zero trust Archives | FedScoop
https://fedscoop.com/tag/zero-trust/

FedScoop delivers up-to-the-minute breaking government tech news and is the government IT community's platform for education and collaboration through news, events, radio and TV. FedScoop engages top leaders from the White House, federal agencies, academia and the tech industry both online and in person to discuss ways technology can improve government, and to exchange best practices and identify how to achieve common goals.

Wed, 22 May 2024 01:07:39 +0000

Google earns FedRAMP High authorization for more than 100 additional commercial services
https://fedscoop.com/google-earns-fedramp-high-authorization-for-more-than-100-additional-commercial-services/
Wed, 22 May 2024 12:01:00 +0000

The additional services include many that are most in demand for government customers, like AI, zero-trust security, and data and analytics tools.

More than 100 Google commercial cloud services recently received FedRAMP High authorizations, including its Vertex AI platform and other artificial intelligence capabilities, the company announced Wednesday.

Google has several services — as well as its underlying commercial cloud infrastructure — that have previously received FedRAMP High authorizations. But with this latest spate of authorizations, the company adds many services that are in demand for government customers, like AI, zero-trust security, and data and analytics tools.

In an interview with FedScoop ahead of the announcement, Leigh Palmer, vice president of technology, strategy and delivery for Google Public Sector, said this not only gives federal civilian agencies that work with highly sensitive data sets — like those in health care, law enforcement, finance and emergency response, among others — a long list of new tools to work with, but they’re also hosted in a commercial environment, which she said comes with added benefits.

“These are certified on our commercial cloud, not a separate [government-specific] cloud instance,” Palmer said, referencing the model some cloud vendors have used to create separate cloud enclaves limited only to government work for security reasons. “Which means that you have the full capability of commercial cloud, right? More regions, more elasticity, more data, compute, storage, etc.”

That’s particularly important, she said, as the Office of Management and Budget in draft guidance issued last fall pushes to modernize FedRAMP — short for the Federal Risk and Authorization Management Program — with more of a focus placed on agencies using commercial cloud services instead of the government-specific offerings.

“Instead of having physical separation, we have logical separation [through] encryption. So we can run the same workloads on our commercial cloud without having to have that physical separation,” Palmer said. “Whenever you have to do that, it’s going to be difficult to keep parity across the environments.”

On top of that, the compute-intensive tools — such as AI — that more and more agencies are beginning to use will stand to benefit from the scale of commercial cloud, she added.

“As you look towards AI and things that are going to require, you know, heavy, massive amounts of compute, it’s going to be much more cost-effective and easy for our customers to do that in a commercial cloud than in [a government-specific] environment,” Palmer said.

On the topic of the federal government’s recent work to modernize FedRAMP, she added that Google is “really optimistic and encouraged by the modernization changes that are happening at FedRAMP.”

“At the end of the day, I think what we all want is more capabilities in the government’s hands faster” and done so safely, Palmer said.

The new authorizations come after Google Public Sector last month announced that defense and intelligence agencies were approved to use Google’s air-gapped cloud platform, Google Distributed Cloud Hosted, to process top-secret workloads. Palmer called the achievements “complementary” to one another, and added that Google is continuing work to add more services that meet the Department of Defense’s IL-5 compliance for some of its most sensitive but unclassified workloads.

Agency CISOs aren’t sweating a looming zero trust deadline
https://fedscoop.com/federal-agencies-zero-trust-deadline/
Fri, 17 May 2024 16:21:30 +0000

Security chiefs at OPM, Interior and USCIS reflect on budgetary and cultural challenges ahead of a Sept. 30 due date to implement zero trust architecture.

Federal agencies are up against a fast-approaching deadline on a slew of cybersecurity standards, but the security chiefs responsible for hitting those marks feel relatively optimistic about the Biden administration’s goal to implement a so-called “zero trust” model for IT systems. 

During panel discussions Wednesday at the Scoop News Group-produced Amazon Web Services Innovate Day, chief information security officers downplayed the Sept. 30 deadline on targets called out in the Office of Management and Budget’s zero trust architecture strategy, expressing both confidence that they will hit the goals and readiness to turn the page on the January 2022 memorandum. 

“The status of OPM zero trust is pretty darn good,” said Office of Personnel Management CISO James Saunders. While there’s work to be done at OPM on the data pillar of the Cybersecurity and Infrastructure Security Agency’s zero trust maturity model, Saunders said that “overall, I think we’re on track and on target to hit the end of this fiscal year goal.”

The Department of the Interior — and its 11 bureaus and eight offices — may not have had quite so smooth a path, but CISO Stan Lowe said the agency is in a good position with its adoption of “practical zero trust.”

“We’re always going to live in a hybrid environment where I’m going to have legacy applications,” Lowe said. “It’s an ongoing, continuous thing. It’s not a destination, it’s a journey, because technology is going to change.”

The “ongoing” nature of meeting the White House’s zero trust benchmarks was on display at Interior with its work on implementing phishing-resistant multifactor authentication — a callout under the identity pillar of the strategy. 

When Lowe, a Federal Trade Commission and Veterans Affairs alum, took over as Interior’s CISO in 2023 after several years in the private sector, he was greeted by “a lot of legacy stuff … floating around the department.” He quickly discovered that what worked for one bureau might not for another — at least in those early stages of MFA adoption.

“The requirement says ‘phishing-resistant MFA.’ Well, that wasn’t necessarily possible [for some offices], so my position on that in the beginning, until we got to the point, was any MFA is better than no MFA,” Lowe said. 

Tackling the zero trust architecture pillars has been filled with trade-offs and shifting strategies of that kind for agency CISOs. Saunders, for example, said funding was the “biggest challenge” for OPM early on, especially coming off an August 2021 OMB memo on logging that “did not come with extra money” for agencies.

A $9.9 million investment from the Technology Modernization Fund to OPM in September 2021 ultimately proved to be a game-changer in fueling the agency’s zero trust work.

Still, a lesson in budgeting and prioritization was learned. “For a lot of these new cybersecurity investments, we need to engage with our business [counterparts] because TMF is only going to support us for so long,” Saunders said. “And that’s a continuous conversation; continuous engagement was not something that was necessarily a strong suit of the cybersecurity organization at the time.”

Shane Barney, CISO at U.S. Citizenship & Immigration Services, described zero trust as “the world’s biggest unfunded mandate for a lot of organizations.” That changed for USCIS when “all of [the Department of Homeland Security’s] different director heads” got in a room and “actually prioritized it first — and it’s not a small amount of money,” Barney said.

“They recognized the connection between security and the business being successful,” he said, adding that zero trust essentially amounts to good “cyber hygiene.”

For any CISO given a mandate to implement agency-wide technical change, internal cultural resistance is a frequent roadblock. Lowe joked that the security organization within Interior has a reputation of putting “the ‘no’ in ‘innovation.’”

But Lowe is entering the zero-trust sprint to the end of fiscal 2024 feeling “pretty optimistic.” After Interior weathered the Ivanti VPN vulnerability earlier this year, the veteran CISO said he’s ready for whatever comes next in the federal government’s cybersecurity journey.  

“Having worked in organizations that are fully zero trust and having gone through that journey with those organizations, I know this is possible,” Lowe said. “It’s just gonna take some intestinal fortitude and some hard decisions along the way to be able to get this done.”

Federal cyber leaders proceed with caution on AI as a defensive tool
https://fedscoop.com/federal-cybersecurity-ai-threat-protection/
Wed, 08 May 2024 16:46:23 +0000

Agency IT leaders warn of the technology’s tendency to bring in bad data, underscoring the need for “risk-based approaches” and human involvement.

Three years ago, chief information security officers couldn’t go anywhere without hearing about zero trust. Today, artificial intelligence is the defensive measure du jour for those same government IT leaders. 

With a healthy dose of skepticism formed through years of protecting digital infrastructure from advanced threats, many federal cybersecurity practitioners have significant concerns about AI, viewing it as a technology that needs corralling. That’s especially true for large language models and other data sources, they say. 

“It’s garbage in, garbage out,” said Paul Blahusch, CISO for the Department of Labor. “If our adversary can poison that data, well, we’re going to start getting the wrong information back out from our artificial intelligence. It’s going to say, ‘Day is night, night is day. Black is white, white is black.’ And are we going to just take that and say, ‘Oh well, that must be what it says because the AI said so?’”

Speaking during an Advanced Technology Academic Research Center webinar last week, Blahusch and other government and industry cyber experts painted AI as a technology that’s not entirely new, having found itself in the cultural zeitgeist thanks to ChatGPT. But it’s one that can and will be put to better use.

“I’m sure that my … antivirus [software] has been using some form of AI and machine learning for a long time,” Blahusch said. “The whole idea of artificial intelligence within cyber tooling has been there for a while — all our threat intel types of analyses use some of that. But we can certainly take it to the next level.”

That next level should come in the form of reducing burdens on the federal cyber workforce, Blahusch said. When it comes to data analysis, those employees can focus on “higher-value work” if AI systems are positioned to handle the rest. 

“I don’t have all the resources to have 100 people looking at streams,” he said. “I need technology to help me with that and have my limited number of people do the things that human beings need to do.”

Jennifer R. Franks, director of the Government Accountability Office’s Center for Enhanced Cybersecurity, Information Technology & Cybersecurity Team, acknowledged during the panel that she’s “not really an AI enthusiast,” but as a cyber professional who also works in privacy and data protection, the technology is “here to stay.” 

New uses of automation in government work are necessary given staffing shortages, but humans will still play a critical role since emerging technologies like AI also bring on additional vulnerabilities, she said. 

“We can’t be naive to the risk-based approaches that we have to take, making sure that we still have human decision-making. You know that is going to help us in managing some of the complexities,” Franks said. “We have to make sure that … we’re managing some of the controls around the tools and technologies and the machine learning aspect of the codes that are going into the algorithms, [so they] are not compromised.”

As a former federal IT manager now on the industry side, Youssef Takhssaiti said government cyber officials need to embrace AI, leveraging the technology’s ability to analyze network traffic, detect anomalies, automate responses to standard attack scenarios and myriad other defensive techniques. 

But procurement officers also “have to be very careful when it comes to adopting or purchasing” AI products, according to Takhssaiti, a Treasury Department and Consumer Product Safety Commission alum who’s working on a PhD in artificial intelligence. 

“Everyone is focused on speed to market — how can I get my product and application out to the market and consumers,” said Takhssaiti, now global GRC director for Aqua Security. “Before adopting any [AI products], two key things to focus on: Are they a vulnerability for you or as vulnerability-free as they could be? And what do they do with my data? Is it being used to retrain these models?”

Whether it’s continuing to embrace zero-trust architectures, dabbling in AI or looking out for the next big defensive thing in cyber, federal security professionals agree that threat protection strategies need to take an “all of the above” approach while also leaning on tried-and-true mitigation methods.  

“We’re still actively deploying and implementing the initiatives as ZTA across our various environments. But now we have AI, right?” Franks said. “But we cannot still forget … the basic cyber hygiene strategies. … And then going forward, we have to redesign and strengthen where it is we need to go so that we can stay ahead of the vulnerability curve.”

GAO budget request puts premium on modernization efforts
https://fedscoop.com/gao-budget-modernization-cloud-cybersecurity/
Fri, 12 Apr 2024 19:38:52 +0000

The congressional watchdog said it plans to shift from an on-premise data center to a cloud environment.

The Government Accountability Office has modernization on its mind for fiscal 2025, with a report on its budget request released this week aimed in part at fueling the congressional watchdog’s embrace of cloud technology.

In requesting from Congress $916 million in appropriated funds — up 6.5% from its FY2024 ask — and another $59.8 million in offsets and supplemental appropriations, the GAO said it intends to leverage the cloud as it moves to adopt emerging technologies more quickly. 

That leverage will come from the GAO’s plan to shift from an on-premise data center to a cloud environment, a move that the watchdog said will allow it “to grow in agility and better engage IT modernization and cybersecurity strategies.”

“GAO is implementing Zero Trust Architecture principles to enhance cloud services with access and authentication controls using the cloud-based Secure Access Security Edge,” the GAO wrote in its request. “Zero Trust allows GAO to transition from traditional perimeter-focused security models to cloud focused models with security controls throughout the infrastructure.”

The budget request also includes “small program and inflationary increases” for GAO’s Information Technology and Building and Security programs. Those budgetary boosts will go toward “enhanced cloud data management and storage solutions, as well as IT security upgrades to combat the ever-growing cybersecurity threats toward U.S. assets,” the GAO wrote, adding that funds will also support planned work from the agency’s Innovation Lab.

Beyond modernization, GAO said its budget request would support five critical areas of importance to Congress and the country at large: national security enterprise, fraud prevention, science and technology, cybersecurity, and health care costs.

The GAO said it will continue to assess the development and execution of the White House’s national cybersecurity strategy, while also paying close attention to the 16 critical infrastructure sectors and how federal information systems are secured.

“Escalating threats, including new and more destructive attacks from around the globe, highlight the critical and persistent need for effective cybersecurity,” GAO wrote. 

How cloud modernization transformed OPM cybersecurity operations
https://fedscoop.com/how-cloud-modernization-transformed-opm-cybersecurity-operations/
Tue, 27 Feb 2024 20:27:00 +0000

By shifting to cloud-native solutions, the U.S. Office of Personnel Management has significantly enhanced its underlying security infrastructure to better protect the agency from evolving cyber threats.

Few organizations in the world provide human resource services at the scale of the U.S. Office of Personnel Management (OPM). OPM oversees personnel management services for 2.2 million federal workers — and the retirement benefits for another 2.7 million annuitants, survivors, and family members. Because the agency also manages the federal workforce’s recruiting, hiring, and benefits management, OPM is responsible for handling vast amounts of sensitive data, making it a prime target for cyberattacks. 

Following a massive data breach in 2015, OPM instituted a comprehensive overhaul of its IT and security practices. However, in the years since, it became increasingly clear that without modernizing its underlying IT infrastructure, many of the remedies OPM put in place were becoming outmoded in the face of ever more sophisticated cyberattacks.

That was especially apparent to Guy Cavallo, who arrived at OPM in the fall of 2020 as principal deputy CIO after leading sweeping IT modernization initiatives at the Small Business Administration (SBA) and before that at the Transportation Security Administration (TSA). He was named OPM’s CIO in July 2021.

Recognizing new cyber challenges

“We looked at the on-premises cyber tools that OPM was running since the breach and saw while they were effective, with today’s advancements in AI and cyber capabilities, they weren’t keeping up with the attack vectors we’re facing today,” said Cavallo in a recent interview. Threat actors had shifted to identity-based attacks using more sophisticated tactics, requiring advanced detection and response solutions.

“We knew with AI coming and the Executive Order on Cybersecurity requiring logging to get visibility into your environment, investing in on-premises hardware would be a never-ending battle of running out of storage space,” he concluded.

The cloud was “the ideal elastic storage case for that,” he continued. But it also offered other critical solutions. The cloud was the ideal way to host applications to ensure “that we’re always up to date on patching and versions, leaving that to the cloud vendors to take care of — something that the federal government struggles with,” he said.

Checklist for a better solution

Cavallo wanted to avoid the mistake he had seen other organizations make, trying to weave all kinds of tools into an enterprise security blanket. “It’s incredibly difficult to integrate them and not have them attack each other — or also not have gaps between them,” he said. “I’m a believer that simpler is much better than tying together best-of-breed from multiple vendors.”

That drove Cavallo and OPM Chief Information Security Officer James Saunders to pursue a fundamental shift to a cloud-native cybersecurity platform and “making that the heart of our security apparatus,” said Saunders.  

After reviewing the options, they elected to move to Microsoft’s Azure cloud-based cybersecurity stack “so that we can take advantage of the edge of cloud, and cloud in general, to collect data logs.” Additionally, it would mean “we didn’t have to worry about software patching and ‘Do I have enough disk space?’ It also allows us to springboard into more advanced capabilities such as artificial intelligence,” Saunders said.

Because OPM exchanges data with many federal agencies that rely on different data systems, Cavallo and Saunders also implemented a cloud access security broker (CASB) — a security policy enforcement engine that monitors and manages security activity across multiple domains from a single location. It also “enables our security analysts to be more efficient and identify threats in a more holistic manner,” Saunders explained.

Added benefits

“There is a general misconception that you can only use cloud tools from the host vendor to monitor and protect that environment.  We found that leveraging cyber defenses that span multiple clouds is a better solution for us instead of having multiple different tools performing the same function,” Cavallo added.

Microsoft’s extensive threat intelligence ecosystem and the ability to reduce the number of contracts OPM has to maintain were also critical factors in their decision to move to Azure, Saunders added.

The pay-off

The migration from on-premises infrastructure to the cloud was a complex process involving the retirement of more than 50 servers and the decommissioning of multiple storage areas and SQL databases, according to Saunders. The most challenging aspect, though, was not the technology but managing the transition with the workforce. Extensive training and organizational change management were as critical as the technical migration to the success of the transition.

According to Saunders, the benefits didn’t take long to recognize:

  • Enhanced visibility: OPM now has a more comprehensive view of its security posture, thanks to the centralized platform and increased log collection.
  • Improved threat detection and response: AI-powered tools and Microsoft’s threat intelligence help OPM identify and respond to threats faster and more effectively.
  • Reduced costs and complexity: Cloud-native solutions eliminate the need for buying expensive on-premises hardware and software, while also simplifying management and maintenance.
  • Increased scalability and agility: The cloud platform allows OPM to easily scale its security infrastructure as needed to meet evolving threats and business requirements.

Collectively, those and related cloud benefits are also helping OPM make faster headway in meeting the administration’s zero-trust security goals.

Lessons learned

Perhaps one of the most important benefits is being able to demonstrate the magnitude and nature of today’s threat landscape to the agency’s leadership and how OPM is much better prepared to defend against it, according to Cavallo.

“When James and I showed them the visibility that we have from all those logs, it was a drop-the-mic moment for them. We can say we blocked 4,000 attacks in the last hour, but until you actually show them a world map and our adversaries trying to get into OPM, then be able to click and show the real details of it — those threats get lost in the noise,” he said.

“My recommendation at the CIO level is, this is a better mousetrap. But you can’t just expect people to flock to it. You have to go show them why it’s a better mousetrap.”

Among the other lessons Cavallo recommends to fellow IT leaders:

  • Focus on simplicity: Choose a single, integrated security platform to avoid the complexity of managing multiple tools.
  • Invest in training: Ensure your staff is trained and familiar with new cloud-native security tools and processes.
  • Start small and scale gradually: Begin with a pilot project and gradually migrate your security infrastructure to the cloud.
  • Communicate effectively: Clearly explain the benefits of cloud-native security to your stakeholders and address any concerns.

This report was produced by Scoop News Group for FedScoop as part of a series on technology innovation in government, underwritten by Microsoft Federal.

CISA establishing new office focused on zero trust
https://fedscoop.com/cisa-zero-trust-initiative-office-sean-connelly/
Thu, 15 Feb 2024 18:06:36 +0000

The Zero Trust Initiative Office will provide education and training to federal agencies, while building on previous CISA guidance on the security framework.

The Cybersecurity and Infrastructure Security Agency is opening up an office dedicated to helping federal agencies implement zero trust security principles, leaning further into the Biden administration’s push toward broader adoption of the framework.   

Speaking Thursday at CyberScoop’s Zero Trust Summit, Sean Connelly, CISA’s senior cybersecurity architect and trusted internet connections program manager, said the agency’s Zero Trust Initiative Office is intended to provide federal agencies with more comprehensive trainings and resources. 

“We’re working with various organizations to support broad training,” Connelly said. “We also have some in-house training we’ve done with a number of agencies [and have made available] playbooks and guidance [for] agencies that want to know how to move toward zero trust.”

The new office will offer expanded training on zero trust principles and will also include an effort to better identify the skills and knowledge needed for successful implementations of the architecture. The office’s playbooks will build on current CISA resources, specifically the agency’s Zero Trust Maturity Model and Trusted Internet Connections 3.0.

Connelly said the office will also focus on community building and collaboration, some of which will come in the form of expanded relationships with interagency partners and the broader IT community. A slide deck presented by Connelly highlighted the creation of two zero trust interagency working groups centered on practitioners and network modernization.

Finally, the office will be tasked with assessing agencies’ zero trust maturity. Connelly said the agency is working with the Office of Management and Budget on how agencies can “move forward” through the stages laid out in CISA’s model. CISA, OMB and others will work together to develop metrics and benchmarks that track agencies’ progress toward maturity.

The establishment of CISA’s new zero trust-focused office builds upon the principles laid out in the National Institute of Standards and Technology’s “Zero Trust Architecture” publication, the strategies detailed in OMB’s zero trust strategy and a 2021 executive order focused on cybersecurity.

Meeting zero-trust mandates with strategic partnerships
https://cyberscoop.com/meeting-zero-trust-mandates-with-strategic-partnerships/
Wed, 31 Jan 2024 20:30:00 +0000

A new report dives into how government agencies can meet the zero-trust security mandate with strategic partnerships and innovative technologies.

HHS exploring program management office support for departmentwide zero trust implementation
https://fedscoop.com/hhs-exploring-zero-trust-program-management-office/
Mon, 20 Nov 2023 23:31:18 +0000

Achieving zero trust will require HHS to “significantly upgrade governance and Information Technology (IT) management,” the department said in a request for information about establishing a program management office.

The Department of Health and Human Services is exploring establishing a “program management office support” focused on assisting with zero-trust security implementation across the department, according to a Monday contracting solicitation.

As part of that process, the HHS’s Office of Chief Information Officer is looking for potential contractors that could identify capabilities and gaps related to zero trust in each operating division, develop and maintain a zero trust scorecard, and establish a zero-trust roadmap, among other things, according to the request for information posted to federal contracting website SAM.gov.

The information security office within the OCIO is currently conducting market research on the establishment and maintenance of a program management office support for zero trust, according to the solicitation, and is looking to get information from interested parties by Dec. 6.

“While a few [operating divisions] within HHS have Zero Trust Maturity (ZTM) plans in place, HHS is just beginning to align resources to a department wide Zero Trust Strategy,” according to the solicitation.

HHS didn’t respond to a request for comment.

The solicitation comes as agencies work to achieve the Biden administration’s standards to improve cybersecurity through governmentwide zero-trust security architecture by the end of fiscal year 2024. 

While the Biden administration issued a strategy for achieving those goals, efforts can vary by agency. For example, the Department of Commerce’s CIO Andre Mendes told FedScoop in July that the agency elected to have a department-wide approach rather than letting bureaus chart their own course.

Although the department already has many of the skills and technologies required by Biden’s zero-trust architecture strategy, the solicitation said that “putting all the components together requires HHS to significantly upgrade governance and Information Technology (IT) management, and more deeply integrate teams and technologies.”

At least one agency is already establishing a zero-trust program management office. The Department of Education is getting funding under the General Services Administration’s Technology Modernization Fund to establish an “enterprise-wide program management office dedicated to zero trust,” according to the TMF website. 

The Department of Education awarded a contract to ShorePoint Inc. to provide program management office support.

Tech Modernization Fund awards $9M in air travel, textile industry consumer protection investments
https://fedscoop.com/tech-modernization-fund-awards-9m-in-air-travel-textile-industry-consumer-protection-investments/
Fri, 29 Sep 2023 16:28:34 +0000

Consumer protection systems operated by the Department of Transportation and Federal Trade Commission will receive just over $9 million in combined funding from the General Services Administration-led Technology Modernization Fund.

The new investments, announced Friday, will provide $8 million to the DOT for the modernization of an outdated consumer complaint system for air travelers and $1.1 million to the FTC to retire and replace an old system that tracks information about textile products.

“Our newest investment in the FTC represents the kind of speed of delivery we aim to achieve, because the problem and solution are well understood and the FTC team is ready to make changes within the next 12 months. Additionally, our investment in DOT will help improve a system accessed by thousands of air travelers each year,” TMF Executive Director Raylene Yung said in a Friday statement.

The TMF, housed within GSA, is focused on improving technology across the government and currently manages 47 investments in 27 federal agencies. It received a $1 billion infusion through the American Rescue Plan and $255 million through the annual budget process. Previous investments included a $50.5 million round of funding for cybersecurity and customer experience investments at five agencies in July and $20.8 million for similar projects at three agencies in October 2022.

The House Oversight Committee recently advanced a bipartisan bill that would extend the TMF’s authorization through 2030 and would require agencies to refund or reimburse investments to maintain the solvency of the fund.

The DOT investment will specifically go to the Office of Aviation Consumer Protection (OACP), which will use the funds to enhance a system that tracks consumer complaints and tracks cases for “thousands of consumers each year,” according to a release.

Blane Workies, OACP’s assistant general counsel, said in a release that the modernized system will “make it easier for consumers to know their rights and file air travel service complaints should problems occur, while enhancing OACP’s ability to analyze these complaints and enforce aviation civil rights and consumer protection laws.”

Meanwhile, FTC’s project is focused on its system that issues “registration numbers to U.S. based businesses to identify who manufactured, imported, distributed, or sold a covered textile, fur, or wool product.” The TMF funds will be used to “modernize the Registration Number System by developing a user-friendly cloud application.”

Mark Gray, FTC’s chief information officer, said in a release that completion of the project would “mark a critical milestone – all FTC applications accepting incoming traffic will have been migrated to the cloud.” Gray said the funding will improve the agency’s security and move it closer to its “zero trust” goals, a focus of the Biden administration.

GSA seeks help to ‘get across the finish line’ modernizing cybersecurity, adopting zero trust https://fedscoop.com/gsa-seeks-help-to-get-across-the-finish-line-modernizing-cybersecurity-adopting-zero-trust/ Mon, 28 Aug 2023 19:13:55 +0000 GSA recently issued a solicitation for cybersecurity support services that is meant to help the agency take the final steps in modernizing the way it delivers cyber services internally.

The General Services Administration has made important strides adopting a zero-trust cybersecurity model and “raising the bar” modernizing its security, CIO David Shive recently told FedScoop. But now the agency needs help from industry to “help us get across the finish line,” he said.

GSA recently issued a solicitation for cybersecurity support services that is meant to help the agency take those final steps in modernizing the way it delivers cyber services internally, Shive told FedScoop on a recent episode of the Daily Scoop Podcast.

“We’ve developed some maturity with cyber here at GSA, and we’re looking for partners that can demonstrate mature cyber operations in their past and help us lean pretty far forward with the use of cyber and protecting the business interests of GSA,” Shive said. While the solicitation wasn’t publicly available, a GSA spokesperson pointed FedScoop to a listing on the agency’s Acquisition Hallway forecasting the opportunity.

Explaining the scope of the contract solicitation, Shive said it’s quite broad and that GSA “looks to deliver a unified, defensible cybersecurity boundary with a focus on operational excellence.” However, because the solicitation is still open for bidding, Shive said he had to refrain from commenting on it too extensively to provide a “fair and equitable acquisition experience for anybody who might like to do work with us.”

“They have to be able to demonstrate that they can drive down risks, strengthen resilience within the enterprise, and maintain effective and compliant programs to facilitate innovation,” he said, highlighting that innovation is “kind of one of the hallmarks here at GSA. And so they need to be able to deploy and defend in that attitude of innovation that’s present here at GSA.”

Shive continued listing out what types of services the contract seeks: “Zero trust architectures, security delivery via product versus services orientation, infrastructure and security as code, security operations … true enterprise security visibility, security automation and augmentation — we’ve been doing that for a long time here at GSA. They need to be able to help us run our security operations center and incident response centers, be able to do cyber threat intelligence … be able to do cyber threat hunting. And then because we’ve been doing DevSecOps here at GSA for a long time, using agile for a long time, they need to fit seamlessly into that because they’re the ‘Sec’ in DevSecOps.”

And, finally, as GSA continues its journey to zero trust, it’s placing more emphasis on “the application security layer,” Shive said, and it will need a partner who can support that.

That shift to zero trust has presented GSA with an opportunity to pivot in the way it thinks about cybersecurity, the CIO said.

“That pivot is we’ve evolved from that traditional perimeter-based, compliance-oriented model to a zero-trust architecture that considers resources and accesses as fundamentally untrusted,” Shive said. “Instead of verifying devices at the perimeter, we verify everything and anything attempting to access anything within GSA. And we do that continually. This represents one of the key changes from the traditional model that we’ve been operating against. We’re pretty far along and are seeing the results that we hoped for.”

Now, Shive said, the agency just needs a good partner from industry to help finish that journey.
