Feds At The Edge by FedInsider


Want to know what the most brilliant minds in government and the technology industry are working on behind the scenes? The federal government is pouring thousands of man-hours and billions of dollars into cutting edge projects for the military, civilian agencies and the intelligence community. Get a front row seat to all of that innovation and more with our Feds at the Edge (FATE) podcast. Each episode of FATE features public and private officials who are changing the world with cutting edge technology. No topic is off limits or too technical for our guests to handle. Learn the inner workings of federal projects involving intelligence gathering, emergency management, modernization, artificial intelligence, cybersecurity, communications, encryption, cloud computing, robotics and much more. Don’t let FATE pass you by. Discover this exciting new podcast today!

FedInsider


    • Apr 23, 2025 LATEST EPISODE
    • weekly NEW EPISODES
    • 56m AVG DURATION
    • 198 EPISODES



    Latest episodes from Feds At The Edge by FedInsider

    Ep. 197 Secure By Design: Driving Government Modernization Through Secure Development Practices

    Apr 23, 2025 (58:29)


    “Shift Left” is a popular phrase in software development for prioritizing certain tasks earlier in the life cycle so that potential problems are avoided, or easily identified, before the work moves on. This week on Feds At The Edge, we ask the question: what does it take, and what does it really mean, to “shift left”? Our expert guests share practical insights on tackling the complex realities of modern software design and deployment. Amit Madan, Chief Architect, Center for Enterprise Modernization at Mitre, recommends preparing for potential gaps when integrating legacy systems with modern, cloud-based solutions, and ensuring clear delineation of security responsibilities between agencies and cloud providers. Eoghan Casey, Field CTO for Own, offers a compelling take on risk: sometimes, staying put poses more danger than moving forward. He highlights the need for early collaboration with security professionals and stresses the value of cross-agency knowledge sharing to foster a culture of security grounded in risk management and compliance. Tune in on your favorite podcasting platform today to learn how federal teams are embedding security into every step of the software lifecycle, right from the start.

    Ep. 196 Accelerating Cloud Migration for Agencies

    Apr 16, 2025 (57:44)


    As federal agencies move toward greater efficiency, cloud adoption is making the transition from optional to essential. But Federal leaders know not every system is a good candidate.   This week on Feds At The Edge, our expert guests share what agencies will need to know in order to identify which of their systems can move to the cloud and which systems are best suited to remain on-prem.   David Updike, CTO and Director for the Office of Digital Services & Technology Architecture at EPA, explains how cost frameworks reveal trade-offs between flexibility and savings, and the importance of AI in forecasting scalability.   India Baboola, Chief, Systems Engineering Division, Office of the Chief Information Officer (OCIO) for ICE, emphasizes that even the smoothest cloud transitions face a major hurdle: keeping databases synchronized and data validated throughout migration.   Tune in on your favorite podcasting platform today to hear practical insights on how AI, machine learning, and cloud-native apps are shaping the next wave of federal cloud strategy.        

    Ep. 195 Creating a Zero Trust Ecosystem

    Apr 9, 2025 (58:54)


    Making a change to zero trust can be accomplished by being concerned about the humans involved, taking advantage of AI, and understanding risks. Heather Dyer from the U.S. Post Office cites some remarkable statistics. They have over 600,000 employees and 1,000 applications. To change to Zero Trust, she had to make sure everyone understood the importance of the shift. Once the cultural shift is established, a tech leader can emphasize anomalous behavior and end-point detection. With the number of people and apps in the U.S. Post Office, Heather Dyer had to use AI to continuously monitor the system for compliance with Zero Trust best practices. Heather Dyer and Prem Jawani agree that any successful deployment of Zero Trust must include a thorough understanding of risk. Once you establish a reliable, authoritative source to track who has access to critical assets, Zero Trust permissions can be assembled. The discussion also touched on integrating zero trust with cloud solutions and fostering collaboration with external partners.  

    Ep. 194 Bringing Together Cloud Flexibility & AI Power

    Apr 3, 2025 (59:21)


    The cloud offers incredible potential. Are you making the most of it? This week on Feds At The Edge, our expert guests explore three key strategies for utilizing AI to optimize potential, lighten workloads and ensure security in the hybrid and cloud work landscape. >> AI for Smarter Cloud Management: Kevin Walsh, Director, Information Technology and Cybersecurity Team at GAO, suggests turning your focus to what we've learned from past use cases, especially for those who are overwhelmed with the idea of where to even begin their integration journey. >> AI-Powered Training for Cloud Optimization: Sam O'Daniel, President & CEO for TVAR Solutions, asks: if AI can generate summaries, why not use it to create dynamic, continuously updated training materials for cloud optimization? >> Balancing Cost and Performance: Noell Rebelez, Cloud Services Program Manager at the Department of Labor, highlights the importance of cost analysis, especially around GPU expenses, to ensure cloud investments align with your agency's mission. Tune in on your favorite podcasting platform today as we take a step back in this rapidly changing federal tech landscape and explore actionable insights to help you maximize AI and cloud potential.

    Ep. 193 Adding System Observability to Monitoring for a Holistic View

    Mar 26, 2025 (57:11)


    Digital transformation has been a federal buzzword for years, but what's the first step in making it a reality? It all starts with knowing what's on your network and being able to monitor it before and during a transition. This week on Feds At the Edge, our expert guests take a deep dive into the future of network monitoring and digital transformation. Tom Gilmore, Enterprise Data Architect in the USMC, drops a staggering statistic: in just 2.5 years, over 15,000 applications were built and deployed across the Marine Corps, many of which are likely duplicates. This explosion of tools raises the question: how do we manage this sprawl effectively? Joshua Stageberg, Vice President of Product at SolarWinds, dives into the exponential growth of network monitoring tools, cautioning against "tool sprawl" and the siloed observability it creates. Instead, he advocates for a unified, single-pane view as the key to true modernization, offering not just insights into apps and data, but a roadmap for optimizing computing and operational efficiency. Tune in on your favorite podcasting platform today for valuable lessons on collaborating with operations teams, addressing their pain points, and using observability to drive more effective and efficient digital transformation.

    Ep. 192 AI promises to Unlock Research Potential to Solve Big Changes

    Mar 19, 2025 (60:39)


    Everyone is trying to unlock Artificial Intelligence's promise. We have seen generative AI tricks that can summarize long documents in a flash, which is substantially different from the requirements of serious federal research. Today, we examined some challenges scientific communities experience in applying AI. Quentin Kerilman from the PNN labs throws some icy water on AI enthusiasts when he cautions that using AI for many sensitive applications has no framework. Leaders must use their best judgment when including data sets in projects. Ramesh Menon from the DIA warns that careful data collection must still be used. For example, one must use fair, unbiased data. Is the AI appropriately documented? Further, a scientist will always need multiple data modalities. When used in AI, it needs to be appropriately tagged. Medical data has much theoretical value from AI. But this is the exact data that has double and triple protection. What about leaks and backdoors? Despite all the challenges presented, transparency, human oversight, and collaboration were emphasized to ensure AI's practical and responsible use.  

    Ep. 191 Transforming Public Sector Leadership with Data-Driven Decisions

    Mar 10, 2025 (56:22)


    When the Federal Chief Data Officer position was instituted, understanding data location and security was considered an accomplishment. Today, Chief Data Officers are charged with transitioning to become one of the strategic leaders of a federal agency. Our guests give guidelines on how to make that change. Arjuna Rivera begins by discussing how to handle data so that it can yield actionable insights. He gives listeners a list of seven considerations for obtaining data that can assist in decision-making. You must start with clean, unbiased data. Part of this will include capacity management and data mining. From there, visualization is essential. Predictive modeling can be combined with graphs and patterns. Jaishen You gives listeners ways to use those tools to work with others in the federal government. To foster a data-driven culture, Jaishen You recommends that Chief Data Officers work closely with Chief AI Officers in other agencies. He details the Business of Data Working Group. It is an outgrowth of the Federal CDO that provides interaction with other agency data specialists to share challenges and solutions.

    Ep. 190 The Future of 5G Technology

    Mar 5, 2025 (55:37)


    Despite the official launch of 5G networks in 2018, their full potential for federal applications has yet to be realized. This week on Feds At the Edge, we explore the value of a mature 5G network and the groundbreaking possibilities of its next evolution. Sal D'Itri, Chairman of National Spectrum Consortium, introduces the concept of a “network in a box,” an on-demand, scalable solution that enables rapid adaptation to changing workloads. Steve Vogelsang, CTO Federal at Nokia Federal Solutions, discusses the need for better device ecosystems, the potential for 5G in emergency services, and the importance of interoperability and resilience in large, geographically dispersed networks. One of the most exciting discussions revolves around Non-Terrestrial Networks (NTN), a game-changing application that leverages satellite connectivity to provide emergency communications in remote areas. Andy Greig, President, North America for Druid Software, sheds light on why, despite seven years of development, the device ecosystem still struggles to fully capitalize on 5G's potential. Finally, our panelists offer insights into the future of 6G, the next step in high-speed, flexible communications. Tune in now on your favorite podcasting platform as we uncover the challenges, innovations, and future possibilities of 5G and beyond!

    Ep. 189 Bringing Automation to Cloud Risk Management

    Feb 25, 2025 (56:39)


    With cyberthreats constantly on the rise, federal leaders are considering what role automation can play in managing cloud involvement, along with best practices to ensure their commitment to securing the nation's data. This week on Feds At the Edge, we explore the role of AI, governance, and collaboration in strengthening security and improving capabilities and data security. Joseph Ronzio, Deputy Chief Health Technology Officer, Veterans Health Administration, talks about the risks of blind patching and the benefits of a hybrid approach that combines automation with manual oversight. Brian "Stretch" Meyer, Sr. Director of Engineering, Axonius Federal, sheds light on compliance challenges, the importance of visibility and control in cloud security, and the disconnect between regulations and engineering teams. Tune in now on your favorite podcasting platform for actionable insights on modernizing federal cloud security.

    Ep. 188 IT Disaster Recovery is More than Rebooting Systems

    Feb 20, 2025 (57:41)


    Despite federal mandates requiring every agency to have a disaster recovery plan, 6% of the federal government still lacks one entirely.  This week on Feds At the Edge, we explore proven strategies for building effective backup plans and provide timely advice for organizations with basic or intermediary recovery plans looking to enhance their preparedness. We'll focus on the key pillars of disaster recovery- planning, communication, and continuous updates.   Tommy Baril, Assistant Director, Defense Capabilities and Management Team, for GAO, highlights the need for synchronized disaster recovery plans across federal agencies, stressing strategic communication and role clarity.   Kashif Ansari, Senior Director of Sales Engineering, Commvault, discusses the role of AI in accelerating system recovery, helping identify compromised segments faster than human intervention.  Tune in now on your favorite podcasting platform to uncover the critical distinction between IT disaster recovery and cyber resilience, and gain actionable insights to strengthen your organization's readiness.    

    Ep. 187 Using Security Intelligence to Protect Healthcare IT

    Feb 12, 2025 (58:44)


    Protecting healthcare IT presents challenges that do not appear in other areas. Today, we examine three areas of concern: interoperability, unique aspects of the attack surface, and the impact of IoT devices. Medical records need to be transferred between hospitals and between medical systems. This provides tremendous flexibility, but it also has risks. Jennifer Franks from the GAO cites a recent report that showed an increase in medical cyber-attacks due to interconnection. She notes that personal information such as medical information, unlike the data in other systems, does not change over time. As a result, legacy systems must be protected. Dr. Joe Ronzio notes the VA controls over 170 hospitals; getting an inventory of all the medical devices is a significant challenge. Each time a medical device is upgraded or replaced, a process must start to understand the new threat environment that the change presents. Medical devices can be protected with encryption, but this is another system that is subject to upgrades. Dr. Joe Ronzio describes a situation in which he is upgrading an encryption system called FIPS 140 to a newer model. Gaps in that process can cause vulnerabilities.

    Ep. 186 Improving Management of Complex Cloud Environments

    Feb 6, 2025 (60:17)


    When the cloud was first introduced to the Federal Government, their implementation had a “lift and shift” approach, essentially moving servers from one location to another. But cloud technology has matured into a complex ecosystem spanning public, private, and hybrid environments – creating distinct management challenges.  This week on Feds At the Edge, federal leaders offer their suggestions on managing this ever-evolving and complex landscape, with a focus on training, understanding data and leveraging cloud functions.  Dr. Gregg Bailey, Deputy Chief Information Officer in the Office of the CIO for the US Census Bureau underscores the importance of recognizing data management in a hybrid cloud is different, and suggests training on native cloud functions to leverage the new technologies may be a path of success.   Kristin Ruiz, Deputy Assistant Administrator, Deputy CIO for TSA, keeps us focused on security implementation with zero trust principles and strong data governance.   Tune in on your favorite podcasting platform now to hear what they have to say, and how with the proper security controls, AI has the potential to enable improved management of these complex cloud environments.           

    Ep. 185 Dedicating Cybersecurity Resources to Critical Infrastructure

    Jan 30, 2025 (58:43)


    Protecting operational technology (OT) environments is more complex than ever, requiring precise inventory, continuous monitoring, and strong IT-OT collaboration.  This week on Feds At the Edge, our expert panel unpacks the key cybersecurity challenges operators face in securing their OT systems.  Anthony J. DiPietro, Technical Director, Defense Critical Infrastructure Division for NSA, underscores the importance of maintaining an accurate inventory, especially in remote environments where “ghost” assets can appear unnoticed.   We'll discuss how continuous monitoring helps mitigate these risks and why traditional IT security methods, like sandboxes and automatic updates, don't always work for OT systems.  We also explore the evolving role of AI and Machine learning in OT security, workforce development, and the ever-growing threats posed by interconnected IoT and OT networks.   Tune in on your favorite podcast platform for expert insights on fortifying OT environments against emerging cyber threats.   

    Ep. 184 Accelerating AI Adoption with Trusted Data

    Jan 23, 2025 (57:27)


    In healthcare, every second counts, and Artificial Intelligence is transforming how data is analyzed to save lives. But when critical decisions hinge on AI, ethics, accountability, and trust become non-negotiable. This week on Feds At the Edge, dive into the complexities of applying AI in healthcare. Joe Ronzio, Deputy Chief Health Technology Officer for Veterans Health Administration, shares insights on the importance of rigorous human oversight, traceable training data, and recognizing bias in AI systems. We also tackle the tough questions: >> How do we secure medical data? >> What role do encryption and governance play? Don't miss this compelling conversation.

    Ep. 183 Building a Future Ready High-Performance Government Workforce

    Jan 16, 2025 (59:16)


    In an era marked by economic uncertainty, political shifts, and the rise of remote work, federal agencies face new challenges in maintaining a thriving workforce. Balancing productivity with employee well-being is no longer optional—it's essential. This week on Feds At the Edge, we dive into how federal leaders can create scalable, personalized, and sustainable strategies to support their teams' growth and mental health. Our guest, Matisha Montgomery, Chief Learning Officer at HUD, shares groundbreaking insights on career development. She challenges the traditional “climbing the ladder” mindset, encouraging professionals to leverage transferable skills for lateral moves that lead to long-term success. We also explore the importance of durable skills—adaptability, empathy, and leadership—that are critical in today's workforce. Hear why it's time to rethink conventional leadership methods and embrace new approaches to foster a resilient, connected, and effective team. Tune in on your favorite podcast platform for actionable insights from our experts, and discover how federal leaders can navigate the complexities of the modern workplace.      

    Ep. 182 Boosting Data Security and Cyber Resilience in Federal Health

    Jan 8, 2025 (59:02)


    This week on Feds At the Edge, we dive into the evolution of the Cybersecurity and Infrastructure Agency's Continuous Diagnostics and Mitigation (CDM) program in addressing the growing cyber-attack surface. Hemant Baidwan, CISO for DHS, OCIO, noted that Continuous Diagnostics and Mitigation is a comprehensive suite of tools and policies, with a key focus on understanding the attack surface and ensuring high data quality during deployment. John Schneider, Senior Systems Engineer, Axonius Federal, discussed the challenges inherent in managing IoT and OT devices for federal agencies, stressing interoperability and automation as best practices. Tune in on your favorite podcasting platform as we discuss the critical role of partnerships and inter-agency collaboration to enhance cybersecurity postures.

    Ep. 181 Boosting Data Security and Cyber Resilience in Federal Health IT

    Jan 2, 2025 (61:42)


    The U.S. healthcare system, which includes roughly 200 federal hospitals, is constantly at risk of, or under, cyber-attack. This week on Feds-At-The Edge we explore ways to improve security through basic controls like software updates and patching, with the conversation quickly turning to the importance of practical strategy. >> Developing a good data inventory: Full of IoT devices? Learn what to include for your expanded attack surface. >> Human Interaction: Learn the critical role humans play amid the new promises of AI. >> Contingency Plans: If your agency was attacked today with ransomware, would you be able to identify your critical data?

    Ep. 180 Automation as a Cybersecurity Resource

    Dec 18, 2024 (59:58)


    Managing vast amounts of data, reducing alert fatigue, and improving threat detection can all be accomplished with automation. This week on Feds At the Edge, we have three experts in automating cybersecurity response to provide guidance on best practices to deploy automation. They highlighted the need to establish a valid baseline for expected network behavior to identify deviations effectively, reducing false positives. Bob Costello, CIO at CISA, stressed keeping humans involved in the process, citing a recent incident where AI breached an organization and bypassed security features by defeating automation. Richard LaTulip, Field Chief Information Security Officer, Recorded Future, addressed resistance to AI in cybersecurity, warning that the overwhelming volume of attacks makes proper automation essential for staying competitive. Tune in on your favorite podcasting platform as we discuss how automation is essential but must be applied with caution and human oversight to ensure robust defense mechanisms.

    Ep. 179 How to Defend your Expanding Attack Surface

    Dec 12, 2024 (55:49)


    SaaS (Software as a Service) applications, due to their ease of launch and proliferation, have created a “perfect storm” for attackers, and a significant challenge for cybersecurity professionals. Organizations with over 1,000 employees typically use 150+ SaaS applications, often unmanaged, which expands the attack surface and poses a unique threat to entities like the federal government. This week on Feds At the Edge, we discuss where the threats may lie and give practical information on attempting to control this new threat vector. Mark Canter, CISO at US GAO, highlights the widespread lack of understanding about where data is used, emphasizing the importance of good data management practices. AI can play a pivotal role in systematically addressing this issue. Tune in on your favorite podcasting platform as we explore why organizations should maintain accurate inventories of SaaS applications, identify and manage shadow SaaS apps, and implement robust governance practices to secure and optimize their SaaS ecosystems.

    Ep. 178 Protecting Critical Infrastructure

    Dec 4, 2024 (59:04)


    Malicious actors are always looking for the “Easy Button” when it comes to breaching your system. This week on Feds At the Edge, we are revisiting our conversation on the protection of Operational Technology (OT), the critical hardware on premises. Traditionally separated from IT systems by air gaps, OT is now increasingly managed by IT departments due to the convergence of IT and OT. Few realize that OT has federal compliance regulations, just like IT. The real issue: should an OT systems administrator have to do repetitive work to comply with IT mandates? Marty Edwards, Deputy CTO, OT/IoT from Tenable, noted that he has seen up to 80% similarity between IT and OT compliance standards, prompting efforts to reduce redundancy.

    Ep. 177 Part Two: Considering AI as a Strategic Tool

    Nov 26, 2024 (28:17)


    This week on Feds-At-The Edge we explore AI used as a strategic tool, focused on risk mitigation, applications, and continuous user feedback. >> Risk Mitigation: Risks vary by application. Luke Keller, Chief Innovation Officer at US Census Bureau, highlighted using NIST guidelines, including bias reduction frameworks, to ensure ethical and accurate AI deployment. High-quality, diverse datasets are essential. >> Use Cases: Start small with proofs of concept to test limitations and risks. Ryan Simpson, Engineering Chief Technologist for the Public Sector for NVIDIA, recommended tools like Retrieval-Augmented Generation to develop use cases which work with limited data and are easy to evaluate. Early wins can allay some fears and can build confidence. >> User Feedback: Gathering user input during small test cases is crucial for refining and finding practical applications of AI in federal settings. Tune in on your favorite podcasting platform as we explore strategic, iterative approaches that foster safe and effective AI implementation.

    Ep. 176 Part One: Considering AI as a Strategic Tool

    Nov 20, 2024 (31:58)


    AI is just another tool in the technology market, only becoming a powerful resource when agencies learn how to best utilize it to reach mission goals.   This week on Feds-At-The Edge we explore several insights on deploying AI effectively for the federal government landscape.   Caroline Carusone, Deputy CIO for NRC, discusses AI's potential in identifying security risks and solving complex engineering challenges, like improving atomic reactor designs.   Luke Keller, Chief Innovation Officer at the US Census Bureau, explains AI's role in handling massive datasets, enhancing earth observation for accurate population counting, automating data ingestion, and metadata classification.   And Kurt Steege, CTO for ThunderCat Technology, introduces the concept of "multimodal AI," which processes data in multiple formats, broadening its utility.  Tune in on your favorite podcasting platform as the panelists stress the importance of reliable data, experimentation to explore AI's capabilities and limits, and defining specific use cases to use AI responsibly. They emphasized a strategic, ethical, and well-managed approach to AI deployment in federal agencies.        

    Ep. 175 Reprioritizing Mission Delivery and Zero Trust Security in SaaS

    Nov 13, 2024 (53:23)


    Software as a Service (SaaS) is incredibly enticing with its ease and affordability. However, despite the heavy lifting being done for you, the responsibility of protecting your data and network remains in your hands. This week on Feds-At-The Edge we sit down with Eoghan Casey, VP of Cybersecurity Strategy & Product Development for Own Company, who highlights essential security practices for agencies using Software as a Service (SaaS). >> Understanding data visibility: what's sensitive and what's not. >> The importance of continuous monitoring and backing up your systems on a regular basis. >> Scheduling regular tests to ensure you know how long it will take you to identify, mitigate, and recover from an attack. Tune in on your favorite podcasting platform today to get the inside scoop from Eoghan, including his thoughts on where AI and machine learning have a role in your SaaS environment.

    Ep. 174 How to Succeed with Zero Trust and AI, Look to Cultural Change

    Nov 7, 2024 (58:22)


    If you've tuned in before, then you've heard the three magic words: people, process, technology. While technology often takes the spotlight, there's a reason why “people” come first. This week on Feds-At-The Edge we explore the cultural shifts agencies are prioritizing to achieve zero trust. Jothi Dugar, CISO at NIH's Center for Information Technology, emphasizes the age-old advice that communication is key. Federal leaders should speak a language all stakeholders understand, and responsibility should be placed in the hands of the many and not the hands of the select few. We'll also explore the benefits of collaborative group environments where everyone contributes to change. Matthew Posid, a Principal & CSO with KPMG, shares how real-world zero trust examples can help technical leaders buy in. Tune in on your favorite podcasting platform to hear more about the importance of continuous learning, experimentation, and collaboration to navigate these complexities.

    Ep. 173 Using Micro segmentation to ease the Weight of Compliance

    Oct 31, 2024 (57:44)


    Zero Trust is based on precisely understanding what is on your network and then assigning permission to an entity based on that knowledge. The first step is to see all the nooks and crannies on the network. Systems are burdened with mountains of data, compliance standards are changing, and systems are under attack. Today's discussion shows how micro-segmentation is the correct approach to accomplishing Zero Trust. Rob Thorne from ICS states that systems are so complex that connections can exist between services without the knowledge of the system administrator. He argues that micro-segmentation will show you these hidden connections. Further, these connections can be constantly refined, and any management system must be able to adapt and scale simultaneously. Like everything, machine learning and artificial intelligence can be used to learn what is on the system and then micro-segment the network. The panel agreed that micro-segmentation is crucial for Zero Trust, enhancing security and compliance. They also discussed the role of AI and machine learning in improving network security.

    Ep. 172 DoD Embracing Continuous Monitoring

    Oct 23, 2024 (59:24)


    Software developers first produced the concept of continuous software development; the staggering increase in cyber-attacks has forced federal technology leaders to adopt the idea of “continuous” protection. This is a discussion in which subject matter experts provide guidance for transitioning from the basic “Authority to Operate” snapshot in time to a “Continuous Authority to Operate.” The discussion began with describing tools for continuous monitoring and moved on to threats from the supply chain. Col. Bryan Eovio from the U.S. Marine Corps stated it was valuable to establish a baseline to compare against. That way, discrepancies can be noted and examined. He went on to observe that users may have misplaced confidence in newer, low-code, no-code solutions. They have vulnerabilities as well. Major Ben Hunter, US Army Software Factory, remarks that the sequence is to first reach ATO, then an extension can be the Continuous ATO. One metric for success in a continuous environment can be how quickly you can apply security patches and then recover. The importance of good partnership between the public and private sectors was stressed. That way, users can take advantage of a wide range of solutions.

    Ep. 171 Focus on Cyber Resiliency

    Oct 17, 2024 (58:42)


    Your agency will be attacked. Even if we look at the most conservative estimates, a company like Statista shows 32,211 attacks on federal agencies in 2023. The conclusion is obvious: you will be attacked and must have a way to remediate the problem. Today, we sat down with three experienced cyber professionals to hear suggestions on improving federal cyber security resilience. Russel Marsh from the National Nuclear Security Administration observes that federal employees may work 9 am to 5 pm every day, but malicious actors do not. The best practice here is to have a checklist of what to do in an “off-hour” emergency. As part of a resilience strategy, focus on device and asset attribution, as well as the ability to discard certain devices. Conduct tabletop exercises and simulations to assess incident response and communication processes. Flexera's Dylan Hudak has seen federal systems with unsupported applications still on them. Visibility and proper software lifecycle policy can remedy easy problems like this.

    Ep. 170 Election Security: Protecting the Foundation of Democracy

    Oct 10, 2024 (57:59)


    Today, we sit down with state election officials from Pennsylvania, Florida, and Georgia. We add a subject matter expert to the mix, and the result is that listeners will get a fantastic overview of challenges, solutions, and places to get more information on election security. Challenges: Of course, we have the “usual suspects” like disinformation and denial of service attacks. However, in today's world we have much more to concern ourselves with. Election officials have been physically threatened and many are leaving their jobs. This has caused a situation in Pennsylvania where 2/3 have left jobs. As a result, we have new people. Solutions: One of the simplest to implement and most cost effective is to have tabletop exercises. If there is an issue, who do you call? If an unanticipated attack occurs, who do you contact? Funding sources like the Help America Vote Act were highlighted, and the necessity of testing systems and maintaining cybersecurity was underscored. In addition, NIST and CIST offer an amazing amount of help. Some of it is specifically directed to election officials.

    Ep. 169 How Digital Playbooks Propel Federal Modernization

    Oct 1, 2024 (57:58)


    We live in a confusing digital world with rapid change and constant attack. One approach to guiding federal technology leaders through this experience is to have a common approach to transitioning to a digital world. Some call this a “Digital Playbook.” The value of a digital playbook is that it can be customized for each situation. Each agency has a unique risk profile and response to events.  For example, if there is a breach that includes personal information, what is the responsibility of the systems administrators? Digital playbooks can include an architecture to help design a complex application environment like the hybrid cloud. They can also include best practices for designing user interfaces for outward-facing sites and employees. AI is an essential part of a digital playbook. This will include ethical approaches, bias training, and securing good data. Admiral Bartz mentions DHS has recently hired its first ten experts in the AI Corps to explore ways AI can increase security and reduce system costs. The online seminar discussed the integration of digital playbooks in federal modernization, emphasizing the blend of people, processes, and technology.

    Ep. 168 Metrics that Matter for Critical Infrastructure Cyber Resilience

    Sep 24, 2024 (59:16)


    The Colonial Pipeline incident in 2021 has acted as a call to action, showing that critical infrastructure can suffer attacks. Today, we look at lessons learned and how to improve cyber resilience. One main takeaway is that the government provides resources and support for smaller entities. Cheri Caddy mentions a wide range of organizations that can help. She includes the “usual suspects” like CISA and NIST, but she goes beyond. She suggests that private companies develop relationships with local FBI offices to know what steps to take in case of an emergency. Brendan Peter from Security Scorecard highlights the importance of continuous risk assessment. One essential element in this process is evaluating the impact of policies. In other words, has the policy reduced cybersecurity risk at all? This discussion reflects the federal and commercial response to a major infrastructure incident.

    Ep. 167 Making Progress in the Incident Response and Reporting

    Sep 19, 2024 (54:42)


    When a network system is attacked, analysts return to the logs and look for an event. This is a powerful method for understanding how the attack happened, as well as for informing other organizations of the attack. As a result, logging is crucial, but it has some hurdles. These include lack of staff, poor existing systems, and limitations on sharing sensitive information. When you take those challenges and add complex hybrid systems and a flood of data, we can have a major security issue. During the interview, we learned ways to overcome event logging challenges. Tate Jerussi suggests the importance of prioritizing critical logs and leveraging existing tools. Derek Lawson agrees and adds that agencies should look to guidelines like the ATT&CK framework from Mitre. In sum, the discussion reinforces the idea of embracing OMB 2131 as a logging standard and using frameworks like the ones provided by Mitre.

    Ep. 166 Mobile Security - a Requirement for National Security

    Sep 11, 2024 (57:16)


    COVID has made the workforce remote; phones have enabled that transition. Unfortunately, one result of this transformation is your phone is now part of the attack surface. After you listen to this interview, you will never look at your phone again in the same way. You will learn that your phone is packed with vulnerabilities. You can have apps on your phone that are sending data back to China without you doing a thing. This may give an individual a security concern, but what if you work for the federal government? It is not just the phone. Malicious actors are taking sites by cybersecurity companies and copying them down to the pixel. From there, a harried phone user sees a site that appears to be valid and exchanges identity information. Today we have a couple of experts on securing mobile devices. They review ways to protect applications, maintain operating systems, and suggest ways to train people to resist web-based attacks.

    Ep. 165 Cloud Architecture Matters: Improve Cloud Security by Writing Natively to the Cloud

    Sep 5, 2024 (62:48)


    The transition to cloud computing by federal agencies has highlighted the importance of security, especially as sensitive federal assets are now in hybrid environments.   This week on Feds At the Edge, leaders from federal and commercial sectors focus on improving security within the complex cloud environment. When code is written with the cloud in mind, applications can be moved easily, updates can be mastered, and systems architects can leverage many aspects of the cloud that are missed with an old “lift and shift” approach.   Dave Hinchman, Director, Information Technology and Cybersecurity for US GAO, coined an aphorism, “Documentation is easy, implementation is hard.”  Tune in on your favorite podcasting platform as participants discuss how to leverage cloud-native code and avoid the mishaps that plagued others.     

    Ep. 164 Election Security: Protecting the Foundation of Democracy – AI can Boost Election Integrity, if Done Correctly

    Aug 28, 2024 (58:46)


    In this week's episode of Feds At the Edge, we are talking about US elections, from observations about challenges seen in previous elections to best practices to ensure a safe and fair election process. We'll explore sources of help for election officials, like utilizing CISA, local associations, and the US Election Assistance Commission. We also touch on critical areas like cybersecurity, communications, and physical security. Mark Earley, Supervisor of Elections for Leon County, FL, shares how election professionals should be aware of phishing vulnerabilities as they honor the responsibility of answering citizens' emails. Tune in on your favorite podcasting platform today to hear this and more, and learn how you can get involved.

    Ep. 163 Zero-Day Chronicles: Lessons from the Front Line

    Aug 19, 2024 (17:51)


    People imagine large organizations such as the Department of Transportation when they think about who needs to utilize Zero Trust. What they don't realize is that a smaller entity can make for a profitable attack, even a gateway to those larger targets.   In this week's Feds At The Edge podcast, Nick Graham, Senior Technical Sales Engineer of Civilian Sales from Raven Tek offers some solutions that smaller institutions should prioritize in their transition to a safer cybersecurity posture.  >> Multifactor Authentication – How this framework for larger organizations can move to eliminate many security problems  >> Staffing limitations – A look at those challenges of limited budgets and cost-effective ways to manage services.   >> Training, training, and training- Recognizing potential attacks in your company inbox. Tune in on your favorite podcasting platform to hear Nick's practical solutions for smaller organizations to enhance their security posture.  

    Ep. 162 Zero Trust: Protecting both Data and Identity

    Aug 15, 2024 (59:41)


    When the federal government makes a strategic decision to implement Zero Trust principles, it must consider both user identity and the data users are trying to access. Today, we have leaders in the federal and commercial sectors look at both data and identity and emphasize the need for centralized coordination, automated labeling, and real-time access control through Identity Management. Brian Rosensteel from Ping Identity argues that some kind of “federated” identity management system is the most effective for federal identification. Each agency really cannot be responsible for responding in a timely manner given the details that Zero Trust demands. Access controls have been around since the start of networks. During the discussion, participants gave opinions on the value of both access-based and role-based access controls. They also suggested that “context”-based access controls may provide additional abilities for systems administrators to improve real-time access controls.

    Ep. 161 Unlocking Your Agency's Data Treasure Trove with Large Language Models

    Aug 8, 2024 (56:17)


    Today's experts agree on the potential of Large Language Models (LLMs) in government agencies. Some benefits include improved knowledge management and a reduced burden on tedious tasks. Andres Perez from the CMMC hits the nail when he states that an organization may have data that can answer questions they did not know existed. The CMMC has put together a large Knowledge Management Platform that assists federal professionals in accessing information. Many federal agencies have sensitive data that they would like to generate insights from, but not have it exposed in an insecure manner. One method to do this ethically is to create “synthetic” data sets where conclusions can be drawn while never compromising personally identifiable information. Rather than thinking LLMs are the end answer, many subject matter experts comment that AI and LLMs should be viewed as extensions of human abilities. Chris Roberts from Quest states that this technology should be viewed as an augmentation to strategy, not a replacement. Developments in using AI to derive information from LLMs are changing rapidly. In addition to policy on data security, Don Wildner from BAE suggests that federal agencies may have to organize new policies on how to ethically create a prompt. Some may be allowed, some not.

    Ep. 160 Protecting the 2024 Elections: Be Prepared for Anything

    Aug 1, 2024 (55:43)


    People have disputed the 2020 presidential elections for four long years. Today, we look at best practices to ensure the 2024 presidential election is safe and accurate. We have leaders from two states and the well-respected Jim Richberg from Fortinet, who all contribute to this discussion. The speakers focused on the need for robust cybersecurity measures and a strategy to respond to cyber threats. They also emphasized the need to have strong partnerships with the private sector. Lester Godsey explained that the integrity of elections has a relationship with social media. Comments on social media may not technically be a cyber-attack; however, if these imagined activities are believed, that can impact the voter's predisposition to vote. He goes on to state that there must be a communication system between the cyber professionals and staff to respond to this wide range of integrity threats. He suggests tabletop exercises for all members of management so they are able to communicate verified facts about the election process. Jim Richberg talks about various levels of confusion. He refers to Misinformation, Disinformation and Malinformation. Any one of these can cause the perception of the election to be altered. Today's election process includes temporary workers and volunteers. As a result, consideration must be given to internal threats as well. One must look at anomalous behavior from everyone in order to see if they are taking advantage of the election environment.

    Ep. 159 Overcoming Legacy Infrastructure Through Digital Transformation

    Jul 25, 2024 (60:00)


    To achieve a successful digital transformation in your organization, it's essential to consider the users.  This week on Feds At the Edge, we have gathered leading experts from City of Brownsville, TX, Delaware Department of Technology and Information, California Department of Technology, City of Roseville, CA, and Equinix who share valuable insights into making meaningful changes in their respective organizations.  Focus on User Experience: when you prioritize user experience, you make them feel included and they become more willing to transition.   Effective Communication: clearly communicating with staff about the project's vision and each person's responsibilities, helps staff feel part of the process and understand the tangible benefits of the new implementation.  Engagement and Benefits: by focusing on the people engaging with the change, ensuring that users see real benefits and feel involved in the process.   

    Ep. 158 Data and AI Top Trends Shaping Government in 2024

    Jul 17, 2024 (57:27)


    ChatGPT has made AI a household term; citizens can quickly gather useful data, such as the best places to travel through Italy. But how are agencies using artificial intelligence technologies when it comes to larger and more serious topics, such as nuclear weapon distribution? This week on Feds At the Edge, we have gathered leading experts from the FDA, National Cancer Institute and ICE who share their thoughts as agencies focus on data integrity, evolution of AI and the importance of training. >> Utilizing use cases, particularly when you are gathering data from life-and-death cancer studies. >> Allowing artificial intelligence to provide the basics so you can focus on higher-priority issues. >> Understanding the human value: combining skill expertise to maximize the impact of what AI has provided. >> Importance of training, from new users to re-skilling the current workforce, especially when it comes to shifting legacy systems to keep up with modern needs.

    Ep. 157 Zero Trust Needed to Win the Cyber War

    Jul 10, 2024 (67:16)


    Zero Trust has revolutionized the way agencies everywhere are securing their networks, and this week on Feds at the Edge, we talk with titans in the field, including John Kindervag, Chief Evangelist with Illumio, who in 2010 coined the phrase “zero trust model.”  We delve into this stricter cybersecurity program where identity leads in the guideposts in defending today's cyber landscape.  Dr. Robert Roser, CISO with the Idaho National Laboratory agrees, “Without identity, nothing else matters.”     We also discuss the larger-than-life landscape that agencies are tasked with protecting. Sean Connelly, Federal Zero Trust Architect with CISA reminds listeners, while most know the big three cloud providers, there are over 300. Limiting our understanding to “the main and the plain” could lead to trouble. La Monte R. Yarborough, Acting DCIO, CISO and Executive Director, Office of Information Security, HHS, shares HHS is tasked with protecting 1200+ networks every day.        

    Ep. 156 How state and local governments can secure unstructured data.

    Jul 3, 2024 (59:38)


    According to TechCrunch, 2024 has already seen one billion stolen records and is still rising. In today's discussion, we learn ways state and local organizations can secure unstructured data. KINDS OF DATA Enterprise architects like to sit in front of a whiteboard and design a network with data all nicely arranged in columns. This is great for optimizing for retrieval from large databases. According to Jimmy Rogers, up to 90% of the data he sees is unstructured. This “unstructured” data comes from sensors, CAD design, satellites, and body cameras. One way to view this data is it is not in a column but in a workflow. Beginning with knowing how to manage unstructured data is key to keeping it secure. STRATEGY Terry Berttinger from Ohio has a simple, but effective strategy to protect data. Make sure a person owns that information. When that happens, people develop pride in working on efforts to make sure that data is not arbitrarily assigned and is stored in the appropriate place to secure it. SMALL BUDGET All participants understand the limitations of a state budget. However, Todd Holler suggests that a systems administrator can make simple changes like hardening Active Directory which can have a major impact. Further, CISA is gaining a well-won reputation for assisting state and local organizations by providing free information, checklists, and advice to secure unstructured data. Finally, one of the participants was willing to share that his system was compromised. Transparency is the only way to help other organizations see what they can do to secure systems.

    Ep. 155 Protecting Critical Infrastructure Requires Robust Partnerships.

    Jun 25, 2024 (59:11)


    Today, we look at protecting critical infrastructure called Operational Technology (OT). One might think, what does a sensor in a water filtration plant have to do with my servers? OT can be considered as hardware on premises. Some of it is old, and it is quite expensive to update. For years, IT leaders did not have to worry about security because IT and OT were separated by air gaps. However, today we see a convergence where the IT department is being placed in charge of protecting both IT and OT. The first challenge to overcome is discovering what is on your network. We are looking at physical devices, virtual devices, and virtual devices in the cloud. Inventories need to be tracked, and some will argue the cloud will make IT/OT systems easier to configure in an automated fashion. During this interview, compliance is a topic that is discussed in depth. We all know about IT compliance like NIST 800-53; few realize that OT has federal compliance regulations as well. The real issue: should an OT systems administrator have to do repetitive work to comply with IT mandates? Marty Edwards from Tenable remarked that he has seen up to 80% similarity in compliance standards. As a result, today, committees are meeting to make sure they can eliminate redundancy in compliance for OT vs. IT. Malicious actors are always looking for the “Easy Button” when it comes to system penetration. If federal leaders aren't careful, remote sensors can provide a launch pad for the next cyber event.

    Ep. 154 Boosting Cybersecurity Power for State, Local Government & Education

    Jun 18, 2024 (58:30)


    In professional baseball, the team with the biggest budget does not win all the championships. Today, we look at ways to boost your cyber defensive skills with a limited budget. We must start with a state government that seems to “get it” when it comes to cybersecurity. James Weaver documents the thoroughness of their prevention system, which includes a Joint Cyber Task Force. This may be a model for other states with funding, but he admits much can be accomplished by leveraging federal initiatives and taking advantage of training programs. THE FEDS Eudora Fleishman from Fairfield City California refers to programs provided by the Cybersecurity & Infrastructure Security Agency (CISA) for local communities. The link will give your local government and education institution guidelines, working groups, and more. Eudora documents that CISA will help your organization make a presentation for funding. https://www.cisa.gov/resources-tools/groups/state-local-tribal-and-territorial-government-coordinating-council TRAINING James Weaver from North Carolina had a poignant quote about cybersecurity training, “it is more vocational than high education.” He casually mentions that, just in the state of North Carolina, they have 21,000 job openings in cyber. The fact of the matter is that we have a serious gap in people who can administer and defend systems. Many Human Resources Departments demand a four-year degree and eight years of experience. That kind of inflexible thinking will delay any proper way to address the cyber crisis we are facing. HELP The subject matter experts all agree that one key part of preparation is partnering with commercial organizations that have the experience to prevent a cyber-attack. The episode has an obvious conclusion: local governments and educational institutions can take advantage of offerings to make up for lack of cyber security funding.

    Ep. 153 After an Attack: Cyber Recovery Best Practices for State and Local Government

    Jun 11, 2024 (58:49)


    Mike Tyson famously said everyone has a plan until they get punched in the face; what is your plan if you are hit with a cyber-attack? What does recovery look like? Today, we have a brutally honest conversation about a topic nobody wants to address: the step-by-step process of recovery from a cyber-attack. Solomon Adote frames the discussion by saying that attacks can compromise the management of hypervisors. As a result, the best practice here is to isolate the hypervisor to establish virtual domains and firewalls that you know are safe. James Thurmond has an insightful suggestion to set up an isolated account. He takes the common phrase “Break in Case of Emergency” and applies it to setting up accounts only used in an emergency. He calls this a “break glass” account that will give a systems administrator a starting point for recovery. All the subject matter experts suggest tabletop exercises. These allow individuals to set up playbooks that include telephone numbers and action steps in case of an event. One key component of one of these playbooks is an accurate assessment of your assets. You must know where all your assets are located. All these must be documented. Danny Page from Rubrik takes it to the next level. An attack may exfiltrate data of which you are not aware. Because of this, a systems administrator must have an accurate scope of the reach of the attack. A balance is needed between prevention and recovery skills for all systems with sensitive data.

    Ep. 152 How to Fight Threats to the Software Supply Chain

    Jun 3, 2024 (60:17)


    The federal government is playing a game of cyber whack-a-mole. When networks are hardened, malicious actors go after endpoints; then Endpoint Detection & Response systems evolve. When endpoints are secure, the apps get attacked. Today, we have a group of experts looking at sophisticated attacks on federal apps and APIs. The first line of attack is to make sure the database of code libraries is authenticated to be safe. Around 2018 the concept of a Software Bill of Materials became popular. This would ensure safe code at one point in time. However, as Jerry Cochran points out, the SBOM concept is weak because of the constant change of code that is taking place. The static concept of “safe code” is altering with updates and new compliance changes. Peter Chestna from CheckMarx points out that even if an issue is detected, the remediation process can be cumbersome and time-consuming. Artificial Intelligence has been shown to detect vulnerabilities in this dynamic code. Unfortunately, the attackers also have access to AI and have used it to search for weaknesses. When a cyber professional examines code, they frequently use a signature-based approach. During the interview, Nate Fountain suggests that a better approach is to use behavior analytics. That way, a federal leader can have compromised code, but it cannot exfiltrate data because it does not have permission. The battle is still continuing; recent reports indicate that 41% of attacks are on the next level: the API itself.

    Ep. 151 Using Data to Fortify Network Defense

    May 29, 2024 (54:46)


    Years ago, anti-virus software updates were sent on floppy disks in the U.S. Mail. Today, the attack surface is so large, we need continuous diagnosis and mitigation (CDM). Legacy solutions like Security Information and Event Management (SIEM) would isolate data to point solutions. Andrew Manos suggests that if you consider today's volume, the only way to handle it is to centralize data. Today, we have experts sit down and discuss how to take this CDM concept and deploy a solution for federal agencies. The discussion opens with best practices for a transition to CDM and follows with some guidance for the transition. After gaining an understanding of what is on a network, it is recommended to start experimenting in order to evaluate innovative technologies rapidly. This process will need a workforce that is more flexible than in the past. Data surges have caused agencies to seek solutions to this vexing problem. One way to break this bottleneck is with the cloud. James Scobey observes the cloud allows data to be managed through an API that can go across environments. Once a mature approach to CDM is viable, then advanced considerations like sharing data with other agencies can be considered.

    Ep. 150 Hard Truths of Data Security in the Public Sector

    May 22, 2024 (56:11)


    Every reader has heard the phrase, “Lulled into complacency.” One may have completed a checklist and can sit back and feel secure. It can be a false security. Today's explosion of data and reliance on compliance has led to a situation where federal agencies can be subject to attack from a vector that was not anticipated. The Zero Labs report from Rubrik shows how much data has grown: Data: 25% growth in data year-over-year for most organizations; Cloud: 61% growth in cloud; SaaS: 200% increase. This growth is detailed in statistics from data.gov. They state that 250,000,000 data sets are being used by the public sector. The bad news: generative AI will create more data. Best practices to steel yourself against attack include identifying where the data is stored, prioritizing what to protect, and collaborating with humans to determine who has access and when. Travis Rosiek from Rubrik explains how he was working with an agency in a backup capacity. When they tried to determine what to back up, they discovered sensitive data where it should not be. All agencies have a limited budget for data protection. Travis Rosiek recommends finding the most sensitive data and prioritizing protection there. Malicious actors know the vulnerable moments in a large organization: when someone leaves, weekends, and holidays. Managers should consider covering aspects of security when these events present themselves. One entertaining “human” problem Travis Rosiek reveals is hoarding data. Simply keeping data for eternity can open a federal agency to malicious actors who have hidden attack codes in the data. The lesson: move beyond compliance and think strategically about how your agency will get attacked.

    Ep. 149 How Agencies can Adopt AI Swiftly and Securely

    May 16, 2024 (59:07)


    By now, we have seen demonstrations of Artificial Intelligence summarizing content and even producing images. These are all great YouTube videos for a rainy Saturday afternoon, but what about the work of the government? With AI, one must begin with the data. When it comes to explaining how to leverage the petabytes of information, Karen Hall has a memorable quote. “Generative AI can unlock the knowledge trapped in data.” Her four guidelines for releasing this information are: make sure the data is authoritative; enable connectivity to other systems; be aware of data standards; use AI in a responsible manner. AI requires mountains of data to see patterns and help humans make conclusions. Government agencies may have sensitive information in their data stores, making it difficult to assemble meaningful data stores. Dr. Travis Hall from NTIA suggests that you can use AI to protect personal information. AI can be used as a privacy enhancing technology by being able to obfuscate data so trends can be seen to save money and speed up operations. Our expert from California, Hong Sae, provides many ways AI can assist government functions. He lists predicting traffic patterns, locating potholes, voice analytics customer service, gunshot detection, and predicting crime patterns. It is the early days of applying AI in a fast and secure manner. This discussion gives listeners the basic building blocks for success.

    Ep. 148 AI can set a new standard for customer service.

    May 8, 2024 (55:53)


    Everyone wants to pick up the phone and quickly get a human who has an immediate, correct response. On the other hand, government institutions are characteristically understaffed and underfunded. The challenge is to apply modern technology to improve customer service within the allotted budgetary constraints. Amanda Nabours suggests that an answer that is one hundred percent correct must begin with the data used to provide answers. Data stores must prevent bias, and privacy must be protected. Right now, her agency is in an exploratory phase, but she notes that one key aspect of a successful deployment must be training employees, before a rollout, on what to expect when AI is relied upon to provide answers to citizen questions. Google's Tony Orlando expands on the robust nature of adding AI to citizen experience. He details how AI can improve the speed of response, automate reporting tasks, provide a more personalized experience, and even reduce fraud. During the interview Tony Orlando expands on six models to improve citizen experience, everything from improved reporting to optimizing traffic. This may be a great practical application of AI for government.

    Ep. 147 Challenges of Continuous Compliance with a Remote Workforce

    May 2, 2024 (60:39)


    Compliance is difficult enough in an air-conditioned data center; taking this essential concept to an austere geography that has spotty communications, with the potential of bullets flying, makes it almost impossible. This disruption of communication has a new term, Denied Disconnected Latent, or DLL. When communications are restored, systems still must maintain compliance standards. Today we get some perspectives on how to manage this arduous task. From a design perspective, an agency may have a process where the developers who deploy the application may not be the ones who make end points secure. As a result, a process must be worked out where the apps are updated and the security process for the end points is systematized as well. Jay Bonci from the U.S. Air Force describes how compliance can be checked during a regular maintenance process where central compliance information can be transferred to the field. Nigel Hughes from Steel Cloud shares that today, many systems administrators are executing this update through a set of tools. This manual process may have been tolerated with a few end points; today there is such a profusion that automation is needed. In a perfect world, one can scan assets, determine policy posture, examine apps, browsers, databases, and baseline. If there is a drift, they can be snapped back into compliance. For more details, listen to the discussion because it delves into federated vs. centralized compliance and the theoretical debate over defining an end point in a world of platform-as-a-service.
