for federal agencies, most notably around modeling complex interactions in real-time, whether they be on the battlefield, in major cities, in warehouses and other large facilities, or on public lands. At the same time, they enable more powerful collaboration, whether that be a training scenario or engaging with an increasingly digitally-minded audience. Together, these two developments are building a more immersive, more impactful digital world for government to explore and use to further its missions.

Breaking Down the Metaverse and Web3

With still-emerging concepts, it’s important to define our terms. We see the metaverse as enabling users to move beyond browsing, toward inhabiting and participating in a persistent shared digital experience. Web3 refers to the use of technologies like blockchain and tokenization to build a more distributed data layer into the internet.

In practical terms, we can think of metaverses as 3D digital environments where people can explore, play, socialize, experience, train, collaborate, create, and interact with others. A range of emerging creation tools, platforms, and technologies are taking this beyond the realm of video games to provide immersive experiences for consumers shopping, employees training, and more.

Web3 deepens that experience, introducing a data framework that generates the veracity, trust, and consensus that the virtual world has often lacked. By building services and applications atop often permissionless blockchains outfitted with open protocols and open standards, Web3 will allow for more freedom, decentralization, and democracy for individual users, content creators, and projects.

Many in government are already looking ahead toward the rise of the metaverse and Web3. Nearly two-thirds of U.S. federal government executives (64%) say that the metaverse will have a positive impact on their agency, with 25% calling it breakthrough or transformational. Of those anticipating the most significant impact, 94% believe it will happen in the next four years.

While both the metaverse and Web3 present interesting possibilities on their own, federal leaders should be especially attentive to the coming together of these two trends. Specifically, Web3 infuses the context, ownership and interoperability needed to transform the metaverse into a thriving community.

Federal Agencies are Helping Build the Metaverse

While this may all sound a bit fantastical, federal agencies are already exploring the possibilities.

The Veterans Health Administration Innovation Ecosystem Extended Reality Network is exploring new care models using extended reality for veterans suffering from post-traumatic stress disorder (PTSD), anxiety, depression, chronic pain, and other challenges. And the Department of Agriculture’s Forest Service is relying on AI and digital twin simulation technology in the metaverse to better understand wildfires and stop their spread. Lastly, the U.S. Air Force is pondering the creation of a space-themed metaverse and has even trademarked a name for it: SpaceVerse.

Perhaps one of the most compelling cases of a federal agency employing WebMe capabilities to design and create its own virtual environment is occurring at NASA’s Jet Propulsion Laboratory (JPL) near Los Angeles. The project team began scanning workspaces and rooms at JPL and then digitally reconstructing them. JPL employees can then wear Oculus Quest 2 headsets to attend virtual meetings in those scanned locations. The virtual space enables JPL employees to replicate the dynamic communication and collaboration needed for their complex engineering projects – even while working remotely.

Federal agencies can also leverage metaverse and Web3 technologies to optimize warehouse and logistics operations; mitigate vulnerabilities and improve resilience in industrial processes; better manage infrastructure elements; and deliver improved maintenance to weapons systems, equipment, and fleet vehicles — to name but a few of the possibilities.

Federal agencies need to start thinking now about what use cases might benefit from the immersive experience of a metaverse, and the verifiable data framework of Web3. Already, there are some standard metaverse use cases that agencies can leverage without high levels of risk. For instance, immersive technologies for training or productivity have been tested and experimented with for years.

Alongside use cases, they need to think about how they will do this: which human, technical, data, and other resources will they need — and which outside partners are best positioned to assist them — to move forward. Agencies will need to ensure they have both a solid technical foundation, as well as the skills and capabilities within their workforce to act on these opportunities.

Read Trend 1 of the Accenture Federal Technology Vision 2022: WebMe to learn more about the steps federal leaders can take to capitalize on the shift toward Web3 and the metaverse.

Authors:

  • Alejandro Lira Volpi: Managing Director – Accenture Federal Services, Financial Services Strategy Lead
  • EJ Dougherty III: U.S. Federal and Defense Extended Reality Lead, Accenture Federal Services
  • Kyle Michl: Managing Director – Accenture Federal Services, Chief Innovation Officer
  • Christina Bone: Senior Innovation Architect, Accenture Federal Services
  • Dave Dalling: Cybersecurity Chief Technology Officer, Accenture Federal Services
  • Terrianne Lord: Managing Director – Accenture Federal Services, Salesforce Delivery Practice Lead

Four Emerging Technology Trends set to Impact Government Most

By Chris Copeland, Chief Technology Officer, Accenture Federal Services; and Kyle Michl, Chief Innovation Officer, Accenture Federal Services

Both the public and private sector embraced technology to an unprecedented level in their response to the COVID-19 pandemic. This created a period of “compressed transformation” that disrupted the technology landscape dramatically. For example, the wholesale adoption of the cloud is now more common. In the pandemic’s wake, a number of emerging technologies – previously thought only to be on the distant horizon – came into clearer focus. Early adopters including federal agencies are already deploying them for enterprise impact.

In our latest Accenture Federal Technology Vision, we explore the four most prominent of these technology trends, as they are poised to up-end federal operations over the next three years. We also look at the convergence of these trends into a “Metaverse Continuum,” a spectrum of digitally enhanced worlds and business models rapidly taking shape. And in many cases, we find that the public sector is leading the way.

Through the Metaverse Continuum, the real and the virtual will merge in ways we’ve never seen before. Consider: Military pilots are already enhancing training in the metaverse, connecting live aircraft to a common augmented reality environment, up in the sky, to perform a refueling training exercise with a virtual tanker.

Using augmented reality, caseworkers are developing new interviewing skills and learning to manage stressful situations by immersing themselves in virtual experiences – complete with frantic parents, distracted children, and ringing phones.

The Metaverse Continuum will transform how federal government operates and its building blocks are being laid today. Extended reality, artificial intelligence, blockchain, quantum computing, advanced sensors, 5G, the Internet of Things, digital twins, etc. – when combined, these technologies create incredible new spaces, rich in breakthrough capabilities. We expect the Metaverse Continuum to eventually play a key role in missions ranging from training and education to logistics and maintenance to citizen service, and more.

And federal agencies are more equipped to adopt and scale these transformative technologies than ever before. Post-pandemic, the federal government now has a deeper understanding of what technology can do to further missions, and how to effectively integrate it.

Yet, navigating the Metaverse Continuum will still require a careful approach. There are opportunities ahead but also significant challenges, particularly in the areas of cybersecurity, privacy, trust, regulation, and more.

In this era, Accenture’s Federal Technology Vision 2022: Government Enters the Metaverse provides a map for assessing and organizing the technologies of the Metaverse Continuum into a meaningful structure for your agency.

The report dives into four trends:

  1. In WebMe, we explore how the internet is being reimagined, specifically through the intersection of metaverses and Web3. Metaverses are 3D environments, imbued with a sense of place and presence, where moving from an enterprise system to a social platform is as simple as walking from the office to the movie theater across the street. Web3 can underpin these environments with a data framework that generates veracity, trust, and consensus — things we’ve long had conventions for in the physical world, but which have often eluded us in the virtual world.
  2. Programmable World tracks the increasingly sophisticated ways in which technology is being threaded through our physical environments. The convergence of 5G, ambient computing, augmented reality, smart materials, and more is paving the way for agencies to reshape how they interact with the physical world, unlocking an unprecedented fidelity of control, automation, and personalization.
  3. The Unreal examines the paradox of synthetic data. Synthetic data – which is manufactured data meant to mimic real-world qualities – is increasingly needed to train artificial intelligence and power the algorithms that are being embedded in our day-to-day experiences. At the same time, synthetic data is negatively impacting populations, with the rapid growth of deepfakes and misinformation leading people to increasingly question what’s real and what’s not. In this world, authenticity – not “realness” – must be the north star for federal agencies.
  4. Finally, in Computing the Impossible, we look at the rise of quantum, biologically-inspired, and high-performance computing. Next-gen computing promises to reset the boundaries of what is computationally possible and will empower federal agencies to tackle problems once considered unsolvable.

The Federal Technology Vision 2022 incorporates insight from a global survey of 4,660 executives spanning 23 industries and 24,000 consumers worldwide. It applies these findings to the unique challenges and demands facing the U.S. federal government, featuring in-depth analysis from more than 20 Accenture Federal Services experts and results of a survey of 200 U.S. federal government executives.

Learn more about how the Metaverse Continuum can transform your agency in the report.

5G Enables AI at the Edge

By Michael Zurat, Senior Solutions Architect, GDIT

5G, Artificial Intelligence and Edge Computing have been areas of focus in the IT space for some time. What’s been given less attention, until recently, is how these three powerful technologies interact with one another and how, as one example, 5G is precisely what enables AI capabilities at the edge.

The proliferation of data-creating devices – whether that’s smart phones, Internet of Things (IoT) devices or drones – means that the sheer volume of data that exists is too large for humans to examine, and it has been for a while now. AI algorithms enable us to identify patterns and outliers and to either address a problem or pinpoint the things that require human intervention. 5G enables us to deploy those algorithms faster and more securely to devices at the edge, making them more powerful and capable than ever before.

Massive Machine-To-Machine Connectivity

Here’s why: 5G enables massive machine-to-machine connectivity. This allows for connected sensors and devices to “speak” to each other – sometimes without connecting to an enterprise or hub, such as in a mesh network. This allows for devices to manage themselves and react to data inputs from other devices, even without connecting to a cloud or centralized server. By leveraging embedded algorithms and even machine learning at the edge, we’re at the beginning of what will become a smart and independent mesh network of devices.

One example is how smart city traffic lights can automatically adjust to control or regulate the flow of traffic without communicating to a central server. As edge computing like this becomes ubiquitous, it will start to compete with the cloud as a compute and storage commodity. This may provide alternative physical locations for storage and compute for existing cloud vendors, and it could disrupt them altogether with potential new offerings from cellular network operators.

We’re already seeing the beginning of this from content distribution services. Netflix stores data in massive data centers in Virginia and California, but locally they’re using Akamai relays to cache data at the neighborhood level.

Blurred Lines Demand Advanced Cybersecurity

In this example and hundreds like it, as data moves from place to place with encryption at both ends, 5G and edge are, in effect, blurring the lines and creating a larger and more diverse attack surface in need of advanced cybersecurity. On top of that, more complex system architectures are built on more complex Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS) services that abstract the cloud and edge compute and storage locations. There are also more complex layers of containerization involved. No longer will cyber teams be able to think about security in local, cloud or on-prem contexts.

In environments where everything is virtualized and when it’s not exactly clear where the data is at any given moment, or when serverless systems are being leveraged, cybersecurity becomes more important than ever. So, too, does having a secure software supply chain. Look no further than the recent log4j breach.

As ever-more complex systems enable ever-more complex capabilities, it can be easy to focus on the delivery of functionality without looking back at how and what software is being used and how secure it is. The stakes are even higher for government and Department of Defense customers and their mission partners. As a systems integrator, GDIT has broad and deep capabilities that address these complexities and the stakes – both today and for the future. This includes our 5G Emerge Lab that proves out 5G solutions and demonstrates how we can securely connect and protect 5G-enabled devices, data, and applications across the broader enterprise.

Underpinning Technologies Paved the Way

Paving the way for what’s to come with regard to AI at the edge are a host of underpinning technologies. Containerization, as mentioned above, helps to quickly move applications into the cloud. Virtualization abstracts applications from physical hardware. Graphical Processing Units, or GPUs, allow us to accelerate workloads. Gaming engines gave us the blueprint for reusing software components or to more quickly port applications to other platforms.

Today, GDIT is leveraging these advances as well as the capabilities offered by 5G to enable AI at the edge on a diverse array of use cases – from training and simulations that leverage virtual reality on edge devices, to medical trainings with smart mannequins. We are also exploring how to use AI and guided assistance within Denied, Disrupted, Intermittent, and Limited bandwidth (DDIL) environments. Another use case involves deploying smart warehouse technology on edge devices for logistics and supply chain management purposes.

What is clearer than ever is that teams are just scratching the surface of the enormous potential of AI at the edge. 5G, and the continued bandwidth enhancements that will come after it, will expand that potential exponentially. And we stand ready to capitalize on it, exploring the art of the possible, for customers.

Plugging Cyber Holes in Federal Acquisition

By Ken Walker, President & Chief Executive Officer, Owl Cyber Defense

Government agencies are under siege from ransomware and incredibly sophisticated cybersecurity threats, such as the 2020 SolarWinds supply chain attack. To help fight back, lawmakers are introducing steps to broaden defenses through non-traditional approaches. The Supply Chain Security Training Act (SCSTA) bill, recently passed in the U.S. Senate, would extend cyber responsibilities to federal employees with supply chain risk management responsibilities, like program managers and procurement professionals.

This is a much-needed step. SCSTA directs the General Services Administration (GSA) to develop a training program for federal employees that will help them identify and reduce agencies’ supply chain risks. Extending security responsibilities in this way is practical and necessary to widen the resource pool for tackling cyber risks, particularly given the shortage of people with hard technical skills who are battling supply chain threats. At this point, everyone needs to stay vigilant and not expect security to be someone else’s responsibility.

While SCSTA would obligate another element among current job training requirements, it is vital – even for non-technical employees – to understand the security angles of technologies they are acquiring. Focusing on specific vendor practices for both physical and digital supply chains will drive a thorough assessment of cybersecurity across a vendor’s entire process, sub-supplier requirements, and risk mitigation policies.

To get started, agencies can frame the discussion around a few simple but strategic questions: what are the supply chain security risks in what you’re offering me? In what ways could your product be compromised? How could the product be installed or integrated incorrectly that might cause or increase cyber risk? Then drill down into specifics. Here are some ideas of what to probe:

For physical systems:

  • Production. Ask about steps taken to ensure that the vendor’s bill of materials for the supply chain includes known, trusted entities who prove they adhere to stated security procedures. That can include steps like physically checking products through high visibility scanning, to make sure that there was no unauthorized substitution of components and comparing the exact build kit against scrap analysis. The ongoing global supply chain issues have exacerbated production problems that can lead to acquisition of gray-market components which can make it much easier for an adversary to introduce counterfeit or maliciously modified parts.
  • Critical software. While downloading has become the predominant software delivery method, the most secure way to deliver software is still on physical media. For systems that will be deployed in highly sensitive missions, vendors should provide both disks and independently supplied validation codes to verify that the software meets a specific signature and profile. If those don’t match, it’s an indication to not move forward.
  • Delivery. Packaging should be verifiably tamper-resistant, such as with tamper-evident tape on all seams. Vendors should minimize the length of time a package is in transport – that means it has less time to be compromised. If deliveries are delayed, ask why to see if there is an associated risk. Once shipments are received, verify that any devices contained within also have tamper defenses, and that those are not compromised.

For software applications:

  • Vendor verification. Vendors should be able to verify how they secure their software so that it is not altered along the chain of command. Find out if any entity or manufacturer has access to the entire build. If so, what steps are taken to validate the full build’s integrity? This includes using an isolated build and test environment that requires multi factor authentication to access and requires multi-tunnel VPNs for remote access. Source code should never be released outside of the isolated environment and all packages (open-source or otherwise) imported into the isolated environment must be verified.
  • Assess the source of the download. Given that most software is downloaded, risk is created if the source code is compromised then proliferated through an organization – such as what happened to SolarWinds in 2020. Where is the download platform housed? Who has access to it? Be able to independently check where any validation codes come from to verify that they are authentic and as expected.

Even with elevated training, it can be complicated for program managers and procurement professionals to interpret vendor input for particularly technical situations. Consulting with internal cyber experts can help when vetting a vendor’s response. Still, in the face of supply chain shortages that are already straining the acquisition process, and the growing number of cyber threats, these roles will certainly get harder.

SCSTA represents a big task. Yet taking such steps is vital in the modern threat environment. Cybersecurity is not an endpoint, it is a journey. Legislation like the SCSTA is a call to action for strengthening layers of national cyber defenses with the resources we already have. More people understanding the risks, asking the right questions, and knowing what to look for, will go a long way in making agency systems – and the country – more secure.

Resilient Critical Infrastructure Starts with Zero Trust

By: Raghu Nandakumara, Senior Director, Head of Industry Solutions, Illumio

From the Colonial Pipeline breach to the JBS ransomware attack, the past year has shown us that cyberattacks on U.S. critical infrastructure are more relentless, sophisticated, and impactful than ever before – and all too often threaten the economic stability and wellbeing of U.S. citizens.

Because of this, critical infrastructure protection remains a top focus for the Federal government. The Biden Administration’s 2021 Executive Order on Improving the Nation’s Cybersecurity (EO) laid out specific security mandates and requirements that agencies must meet before Fiscal Year 2024 in order to bolster organizational and supply chain resilience. One critical component the EO specifically articulated is the advancement toward a Zero Trust architecture – a cybersecurity methodology first introduced nearly a decade ago, and predicated on the principles of “least privilege” and “assume breach.”

In March 2022, President Biden reaffirmed the 2021 EO with his “Statement… on our Nation’s Cybersecurity”, again, pointing to Zero Trust as a cybersecurity best practice as the U.S. looks to improve domestic cybersecurity and bolster national resilience in the wake of an emerging global conflict. Further, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 signed into law in March 2022 will require private sector infrastructure operators to report cyber incidents and ransomware payments to the government – boosting the U.S. focus on protecting critical infrastructure.

Embracing ‘Assume Breach’

In order to bolster ongoing resilience efforts, organizations across the Federal government and private industry alike must start taking a proactive approach to cybersecurity. This starts with rethinking the way we fundamentally approach security.

Digital transformation has dramatically expanded the attack surface. Today, modern IT architecture is increasingly a hybrid mix of on-prem, public clouds and multi-clouds – opening up new doors for attackers to not just gain access, but also move across environments with ease. As the frequency and severity of breaches continue to increase, our industry is rapidly adopting an “assume breach” mindset – an understanding that even with the best preventative and rapid detection technologies, breaches are going to happen.

Think of the recent cybersecurity industry shifts this way: The first security era was solely focused on protection. In a walled in, on-prem data center the focus was on perimeter security – build a digital wall and keep the bad guys out. About a decade ago, a wave of high-profile breaches woke us up to the fact that a wall can’t keep the bad guys out entirely. From there, the focus shifted from perimeter-only security to the second security era of rapid detection and response – find the bad guy quickly after they scale the wall.

Now we are in the third wave of security: focus on containment and mitigation. This is where Zero Trust capabilities like Zero Trust Segmentation (i.e., microsegmentation) can help. For example, in the event that bad actors gain access to a Federal agency, Zero Trust Segmentation can help limit their impact by containing the intrusion to a single compromised system – vastly limiting access to sensitive data.

In fact, according to a recent study from ESG, organizations leveraging Zero Trust Segmentation are 2.1X more likely to have avoided a critical outage during an attack over the last 24 months, have saved $20.1M in the annual cost of downtime, and have averted five cyber disasters annually.

Going Back to Basics

As harrowing cyberattacks remain the norm, it’s never been more essential for critical infrastructure organizations to prioritize practicing and maintaining proper cybersecurity hygiene. Cyber hygiene is nothing revolutionary – it’s about adopting and putting the basics into practice, day in and day out.

In 2021, the White House issued a memo outlining key best practices for organizations looking to safeguard against ongoing ransomware attacks: make sure you’re backing up your data, patch when you’re told to patch, test your incident response plans, double check your team’s work (i.e., account for human error), and segment your networks, workloads and applications accordingly.

With proper cybersecurity basics in place, Federal agencies are better positioned to expand upon ongoing resilience efforts – like accelerating their Zero Trust journeys.

Building Resilience Starts now.

In the end, prioritizing proactive, preventative cybersecurity approaches like Zero Trust, and mandating them at a national level, will have positive long-term benefits on the nation’s security posture and overall resilience. But good cybersecurity hygiene and building real resilience is an ongoing effort. It’s important to start small. For example, start by segmenting your most critical assets away from legacy systems. That way, if a breach occurs, it can’t spread across your hybrid architecture to reach mission critical information. From there, you can move to larger, wider resilience undertakings.

But as with any goal, it’s important to not make “perfect” the enemy of good. In other words, not having a perfect plan shouldn’t be a barrier to starting somewhere. What is important is getting started today. Bad actors are evolving, emerging and now rebranding – and any cybersecurity hygiene practice (big or small) helps uplift organizational resilience. In the end, especially when it comes to public sector operations, we’re all only as strong as the weakest link in our supply chain.

Remember, “assume breach,” put the basics into practice, and prioritize securing your most critical infrastructure with Zero Trust security controls first.

The Evolution of Government Tech Procurement Under CMMC 2.0

By: Kyle Dimitt, Principal Engineer, Compliance Research at LogRhythm

Supply chain attacks have been on the rise across the globe, as we saw with targeted attacks against SolarWinds and Kaseya. The spike has created a large risk in the Federal government since industry supply chains don’t necessarily have to adhere to a set level of cybersecurity standards, specifically with agencies like the Department of Defense (DoD). To combat this, the DoD has attempted to minimize the risk by increasing the security of the Defense Industrial Base (DIB) with the introduction of the Cybersecurity Maturity Model Certification (CMMC) in 2019.

CMMC requires contractors to obtain third-party certification to ensure appropriate levels of cybersecurity practices are in place to meet basic cyber hygiene standards, as well as protect controlled unclassified information (CUI) that resides on partner systems. While this won’t answer all the government’s cybersecurity woes, it addresses what is becoming a more frequently seen exploit.

Challenges with CMMC 1.0

CMMC 1.0 was a very big change for the DIB. While contractors may have been required to adhere to NIST standards prior to its introduction, there was no requirement for proof of adherence to those standards with CUI. The requirement from CMMC to get audited and prove that your organization was adhering to these requirements became very costly depending on where the CUI was in your environment.

Many DIB contractors were also not confident in what CUI they had in their environments, further adding to the complexity of CMMC requirements. Because they couldn’t fully identify the CUI, they couldn’t fully scope what needed to be protected by the controls and what they would be audited against.

Additionally, there was no allowance for plans of action and milestones (PoAMs). Certifications were a firm pass/fail, which meant organizations could lose out on an opportunity for a contract if they weren’t certified and would have to be audited again once they remediated any deficiencies noted in the audit.

Introducing CMMC 2.0

In November 2021, the DoD announced CMMC 2.0, which came with an updated program structure and requirements. The key changes in CMMC 2.0 address some of the grievances shared above regarding CMMC 1.0, but other challenges remain.

CMMC 2.0 is more flexible, allowing for PoAMs and waivers to CMMC requirements under certain circumstances. This enables contractors who do not meet the security requirements to continue to bid on DoD contracts. The five-tier security system levels have also been revised to three levels, simplifying and streamlining requirements to focus on the most critical.

Third-party assessment requirements have also changed for version 2.0, reducing the number of government contractors that require a third-party assessment. Level 1 no longer requires third-party assessments but requires organizations to perform annual self-assessments. Level 2 requires triennial third-party assessments and annual self-assessments for select programs. Level 3 requires triennial government-led assessments by the Defense Industrial Base Cybersecurity Assessment Center.

The biggest challenge is still the depth of understanding in CUI. Organizations must continue working with their DoD and Federal partners to understand what CUI needs to be protected and where it is in order to properly perform third-party and self-assessments.

Impact on State and Local Governments

CMMC 2.0 will aid Federal agencies’ ability to buy and implement new technologies by allowing for more flexibility for contractors to gain CMMC certification. By making the certification process simpler and more affordable, contractors can find a quicker path to certification and ultimately a smoother procurement process. While CMMC does not impact state and local government agencies for now, it’s reasonable to expect similar mandates to extend to the local level in the future. State and local governments will likely take their cue from Federal agencies and will be more likely to work with contractors who have gained certification and federal contracts, even though it is not currently required they work with vendors with CMMC certification.

State and local governments should keep a watchful eye on the continued rollout of CMMC as they look to incorporate similar requirements in their supply chain. More importantly, these governments should stay up to date on President Biden’s executive orders around cybersecurity as they could have cascading effects for those entities. There is nothing as broad and sweeping as CMMC at the state level but with the increased focus on cybersecurity, many states are introducing new cybersecurity legislation.

Looking Ahead

The latest changes to the Cybersecurity Maturity Model Certification are a great move by the Office of Acquisition and Development and the DoD to continue to hold the DIB accountable while providing a more flexible standard. CMMC 2.0 will allow more contractors to obtain the certification and adhere to the standards but, most importantly, the second iteration is creating greater public buy-in.

The U.S. government has taken great first steps to modernize its own cybersecurity efforts before extending a set of audited requirements to the entire government supply chain. A government-wide implementation of CMMC or something very similar is not out of the question, but don’t expect to see it before CMMC demonstrates some success with its new model or before the DoD’s full phase-in by 2026.

Zero Trust Requires Continuous, Tested Security for Federal Agencies

By Scott Ormiston, Federal Solutions Architect, Synack

Within a single week in late March, the Biden administration both reissued the call for American companies to shore up their cybersecurity efforts in the wake of the Russia-Ukraine war, and requested nearly $11 billion in cybersecurity funding from Congress for the Federal government and its agencies for fiscal 2023 – a billion dollars more than the year prior.

Record numbers of Common Vulnerabilities and Exposures (CVE) and zero day exploits also contribute to the urgency felt across the cybersecurity industry, which is being squeezed by a lack of talent and a hot labor market. Meanwhile, the federal government and its agencies are in the middle of an effort to modernize their technology – a herculean task that has the potential to widen attack surfaces and further burden cybersecurity professionals.

Adopting an adversarial, offensive cybersecurity strategy that aligns with the Federal government’s mandate to move to zero trust architecture can release some of that pressure by working proactively to harden your agency’s existing security program.

Zero trust architecture, as outlined in the Federal zero trust strategy memorandum M-22-09, is aligned with the Cybersecurity and Infrastructure Security Agency’s (CISA) five pillars of its Zero Trust Maturity Model. Those five pillars include: Identity, Devices, Networks, Application Workload and Data. Each pillar requires different kinds of tools and services to adhere to zero trust principles, which all coalesce around preventing unauthorized access by making access granular and as-needed.

Taking a closer look at the Application Workload pillar, optimal functionality should be designed for continuous testing. When an application is in development, security testing for Federal agencies should happen routinely throughout and continue once deployed. Once applications are deployed, CISA recommends continuous, external monitoring.

The common themes for all five of the pillars include continuity and externality. Why? Because that is the manner in which adversaries are scanning attack surfaces for potential threat vectors; they are continually learning from organizations’ security measures and augmenting their own approaches. The adversary is on-the-clock 24/7, looking for a way in, so security teams must rebuild their efforts to match.

To make the move toward zero trust, security teams need to establish if their existing security systems and processes are working as designed. Conducting outside-in testing and gaining an adversarial perspective on current security implements will demonstrate where to prioritize remediation efforts.

Synack provides dedicated application security testing that enables federal agencies to adhere to mandates, advancing their moves to zero trust principles. Agencies that select Synack will also benefit from its FedRAMP Moderate In Process designation, indicating that 325 security controls were met to enhance security for users working in Synack’s FedRAMP environment.

As former National Security Agency and Defense Department technical security experts, Synack’s founders know intimately the importance of securing federal operations and technologies in cyberspace.

CEO Jay Kaplan and CTO Dr. Mark Kuhr saw firsthand how difficult it was to unite thousands of government employees and acquire the necessary security expertise to proactively, and effectively, protect against today’s cyber attacks and threat actors. That view led them to create Synack, the premier on-demand security testing platform backed by a vetted community of ethical researchers for continuous penetration testing and vulnerability management.

“Helping defend the U.S. against cyberattacks is in our DNA. It’s why my co-founder Jay and I started Synack in the first place and it’s what our network of trusted ethical hackers do every day on the platform,” said Dr. Kuhr. “Synack’s FedRAMP designation is a powerful accelerant for even more Federal customers to benefit from continuous, crowdsourced security testing, which is an essential best practice especially in light of recent vulnerabilities like Log4j. The Synack offering can aid organizations by rapidly responding to the most urgent CVEs.”

Synack has worked with more than 30 government organizations on application security testing capabilities with capacity to deliver better results at scale than traditional methods, and is committed to helping agencies protect citizens and their data. Addressing the Biden administration’s call to make now the time to progress with security efforts, Synack can provide organizations with on-demand access to the most trusted worldwide network of security researchers.

How Multi-INT Fusion Accelerates Mission Intelligence for Real-Time Decision Advantage

Intelligence analysts are drowning in data amid ever-increasing numbers of communication channels, devices, and open-source intelligence.

Intelligence professionals often apply an adaptation of the Pareto Principle (aka the 80/20 rule) to the challenges created by all this data. Analysts anecdotally spend 80 percent of their time looking for data and information, leaving only 20 percent to analyze, render judgments, and articulate their analyses in a way that’s useful for decision makers. In this age of fast-evolving threats, it’s time to flip that number.

For the intelligence community (IC), access to near real-time information and actionable analysis is mission critical. That’s where multi-INT fusion comes in. Multi-INT fusion is the fusing of multiple data types to convert data to information more easily, enabling analysts to understand context and render intelligence assessments faster. It also involves converting manual tradecraft to more automated processes, empowering analysts to accelerate and improve their analyses and gain insights more quickly.

While multi-INT fusion is already a long-established practice, intelligence agencies can now apply new and emerging technologies to achieve it in faster, more efficient ways, in turn freeing analysts’ time for the problems that require more critical thinking. Here are two things IC leaders should consider as we drive toward a large-scale revolution in multi-INT fusion.

Thinking Big, Starting Small

Advancing multi-INT fusion requires a multi-prong approach. Not everything can change overnight, but the IC can seek quick wins that work with legacy systems, while remaining on the path toward enterprise transformation. For legacy systems, automation tools can be as simple as recommenders or real-time bidding – the same idea as seeing suggestions in a Google search or on your Waze app. Based on the user’s search patterns or location, this type of automation can often narrow down (and accelerate) analysts’ research efforts.

Ultimately, algorithms like those used in recommenders refine results based on what an analyst is looking for or is interested in, thus creating significant time savings. Similarly, we recently worked with a partner in the IC to develop an automated source extractor capability, which reduced the time it takes an analyst to properly cite sources by 75 percent. Not only do micro applications like this save analysts time, but they can also be rapidly integrated into legacy systems because they are low-cost and don’t take up much bandwidth.

More sweeping transformation might look like integrating advanced capabilities such as artificial intelligence (AI) and machine learning (ML) into new systems from the get-go. AI/ML can draw connections much more quickly than a human analyst can, which even more advanced AI can then analyze to predict outcomes and recommend action. In turn, AI/ML can correlate target activities to create faster decisions. This isn’t replacing the role of the human analyst, but rather increasing the pace of analytics to machine speed. This is also achieved by integrating AI/ML with advanced data science techniques, such as probabilistic and predictive modeling and automation of data pipelines.

Understanding Where Open Architecture Can Help

As intelligence organizations modernize, it’s important to create more sophisticated cross-domain pipelines. Fusing new, classified streams with commercially available and open-source data at scale requires layered levels of data engineering and analysis.

The data must be indexed, fused, and analyzed at appropriate security levels for multiple stakeholders, not just in the IC but also military, government, and international partners. Then, those recommendations need to be distilled to send to leaders at their level of access, whenever needed. Such large-scale, diverse fusion requires open architectures that move operations to the cloud for bandwidth and scale. To work within allotted budgets, many intelligence agencies should approach large-scale modernization incrementally, making small changes that build toward a larger vision.

Taking a modular open architecture approach simplifies transformation, while also allowing agencies to make decisions according to their funding resources. Often the answer lies in tools and frameworks created from commercial off-the-shelf or open-source software – ideally, tools that are already cleared through the accreditation process, have intelligence-level cybersecurity built in, and are proven in operation. The right technologies and solutions accelerate decision-making while providing capacity, all working together seamlessly, for faster, smarter analysis.

By Rob Goodson and Saurin Shah, Vice Presidents in Booz Allen Hamilton’s national security business

Three Things to Consider for Responsible AI in Government

The use of AI and analytics are crucial for government agencies, who are among the largest owners of data. The benefits of AI are often discussed – operational efficiencies, intelligent automation possibilities and the ability to gain deeper insights from massive amounts of data.

Claire Walsh, VP, Engineering and Services, Excella

With the intense interest and proliferation of AI, governance of machine intelligence is getting more attention and appropriately so. Absent legislation, organizations must anticipate and adopt voluntary practices to minimize risk and avoid undesirable outcomes.

Here are three areas of focus recommended as part of a comprehensive responsible AI strategy.

Plan Ahead

Responsible AI solutions start with planning. Some key questions to ask (and then answer) during the initiation of an AI project are:

  • What is the intended use case and are there other unintended uses that may need to be mitigated against?
  • What are the expected outcomes of the AI solution and are there possible unintentional impacts on individuals or community welfare? Are these positive or negative impacts?
  • How is the data used in the AI solution monitored and managed? Are data governance policies defined and applied consistently? Is data quality consistent and at appropriate level of completeness?
  • Where is there potential for bias with the AI solution and how can this be monitored and managed?
  • What considerations are needed to create model transparency and explainability?

Similar to applying the DevSecOps mindset, where teams “shift left” on security planning and execution to include these activities from the start, the same is recommended for risk planning in AI projects. Identify potential challenges and risks early and commit to maintaining a plan to assess and address them.

Be Transparent

AI models are complex, and transparency into how machine intelligence is making decisions and taking action is becoming increasingly critical. AI models now help us drive more safely through real-time alerts, or in some cases drive for us. AI is being incorporated into medical research and treatment plans. This level of complexity can be difficult to decipher when systems don’t operate with expected outcomes. What went wrong? Why was a decision made or an action taken?

Explainable AI (or XAI) advocates for fully transparent AI solutions. This means that all code and workflows can be interpreted and understood without having advanced technical knowledge.  This often requires additional steps in the design and build of the solution to ensure explainability is achieved and maintained.

Think of explainability as a two-step process – first, interpretability, the ability to interpret an AI model, and second, explainability, to be able to explain it in a way humans can comprehend. Explainable models provide transparency – so organizations stay accountable to users or customers and build trust over time. A black box solution that cannot be interpreted when things go awry is high risk investment that is potentially damaging and unexpectedly more expensive.

Enable Humans in the Loop

The Toyota production line Andon Cord is famous for its ability to stop the production line in the pursuit of quality. A physical rope used to halt all work when a defect was suspected, enabling an assessment and resolution of the issue before it can proliferate further.

What is the equivalent in the build and use of possibly high-stakes automated AI solutions? A human in the loop – enabling the ability for a person to oversee and have the option to override the system outputs. This can include data labeling by humans to support the model training process, human involvement in validating model results to support model “learning,” and implementing monitoring and alerts that require human review when specific or unexpected conditions are detected.

The combination of human and machine intelligence is a powerful one that expands possibilities while enacting safeguards.

By implementing governance guidelines and adopting approaches that specifically address the challenges and risks associated with AI solutions, federal organizations can proactively act to protect the interests of the public and Federal employees.

Legislation, White House Orders Show Agencies Opportunity for Hybrid Cloud

From pandemic relief bills to the cybersecurity executive order and the bipartisan infrastructure bill, Federal agencies have a wealth of mandates and opportunities to create new programs.

While each of these executive and legislative actions feature varying priorities, funding methods, and delivery objectives, in a larger sense they are unified by requiring Federal agencies to leverage advanced technologies like big data analytics, artificial intelligence, edge computing, and enhanced cybersecurity frameworks.

To meet these goals and ongoing program needs, agencies should consider increased investments in hybrid cloud technologies. Hybrid cloud infrastructure can provide the computing power, scalability, and security that on-prem or single cloud environments traditionally lack.

Where Hybrid Cloud Can Provide Value

Let’s look more at each piece of legislation and mandate to see how hybrid cloud improves traditional systems.

  • The Infrastructure Bill: The $1.2 trillion infrastructure bill was signed in November of 2021 and features funding for public sector cybersecurity enhancements, broadband access, and electronic vehicle expansion. Outside of the direct impact of improving technology infrastructure, agencies need to ensure they have the technological capability to administer properly the countless programs outlined in the new law.
  • The American Rescue Plan: Passed in January of 2021, the American Rescue Plan was most known for providing many Americans with stimulus payments. As with the Infrastructure Bill, this plan increased the need of Federal agencies to act quickly and provide a wealth of new and enhanced services to citizens in need, which put stress on outdated technology systems. However, the bill also created several short and long-term programs aimed at helping citizens, businesses, and schools return to everyday life.
  • The Cybersecurity Executive Order: The order calls for removing barriers to threat information sharing between government and the private sector and modernizing and implementing more robust cybersecurity standards in the federal government. Leveraging a hybrid cloud will allow for solid cybersecurity analytics and create a more modular architecture that can be harder to attack.

Pushing Further Toward Hybrid

The COVID-19 pandemic began to push Federal agencies toward hybrid cloud, and moved technology leaders closer to that idea. With more employees working remotely, agencies needed the power hybrid cloud platforms to allow remote employees to access applications.

While traditional cloud architectures offer the capability to scale, many agencies have created siloed cloud environments. Instead of having an application on an individual on-prem rack, as before, they now follow the same practice with the cloud. This goes against the ingrained benefits of a cloud model, something technology leaders understand.

In speaking with Federal customers, many have voiced how the pandemic amplified the importance of migrating to hybrid cloud – some even made the move before they originally planned. However, sometimes they moved too fast without proper planning.

What Agencies Need to Know About Hybrid

Faced with this increase in Federal mandates and programs, agencies need to ensure the proper technology infrastructure is in place to operate them. This means a hybrid cloud infrastructure with a flexible architecture that allows for more modular use.

For technology leaders, a switch to hybrid and how to better leverage cloud requires a culture shift. Agencies must move beyond the idea of siloed applications – even in the cloud – and utilize a hybrid structure that allows for better scaling, quicker time to action, and more adaptability for new applications.

Too often, agencies attempt to put a round peg in a square hole when it comes to applications. They need to look at hybrid methodologies – even if it means having a hybrid architecture for 20 percent, 30 percent, or 50 percent of the overall infrastructure. Simply taking steps in this direction can have a dramatic impact on the ability to take advantage of new and emerging Federal initiatives.

Creating an Effective Framework for DoD’s Software Factories

The Department of Defense (DoD) last month released its Software Modernization Strategy, an important step to unifying existing technology and directing a more joint approach to systems of the future. It notes that our competitive posture is “reliant on strategic insight, proactive innovation, and effective technology integration enabled through software capabilities.” Further, it asks DoD entities that are driving software development to address management and governance of the 29 software factories spread across the services.

The promise of software factories is significant. The construct has quickly demonstrated agile development of critical capabilities, while also delivering the speed and flexibility that DoD requires. This has been achieved with commitment to automation, modular and open architecture, and continuous authority to operate (cATO). Given how much progress has been achieved, software factories will undoubtedly play an important role in modernizing DoD technology, through a common framework which will drive efficiencies and provide oversight, best practices, and baseline software for reuse.

Industry’s Role  

The industry can offer lessons learned and best practices from supporting software factories over the past five years, and the Software Modernization Strategy makes several mentions of the role of industry within the acquisition process. Booz Allen has worked in partnership with the DoD to rapidly develop, integrate and field cutting edge mission capabilities. We know what works, and what it will take to mature the software factory ecosystem to bring more efficient, innovative software to the DoD.

The software factory ecosystem cannot be a one-size-fits-all approach. Given different mission requirements (i.e., from IT to OT), acquisition strategy and program maturity (i.e., inception to sustainment), bringing all of these software factories into a single factory or even entity will likely be both inefficient and ineffective.

DoD leaders would benefit from establishing an ecosystem that streamlines across today’s software factories and those that will exist in the future. We would offer that the DoD Chief Information Office should consider the following as a construct aligning software factories within a framework for governance:

Mission Purpose. Each software factory was purposefully designed to cover a broad spectrum of mission requirements. Some entities support complex combat requirements and require deep hardware integration for use on the battlefield driving additional layers of policy, cyber, security and technical specifications. Others focus on IT system development that requires less hardware integration, but instead requires standards for open architecture and system interoperability. Aligning against a core set of mission categories will help streamline baseline software and regulations.

Developmental Maturity of System. DoD must also consider the maturity of the software that’s being developed in applying governance to the software factories. For instance, a software factory for a system as mature as the F-35 program has very different needs (e.g., cyber regulations) than an entity that is incubating new software for prototyping and testing capabilities with more pipeline requirements (e.g., Navy’s Rapid Autonomy Integration Lab (RAIL) software factory).

Operations Model. Finally, the framework should address the variety of different models of ownership and accountability. Depending on how the DoD and industry partner together, the risks and benefits can vary significantly. In our experience, there are three broad models for operations that work effectively for managing cost, risk, and innovation: Government-Owned, Government-Operated (GoGo); Government-Owned, Contractor-Operated (GoCo); and Contractor-Owned, Contractor-Operated (CoCo). We have supported all of these models across the federal government and have lessons learned from each, including retaining government data rights, ensuring accountability and driving a culture of collaboration.

As the DoD works on the implementation plan for the Software Modernization Strategy and creates a framework for how to manage and govern its software factory ecosystem, aligning and categorizing its existing resources will be critical for delivering agile, mission critical software to current and future weapons systems.

Further, it is incumbent on the industry to continue to streamline and drive efficiencies in its software development. Across the Defense Industrial Base, we must commit to building open, reusable baseline software that can be extended and augmented across multiple use cases. Whether we are developing software on corporate research and development budgets or on government use cases, creating software that can be refined to meet mission needs is absolutely critical. From our own experience, we are committed to taking our investments and integrating them to build for custom mission solutions. Our AI/ ML software factories and cyber software factories are built consistently from a horizontal perspective so that they can be leveraged and reapplied for more vertical mission sets.

Through both a more consistent government framework for software factories built on real use cases and industry commitment to re-baselining, executing this new strategy will be critical for continuing to modernize technology to support today and tomorrow’s warfighter.

1 2 3 4 19