ATARC & Aqua Webinar: Navigating IT Modernization and Cloud Security

This ATARC federal panel explores how government agencies are tackling IT modernization, cloud migration, cybersecurity requirements, and the growing impact of AI and machine learning. Senior technology leaders from CFPB, OMB, the Air Force, Interior, Navy, State Department, and Aqua Security share practical approaches to working with tight budgets, improving workforce readiness, advancing FedRAMP adoption, reducing misconfiguration risk, and using AI to streamline operations. The discussion provides real examples from across government on how agencies can modernize securely and deliver mission outcomes more effectively.
Presented By:
Dr. Tiina Rodrigue, CISO, CFPB
Laura Gerhardt
Director of Technology Modernization & Data, OMB
Darek Kitlinski
CTO, Air Force A1
Rachel Sile
Sr Advisor to CISO & Deputy CISO, U.S. Department of the Interior
Tony Plater
DON CISO, Department of Navy
Paula Wagner
Director Application Design & Delivery, U.S. Department of State
Youssef Takhssaiti
Director, FedRAMP & Global GRC, Aqua Security
“We must know what is accessing our data and that is authorized and authenticated. So think of course zero trust, identity credentialing, access management. We must know what's on our network and what the state and security posture is.”
Tony Plater, DON CISO
Transcript
Hello, and welcome to ATARC's webinar series. Today, topic experts will share strategies that agencies can implement to alleviate the concern of the unknown and make operations more efficient.
My name is Kirsten Katsuruba, and I will be moderating today's panel discussion.
ATARC stands for the Advanced Technology Academic Research Center, and ATARC is an organization that facilitates collaboration through on-site interaction, learning, and market research.
We provide ongoing opportunities for cross agency collaboration, and we want to begin this session by welcoming all of our attendees.
So a special thank you to Lisa, Ragusa, Fadella, and the entire Aqua Security team for making today's event possible.
Before we begin, I want to encourage our audience to please submit questions of your own in the q and a chat. We love for this to be as interactive as possible, and we are also going to be posting a few poll questions throughout. So be sure to respond to those poll questions if you'd like to receive your CPE credit for attending today's event.
Okay. With all of that being said, I would love to welcome our panelists. It looks like they're all on camera now, which is great because we're gonna begin with a round of introductions. So please share with us who you are, what agency or organization you represent, and a little bit about your role there just to kick things off. So if we could begin, Dr. Tiina Rodrigue, welcome back to our panel. If you could kick us off with introductions, that would be great.
It would be my pleasure. Dr. Tiina Rodrigue, I am the CISO at CFPB, and I have been here for over five years. I've also served in CTO and CISO positions at DHS and served as a senior adviser at Federal Student Aid, Education.
Thank you. Let's go to Laura next.
Good afternoon, everyone. I'm Laura Gerhardt, and I am at the Office of Management and Budget in the Office of the Federal Chief Information Officer. And I am the director of technology modernization and data. And within our portfolio, we're working on broad initiatives around enabling capabilities as well as data policies throughout the federal ecosystem.
Thank you. And, Darek?
Well, good afternoon. I've been in this role for about a month. I started this role with the Air Force, Department of the Air Force A1 CTO, July first. And prior to that, I was with the Army and I ran cArmy, the enterprise cloud for the Army. And the agency that runs it is the Enterprise Cloud Management Agency. So I wore a few hats, which includes the cloud services division chief, the operations, and then CTO and chief architect. So, very excited to be here, but thanks.
Very cool. Thank you. And Rachel?
There it is. My mouse. So hi. I'm Rachel Seil. I'm with the Department of Interior. I'm the senior adviser to our chief information security officer, so I work in the office of the CIO.
But I'm also a co host or co chair for the Federal Low Code No Code Community of Practice.
So I get to work with Laura and her team a lot on different things, so it's kind of fun to see her in a meeting finally. And then, so I've been in federal government for a good number of years, but I have been around the block. And so hello to my fellow my fellow DOD brethren. I've done stints in both the navy and marine corps and loved every second of it.
Great. Thank you. And Tony?
Hey. Good afternoon. I'm Tony Plater, head department of Navy, chief information security officer. I've been or acting, but I've been doing this about three years and, with the navy in general about fourteen years.
And before that, I did a lot of IT by, retiring from the army. So lots of, military service and industry service, and we bring that to bear for a pretty large portfolio. So I'll be talking from our portfolio of the Department of Navy as far as the navy and the marines, and, about eight hundred thousand seats. So lots of, lots of things going on with cloud, lots of value.
So looking forward to the conversation. Thank you.
Great. Thank you. And Paula.
Hi, everyone. I'm Paula Wagner. I'm from the Department of State. I run the application design and delivery office, within diplomatic technology, formerly IRM.
But we just went through a massive transformation, so we're super excited to be here.
Thank you. And Youssef?
Thank you. Youssef Takhssaiti. I'm with Aqua Security. I'm the director of Global GRC, oversee the governance, risk management, compliance, and lead their FedRAMP efforts.
I am a former government employee. I spent many years serving in a civilian capacity. Before that, I was teaching elementary school, if you can believe that, which quite frankly prepared me for cybersecurity. Right?
You know, with kindergartners and first graders, it's the best experience out there.
I just wanted to take a moment to say thank you to the panelists and anyone, in the attendees list that serves in the federal government or has served in the military. Thank you for your service.
Thank you. Alright. So I'm gonna quick, sneak in a quick poll question before we jump into our first question. So for our audience, that'll be up here on the screen momentarily.
It is around challenges, which is actually gonna be what our first question is. So for the poll question, what aspect of IT modernization poses the greatest challenge for your agency? And then we're gonna talk about that. So for our panelists, we don't need to go in any particular order on these questions.
As far as responses are concerned, we probably won't have time for every single person to respond to every single question, but we'll get through them as best as we can. And I'd love to hear a few different perspectives for these questions. So if this one resonates with you, I'd like to ask, how do you feel agencies can effectively address the challenges of IT modernization while navigating discretionary budgets and workforce drain? So if anyone on our panel wants to kick things off, I know it's a big topic.
We'd love to I'll take a stab at it just to just to have my fellow friends here kind of add in thoughts.
So I would say returning back to fundamentals, as you look to go into the next iteration of the ecosystem or this, you know, modernization of a system, go back to portfolio rationalization.
Think about ways to not only modernize it, but how to streamline it, how to automate it.
Look for opportunities that may have not been present. So, like, with the advent of AI and now on the cusp or machine learning, use those. Dream big.
I would say the bigger that you dream, the more that you can see the art of the possible. But, obviously, having great, you know, voices in the room at that dreaming stage. Right? So having people who are budgeteers or people who are logisticians or, you know, your security, more importantly, your security folks at the table to kind of put some, you know, guardrails around that big dream. But that's where I would recommend is, you know, start reaching for the sky.
Love that. Thank you, Rachel. And Paula, go ahead.
Oh, thanks. Yeah. I was gonna say I I echo what Rachel said. And then I think the other thing that we look at is really about prioritizing our products as well. You know, we don't wanna boil the ocean, and we wanna be able to deliver. So, you know, we're really big on, leveraging agile methodology so that we can have quick wins and be able to show successes, but then also learn from our failures, so fail quickly.
And then the other big push that we're trying to do is enhance our workforce.
You know, offering up training, offering up, brown bags, doing learning series with, you know, some of our cloud providers. We we had, I think, two weeks ago, a learning series with AWS, and we had over a hundred and seventy folks from state department join.
So really optimizing kind of what our options are across the department, and and working working at an enterprise versus silos.
Thank you. Tiina, go ahead.
I absolutely agree with Rachel and Paula. And what I would add is making sure that the value proposition is checked and using great discernment, making sure that this is a mission essential requirement and that it is something that is trustworthy, has been, attested to, and checks all of the security box as well as the mission box.
There's a lot of things that are shiny out in the world, but not everything fulfills the promise. And so I would say that not just at the point of acquisition, but throughout the life cycle, make sure that it's still delivering as you hoped.
Thank you, Tiina. Laura?
I think a lot of it, from OMB, we have a slightly different role in terms of helping enable agencies across the federal workforce.
In particular, we've been working on FedRAMP recently. We issued the guidance just last week and really updating and really hoping that that enables a lot of capabilities. One, as others have said, really making sure that the capabilities meet the mission need in an ongoing and iterative way. And we're really hoping we can accelerate mission delivery with the use of cloud solutions that have been vetted in the commercial sector and scale the capabilities and practices that drive both that accelerated delivery, that failing fast, and that agile delivery.
And similarly, aligning those resources, you know, through FedRAMP, streamlining the cloud security assessment process, leveraging reuse so agencies are not repeating that, and enabling agencies to really focus on what their unique mission needs are rather than sort of, overburdening on repeating duplicative mission, duplicative security assessments. And then once they're, you know, taking advantage of that that cloud native approach and unlocking the data because there's a lot of better observability with some of these modern tools. And I think, again, to that that streamlined, really, one of the things that's critical in our new guidance is this presumption of adequacy, which really we hope will one, it's in the legislation that passed at the end of twenty two.
And we're thinking that's gonna increase reuse, and increased reuse can sort of drive down cost, hopefully.
You've all probably heard FedRAMP say do once, use many as a slogan, but many CSOs have haven't necessarily felt that in the federal community. And so our goal is to really lean into that presumption of adequacy. Once it's authorized, it the controls are assessed throughout the federal community for use.
And we also wanna make sure that the agencies understand the underlying assessment so they can trust it and use it. And, again, that will really help drive that streamline, streamline process.
And we're really, right now, starting to engage with other agencies so that they understand it. As, you know, it's it's right off fresh off the pass presses, and so wanna make sure that that that is understood so that folks in the federal community can take advantage of of everything that we hope that the federal program has to offer.
Thank you. Darek, I saw your hand up earlier. Did you still wanna add anything?
Oh, yeah. Absolutely. You know, a lot of this comes down to money. And I know especially with a large enterprise, a large, portfolio, we gotta start with the big question that nobody wants to answer. How much does it cost to host that legacy application?
And it's not just one, but the total cost, the the people side of it, the the the all the licensing, the heating and cooling, and, you know, all the things that we've been paying for for twenty plus years. But it it's the hard question that is sometimes almost impossible to answer, but it needs to get answered because as you can demonstrate through a business case analysis, what, you know, what is that return on investment? And we we were gonna have to demonstrate, hey. Granted, this is what we pay, and it's a total cost. And then this is where we're going, and this is how quickly and, you know, with all the other elements of that business case analysis, you know, a a a target architecture, alternative analysis, an acquisition strategy. Again, all that formalized so then, thus, you have a clear path, but also be able to defend because it is an acquisition artifact. But it has all the necessary ingredients for a good start point.
Thanks.
Thank you. Okay. I saw Youssef's hand up next. Go ahead.
I just wanted to add, utilizing your your industry partners is is a very important important factor. These folks that sell you applications have the right expertise to help you onboard and best utilize it. And they want you to use it. Right? Because when the renewal time comes, they want you they wanna show you that you've, you've you have value there, that you want to renew. So reach out to them.
They're not always gonna going to to want to charge you support services. In most cases, they'll provide them free of charge or a reduced cost. So reach out to those guys first.
There's benefit there.
Yeah. Absolutely. Thank you. Alright. And then last comment here, Tony.
Yeah. Just to be quick, I think, you know, only thing I would add is, you know, we're going back to the basics too from a IT asset management perspective. You know, it's essential we know what is accessing our data and that is authorized and authenticated. So think, of course, zero trust, identity credentialing, access management.
You know, we're we're challenged with people working distributed, remote posture, and we must you know, and have to rearchitect, our infrastructure. So accounting for the cloud that's on prem, cloud that's off prem, enterprise, tactical afloat, weapon systems, denied, disrupted, and limited bandwidth means we must know what's on our network and what the state and security posture is. So all of that is going to this idea that we must be strategic, and we have to be data driven and threat informed. So all of that is helping us to prioritize our initiatives and helping us to prioritize our investments.
Good. Thank you. Appreciate y'all jumping in and sharing your perspectives with us. I'm going to call for poll question number two now, which is also gonna tie into our next question.
So first and foremost for the audience again, poll question number two is up on the screen. What is the primary concern that your agency has when migrating to the cloud? There is a whole slew of options there. So moving on to our next round of questions.
And, again, if you feel inclined to respond first, just go ahead and shoot your hand up or come off mute to signal to me that you wanna respond. But the next question is, what are some best practices that should be followed when migrating to the cloud to ensure compliance with cybersecurity requirements and successful modernization? So if a few panelists could share with us a best practice or two from their experience. Go ahead, Tiina.
One of the things that we do is, shift left with our partners.
We don't wait until the build phase. We shift left to the build, left to the buy, left to the budget, all the way, as my friend Darek said, to the business case to make sure that the total cost of ownership includes those costs of security, not again just for the acquisition, but through the full life cycle. And part of what we try to do is be a strong adviser to ensure that all of the various aspects partner, but that we have been training them the entire time to ensure that the system succeeds the first time.
Thank you. Tony, go ahead.
Say, I think one of the points I'd bring up is just recognizing that a lift and shift only does you know, only does not maximize the use of the cloud.
It only moves legacy or bad code from one environment to the other. So I really appreciate from where I sit that we now have access to enterprise cloud capabilities from world class vendors.
But we stress using the security requirements guide that's put out to help us standardize the assessment authorization process so we can maximize reciprocity, which was talked about earlier.
And it also covers all our mission business owners to detail what their responsibilities are, what the technical implementation needs to be, all that goes to secure configuration. So maximizing any of the work that's done by FedRAMP that was mentioned earlier. And we have our zero trust strategy and roadmaps, and we're moving beyond traditional security methods and working to reduce those network attack surfaces and enable risk management. But I would also like to note from the start, we must know how we're gonna defend those cloud environments.
So we must have cybersecurity service providers aligned. You need to know and understand the native tools. Your defenders need to have insights into our cloud environments. So if we plan that correctly, we implementing identity credentialing access management to safeguard those cloud environments, and we're regularly doing the same patching and cyber hygiene that we did when we weren't in the cloud and doing it correctly and continuously and making sure our people are trained, I think it becomes a real force multiplier in what we're trying to do.
Thank you, Tony. Youssef, you're up next.
I mean, Tony covered pretty much, all of it. Well said. Well said. I mean, the the the only couple of things I wanted to add is, you know, have having having a migration strategy ahead of time, right, before you even, decide what you're going to do.
Partnering with the right cloud service provider that meets whatever security and compliance requirements you have. FedRAMP, you know, there's many cloud service providers on the FedRAMP marketplace.
Start there. Partnering with the, you know, the right CNAPP to follow the shift left strategy there. It's very important. And definitely, this is something that folks do not think about as much: backup before you migrate. Right? Make sure that you have proper backups. Test those backups before you migrate to the cloud.
Other than that, I mean, what what what was said earlier, is on point.
Yeah. Absolutely. Okay. Rachel?
Yeah. I would also add, especially when you're moving into the cloud environment that you consider the new threats. These are threats that may have not ever been present before in some cases. So understanding and learning different environmentals and threats than those those vectors that can be, you know, exploited.
So understanding the environment from a security standpoint definitely helps because then you're able to build in and have those communications with your vendors saying, you know, here's what a new defense in-depth should look like for me. Having that cloud security stack in place is very, very important because at the end of the day, it's about the data. Right? So we we need to ensure that the data is protected at all cost.
Thank you. And Laura?
Really echo what a lot of others said in terms of FedRAMP as well as not lifting, shifting. One thing's in particular from the FedRAMP new memo is really the stress on real world threat assessment. You'll see specific a couple mentions to red teaming and, again, security reviews that can happen sort of at the request of the FedRAMP board, you know, potentially embed, in light of particular events or even emerging, you know, threat vulnerabilities. So I think as we look toward FedRAMP being a really place and and hoping that our updated FedRAMP guidance really moves toward a security first program that we really can build confidence in the cybersecurity request requirements, but also really focusing on on novelty in that and adaptability and, like, thinking through the complexity of these of cloud environments, and while taking advantage of of the unique capabilities of cloud that really I carry a complete with Tony around not just lifting and shifting because that that is retaining the sort of paradigms of a non cloud environment and really moving toward what the the cloud capabilities are both for the cybersecurity, but I would also say that often, you know, can help with the user experience or the customer experience throughout the life cycle by really taking advantage of those cloud native capabilities.
Thank you. Darek, go ahead. You're muted. Still muted.
How's that?
Now it is.
Oh, god. Sorry. I'm gonna talk about the big elephant in the room, the people side of this. You know, the workforce needed to do this right. So as everyone knows, the modernization, there's many ways of doing it in the cloud.
But being able to discern the bad from good is is gold, is platinum, actually. You know? And and as I've noticed through some of the experience, when you go into this, we rely on the the the integrators, the outside parties to help us with the partners. But in reality, we as a government are gonna have to have that knowledge to say, wait a minute.
There's a better way to do this. This is not in the best interest of the government, not just from a security perspective, but from, you know, a cost perspective. The life in the cloud, a lifetime is like three years. You know, what you've done three years ago is gonna be completely different than what you're doing today.
But, you know, investing in your workforce is is is paramount. If you look at a lot of the, cloud strategies, AI strategies, the first objective many times is the people. You know, getting that workforce so that they can help you and to make sure that that works together as a team, but with the right ingredients.
Thanks.
Absolutely. Thank you. And, Tiina, did you wanna add anything else?
Well, Darek has an excellent point. And the other aspect of the workforce that we have to take into account is that Brigadier Admiral Greg Touhill, when he was our first CISO, noted that the greatest threat is a negligent or indifferent workforce. And that in the cloud space in particular, it's misconfiguration that causes the most number of threats.
So we have to make sure that our workforce is cloud enabled themselves and that they have the skills and the desire to do the right thing at all times because we have seen the threat vector and it is us.
Absolutely.
Thank you all so much for your responses. So we're gonna move on to our next question. This is question number three, which is how can artificial intelligence and machine learning be leveraged to streamline processes and improve decision making within federal agencies? So I'd love to hear from a few of you on this topic as well if you've had any experience with this. Youssef, go ahead.
Thank you. Thank you. This is, one of my favorite topics ever.
So AI and ML have been around for a while. Right? That's not new. What's out there now, what everyone is talking about is generative AI. And one of the things that it can help do is just automate routine tasks, such as data entry processing, just freeing up valuable human resources. That SOC analyst who used to spend hours and hours looking through logs now can use human-like language to ask the question and get an answer within seconds, which is very important, especially in today's lack of talent or lack of available talent, if you will.
These technologies can also help, analyze vast amounts of data in a matter of seconds, which provides better visibility, which helps with decision making, which just, helps with with efficiently allocating resources to the right areas and and and, the right projects.
Yeah. Thank you, Youssef. And Paula.
Hey. Thanks. I was super excited to see this question on here because at state, generative AI has been helping us a lot. We recently launched, which I think is really cool, an SBU state chat, for all of our folks across the department, and our folks in embassies and posts around the world, because a lot of it was, you know, reading documents that were, you know, twenty some pages long, in foreign languages. And so we created the state chat so that folks could upload these documents, get a synopsis, even look at translation, or just simply ask questions of, like, where to find something at at state.
And, you know, we've been beta testing for, a good part of six months now, with this in our analytics, to a big success. And then we recently just demoed to the secretary. There was one slip up, but our, our analyst fixed it, and so it worked out fine. But, it's it's nice being able to leverage that and then be able to help with public diplomacy on that.
Oh, that's amazing. Thank you for sharing. And, Laura, go ahead.
One of the things that we heard loud and clear from public comment when we released the FedRAMP memo for draft was around how we might think about the use of AI in FedRAMP. And one of the things that was an update into the final, guidance was, having FedRAMP in the GSA team in collaboration with the newly established FedRAMP board, looking at how AI might be leveraged for assessing, the actual security controls. You know, it's some of the thing again, what you said around, monitoring. And so at this point, we're sort of looking at what that that initial pilot might look at, for some of the assessment of controls within the FedRAMP authorization process as well as in the continuous monitoring. And then I think the other thing too is recognizing that FedRAMP is a way for, commercial and emerging technologies to enter permit, is the and that was definitely something put forward in the AI executive order.
One of the things that collaboration that was an action item between our office and FedRAMP from the executive order was this emerging technology prioritization framework. And the first capabilities that they're really looking to prioritize are generative AI in chatbots, in debugging tools, in image generation, as well as, you know, the API versions of that because that's often how you'll build in those capabilities with into your existing ecosystems.
And FedRAMP is looking for, commercial part industry partners for that who would meet the criteria from the technical capability and can demonstrate agency demand for that initial round of prioritization by August third thirty first. So, again, to the extent that you're aware of vendor capabilities that you think, like, you would believe, and and Surmise could help streamline those processes. Like, now is a great time between now and now, I guess, August, the end of the month to to work with those industry partners and help, make sure that they're getting aware of the emerging, technology prioritization framework because firmly believe that there's a lot of our opportunities here and wanna make sure that we're supportive of that through the prioritization.
Absolutely. Thank you. And, Darek?
This is from my experience with the Army, and I saw a really good proof of concept that got me excited.
Using AI to do contract vehicle development. So writing all the, you know, very complex, now becoming more and more lengthy contracts, but using the AI to help shape those, ensuring that you cover all the gaps. And I think that's gonna be something that we in the federal government are gonna be relying on more and more. But, again, yeah, another lens to look at.
Absolutely.
Alright. Thank you. Let's see here. Maybe we'll do a third poll question, which is how confident are you in your agency's ability to handle cybersecurity threats while modernizing IT systems. So, again, this is for our audience at home. If you wanna receive your CPE credit, be sure to respond to this poll question that's up here on the screen.
Okay. And then moving right along to our fourth question here.
For our panelists, again, how can IT be simplified or improved to better support modernization efforts in federal agencies?
Anyone wanna jump in on this? Rachel, go ahead.
I'll take that. Actually, I'm gonna give a shout out and probably pull Laura up.
I would say doing exactly what our friends in the FedRAMP area, especially OMB, are doing. It is making policy and governance and certainly all of the regulation living, evolutionary, more more on the cusp of becoming this living thing that helps us enable our modernization journeys to getting to that goodness. So when we talk about, you know, that IT governance, we're in fast paced times. So doing what they're doing on making it possible to utilize as much, you know, generative AI or any type of technology that's coming up.