FedRAMP’s Ongoing Evolution

The Federal Risk and Authorization Management Program (FedRAMP) is entering its teen years, having been established in 2011. Just as age 13 brings a host of changes for humans, it is proving to be a momentous age for the program that provides a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products.

FedRAMP has evolved to meet the growing importance of cloud services to the daily operations of the government. However, the speed at which FedRAMP grants authorizations to cloud services has consistently been an issue. In 2022, Congress enacted the FedRAMP Authorization Act, making FedRAMP law. The bill included a laundry list of modernization steps for the program to speed up its work and expand its capacity, including through the use of more automation technologies. There have been a number of modernization efforts this year, implemented to help FedRAMP meet the demands of agencies and live up to its promise as a secure way to deploy cloud in government.

Developing an AI Training Plan for the Government Workforce

In talking about AI, there is a lot of discussion about "training the models": feeding large amounts of data into an algorithm and then examining the results to ensure they are accurate. Once the models are deployed, the training does not stop for the models or, even more importantly, for their users.

A study from Deloitte estimates that generative AI could help boost productivity tenfold. However, this jump in efficiency will only be realized if AI and its outputs are used correctly. Working with AI and AI-generated content requires a different set of skills, including critical thinking, algorithmic understanding, data analysis, deeper domain knowledge, cyber/data hygiene, and more.

The Changing Identity of Identity Management

A key element of the move to zero trust is the use of "strong multi-factor authentication (MFA) throughout their enterprise." While identity management has been indicated by many as the "low hanging fruit" of a zero-trust journey, it is by no means easy. In fact, recent guidance from the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) called it "notoriously difficult."

Key challenges to implementing MFA include:

  • Lack of standards - The CISA/NSA guidance pointed to confusion over MFA terminology and vague policy instructions as primary challenges to implementing more secure access. A joint committee of European Union (EU) and U.S. experts addressed this same issue in the Digital Identity Mapping Exercise Report, which aimed to define specific digital identity technical terminology. For example, the group found some definitions, such as "authoritative source" and "authentication factor," are identical between the U.S. and EU, whereas others, like "identity" and "signature," remain only partially matched.
  • Phishing - Bad actors do not always hack the system; they hack the process, gaining entry through social-engineering tactics that grow more sophisticated by the day. The CISA/NSA report called on the vendor community to provide MFA services with additional investments and greater defenses against sophisticated attacks.
  • Rise of generative AI - The Department of Homeland Security (DHS) is working to ensure technologies can determine if a submitted image is legitimate or a hacker's spoof. This "liveness detection" is needed to ensure that a submitted selfie is really a photo of a live person, not a mask, a photo of a photo, or another technique used to try to get past the check.
Understanding the State of State-Level IT

The National Association of State Chief Information Officers (NASCIO) annual member survey aimed to get a picture of what is currently happening in IT implementation at the state level. It focused on how states are funding their IT work and how they are implementing key technologies.

Show Me the Money

The survey found that state CIO offices have a median budget of $132 million, with high levels of federal funding resulting from the Coronavirus Aid, Relief and Economic Security Act, the American Rescue Plan, and the Infrastructure Investment and Jobs Act. But with the level of modernization needed to meet citizen expectations of digital government, that frequently is not enough.

States are increasingly moving to a "chargeback" model where IT funding comes from the business unit where it is used. For example, the Human Resources Department would be responsible for paying for the licenses and development costs of its HR information system, rather than that being seen as an overhead expense funded out of IT. This model allows CIOs to use more of their budget for large-scale IT modernization projects that stretch over many years and impact multiple departments.

The Government Case for Generative AI

Generative AI is a type of Artificial Intelligence (AI) that produces content. That content could be a story, an image, or an audio file, and this is a shift from traditional AI usage, which is focused on completing a task based on predefined rules. Generative AI utilizes existing data to produce this new content based on a prompt such as "write a blog post on government use of generative AI." Disclaimer: generative AI was not used in the creation of this blog post.

Balancing Act of Generative AI

Like traditional AI, generative AI holds great promise for automating highly manual tasks in many areas of government. A recent report found that three-fourths of agency leaders said their agencies have already begun establishing teams to assess the impact of generative AI and are planning to implement initial applications in the coming months.