This isn’t the first time the federal government has focused its attention on this ongoing challenge.

Following the cyberattack on the Municipal Water Authority of Aliquippa, Pennsylvania, the federal government has renewed its focus on ensuring the security of the water and wastewater (WWS) sector of the country’s critical infrastructure, and recently issued a warning to water system operators regarding an uptick in attacks against those systems by pro-Russia hacktivists. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency released new guidance on the actions that WWS entities should take to improve the resilience of their networks to cyberattacks as well as an incident response guide for the sector. Further proving the government’s renewed focus, in February 2024, the White House also issued an executive order to bolster the maritime sector further and upgrade security requirements for the nation’s ports.

Recent studies show that the vulnerabilities that permitted the Aliquippa attack are far from unique. In fact, Censys identified vulnerable and exposed Unitronics programmable logic controllers (the type of devices targeted in the Aliquippa attack) associated with water, wastewater and energy systems in the U.S. and found a total of 149 internet-exposed devices and services.

Unfortunately, there is a plethora of these vulnerable systems nationally, with the entire infrastructure lacking security controls. More often than not, the operators of these systems are focused on operational technology (OT) and lack the necessary cybersecurity skills to address the challenges that today’s bad actors present. Although the federal government offers limited oversight and grants to help, water authority organizations reside in municipal governments where funding for cybersecurity resources can be a major issue.

CISA’s recent guidance presents a significant step in the right direction, with common-sense recommendations that can help water authorities protect themselves. And while many of the recommendations might sound relatively simple, they address extremely complex problems that will be difficult to surmount.

For example, take the first recommendation in the CISA guidance: Reduce exposure to the public-facing internet.

CISA rightfully notes that the controllers and remote terminal units deployed in waterworks make easy targets when connected to the internet. It may sound like an easy fix to remove such devices from internet access, but the vulnerability may be due to compromised external systems that are connected to the water authority. For example, these systems may be associated with water towers or even gas stations and car washes that interact with the water authority via the internet. Consequently, all these connections must be managed and monitored – an extremely complex and arduous task.

Adding to the difficulty of this endeavor, municipal water authorities often lack the resources and staff to enact the recommendations in the EPA’s alert. Many are underfunded and have not traditionally prioritized cybersecurity as a critical aspect of their mission.

Consequently, we need a “whole of government” approach in which a federal agency like CISA can play an essential role. CISA and the Environmental Protection Agency – the agency designated by the White House to ensure that the water sector is prepared for any hazard, including cyber risks – are well positioned to lead a systematic process to support critical infrastructure organizations and operators that don’t have the funding, technical skill sets or acumen and guide them down the path as a partner to help solve these problems. Such an approach should begin with a few basic steps on the part of the federal government and water authorities:

• Conduct an internal asset inventory. CISA and EPA can help leaders at municipal water authorities determine what systems, devices and data exist in their environment, both internally and externally. However, this should extend beyond a simple inventory. It must also include an understanding of the criticality of each of those systems relative to the organization’s ability to achieve its mission. The EPA’s Water Sector Cybersecurity Technical Assistance Provider Program trains state and regional water sector technical assistance providers who can assist with this assessment. The EPA also offers a Cybersecurity Incident Action Checklist specifically geared to helping water utilities prepare for, respond to and recover from cyberattacks.
• Identify and monitor assets external to the organization’s domains. This includes looking at supply chains to understand potential vulnerabilities related to business partners, a step almost as important as understanding the inventory of the organization’s own assets. Most organizations have a good understanding of their internal assets but often don’t have a good handle on risks associated with external assets that the organization reacts with – which is how adversaries usually get into the environment. An unclear understanding of those external assets – especially internet-connected IT and OT systems – makes it extremely easy for the bad guys.
• Continue to provide funding and grants to municipalities working to address critical infrastructure security issues. Congress and DHS should continue to provide funding that will help these organizations train their IT and OT workforce in cybersecurity, hire people with the skill sets they need and generally help these organizations to modernize their infrastructure. This funding should be contingent on supporting policies that will help facilitate training, modernization and closing the pay and skills gaps within municipalities that are specific to the water and wastewater issue.

On the other side of the equation, water systems operators should not hesitate to request help. CISA and EPA offer assistance to organizations upon request, so operators should take the initiative to proactively contact the EPA or their organization’s regional cybersecurity advisor at CISA.

There have been recent signs of progress. Reps. Rick Crawford (R-Ark.) and John Duarte (R-Calif.) are promoting a bill to create a government office to develop cybersecurity rules for water systems, with the EPA acting as an enforcer, as they already are the sector risk management agency. Also, EPA and White House officials in March asked a group of governors to develop plans for dealing with major cybersecurity risks facing their state’s water and wastewater systems, according to a report from The Wall Street Journal.

Finally, we need to view addressing this issue as a marathon, not a sprint, to beat the hackers. Our adversaries are continuously looking to poke holes in our defense, and it is mandatory that we do the same in order to keep them out – now and in the future. We must not lose sight of the stakes involved; our country’s national security may depend on it.

Todd Helfrich is the vice president of federal for Censys.

The post How federal funding, guidance can protect the water supply first appeared on Federal News Network.

ADA requirements and in-office work

The ADA requires employers to provide reasonable accommodations to employees with disabilities, including mental health conditions. Keith Sonderling, commissioner at the Equal Employment Opportunity Commission, told me about the importance of understanding these legal protections.

“Employers must engage in an interactive process with employees who request accommodations for mental health conditions,” said Sonderling. “If an employee is diagnosed with a mental health issue, the employer is obligated to consider accommodations, which could include remote work.”

During the pandemic, many government employees experienced the benefits of working from home, including increased productivity and better work-life balance. As Sonderling points out, there is no inherent legal right to remote work. However, the EEOC has issued recent guidance about how the right to work remotely becomes protected under the ADA when it is a reasonable accommodation for a disability.

Brandalyn Bickner, spokesperson for the EEOC, underscored in the fall of 2023 that under the ADA, the mandate for “reasonable accommodation” encompasses “modifying workplace policies.” This could entail employers waiving certain eligibility criteria or adjusting telework programs to facilitate remote work for employees with disabilities.

And the EEOC is showing its teeth. In a landmark legal settlement, ISS Facility Services, Inc. agreed to a $47,500 payment to resolve an EEOC complaint alleging ADA violations. The case centered on the company’s refusal to permit a disabled employee to continue part-time remote work. In another example, the EEOC filed a complaint against a Georgia company for terminating a marketing manager who had sought to work remotely three days a week to manage her anxiety.

Awareness of ADA can shift RTO dynamics dramatically

Despite the clear legal framework, few government employees are aware of their rights under the ADA. This lack of awareness means that many may not realize they can request remote work as an accommodation for mental health conditions such as anxiety, depression or PTSD. If more employees were informed, the current RTO dynamics could shift dramatically.

To successfully claim a WFH accommodation, government employees need a formal diagnosis from a licensed mental health professional. This diagnosis must indicate that remote work is necessary for managing their condition.

“The ADA protects employees with mental health conditions, but it requires a legitimate diagnosis and a documented need for the accommodation,” Sonderling said.

Once an employee provides documentation, employers must engage in an interactive process to determine a reasonable accommodation, which might include full or part-time remote work.

Sonderling emphasized the importance of training for managers and HR professionals to handle these requests properly.

“It’s crucial for employers to understand that they can’t dismiss mental health accommodation requests out of hand,” he said. “Failure to engage in the interactive process can lead to significant legal repercussions.”

The implications of widespread awareness about these rights are significant. If government employees begin to leverage mental health claims to secure remote work, it could lead to a substantial increase in accommodation requests. This scenario poses a challenge for government agencies who may need to adjust their RTO policies and processes.

For example, imagine a government agency where employees have been working remotely since 2020. If several employees request remote work accommodations for mental health reasons, the agency must assess each request individually. This could create disparities and tensions among employees, particularly if some are granted remote work while others are not.

“The ADA requires individualized assessments, and what works for one employee might not work for another,” Sonderling said. “Employers need to navigate these requests carefully to avoid discrimination and ensure compliance with the law.”

For agencies, the key to managing this complex issue lies in a balanced approach. While in-person collaboration offers undeniable benefits, such as enhanced communication and team cohesion, accommodating employees’ mental health needs is key to avoiding legal liability.

Agencies should develop clear, consistent policies for handling accommodation requests. This includes providing training for managers to recognize legitimate mental health issues and understand the legal requirements. Additionally, agencies can explore creative solutions to balance remote work with in-office expectations. This might include hybrid work schedules, flexible hours or designated quiet spaces in the office for employees with anxiety.

As the workplace continues to evolve, the interplay between mental health accommodations and remote work will remain a critical issue. Agencies have a legal obligation to inform their staff of their rights under the ADA, and agencies must be prepared to accommodate legitimate mental health needs while maintaining operational efficiency.

For leaders, the challenge is to create an inclusive work environment that supports mental health without sacrificing the benefits of in-person collaboration. By navigating this complex landscape thoughtfully and legally, agencies can foster a workplace that respects employees’ mental health needs and drives business success.

Dr. Gleb Tsipursky is the CEO of the future-of-work consultancy Disaster Avoidance Experts and author of the best-seller called Returning to the Office and Leading Hybrid and Remote Teams.

The post If they only knew: How ADA awareness can block RTO for government staff first appeared on Federal News Network.

The Defense Department and Space Force (USSF) recently released aligned strategies that prioritize expanding commercial partnerships to enhance mission capabilities, resilience and operational advantage. The USSF Commercial Space Strategy (CSS) emphasizes leveraging industry innovation, prioritizing operational utility, feasibility, resilience and speed to fielding.

The CSS highlights the need for beyond-line-of-sight satellite communications (SATCOM) to support command and control, data transport and reach-back requirements for the Joint Force worldwide. Through commercial SATCOM partnerships, the USSF aims to enhance data transport, capacity, flexibility, reliability and resiliency to support multi-domain and joint mission operations. The CSS also acknowledges commercial space sector’s role as an accelerator, fostering innovation and helping reduce barriers to entry for new capabilities.

The DoD’s Commercial Space Integration Strategy (CSIS) recognizes the importance of leveraging all available tools to prioritize the resilience of the national security space architecture. It identifies 13 mission areas, including SATCOM as a hybrid mission area. The CSIS emphasizes the integration of government and commercial SATCOM systems, highlighting the need to make “commercial solutions integral — and not just supplementary — to national security space architectures.”

These strategies demonstrate the military’s commitment to embracing private sector partnerships and commercial innovations to enhance mission capabilities and resilience for modern military operations.

Collaborative, user-driven innovation

Ideal collaboration will drive a continuous loop in which industry invests, develops and demonstrates with federal agency end user requirements foremost in mind. Through continuous iteration, testing and customer feedback, commercial operators can deliver solutions that are proven, strong and resilient.

While shifts toward this type of development and adoption will face budget and acquisition challenges, the government is making meaningful progress through several rapid experimentation and development initiatives designed to accelerate creation of national security and warfighter operation capabilities.

While not a defense-focused initiative, NASA’s Communications Services Project is an example of embracing collaborative public-private partnership, helping create a market for new COMSATCOM solutions and services that could be replicated by government agencies. NASA is working with five commercial companies to develop and demonstrate COMSATCOM solutions for future launch and near-Earth communications. NASA recognized that commercial systems could meet their mission communications needs rather than investing heavily to replace its Tracking and Data Relay Satellite system.

The Air Force Research Laboratory’s Defense Experimentation Using Commercial Space Internet program has awarded several major industry contracts that explore the capabilities of commercial space constellations to connect military platforms with user terminals that can talk to multiple space broadband providers, including across different spectrum and orbits.

Last year, Space Systems Command announced the launch of the Commercial Space Office (COMSO) to pave pathways for collaboration in its “race to resilience” by 2026. Senior Materiel Leader Col. Richard Kniseley explained that “The goal of COMSO is to leverage the full force of this innovation with speed, cost efficiency and minimal duplication of effort to deliver efficient and sufficient commercial space capabilities to the warfighter.”

These innovative programs offer models for mutually beneficial public-private partnerships that USSF and other DoD components can leverage.

Building blocks for success 

The next phase of realizing this collaborative vision requires a strong, aligned partnership foundation. Implementing effective and scalable SATCOM hinges on engaging trusted commercial partners that are willing and able to deliver current and future solutions fully in sync with DoD operational and mission needs.

Looking ahead, four essential building blocks for successful SATCOM initiatives include:

1. Intentional innovation: Commercial industry continuously innovates advancements in satellite and ground networks, applied with the intent to meet operational and resilience needs. Trusted public-private partnerships should promote transparency to better understand mission requirements and enhance iterative SATCOM
2. Flexibility: Dynamic mission needs demand flexible technologies and service models from commercial providers. Additionally, greater agility in agency procurement can accelerate the adoption of new capabilities for warfighters.
3. Expertise: The commercial industry attracts top talent, and government customers can access this expertise without incurring recruitment and training costs. Managed services also deliver ongoing technology maintenance updates, shifting that responsibility to industry to conserve time and resources.
4. Commitment: Commercial SATCOM providers should immerse themselves in government partnerships to understand specific environments and requirements. This customer-focused approach ensures mission-aligned capabilities, solutions and services, executed with efficiency and efficacy.

President Kennedy’s famous 1962 speech emphasized the pursuit of difficult goals; more than 60 years on, developing advanced SATCOM capabilities remains a challenge. Space is hard, but strong commercial-government partnerships engendering trust and commitment will yield the solutions we need to reliably support space missions and protect our warfighters.

Sunil Pandit is vice president of strategy at Viasat Government.

The post Four essential elements of trustworthy public-private SATCOM partnership first appeared on Federal News Network.

Despite being designated as critical infrastructure, many of the nation’s public water and wastewater facilities are considered antiquated and outdated due to resource constraints, even as they adopt digital infrastructure like sensors and network-connected systems. This gap leaves systems vulnerable to attacks, with inadequate incident response coordination and information sharing increasing the risks. 

To bolster cybersecurity, agencies and critical infrastructure organizations must prioritize adopting a comprehensive approach to modernization and protection. This includes implementing zero trust measures to mitigate risks, enhancing incident response processes to improve resilience and recovery capabilities, and sharing resources efficiently. As you’ll see, implementing zero trust does not have to be difficult.  

Laying the security groundwork 

Like other critical infrastructure sectors, the water sector relies heavily on operational technology (OT) systems and is often integrated with Internet of Things (IoT) systems. Many of these OT systems are legacy technologies that are not up to current cybersecurity standards, making this IoT/OT landscape incredibly ripe for “cyber-physical” incidents.  

In fact, escalating threats to critical infrastructure, including the targeting and compromising of OT systems and industrial control systems (ICS) in the water sector, have resulted in the federal government  sounding the alarm over malicious cyber actors who now pose physical threats against “insecure and misconfigured OT environments.”   

Securing OT/IoT systems is paramount, and zero trust frameworks offer a layered defense strategy. This approach ensures the security of critical systems while enabling efficient data exchange with internet-connected IT systems. Enhanced visibility and traffic monitoring further safeguard against potential threats, including command-and-control attacks.  

Enter zero trust 

Adopting zero trust architectures is a crucial step in hardening remote access to ICS devices that rely on a mix of IT and OT assets. In the absence of zero trust, systems can become key attack vectors and another entry point for malicious actors. 

Zero trust operates under the principle of “never trust, always verify,” and is inherently designed to reduce a network’s attack surface, prevent lateral movement of threats, and lower the risk of a data breach. A zero trust security model leverages least-privileged access controls, granular micro-segmentation, and multifactor authentication (MFA) to provide continuous verification of identities and devices, regardless of location, type or network connection. 

By implementing a zero trust approach, critical infrastructure operators and agencies will have more effective OT security, with adaptive, context-based application access that doesn’t depend on network access and users only having access to the applications and systems necessary for their job.  

Crucially, the correct zero trust solution must not require refactoring applications or OT controllers that cannot be modified. A good litmus test for zero trust is one in which the solution can use the network but does not depend on it for security. 

Finding the right tools 

Concurrently, critical infrastructure organizations and agencies must enhance their incident response capabilities. Resources like CISA’s Cyber Incident Response Guide for the Water and Wastewater Sector provide a framework for effective incident management, covering preparation, detection, containment, eradication, recovery and post-incident activities. Standardized tools and collaboration platforms facilitate information sharing and coordination among utilities and supporting organizations. 

Collaboration at all levels, including federal, state and local, and between critical infrastructure operators, government and industry is crucial for maximizing resources and enhancing cybersecurity across these vital sectors. By pooling resources and expertise, technology and cyber leaders can make meaningful strides in safeguarding information and OT systems in water and wastewater facilities. 

Taking a sector-wide approach 

By embracing modern cybersecurity solutions and leveraging available resources, the water and wastewater sector can lead by example in public sector cybersecurity, ensuring the resilience and security of critical infrastructure essential for safeguarding our communities and nation.  

Federal agencies must also serve as role models for secure and resilient systems by securing outdated technology while simultaneously modernizing security processes and supporting critical infrastructure operators with their digital modernization efforts. Again, securing outdated technology requires using zero trust solutions that do not force refactoring of applications or controllers nor depending on the network to provide that security. Otherwise, critical infrastructure sectors will remain easy targets, and the prospect of devastating disruptions to essential services will grow. 

Adopting zero trust is a journey. While OT presents challenges to implementing zero trust and modern security, federal leadership in support of greater collaboration, standardization and accountability is an effective way to secure critical infrastructure sectors from malicious threat actors. 

Hansang Bae is public sector chief technology officer at Zscaler. 

The post Safeguarding critical infrastructure: Addressing threats to the water sector first appeared on Federal News Network.

Core civilian agencies are tasked each day with ensuring U.S. prosperity, continuity and trust on a national level — and these agencies now find themselves in a unique position at the intersection of massive mission needs combined with increasing volumes of data. The key to pulling it all together: artificial intelligence, the most important technology advancement in a generation. Stemming from last year’s Executive Order on AI, deadlines are quickly approaching for agencies to comply with the EO and Office of Management and Budget requirements, serving as a critical impetus to ensure the resiliency of the country — powered by data and AI — no matter what is happening on the global scale.

It is critical that civilian agencies forge ahead with robust, coordinated, scalable and repeatable strategies to take advantage of AI and the power of data to prepare all-of-government responses to not only maintain equilibrium, but also prepare to meet challenges at home — from extreme weather events, public health crises drawing on lessons from the COVID-19 pandemic, financial and critical infrastructure threats, and beyond. In an era marked by geopolitical tensions, climate crises and cybercrime, being prepared is not merely an option but a necessity.

AI and data: The key to empowering critical civil agencies

So what does preparation look like in action? Technology and data are not just tools, but lifelines that can significantly impact emergency responses and day-to-day operations. Here are three critical areas where AI-powered and data-enabled mission approaches can revolutionize civilian and public sector efficiency and efficacy:

1. Climate resilience: As natural disasters become more frequent and severe, the need for comprehensive data sharing across agencies has never been more urgent. AI can process vast datasets rapidly, pinpointing at-risk communities and extending the lead time for extreme weather forecasts, turning hours into minutes and saving lives in the process.
2. Public health: Early detection of public health threats can prevent them from spiraling into endemics and full-blown pandemics. Through enhanced data sharing between local and federal entities, and AI-driven pattern recognition, agencies can quickly identify potential outbreaks, ensuring that preparedness is a step ahead of the problem.
3. Fraud Prevention: The importance of bolstering the resilience and security of systems cannot be overstated. A recent advisory from the Cybersecurity and Infrastructure Security Agency highlights the threat of nation-state hackers targeting civil society organizations to destabilize democratic values. The repercussions of such cyberattacks have already disrupted our healthcare systems. By employing AI to continuously monitor and analyze systems and data, and to respond to security breaches and fraudulent activities swiftly, we can enhance the integrity of our civil agencies and protect the interests of our citizens. This proactive approach is vital in safeguarding our nation, its people, and our democratic way of life against nefarious threat actors.

Investing in the future: The human factor and reimagined automation

The potency of AI and implementation of data enabled missions hinges on skilled talent. To meet the challenge of tomorrow, agencies need to double down on investing in their people to modernize their workforce the same way they are modernizing their technology. Reflecting on how the widespread availability of Microsoft Office tools transformed workforce skillsets three decades ago, it’s clear that tools alone do not suffice; adoption and proficiency in their use does.

Today, we find ourselves at a similar juncture with AI and data. It’s not just data scientists and people in technical roles who need to become proficient — it’s everyone. You don’t need to be a data scientist, but you do need to be data fluent. As technology perpetually evolves, the constant that remains is the people behind the machines. Success hinges not just on having the latest technology but on working collaboratively to leverage these tools for better mission outcomes.

Tied to reimagined talent development in the quest for public sector modernization, it will be paramount to transition from manual to automated processes, particularly in data management and emergency response. Reimagining workflows with AI and real-time data can free up agency staff to focus on strategic priorities and empower urgent, data-informed action in crisis situations. Civil agencies must make their data readily available to stakeholders and be equipped with AI tools and proficient personnel to deploy solutions at a moment’s notice when American lives and livelihoods hang in the balance.

A call to action

Agencies need to balance today’s demands with tomorrow’s potential. As we continue to navigate the digital age, the mandate for civil government agencies is clear: Embrace technological advancement, invest in talent, and create and maintain a proactive roadmap for modernization. There’s greater awareness and excitement about civil agencies being able to solve challenges through better use of their data. While agencies are at different points in their digital transformation journeys, the potential to overcome challenges with data is becoming more apparent.

The challenge is that agencies need to deliver on the missions in front of them today with the tools they have, while taking modernization steps to build the road for tomorrow. Only then can we truly safeguard and serve the American public.

Richard Crowe is president of the civil sector at Booz Allen Hamilton, the leading provider of AI services to the U.S. federal government.

The post The power of AI, data in preparing for the next national emergency first appeared on Federal News Network.

Well-meaning policies have blocked many agencies from swapping traditional waterfall or siloed software development models for agile methods capable of continuous delivery. By understanding process bottlenecks, officials can avoid bureaucratic barriers and enhance security. As co-founder of the U.S. Air Force’s Kessel Run, I know this firsthand.

To enable continuous delivery, Kessel Run had to design an alternative to the traditional authority to operate (ATO) process for the changes we had to make in near-real time. The traditional ATO process provides neither the speed nor adequate security to address changes in technology and cyber threats. Our answer was to establish continuous authority to operate (cATO), a process dependent on the continuous application of the structured, but adaptable National Institute of Standards and Technology’s Risk Management Framework (RMF).

Think of cATO as an ongoing authorization for continuous delivery after achieving the initial ATO. The process embeds compliance into the development lifecycle by creating strong controls, rigorous continuous monitoring for security and privacy risks, and exceptional documentation.

Ongoing authorization is not a shortcut. It is a disciplined approach to constantly understanding a system’s risk profile based on building trust through transparency and enabling technologies that create a secure, compliant agile environment. With the right processes and partners, federal agencies can regain control of digital transformation initiatives and deliver higher-quality software faster than ever before.

Stack your AO’s team with its own technical assessors

More than 80% of the time it takes to get a traditional ATO is spent waiting in the queue. Developers wait months before receiving feedback on their code while the rest of the technological landscape continues to change. Waiting often leads to obsolescence.

Capacity and skills deficits cause the delay. The government doesn’t employ enough information security analysts and authorizing officials to handle the volume of systems and changes that require evaluation. Hundreds or even thousands of requests are waiting for review overload security analysts, and some lack the technical expertise to assess modern systems properly.

Programs seeking an ATO should set aside money for their authorizing official to hire dedicated, technically skilled assessors to work directly with them to significantly reduce delays. Build this technical talent into your budget and contract vehicles, even if it means sacrificing a developer – it’s a smart trade-off for getting software to production more efficiently.

Take advantage of flexibilities in the RMF

The Federal Information Security Management Act requires agency systems to undergo a risk management process. NIST made the RMF flexible and adaptable, but many agencies slow the workflow with unnecessary, additional practices.

By design, the framework allows agencies to tailor the guidance to their systems. For example, a myth persists that RMF doesn’t work with a DevOps environment. Some agencies freeze their code baselines when they send them for assessment and assume they cannot conduct new work until they receive authorization. But the framework doesn’t call for serial assessments. Instead, NIST explicitly states agencies should align the framework with their software development life cycles.

NIST avoids dictating particular platforms or methods, keeping the framework technology neutral. Agencies often get stuck doing things the way they have always done them rather than following new roadmaps.

Focus on common controls

One of the first technical steps in transitioning from traditional ATOs to ongoing authorization is to implement common controls inheritance.

To achieve initial authorizations at Kessel Run, we locked ourselves in a room for days exclusively focused on understanding the controls inheritance for each layer of our infrastructure and platforms. Everyone wants to skip this kind of compliance work, but it’s fundamental to saving time later. A dedicated technical assessor also makes this process go more smoothly.

This time investment paves the way for maximizing common control inheritance. For example, developers can reuse the authorized controls of a cloud environment for each deployed app to shrink the scope of future project assessments. Organizations save time on each deployment, which pays dividends considering how many apps agencies use.

Prepare to present evidence

Once an organization achieves initial ATOs, it must demonstrate comprehensive continuous monitoring capabilities after deployment in order to achieve cATO. The NIST RMF focuses explicitly on verifying that security controls remain in place. Don’t confuse this with dynamic scanning for security vulnerabilities, which is merely one component of continuous monitoring.

Organizations will need to digitize and automate control implementation documentation, but the governance, risk and compliance (GRC) platforms agencies commonly use weren’t built for ongoing authorizations with dynamic, modular inheritance. Agencies must prepare to manage very modular evidence packages and understand how changing one layer of the tech stack impacts the others. Most importantly, agencies need to detect when the production environment drifts from approved configurations.

Make room to shift left

Leaders must create a low-friction environment so development teams can easily integrate security into their work. Examine overloaded schedules or backlogs for tasks that provide no to negligible value. Remove what can be removed and reduce friction for essential tasks.

Seek continuous improvement. Look for ways to optimize change approval workflows, shorten the time waiting for ticket resolutions, or otherwise address chronic inefficiencies. Teams can’t “shift left” on security without organizations proactively making space for it.

By embracing the ongoing authorization process, federal agencies can overcome bureaucratic delays, better manage emerging threats, and accelerate digital transformation initiatives. Adopting this mindset and the processes to achieve it ensures agencies can respond to mission-critical demands by continuously delivering software at the speed of relevance.

Bryon Kroger is the CEO and founder at Rise8 and co-founder of the U.S. Air Force’s Kessel Run, the Department of Defense’s first software factory.

The post Overcoming bureaucracy to expedite software development cycles first appeared on Federal News Network.

As a result, there has been no shortage of procurement legislation and regulation prohibiting or curtailing the federal government’s purchase of Chinese products: Section 889 of the Fiscal Year (FY) 2019 National Defense Authorization Act (NDAA) (restrictions on the use of telecommunications equipment and services); Section 847 of the FY 2020 NDAA (mitigating risks related to foreign ownership, control, or influence of Department of Defense (DoD) contractors or subcontractors); Section 223 of the FY 2021 NDAA (disclosure of funding sources in applications for federal research and development awards); and Section 5949 of the FY 2023 NDAA (prohibition of certain semiconductor products and services).

Even more legislation may be on the way, as we see provisions in the House version of the FY 2025 NDAA (see, e.g., Sections 173, 178, 242, 807, 1706, and 1722) and in the Senate version of the bill (see, e.g., Sections 885, 886, 887, 888, and 889).

Two different supply chain supply regimes essentially govern supply acquisition: The Buy American Act (BAA) and the Trade Agreements Act (TAA). Recently, there has been a renewed focus on the BAA, as the domestic component requirements have been increased.

The BAA, however, is a price evaluation preference, which means if the price of a Chinese product is low enough, the federal government will buy that product. For large business offerors, the price preference added to non-domestic offers is 20%, and for small business offerors, it is 30%. Under DoD acquisitions, the preference is 50% for all domestic offerors, regardless of size.

Depending on the item and the value of the acquisition, the TAA or other specific free trade agreements might apply because the United States Trade Representative (USTR) has waived the BAA for many supply acquisitions above specific thresholds, ranging from 50,000 to 174,000. If the TAA applies, offerors generally must supply products made domestically or in allied countries.  Most major acquisitions for commercial products, like the MAS program, are subject to the TAA.

Under the TAA, Chinese products are not eligible for purchase because China is not a signatory to the TAA. Although the BAA favors domestic production, it has the downside of allowing the acquisition of Chinese products in certain circumstances. The TAA provides a holistic approach to strengthening the supply chain, by taking advantage of the economic advantages and technical capabilities of our domestic sources and our allies, with the added benefit of providing domestic firms with the ability to participate in the procurements of allied countries. The differences between the BAA and TAA are important considerations as government and industry work together to address supply chain security and resiliency.

The post Competing global supply chain approaches first appeared on Federal News Network.

Digital twins solve key challenges for government critical infrastructure

Digital twins allow an organization to dynamically model and fine-tune processes via virtual abstractions of a real-world entity and are typically informed by ongoing and often real-time data inputs. While digital twin technologies are vital for revolutionizing operations in many industries, nowhere is the need greater and the benefit more impactful than in the public and critical infrastructure sectors.

By its very nature, critical infrastructure requires high reliability and minimum downtime to support essential mission operations, whether that involves keeping production on schedule for much-needed military aircraft, maintaining power plant operations, or ensuring rapid development of an essential highway project. These models can also be used to monitor the safety of aging infrastructure or identify how city projects will impact its citizens. Digital twins enhance quality and save time by conducting design and analysis in the virtual world, making them especially useful in meeting these heightened operational demands within a government critical infrastructure setting.

The addition of artificial intelligence (AI) has further enhanced a digital twin’s value in government. AI-enabled digital twins can automatically strategize process workarounds in defense manufacturing to avoid downtime from equipment failure, streamline ER and ICU operations in a Department of Veterans Affairs hospital, or help a public health agency speed vaccine development with predictive modeling for new production lines. These are just a few examples of how AI boosts a digital twin’s capacity to support mission-critical operations through stronger performance, accuracy, scalability and predictive capabilities.

Digital twins facilitate government innovation

Given the benefits described above, it is not surprising to see that 63% of federal agencies are already investing or planning to invest in digital twins. To get the most out of the investment, federal transformation teams should carefully select the type of deployment that best fits the specific use case, with digital twin options generally broken down into three types.

A descriptive twin is an engineering design and visual representation that embodies all knowledge of a physical object or set of objects; these are especially useful for training purposes or in architectural modeling. An informative twin is similar to a descriptive twin but features an additional layer of operational and sensory data to extract performance-related insights. Finally, a predictive or autonomous twin includes updatable models that allow the digital twin to iteratively learn and take action autonomously within the organizational IT system.

Not surprisingly, government technology leaders are finding the full range of these options to be useful in both optimizing current use cases and in supporting entirely new innovations in critical infrastructure that weren’t previously possible. Consider the example of how digital twins can aid in the design of a cutting-edge fusion power generation facility:

Fusion power generation has the potential to provide near-limitless and highly sustainable energy, but developing production capabilities at scale requires intensive computational resources and artificial intelligence for development and testing. Engineering teams can achieve this by linking supercomputers with digital twin prototyping models to run the massive amounts of modeling and simulations needed for fusion research. Digital twins future-proof the development lifecycle with sensor-driven feedback loops that continually incorporate new data and metrics as technologies mature.

Key implementation priorities

For all their promise, successful digital twin deployments require government transformation teams to make the right design and configuration choices during implementation. One key priority is to ensure the correct data is being gathered and analyzed. This involves choosing the appropriate data to target, and then choosing the right design and placement of sensors and edge systems for optimal collection and analysis of that data.

Security must be a top priority during implementation to ensure seamless collaboration. Any breach in the security of a digital twin could potentially compromise the entire physical system it represents, leading to significant operational, financial and even safety risks. Therefore, thorough security measures, including data encryption, access control, authentication protocols and regular security audits are essential to safeguarding digital twins and the systems they represent from malicious attacks and unauthorized access.

Robust authentication protocols represent another key implementation priority. As mentioned earlier, any gap in security along what could be a global network of designers and suppliers poses a potential risk to project integrity or even national security. This is why a strong access management paradigm must be in place, ideally fortified with software guard extensions (SGX) that create protected enclaves for data, and trust domain extensions (TDX) that expand these enclaves to trusted third parties.

Throughout, government transformation teams looking to implement digital twins should prioritize solutions that can integrate with existing infrastructure and systems. This is necessary in government settings where funding limitations or continuity of critical infrastructure operations make legacy systems or components unavoidable. By iteratively adding compute resources strategically and cost-effectively to legacy systems, agencies can scale the digital twin deployment overtime on a realistic path toward progressively larger and more demanding use cases.

Conclusion

AI-enabled digital twins are yielding powerful benefits for government teams in charge of designing and maintaining critical infrastructure, including faster process optimization, more situational awareness and stronger predictive capabilities. Furthermore, when agencies prioritize an incremental approach that strategically incorporates legacy assets and is driven by a clear implementation plan, the outcome is a virtuous cycle of ongoing mission success for agencies and ongoing value for taxpayers and citizens.

Burnie Legette, Director of IOT and Artificial Intelligence at Intel.

The post AI-enabled digital twins are transforming government critical infrastructure first appeared on Federal News Network.

Many regulations require that companies working with national security information implement aggressive levels of cybersecurity standards based on the type and sensitivity of information. Within the last year, President Biden signed the Fiscal Year 2023 National Defense Authorization Act, which produced a $773 billion funding package. While this represents a lucrative potential future for job shops it comes with a caveat: They must be able to meet the technological standards that allow them to comply with ever-changing regulations.

For job shops with smaller teams or limited resources, compliance is no small feat. Nevertheless, compliance is not optional. To meet these standards with limited workforce capacity, job shops must look to leverage technology that can automate processes, monitor and protect against cyberattacks, and update processes in real time. With a pen-and-paper or manual approach, manufacturers are committing significant time and resources that ultimately impact the bottom line, in a time where budgets are tight as they are being asked to do increasingly more with less. As certification standards continue to evolve, working with outdated tools will only hinder job shops’ progress.

Evolving landscape requires agile solutions

Meeting new CMMC standards is not a question of ‘if’ but rather a question of ‘how’ and ‘how quickly.’ The DoD is currently at the stage of suggesting the creation of a thorough and adaptable evaluation system to guarantee that defense contractors and subcontractors, under the CMMC program, have integrated the necessary security measures. This would extend the coverage of current security standards and introduce new security requirements in specific priority programs. In order to remain compliant and continue supplying the DoD, job shops must enhance their data security ahead of these rollouts.

Additionally, for maximum efficiency, manufacturers should focus on leveraging solutions that will integrate with their contractual requirements and CMMC implementation strategy. Cloud-based enterprise resource planning (ERP) solutions can help in a variety of ways, including centralized data management, compliance features, as well as enabling scalability and the ability to manage risk.

Visibility is essential in any security measure, and a centralized data repository provides crucial clarity. Disparate systems cause confusion and a lack of control. Through an ERP solution, sensitive data can be stored and managed in a secure platform, in which CMMC requirements regarding data security and access control can be easily adhered to. For Midway Swiss Turn, the progression to an ERP came following a PC and QuickBooks, and previously, typewriters. Their lack of data organization called for a solution that would allow them to be able to collect all the data and organize it in the most successful way. The evolution to automated collection of accounting data, machine availability and material stock helped revenue and employee numbers increase exponentially. The ability to spur growth with safe and secure data will be integral as CMMC standards finalize and evolve.

For job shops operating with smaller teams and tighter margins, achieving compliant data management is too significant an individual lift. Manual in-house efforts of creating encryption protocols, configuring access controls, maintaining audit logs and monitoring data protection take immense time and resources. In short, that’s a cost that many job shops can’t bear. Instead, cloud-based ERP solutions exhibit features like encryption, access controls and audit trails pre-designed to meet CMMC standards, ensuring compliance while looking out for the bottom line.

As job shops look to leverage opportunities in defense and aerospace investment, CMMC readiness also enables growth and scale. Cloud-based ERP systems bring with them the ability to adapt to changing compliance needs and include risk management features to identify and address cybersecurity vulnerabilities, allowing manufacturers to maintain compliance as standards evolve. CMMC-ready ERP solutions provide customers with a framework to meet timely compliance standards, maintain cybersecurity best practices, and build a competitive advantage in the market with the expanded opportunity to work with government contractors. This ultimately saves manufacturers time and money, enabling them to grow their businesses and avoid costly fines and opportunity exclusions. This forward-looking perspective is invaluable to data security as the CMMC deadlines approach.

Investing in the present and future

Manufacturers must adopt adaptable, industry-evolving solutions to remain compliant and position themselves for future success, especially as the new CMMC standards are set to be in place Q1 of 2025. Failing to leverage the technology required will ultimately be of a higher cost than the technological investment. Secure, agile solutions continue to provide the visibility and compliance that the government requires and serve as a strategic step to set manufacturers up for future success.

Matt Heerey, President of Manufacturing, ECI Software Solutions

The post Data security’s integral role in the digital age first appeared on Federal News Network.

To solve this conundrum, federal IT leaders must lean into artificial intelligence and automation to better manage their complex IT environments. When supported by a strong data management foundation, this combination can deliver enhanced service-level visibility and control for government IT teams in charge of ever-changing hybrid cloud architectures.

Hybrid cloud brings challenges of complexity and scale

As government networks load up on new data and applications, gaining visibility over modern IT estates has become more difficult than ever. Rather than adopt a single cloud service from a single cloud provider, agencies are embracing a wide range of cloud vendors and approaches. This can leave teams, who may already be understaffed and swimming in technical debt, siloed and struggling further to manage a workload-intensive mix of legacy and modern applications and infrastructure.

This dramatic proliferation of operational complexity is fueled by massive increases in the volume, variety and velocity of data to be managed. Additionally, IT platforms are often not accessible, understandable or usable for many user-level government workers who need to collaborate on them. The picture is further complicated by the fact that not all workloads are moving to the cloud and by the persistence of legacy monitoring tools that aren’t able to keep up with the variety and velocity of data across hybrid cloud architectures.

All these factors contribute to an unsustainable scenario of outdated tools and disjointed processes that stifles IT’s ability to respond to spiraling complexity and keep up with evolving agency and end user expectations. Fortunately, government IT teams can overcome these obstacles by making strategic use of both AI and automation to progress towards a state of autonomic IT and bring more visibility and control to their hybrid cloud architectures.

Overcoming hybrid cloud complexity with AI plus automation

To make sense of the current state of hybrid cloud complexity and better meet key mission objectives, federal IT teams must opt for a modern approach to ITOps that combines AI and automation to create a more unified service view across the entire hybrid cloud universe. This includes all data center, public cloud – software-as-a-service, infrastructure-as-a-service and platform-as-a-service — and private cloud environments.

The combination of AI and automation is crucial to driving observability across each of these environments, applying machine learning and scalable process optimization throughout all hybrid infrastructure data and systems. This empowers staff to perfect and then automate routine operational tasks, such as collecting diagnostic data, exchanging real-time operational data between systems and platforms, executing ticketing, remediation workflows and more.

The most successful deployments combine a wide range of data across environments to establish a real-time operational data lake. This makes it possible for IT teams to analyze and act on the data at “cloud scale” while applying a rich set of analytical techniques to add business service context and meaning to the data – with multi-directional workflows for both proactive and responsive actions.

Facilitating AI and automation with stronger data management techniques

While there is no single blueprint to follow for applying AI and automation for more alignment and orchestration of agencies’ hybrid cloud environments, the most successful efforts make sure to prioritize the underlying integrity of data. The right data management foundation will allow AI to properly manage, model and analyze operations, and this foundation is also essential to optimize and scale processes with automation.

In particular, federal IT teams should pursue three essential data-related priorities to support the journey to complete visibility and autonomous IT operations. To begin with, data must be of high fidelity, meaning it’s critical to collect the right types of data from the right sources in order to accurately reflect the state of what’s happening with an agency’s IT and business services at any given time. In addition, the cleaning, analyzing and acting on data must happen in real-time – ideally via automated processes and closed-loop decision making to enable action quickly without the need for a human analyst to be involved.

Throughout, data must be thoroughly contextualized, with all metadata and asset dependencies clearly defined through a service oriented view that enhances the ability to understand operational patterns and identify anomalies or performance issues. The right platform for AI and automation will include capabilities for managing data in these ways, enabling teams to cut through the noise and quickly establish the impact and root causes of issues. This, in turn, sets the broader stage for fundamental IT and agency transformation toward stronger agility, speed and growth.

As governments become increasingly digitized, many agencies struggle to manage their integrated hybrid-cloud environments. Fortunately, the right combination of AI and automation founded on the right data management techniques can bring more visibility and control to these environments. As a result, federal IT teams can conduct faster root cause analysis, reduce downtime, optimize IT investments, and provide a more stable foundation to support broader agency modernization efforts as technology continues to advance.

Lee Koepping is senior director for global sales engineering at ScienceLogic.

The post Resolving federal hybrid cloud challenges with AI and automation first appeared on Federal News Network.

With the Fourth of July behind them, and the Republic convention ahead of some of them, Congress spends this week in session. Now the Senate will join the House to splash around in the budget pond. But that’s not all, as we hear from Bloomberg Government Deputy News Director Loren Duggan on the Federal Drive with Tom Temin.

Interview Transcript: 

Loren Duggan
The Senate is holding its first markup on Thursday with three of the 12 appropriations bills, plus setting the top lines that they want to spend on all 12, which will be a really useful indicator of where some of the flashpoints will be between the two chambers. And the House side, the committee has already wrapped up work on six, and they’re aiming to get the other six done this week before they head out to the GOP convention. So a lot to watch in two different places, plus one House floor vote later in the week, too. So a lot happening on the spending front.

Tom Temin
Right. So does that mean that they’ll come to reconciliation at some point before Sept. 30?

Loren Duggan
No. There’s already talk about a stopgap and when it would run through. That’s not the focus right now, they’ll probably do that when they get back from the August recess, which they’ll still be taking. But that certainly the post election period is when this will get resolved. After everyone understands who the President will be, if there’ll be the partisan makeup there. And then who’s going to control both chambers of Congress. You kind of want to get that picture in mind before you figure out if you’re going to try and wrap it up this year, or let it extend into next year, maybe when there’s new people in charge.

Tom Temin
Yeah, the whole presidential picture is such a murky thing right now, we won’t even get into that one. But I wanted to ask you about also the Chevron ruling from the Supreme Court, which seems to change the dynamic among the branches of government to some earlier period when laws were more specific, agency rulemaking was maybe less broad than it is now. What does it look like the Hill will be doing next? Do you think.

Loren Duggan
I’m not sure that they’ll do anything this week about it. But it does change the dynamic longer term and a lot of ways. As you noted before this ruling, agencies were given deference when the law wasn’t clear about what powers they had. Now, the courts are going to have more deference. So Congress, if they want to achieve a policy goal, are going to have to be more specific in the legislating. And that could come in two different ways. We may see more staff or different types of staff brought into Capitol Hill who have deeper experience, or perhaps more time in the regulatory space or whatever. So that could be a big hiring boost, or at least hiring change going into the future. And then lobbyists may also have a bigger role to play here too. Because if they know the rules, and they know the details, they might have more things to write. But as one lobbyists said, if the 1,000 page on the business you see now give you pause, think about the 5,000 page ones you may need in the future to make sure that all your policy goals are spelled out. So this really is a big change. It’s something our newsroom, which covers the law of tax government, across the board is very focused on and thinking about all the ways it could affect lawmaking and regulating going into the future.

Tom Temin
Do you think it could affect this year’s appropriations for the congressional branch that they might even vote on ahead of everything else?

Loren Duggan
That bill is scheduled to go on the House this week. And it’s one of the three that the Senate committee is looking at. Not clear, if they’ll attack that yet. That could be one of the things that when it gets to a final version later this year, they put more funding in there. But certainly those questions are going to be going around. And it could also be to create more offices in the capitol to help. There’s this office of technology assessment that existed before 1995. And there’s been pushes a time to bring that back. Could that be something that comes in now, because if you think about it technology and regulating it is really hard, because what you write into law today may be surpassed by developments, 10, five, three years into the future, as we’ve seen with AI and other things.

Tom Temin
Right. So the big question, then long term is Congress’ capacity to deal with Chevron, if it does have to be more specific in legislating this chemical, or that social media thing. They have to actually know the details.

Loren Duggan
They may, and that’s something I think we’ll see play out over time and how the courts also absorb this, because it could change their workload if they’re reviewing more decisions like this. So all three branches are affected by this and all the things that go around it like K Street in the lobbying world too.

Tom Temin
We’re speaking with Loren Duggan, deputy news director at Bloomberg Government. And a couple of topical issues, the Senate, one of the committees is going to be looking at the Francis Scott Key missing bridge. What’s going on there? Could there be some federal money sooner rather than later for it?

Loren Duggan
Well, Congress has to digest the requests that the administration sent up during their little break here where they asked for, I think it was about $4 billion, primarily through the transportation department to help with the actual rebuilding, but then also some other agencies to help with the cleanup and some of the shipping things that the Army Corps of Engineers has helped with. But this hearing is about looking at what the federal and state government have already done to date. I think there’s a Federal Highway Administration official coming in, and then somebody from Maryland at least. And they’re just going to review where things stand and what they need to do. The timing of when they act on this request could come down to what FEMA needs as well, because some of the disaster relief funds are going to be tapped. This latest hurricane is just hitting the US. And if another hurricane does in August, that could expedite things are. So we’ll be watching that. But it could be a stopgap spending or CR writer as well in September, if they need to move this money faster.

Tom Temin
All right. And then a couple of, again, specific things, and this maybe relates to that bigger question of Chevron, but the EPA will be before House Oversight.

Loren Duggan
Michael Regan will be before that committee. Again, the House Oversight Committee can oversee anything at once, and this time they’re bringing him in, and we’ll probably have a lot of questions about Chevron and some of the other court rulings, perhaps that affected what the EPA can do. And then just what his general plans are, I think it’s a chance to try and draw contrast between what Republicans won and what a democratic EPA has been doing.

Tom Temin
Right. Because the EPA has been the focus, not in this particular Chevron case, that was actually the Commerce Department. But the EPA has been the subject of a lot of court battles over specific regulations. And they’ve won some, they’ve lost some. So I think Chevron has more for them than maybe the Commerce Department, even though that was the sparking case here. And at the same time, the refrigerators and dishwashers standards, here we go coming up for a vote, what’s going on there?

Loren Duggan
These bills were talked about a few months ago, they did a broader, making it harder to change efficiency standards, unless there were real reasons. But these are going out to the specific ones. You mentioned refrigerators and dishwashers. And just making it a little harder to change the standards to try and keep appliances where they are. Democrats will push back on these. These are being driven by Republicans. But, yet again, it’s part of this regulatory push and I think trying to have maybe some division going into that convention week that’s coming up.

The post One more week of business on Capitol Hill before the craziness sets in first appeared on Federal News Network.

From my experience in various roles, working for energy service companies and in leadership positions at the DOE, I’ve seen federal agencies consistently adapt to meet numerous climate-related goals, steadily working towards building the framework for climate-resilient infrastructure and operations.

Despite challenges that shifted priorities momentarily, such as responding to COVID-19 and managing economic uncertainties, federal agencies have emerged stronger than ever. Over the past three years, agencies have rebuilt their departments and energy programs, leveraging years of data and experience to establish the necessary framework to deploy infrastructure investments. Now is the time to capitalize on this framework.

Agencies are well-positioned with access to DOE qualified private sector partners, funding opportunities, and internal support structures to achieve net-zero emissions.

Private sector partners

We often hear from DOE leadership that the energy transition is government-enabled and private sector-led. Qualified private sector partners that can provide validated financing mechanisms to leverage federal agencies’ dollars are critical to deploying any infrastructure project. Energy service companies (ESCOs) have successfully partnered with federal agencies for the past 25 years. ESCOs provide Energy Savings Performance Contracting (ESPC) and Utility Energy Service Contracting (UESC) as procurement vehicles for financing capital intensive infrastructure projects. Two unique aspects of performance contracting that greatly benefit federal agencies are that funds are effectively multiplied through the implementation of energy efficiency measures and upgrades, and ESCOs financially guarantee the energy savings, shifting the risk from the federal agency to the ESCO.

ESCOs also serve as resources during the project development phase, providing preliminary assessments, investment-grade audits, recommendations and guidance on the best and most feasible energy conservation measures for the project. The relationship with an ESCO is extremely collaborative; the project is, in essence, built in partnership.

The DOE qualifies ESCOs that have met the criteria set by the DOE to perform federal government ESPC projects. The DOE manages three approved ESCOs lists. 

Funding

Federal agencies can access funding through the Federal Energy Management Program (FEMP) Assisting Federal Facilities with Conservation Technologies Program, which offers grants for the development of energy and water efficiency upgrades to new and existing federal buildings. In March 2023, the Biden-Harris Administration announced $250 million in funding from the Bipartisan Infrastructure Law for this purpose, to be distributed over three phases. The first phase awarded $104 million to 31 federal projects, with 80% of projects leveraging performance contracts.

These grants can support projects at any stage, including technical assistance funding up to $100,000. Phase application submission deadlines can be found FEMP’s website.

Additionally, agencies received funding from the Inflation Reduction Act, allowing them to invest in staff and resources. The IRA also offers tax credits, like the clean energy investment tax credit, which can provide up to 30% for qualifying investments in renewable energy projects.

Energy Resilience & Conservation Investment Program funds are available for the Defense Department. The program is intended to fund projects that provide energy resilience to critical electrical loads at an installation or joint base, implement energy and water conservation measures and renewable energy technologies.

 Leveraging Funding Contributions with a Performance Contract

Federal agencies have experienced significant advantages through leveraging funding contributions alongside performance contracting. The Oak Ridge National Laboratory completed a study in 2023 that concluded, “Funding contributions allow for expanded scope; the savings generated annually for the term of the contract by the new Energy Conservation Measures are capitalized to expand the scope even further and there is little or no need to finance the additional scope. For this reason, a funding contribution increases the size of the project more than the funding contribution itself.”

Resources

There is an abundance of resources available for agencies to learn how to develop a project, fund a project, and partner with ESCOs. Internally within agencies, leadership has been established to drive towards the goals set by the administration. In addition to the chief sustainability officer, many agencies have implemented sustainability taskforces or working groups to help facilitate projects. A few places to start for agencies to learn more about project development and implementation are:

• Performance Contracting National Resource Center (DOE)
• Energy Savings Performance Contracting Case Studi
• Resources for Implementing Federal Energy Savings Performance Contracts (FEMP)
• Energy Savings Performance Contracting Training & Webinars (FEMP)

The Oak Ridge National Laboratory supports FEMP and agencies, providing technical assistance, reviewing investment grade audits and preliminary assets, managing maintenance and verification reports, providing stakeholder engagement, and managing the indefinite-deliver, indefinite-quantity ESCO List. They also help develop tools in partnership with the FEMP, like:

• Climate Smart Buildings Initiative Planning Tool: A tool to help agencies estimate greenhouse gas reductions from their planned performance contracts.
• ESCO Selector: A tool to help agencies create a notice of opportunity that complies with federal requirements and meets agency needs.

There are also supporting organizations representing energy service companies, advocating for performance contracting, offering resources and training to ESCOs, and aiding federal agencies in learning more about them.

• Federal Performance Contracting Coalition
• National Association of Energy Service Companies

If you feel that your agency is stuck and facing challenges getting a project off the ground, whether that be limited resources, limited access to funding, unfamiliarity with project development, or any other reason – raise your hand and ask for help. The DOE, FEMP, ORNL, supporting organizations and ESCOs are all here to help you get your project started. Gone should be the days when agencies said, “We don’t know where to start.”

Dr. Timothy Unruh, Executive Director of the National Association of Energy Service Companies (NAESCO).

The post Federal agencies are primed to address net zero infrastructure goals – Here’s why first appeared on Federal News Network.

Of course, modernization requires investment. A custom agency-owned application will take a large in-house development effort and have perhaps ten years of useful life. Alternatively, sourcing low-code/no-code vendor software is faster to implement but less customizable to agency-specific needs. There are also costs to update software to comply with new regulations, and the need to keep up with rapidly changing technology.

Most agency IT leaders will look at these investments in terms of cost savings. While reducing costs is never a bad thing, it is far more important to estimate the mission benefits and business savings that are the primary reasons for IT investments. REI has found in multiple cases that performance improvement and its mission impact are where the biggest returns lie, usually far exceeding the operating savings or the capital expense.

Three steps to rationalizing investment

Focusing on how to maximize those benefits should be part of any IT modernization effort. As IT leaders are planning for future requirements, three often-overlooked steps will help prepare them for measuring and justifying the right level of investment:

1. Understand the current budget environment. Do some homework to see which modernization projects are meeting the bar for acquisition, which are not, and why. Be sure to include acquisitions through special programs like the Technology Modernization Fund, the Information Technology Oversight and Reform (ITOR) initiative, and other available innovation programs.
2. Assess from where mission impact and return on investment (ROI) actually result. This must be an intentional effort; presenting a case for a new investment will be far easier with some supporting evidence rather than having no idea where ROI will be found and no way to measure it.
3. Factor in improvements in quality, productivity and customer service. While this must include updating existing technology, don’t forget to calculate automating processes that are currently manual. All of these inputs equate to mission impact. While they may depart from typical IT measures, quantifying them will go a long way to supporting the case for a given investment.

Expand thinking around ROI measurement

IT leaders who have not previously considered prioritizing new investment this way may be unsure of how to start. Looking at already-completed projects can offer a blueprint. Consider just one example of a real agency program:

A department within Agency A identifies and certifies whether or not individual claimants are legitimate victims of a particular type of crime. Department personnel used spreadsheets to collect and track claimant data, then an analyst would decide if an individual was entitled to benefits or not.

Automating data collection and tracking allowed on-demand access for the entire immediate team, an obvious benefit of introducing technology. However, it also enabled a dozen Agency A components to more easily coordinate with Agency B, an integral part of the justice system.

In quantifiable terms, Agency A was able to serve twice as many victims in the year after implementation vs. the year before, without increasing budget or staffing. While that was likely in part because more people were being victimized, it was also because the agency was far more productive. Additionally, the time to victim certification was reduced by half (from six to three weeks). This already shows high value ROI from the IT system modernization.

Taking it a step further, if all of Agency A’s staff is needed to serve 1000 victims, with their annual salary costing roughly $50 million, there is additional savings in not hiring another $50 million worth of staff to serve twice as many customers. Ultimately, the $50 million in savings produced a $50 million ROI on a $1 million IT investment — a 50-fold return. Even better, some personnel could be repurposed to another program that was short-staffed. There was no need to reduce the workforce. Everyone won.

Beyond Agency A, the IT investment eliminated the need for a duplicate system at Agency B, which was now willing to accept Agency A’s victim certification. The lesson is that the case for investment can also benefit from exploring opportunities to reduce redundancy of partner efforts.

Productivity improvements from IT investment will not only measurably improve critical mission impacts of customer experience and satisfaction; there are also bottom line savings. For example, automation can reduce or eliminate costly manual intervention to help customers who fail to successfully transact for agency services on the first try. This is particularly important given federal mandates to transform customer experience and service delivery.

Transparency elevates ROI

Performance measures are integral to estimating actual savings from IT investment.  While some IT leaders hesitate to reveal full potential savings to their budget officer due to internal sensitivities, practically speaking, transparency usually pays off. Preparing this level of data and insights arms IT leaders to share it with contracting personnel if and when they need to. Not having it eliminates the option.

With IT modernization a never-ending quest, IT leaders will ultimately be well served by understanding the full scope of mission impact that their investments will produce for their agency and for their citizen customers.

Jeff Myers is senior director at REI Systems.

The post Mission impact: The critical factor in IT modernization ROI first appeared on Federal News Network.

As federal employees, we need to bring this mindset into the everyday. The benefits of vacations and weekends fade quickly amid heavy workloads, bureaucracy and meetings. Regular breaks, or “productivity pauses,” are crucial for the well-being and effectiveness of public servants. It is possible —and essential — to create a culture where self-care is seen as wise, not weak, in government.

Biological basis for breaks

Our biology explains why we need breaks. The nervous system quickly responds to changing environments and threats as it controls essential functions like sleep, digestion, breathing, heart rate, mood and behavior. Neuroscientist Dr. Stephen Porges explains that when our body senses safety we are calm and open, while perceived or real danger triggers a fight, flight or freeze response. These stress responses are beneficial in dangerous situations and can also help us focus to meet a work deadline.

However, our bodies hang onto this stress. For example, the pressure of back-to-back meetings or feelings of unworthiness put us into a “dysregulated” state where we are reactive, defensive and prone to burnout. A personal challenge (that I’m working on) is my tendency to stubbornly cling to ideas during stressful times or when I feel self-conscious about my value.

The need for nervous system regulation in government

Deep breaths, exercise, mindfulness, sleep or just doing nothing help us regulate our nervous system and return to a calm and open state. The Washington Post recently reported that breaks as short as 10 minutes “boost vigor, reduce fatigue” and make us “more focused, more productive and more creative.”

The idea that we don’t have time to take breaks is tempting. Many federal employees face rigid schedules and heavy workloads, making it difficult to take breaks. Stressful periods, like budget season, remote work, and genuine care for our work and colleagues make it hard to disconnect.

But these are not really breaks. More accurately, they are  “productivity pauses” that enable clearer thinking, better decisions and empathy. Cal Newport’s concept of Slow Productivity rejects “busyness as a badge of pride,” asserting that mixing busy periods and downtime enhances overall productivity. He contrasts this with “pseudo-productivity” where we mindlessly stare at our inbox, feeling overwhelmed. Newport argues that breaks, though they might not feel like work, are crucial for high-quality, creative and collaborative tasks.

The public needs federal employees to slow down. Taking a moment to breathe during heated discussions usually improves the outcome, just as a walk before an important meeting can help you stay calm under pressure. The General Accountability Office recently highlighted the broader impact of well-regulated nervous systems, connecting military readiness to sleep. The standards for hiring senior executives in government, known as the Executive Core Qualifications, emphasize qualities like flexibility and resilience, which are built on this biological regulation. On a personal note, while racing to finish this article, pausing to join a meditation group helped me return with fresh eyes.

Supporting each other

In the federal workplace we must be at least as vigilant about our nervous system as we are about cybersecurity, and we can’t do it in isolation. Leadership can shift culture by taking lunch breaks, encouraging collective pauses, and asking their teams about their self-care. We all play a role in normalizing nervous system regulation. When a colleague asks to reschedule a meeting during a busy week or take a break during a tough conversation, we can thank them for their self-awareness and care.

Finally, calm or stress can be contagious through a process called co-regulation. For example, a friend’s coworker who uses their lunch break to roller skate. This fun and unconventional break inspired others to step away from their desks and recharge.

Your productivity pauses

It would be nice if we could wish stress away. Mindful breathing may not be your cup of tea, but it’s important to find practices that help you be the best colleague and public servant you can be — and there are many options. Here are a few to explore:

• Wellness walk: Schedule a walk to connect with a colleague before or after stressful meetings.
• Meditation: Simple meditations like these ones for the Surgeon General or the 5-4-3-2-1 practice can calm nerves and improve mental clarity.
• Cold water splash: Wash your face with cold water to refresh your body.
• Dance break: For those who don’t think Taylor Swift belongs in government, a short dance break can help you “shake off” a stressful meeting.
• Chocolate: A nibble (or five) of chocolate offers a delicious pause.

Independent, but connected

We need to talk about nervous systems in government. The public relies on federal employees to consistently show up as their best selves. Regulating our nervous systems over holidays like July 4th and in the everyday isn’t the opposite of work; it’s essential for it. This Independence Day and beyond, let’s give breaks the gravitas they deserve to create a healthier, more productive government.

Alex Snider is Strategy Lead for the President’s Management Agenda at the U.S. General Services Administration. Previously he spent 10 years as a diplomat at the U.S. Department of State, served as a Fellow in the Senate, and worked at the World Bank. He is a certified mindful facilitator from UCLA’s Mindful Awareness Research Center, is a co-lead the federal government-wide Mental Health and Wellbeing Community of Practice, a Mindful GSA Ambassador, and co-founder of Mindful FED. You can find him on LinkedIn.

This op-ed is written in his personal capacity and the views expressed in this article do not necessarily represent the views of his agency or the United States.

The post This July 4th, serve your country by taking a break first appeared on Federal News Network.

And yet, at the heart of this escalating threat lies a stark reality: a staggering shortage of cybersecurity professionals — both in the public and private sectors. There are more than 500,000 unfilled cybersecurity positions in the United States alone, according to Cyberseek, and that number is expected to increase. The private sector has already taken steps to address this, but the federal government continues to lag. Despite such a significant talent gap, the Office of Management and Budget has certain educational requirements that prevent skilled cybersecurity workers from getting hired into federal contract positions. With the battle for talent intensifying, the time for change has come.

Today’s threat landscape makes it clear that it’s time to reevaluate this antiquated barrier and embrace a more inclusive and agile approach to cybersecurity recruitment — one that prioritizes skills over diplomas and diversifies our cyber workforce to confront the myriad challenges facing our digital age. And with skyrocketing costs and crushing student debt, thousands of young Americans are opting for alternatives to higher education. It is imperative the federal cybersecurity workforce does not miss out on this cohort.

Fostering a skills-based cyber talent across the federal enterprise has been a key focal point for the new National Cyber Director Harry Coker.

“To secure our nation’s cyberspace, we need to make cyber jobs more available and attainable for groups that traditionally haven’t been recruited,” Coker told a community college in Baltimore earlier this year.

He also has pushed for a series of cyber hiring sprints that aim to bring more people from diverse backgrounds into federal cyber jobs.

And Congress appears to agree with Coker’s approach. Late last year, the House of Representatives passed a bipartisan bill designed to limit the requirement of minimum educational attainment for cybersecurity jobs in the federal government. Largely built on the Biden Administration’s National Cyber Workforce and Education Strategy, the bill signals a recognition of the need to modernize hiring practices.

“No part of the federal government should disqualify an individual from winning the competition for a federal job based on whether they have one type of educational credential,” said Rep. Katie Porter (D-Calif.), who spearheaded the bill.

In early May, the White House announced plans to shift thousands of federal IT jobs to skills-based hiring. Both initiatives represent major milestones.

Ultimately, a paradigm shift in hiring practices towards skills-based hiring offers significant promise in closing the talent shortage at the federal level. Government agencies ought to focus more on relevant skills and experience from apprenticeships, coding bootcamps and other non-traditional pathways. IBM has already partnered with ISC2, the world’s leading nonprofit for cybersecurity professionals, to launch an entry-level cybersecurity certificate, allowing candidates with no previous experience to obtain the in-demand skills and hands-on experience required for a cybersecurity specialist role. By following in footsteps like these, federal entities can not only bridge the cybersecurity talent gap but also empower individuals from diverse backgrounds to contribute their unique perspectives and insights to the field.

Facing an onslaught of cyber threats, the federal government must act. By prioritizing skills and competencies over traditional educational credentials, federal contractors can tap into a wider pool of talent and foster a more diverse cyber workforce. Such an approach not only aligns with the dynamic nature of cybersecurity but also ensures that the most qualified individuals get hired. Only then can the nation fill the talent gap and secure our nation’s digital infrastructure.

Suzanne Wilson Heckenberg is President of the Intelligence and National Security Alliance (INSA) and INSA Foundation, a non-profit association dedicated to government-academia-industry collaboration in the Intelligence and National Security. David Mitchell is a military/Skillbridge fellow at INSA

The post Eliminate college degree requirements and secure our nation in cyberspace first appeared on Federal News Network.