From AI to zero trust, how 2023 will be remembered by federal IT experts

When federal IT historians look back on 2023, they will underline the beginning of the federal revolution with artificial intelligence and the next step in the continued evolution of IT modernization.

Now if you said to yourself, “wait, there are federal IT historians?” Maybe I’m projecting my retirement job a little.

But either way, when we all look back at the year that was 2023, we all can point to several federal IT and acquisition markers of progress.

The AI executive order and draft memo from the Office of Management and Budget was a common highlight from current and former federal executives.

The progress around the Federal Risk Authorization and Management Program (FedRAMP), the continued focus on customer experience, in part through much-anticipated release of the IDEA Act guidance, and the advancement of cybersecurity through zero trust and other tools and capabilities all were top of mind across federal experts.

Federal News Network asked a panel of current and former federal executives for their opinions about 2023 and what federal IT and acquisition storylines stood out over the last 12 months.

The panelists are:

• Gundeep Ahluwalia, chief information officer of the Labor Department
• Jonathan Alboum, the former chief information officer at the Agriculture Department and now federal chief technology officer for ServiceNow
• Steven Brand, deputy chief information officer for resource management, for the Department of Energy.
• Guy Cavallo, the chief information officer at the Office of Personnel Management
• Kevin Cummins, a former Senate staff member on the Appropriations and Commerce, Science and Transportation committees and now a partner with the Franklin Square Group.
• Mike Hettinger, former House Oversight and Reform Committee staff member and now president of Hettinger Strategy Group.
• Renata Spinks, former assistant director and deputy chief information officer for information, command, control, communications and computers (IC4) and now founder of CyberSec.

What are two specific accomplishments in 2023 within the federal IT and/or acquisition community? Please offer details about those accomplishments and why you though they had an impact and what changes they brought.

JA: The guidance issued on the 21st Century Integrated Experience Act (IDEA) is an important accomplishment by Office of the Federal CIO. The guidance creates at 10-year roadmap to making government experiences simple, seamless, and secure by creating common standards for delivering online tools and experiences. Even though IDEA became law in 2018, its implementation has been uneven across government. The new standards will create consistency so as the public interacts with the federal government, they have a common experience that rivals experiences in the private sector. If properly funded, this has the potential to re-build trust in government.

The executive order on artificial intelligence is an important step forward for making generative AI solutions part of how government is delivered. We all know that AI has significant potential. I believe the Biden administration has shown global leadership by putting forth a roadmap for government agencies and critical sectors. The AI EO creates the framework to responsibly adopt and integrate AI into agency operations to improve government service delivery, while managing risks. These actions to advance trustworthy AI are imperative to fostering public trust in this emerging and exciting technology.

MH: First, I think the issuance of the 21st Century IDEA implementation guidance is going to be a game changer. The law, which is now five years old, has been implemented very inconsistently across government and the hope is that with the new guidance those agencies that had been lagging behind on implementation will step up to the plate. CX overall has been on the agenda for the last decade or so but this should really push it to the top. Second has to be zero trust. We have talked a lot about zero trust over the last few years but I think 2023 is the year it really got over the hump. If you look across the federal government today, as opposed to three-years ago, you’d be hard pressed to find a large federal agency that hasn’t invested in and embraced zero trust principles to improve their overall cybersecurity posture.

SB: Early in 2023, the Office of Personnel Management appeared to be on track to establish a new Special Salary Rate (SSR)—a new governmentwide pay model—for federal IT and cybersecurity personnel. The intent of the SSR was to close the gap between what IT and cybersecurity professionals can earn in federal agencies, as compared to what they can earn in the private sector. This pay gap has been a long-standing challenge for federal agencies, and with OPM’s decision to pause its SSR implementation, the challenge will extend into 2024.

GC: One of the largest impacts on federal IT was the emphasis on all federal systems implementing phishing-resistant multi-factor authentication (MFA) and encryption of data in transit and at rest, a requirement by Executive Order 14028.

At OPM, the EO required us to develop an innovative authentication method utilizing cloud services to implement MFA in front of many older legacy mainframe applications. We also developed virtual desktops in the cloud to implement the cyber requirements supporting those legacy applications.

Another accomplishment for 2023 was OMB’s issuance of Executive Order 13589 on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, and the draft implementation memorandum. With AI being rapidly deployed by the technology industry, a deployment of a new technology faster than any previous technology transformation in our lifetimes, this guidance and memorandum helped set the boundaries of how the federal government can safely and effectively leverage AI to improve providing critical services to the American people.

RS: The Cybersecurity and Infrastructure Security Agency (CISA) published its AI roadmap. The lines of effort outlined in the roadmap sets conditions for Executive Order 14110, “Safe, Secure, And Trustworthy Development and Use of Artificial Intelligence (AI). This is noteworthy and much needed to avoid stagnancy as cybercriminal increase their sophistication of tactics, techniques and procedures (TTPs) with a laser focus on debilitating critical infrastructure. Couple this with the need to increase automated defense and zero trust proactive offensive operations, the roadmap includes policy, agency collaboration guidelines, provides outcomes in a more aligned and congruent manner and lastly calls out specifically workforce training, which is outside of the norms in the past years of technical publications throughout the government.

Additionally, the launch of the National Security Agency’s AI security center within the Cybersecurity Collaboration Center provides securely integration of AI in national security systems and the defense industrial base which supports a much-needed whole of government approach to security. Silos are a haven for cyber criminals as well as increases challenges for procurement strategies and execution.

The Department of Defense prioritizing the presence in the Indo-Pacific region is noteworthy and the right thing. It is home to nearly two-thirds of the world’s economy, several of the world’s largest militaries, and many of the United States’ allies.  The geographical locations itself presents barriers in each category of warfighting –air, ground, land sea and cyber. Considering the span of miles that data and communications have to traverse, terrestrial, subsea and satellite infrastructure all have to be secure and reliable as well as logistics for equipment and personnel and to ensure information is available at the time of need in a secure and streamlined manner is critical and is no easy feat. DoD is focusing in on service-to-service partnerships and pilots to address infrastructure, redundancy and resiliency shows the commitment to this prioritization and the support to thinking differently. Secure communication continually growing alongside an ever-expanding-constantly-under attack global network, DoD’s visible focus on the Indo-Pacific service-by-service not only supports warfighting assurance abroad but also ensures safety here in the US.

GA: I’m proud to say we brought together 14 federal agencies, exhibited more than 90 technology displays, and recruited 26 expert panel speakers for Federal Tech Day 2023. More than 3,000 people experienced the governmentwide expo, both in person and online with our custom-built virtual platform. Two-thirds of the attendees told us they discovered technology that could benefit their own agencies. These are government innovations – and when IT solutions are shared across government, it can impact mission delivery for the public we serve.

We also identified and addressed a need for people who file for unemployment insurance (UI). The Labor Department’s identity verification program provides streamlined and equitable identity proofing services, as well as a secure process to reduce fraud and abuse in the UI program. No more barriers because of unreliable internet service. No more driving long distances to an unemployment office. A claimant can now go in person to a local U.S. post office to upload their identity documents. Or they can go online to verify their identity through the General Services Administration’s Login.gov. Those verified documents then go back to the states so they can process a UI claim knowing it’s for a genuine resident in need.

What technology or acquisition initiative or program surprised you based on how much progress it made or how the pieces and parts came together and why?

GC: The rapid worldwide deployment of AI from the technology industry was surprising.

Competition between the technology giants may have played a significant role to push all of them to get AI in the hands of their customers as fast as possible.

GA: We’ve made incredible progress on the move toward zero trust. The Department of Labor was already working on this, though EO 14028 did accelerate our timeline. We received our fourth Technology Modernization Fund investment (out of five total) to support our work, which includes robust cybersecurity measures, such as advanced threat detection to safeguard our data and systems, and employee cybersecurity awareness training to foster a culture of vigilance throughout the government.

JA: I was pleasantly surprised by the Office of Management and Budget’s draft memo for modernizing the Federal Risk Authorization Management Program (FedRAMP) that followed the passage of the FedRAMP Authorization Act by Congress at the end of last year. Since its inception, FedRAMP has maintained a goal of making it easy for agencies to utilize cloud services by minimizing administrative burden associated with authorization and continuous monitoring. However, the marketplace for cloud services has dramatically increased and FedRAMP leadership recognized the need to add capacity to the authorization process. I am intrigued by the idea of an alternate authorization processes, including the possibility of using Defense Department authorizations. Notably, OMB’s memo the implementation of the AI executive order directs agencies to prioritize critical and emerging technologies in FedRAMP’s authorization process, particularly generative AI. There are also opportunities to streamline continuous monitoring processes using automation. The administration has proactively sought industry feedback on FedRAMP modernization and there’s currently a healthy dialogue happening. I’ll be watching to see how the conversation evolves and what alternative authorization processes emerge.

KC: I was shocked by DoD’s decision to cancel its planned replacement of the Defense Travel System (DTS), given how long the existing DTS has been a subject of scrutiny and criticism from civilian and active duty users.

RS: After multiple rounds of protests, CACI was awarded the $2.4 billion NSA FocusedFox contract in May 2023. This follows a five-year, $284 million contract awarded in January 2023 to provide mission expertise and systems engineering support for NSA’s Cybersecurity Directorate. Former incumbents Leidos and Booz Allen Hamilton challenged the NSA’s best value determination and cost evaluation, respectively. According to the Government Accountability Office (GAO), it appears Leidos’ staffing approach lost the award. Leidos’ labor rates on average were 2% lower than the internal government cost estimate, while CACI’s rates either met or exceeded it. These lower labor rates presented a low-to-moderate risk of unsuccessful performance. I was not able to find details of the Booz Allen Hamilton protest.  I was surprised to see the lowest cost technically acceptable company –Leidos –did not win the award. This is a strong indicator of how the assessment teams are now looking more critically at the probability of success. In this effort, that is driven by skill sets, high level clearances and the ability to onboard skilled and capable personnel. Consequently, for the critical skills often required by these kinds of contracts, the costs are often an eyesore for an acquisition team who are often looking for ways to save the government money, which is great but I like to see the realistic approach being considered in contract awards.

What emerged as the biggest challenge of 2023 that will have an impact into 2024 and beyond?

GA: The development and use of AI is accelerating rapidly. It has the potential to be help

ful and hurtful. It’s why we are quickly responding to the executive order that not only calls for building a responsible AI framework, but for positioning the U.S. as a global AI leader. We have stood up an AI Center of Excellence to test standards and implement AI in an ethical and responsible way. We are forming an AI advisory board that oversees governance and responsible AI frameworks, which means we build AI tools in a way that minimize bias and assure accessibility. We are using AI to support our cybersecurity posture to analyze data and prioritize threat response – and to thwart hackers and U.S. adversaries who may be using AI to launch their cyber-attacks.

MH: I’ve got a couple here. One is the Technology Modernization Fund, which is now over six years old. The program, has struggled, particularly in the eyes of Congress. It’s been interesting to watch the TMF program respond positively to some of the criticisms and concerns about project status and transparency, updating the website and trying to do a better job of highlighting the program’s successes. As we head into 2024, future funding for TMF remains an open question, and what happens in Congress in February could determine whether or not TMF continues to exist.

Another is FedRAMP, which is going through some fairly significant and needed changes as a result of the FedRAMP authorization legislation enacted last year.  How those changes are implemented and how industry – both large and small players – react, will play a large role is shaping the future of federal cloud adoption.

Finally, and this is an important one is software security. Over the past year we have been inundated with software security regulatory proposals, largely flowing from Biden’s cybersecurity executive order. The proposed software security self-attestation form, combined with the proposed software security Federal Acquisition Regulations (FAR) cases, and a host of agency specific requirements are poised to significantly increase the cost of doing business with the federal government, probably to the point where some companies will simple choose not to participate. This could have a ripple effect.

KC: A big challenge that emerged in 2023 is a decline in Congressional support for the Technology Modernization Fund (TMF), which previously received a big boost of $1 billion in the American Rescue Plan Act but now faces a more grim funding picture for 2024 and beyond. A Senate 2024 appropriations bill even proposes rescinding $290 million in unobligated TMF money, and the less draconian House version would zero out any additional 2024 funding. While the TMF had made positive impacts across the federal government, there is a lot of work to do to make this funding mechanism work as originally intended as a better mechanism to fund IT modernization and cloud initiatives that improve performance and lower costs–similar to how a corporate capital committee in the private sector chooses which IT investments to fund.

JA: The arrival of high-quality, consumer-facing generative AI made an impact in 2023 on par with the launch of the iPhone in 2007. As commercial organizations integrate GenAI tools into their operations, there will be an expectation by the public that government does the same. However, the stakes for government are much higher, making adoption a challenge in 2024 and beyond. GenAI tools built on general purpose Large Language Models (LLMs) pose the risk of producing inaccurate or biased information, which is unacceptable in a public setting. The draft Executive Order on AI creates the beginning of a good framework for agencies to use as they evaluate AI tools and manage these risks. As the EO is implemented, I expect agencies will look to GenAI tools that are based on domain-specific LLMs with smaller and more narrowly focused data sets. These models are designed for specific tasks in specific industries and are much less prone to generating incorrect or offensive content. These models are also faster and more cost-effective for agencies.

GC: While the requirements of the cyber EO being more effectively implemented across the government, the sophistication and use of AI by hackers and attackers will continue to threaten government applications and websites. In order to combat such attacks, the government will need to leverage AI in all of our cyber defenses.

RS: Securing government-issued devices, devices accessing government programs, devices that are outdated and/or not connected to the network in a continual manner with certainty are all statuses for endpoint management. The best solution to do so starts not only with identity, access, credential management, but a multi-pronged approach coupled with the ability to see what is occurring in and around your network at each endpoint and respond in real time with minimal impact to the operations and with efficient automated actions—not just as a defense mechanism but also a proactive way to support secure by design system development and postures.

Network and endpoint attacks and meeting security mandates alongside system audits will be areas of accountability not only to agencies but with leaders as well as we are noticing by most recent Security and Exchange Commission (SEC) rulings, involvement, and regulations that right now, have many chief information security officers talking about this accountability approach. Accountability will be an area of emphasis. Reporting and creating the anatomy of attack will require extensive credible visibility which also means acquiring newer technologies, training the workforce on the technology, partnering with others with an information sharing mindset as well as shifting the mindset within the values of bureaucracy to increase funding and culturally adopting and implementing emergent technology.

Agencies need the ability to centrally manage and configure its end points and devices alongside remotely locking down devices, recover data if a breach occurs and increase continuity of operations exercises to ensure preparedness and real time training like what we often see in the aviation community for pilots. Additionally, intelligence-driven posture will need to be partnered with automated support to the network. Without intelligence-driven decision making on the network, operator error, areas of focus and time to resolve will be gravely impeded. What we need to avoid is spending time on outdated information while we modernize our defenses.  This will require larger investments in the intelligence space, integrating it with enterprise IT, which is highlighted in the Defense authorization bill for 2024.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.