Trends In Digitizing Citizen Services

“We're seeing examples in agencies where things that may have taken 100 hours have been reduced to a few hours in one day. It's just about thinking about what's working and how can it be done better or different,”
-- Fred Butler, Jr. the senior director for industry strategy and solutions at DocuSign

Fred Butler, Jr.

Senior Director for Industry Strategy & Solutions at DocuSign

Partnerships that Impact Citizen Services

“DocuSign really accelerates the experience across virtually any platform or device. We eliminate manual tasks with configurable and automated workflows, and we're generating value for the agencies by seamlessly connecting workflow management with the overall tools that each of their teams are using on a day to day basis,”
-- Fred Butler, Jr. the senior director for industry strategy and solutions at DocuSign

Fred Butler, Jr.

Senior Director for Industry Strategy & Solutions at DocuSign

Agencies and industry alike have talked ad nauseam about how the pandemic has changed the way they work.

But now, more than ever, agencies have an opportunity to rethink how they deliver services to citizens based on what they have learned over the past two years and, maybe more importantly, what their customers have come to expect.

From President Joe Biden’s executive order on customer service to new focus on five life experiences including retirement, recovering from a disaster and transitioning to civilian life from the military, agencies are rethinking what service need to look like.

A big piece of that reimaging federal services is moving off of paper documents, taking advantage of cloud based software and easing the burden of sharing information across the government.

Some agencies are more aggressive than others in adopting electronic services, particularly e-signatures. The General Services Administration, the IRS and the Security and Exchange Commission, to name a few, are moving toward that self-service, mobile-friendly, digital model.

The benefits of this model are clear to those who use it.

Fred Butler, the senior director for industry strategy and solutions at DocuSign, said it will take a much bigger and continuous focus on both the customer externally and internally by the workforce for others to jump on the bandwagon.

“The biggest thing is really thinking about burden and the administrative burden in terms of facilitating workflows, which is something that we do regularly in business,” Butler said on the Innovation in Government show. “This is something that the government must do actively to really think about what are those things that can be refined and replaced in a way that enables things to be streamlined to be much more efficient, generating more value internally to the operations and also improve the employees’ experience of the work that they’re doing on a daily basis.”

From hundreds of hours down to a few

A recent example of an agency doing this is the Homeland Security Department. It recently challenged its workforce to reduce the paperwork burden by 20 million hours out of 190 million hours the agency puts on the public each year.

For DHS, and other agencies for that matter, Butler said that could mean moving paper forms to digital services, which would reduce burden, errors and time to process the services.

“We’re seeing examples in agencies where things that may have taken 100 hours have been reduced to a few hours in one day. It’s just about thinking about what’s working and how can it be done better or different,” he said. “We’ve worked with one large agency who really was thinking about the inspections process and the applications that go along with inspections. The reality that the information that they had was enabling potentially two inspectors to be at the same location conducting an inspection at the same time. By modifying their process, they could capture the information that they needed with one inspector and spread that information to the various components within an agency to give each the information that they needed to do their jobs appropriately.”

Butler said this example is one that could be repeated many times over across the government. DocuSign estimates that the public sector relies on 25,000 forms and it costs an estimated $40 billion to manage and update content that is still being done in a paper format. It also costs approximately $117 billion in “time tax” to fill the paperwork out, to ensure that it’s done correctly, to send it through the workflows internal to the government and to hopefully get it back to the constituent or customer in a timely manner.

“There is a tremendous opportunity for change,” he said. “We’re seeing a lot of agencies are really taking this opportunity to address the opportunity to improve and to transform their systems. But there’s so much more that can be done.”

Improve workflows, mitigate security risks

Butler pointed to another example with an agency that manages an appeals process.

“We were able to see that agency recognized value that included a 70% reduction in email. There was an improvement from 99 to 17 days in terms of the workflow process. This generates value for both the customers and their constituents,” he said. “DocuSign really accelerates the experience across virtually any platform or device. We eliminate manual tasks with configurable and automated workflows, and we’re generating value for the agencies by seamlessly connecting workflow management with the overall tools that each of their teams are using on a day to day basis.”

Additionally, he said moving away from paper, improving the workflows and using commercial cloud services also can mitigate security and other risks.

Improving an agency’s workflow, Butler said, can have a bigger impact on constituents than just digitizing a paper form.

He said several agencies have already digitized forms, but into PDF documents that still need to be emailed.

“All of that can be done, authenticated in a more refined approach. We’re seeing examples of that occur. Some of those examples are really being magnified by multiple solutions working together in an effective way,” Butler said. “You may have a couple of different parties working with an agency to ensure that this solution that is provided is one that goes from A to Z. It’s really thinking about the whole process and how the full workflow is going to be engaged in a refined manner. That is something that we’re seeing a lot more of now.”

Butler added the overall goal is for agencies to rethink their entire workflow, understanding the chain of command, taking advantage of digital signatures and manage the entire process.

“There’s a huge value to the government to be able to look at the various different components of paper and agreements that they have across each of the components. Oftentimes, there is an ability to use analytics and be able to see where they are getting the most value. What processes are being put in place to achieve that value? Who are some of the players that are contributing and generating the most bang for the constituent or the US, and their resources in government?” he said. “I think that there’s a wealth of opportunity to think about program management across government because it’s that one variable that is consistent in every agency. To achieve the mission, you have to implement programs and to implement those programs effectively you have to streamline your processes and more effectively use partners to help achieve your goals.”

Legacy IT modernization and cloud collaboration

Gartner has this stat that says 60% of an employee’s work is self-managed, which means a large part of their job has to be accomplished using what's on their desktop, or what they can access on the cloud. Nobody tells them exactly how to do it.

Chris Aherne

Vice President of Federal, Smartsheet

Low-code/no-code platforms and protecting data

Every day, they can create workflows, they can collaborate with others and go through the big exercise of preparing reports from the boss for the big monthly meeting or those sorts of things. Because they're able to see an aggregate of all of what all their employees are doing, how they're tracking across projects and processes and those sorts of things, CWM gives you the capability to actually see what people are working on day in and day out.

Chris Aherne

Vice President of Federal, Smartsheet

Data is the fuel that is driving agency mission success. The challenge for many agencies is pulling the data out of siloes and aggregate so senior executives can make better decisions.

The thirst for this data and the need for tools to help collect and understand it is growing off the charts. Deltek, a market research firm, estimated that agencies will spend more than $4 billion by 2024 on data analytics tools. That spending is on top of other drivers like cloud and infrastructure modernization and workforce training around big data.

The benefits of breaking down the data siloes and integrating data are huge. During the pandemic, agencies saw them first hand where sharing information across the agency and the government helped improve citizen services and achieve mission goals.

A paper from the Harvard Kennedy School of Government found the benefits of using data to move toward a leading indicator instead of a lagging indicator includes financial savings, operational improvements and increased faith and trust in government.

The key to achieving these and other improvements is real-time access to the data and analysis to ensure changes can be made sooner than later and the leadership are all working from the same page.

Chris Aherne, the vice president of federal at Smartsheet, said agencies can move toward this data-driven environment by focusing on a combination of people, process and technology.

On the people side, Aherne said it’s a matter of training so employees understand how to use the tools at their disposal.

“Gartner has this stat that says 60% of an employee’s work is self-managed, which means a large part of their job has to be accomplished using what’s on their desktop, or what they can access on the cloud. Nobody tells them exactly how to do it,” Aherne said on the Innovation in Government show. “They get some training and those sorts of things, but they have to build processes, they have to build workflows and they have to integrate and get the data that they need.”

At the same time, these desktop systems create data and application siloes that force agencies to shift between the tools they need to complete their mission.

Aherne said one solution that more and more agencies are turning to is a collaborative work management (CWM) platform.

What typifies a CWM solution, the first tenant is usability. You need to have a capability that’s out there that folks can learn in a matter of hours or days as opposed to months. That’s a big tenant,” he said. “Then the other part is cloud. So if you think about it, if I’m working on an Excels spreadsheet that only I can see, then I have to save it, then I have to email it to you. I have to report on it and get it to my boss, right, and all those sorts of things, while I’m jumping from tool to tool and place to place. The average person–I saw the study from Pegasystems–switches screens 1,100 times a day. It’s not necessarily the best way to work. And CWM is a platform where, leveraging the cloud again, you can do all that stuff in one place.”

Meanwhile, the training of people to use the tools, the applications themselves must promote and make collaboration easy, and then there are the processes.

Aherne said the CWM platform helps agencies automate processes and promote the use of low-code and no-code development tools.

“Every day, they can create workflows, they can collaborate with others and go through the big exercise of preparing reports from the boss for the big monthly meeting or those sorts of things. Because they’re able to see an aggregate of all of what all their employees are doing, how they’re tracking across projects and processes and those sorts of things, CWM gives you the capability to actually see what people are working on day in and day out,” he said.

Aherne said when agencies combine the people, process and technology under a CWM platform, they can see up to a 40% increase in productivity from the same number of staff, they can reduce their risks due to having better visibility into what was going on all their projects at all times and rely on data to drive better decisions.

Listen to the full show:

About Smartsheet

Smartsheet is the enterprise platform for dynamic work. By aligning people and technology so organizations can move faster and drive innovation, Smartsheet enables its millions of users to achieve more.

Smartsheet Gov empowers agency leaders to bridge silos across teams, gain real-time visibility across initiatives, and accelerate mission results while maintaining security. Built to meet the enhanced compliance requirements of the US Government, Smartsheet Gov is a FedRAMP and DISA IL4 authorized cloud-based collaborative work management platform that enables agencies to achieve more across every department.

Find out why federal government agencies like the DoD, GSA, and NASA trust Smartsheet with their work at help.smartsheet.com/government.

The Impact of the Cyber EO on Agencies

This is a once in a generation opportunity.  We have the pandemic as a burning platform for a lot of the modernization projects that agencies had on the shelf, but hadn't really gotten around to, but then they had people working from home and were delivering services remotely and needed to get those projects going.

Juliana Vida

Group Vice President and Chief Strategy Advisor, Splunk

 Threats that Agencies Face

There are several different value propositions of cloud. Speed so you can move faster. Agility so you can change your configurations and move things around. There's also efficiencies to be found because agencies don't have to manage the infrastructure and pay for all the data center hosting.

Juliana Vida

Group Vice President and Chief Strategy Advisor, Splunk

Since May when President Joe Biden issued his cyber executive order, the Office of Management and Budget has been busy developing implementation memos.

There was the most recent memo on end point endpoint detection response in late October. Before that OMB released the draft Zero Trust strategy and is reviewing public comments on that strategy with a final draft expected out in the coming weeks.

OMB also issued memos around securing on-premise software as well as logging incidents.
And more memos and guidance are coming as the EO detailed 23 different required actions by agencies to address systemic cybersecurity problems.

Beyond the required actions, the EO also has changed the discussion about federal cybersecurity. The urgency brought on by a spate of attacks in early 2021 and the surge of funding from Congress to the Cybersecurity and Infrastructure Security Agency is generating a once in a generation opportunity to do more to get ahead of attackers, secure data and systems, and create a modern infrastructure that can change as the threats change.

Juliana Vida, the Group Vice President and Chief Strategy Advisor for Public Sector at Splunk, said agencies can use the momentum created by the EO, the funding from CISA and the technological advancements of the market to harden their cyber resolve.

“This is a once in a generation opportunity. We have the pandemic as kind of a burning platform for a lot of the modernization projects that agencies had on the shelf but didn’t get around to. Then they had people working from home who were delivering services remotely and needed to get those [modernization] projects going,” Vida said on the Innovation in Government show. “Now with the cyber executive order, and the memoranda, those are helpful policy guidelines that not only give specifics to the agencies but it gives them some deadlines that are pretty aggressive. It allows industry to respond in a way that is truly meaningful.”

Vida and other experts lauded the cyber EO and implementation memos for being prescriptive enough, but also taking into account that each agency is different enough and starting at an assortment of points to improve their cybersecurity.

“It’s a win for each of the agencies to show some creativity, to show some innovation, and let the people come up with a solution that works best. given the domain that they have knowledge on,” she said. “I really do think it’s a win-win as we’re already seeing organizations put their plans in place based on their maturity.”

No matter where agencies are starting, Vida said the OMB memo from August on incident logging is a good place to start and/or focus initial efforts on improving.

In that memo, OMB established a maturity model around event logging and required agencies to assess their current state against the model.

“What we’re finding is that agencies don’t always know where to start to with incident event logging. Well, when you start with the logs, that’s like the ground truth,” she said. “We talk in general terms about listening to your data, or go back and look at the logs and figure out where the cybersecurity event happened. But that takes a lot of deep inspection, and it takes a lot of time. Unless you have this robust data analytics platform to do it, it can just be another burden on the agency. If agencies want to use their workforce to manually go through logs, and try to meet these requirements of the EO, but still maintain a good cybersecurity posture, that’s a losing proposition.”

Instead, Vida said using a cyber and data analytics platform like Splunk can not only get you compliant with OMB’s memo, but, more importantly, identify patterns, vulnerabilities and relieve some of the burdens on the cyber workforce through the use of automation and orchestration.

Vida added running the data analytics on a cloud infrastructure raises the value of the platform.

“There are several different value propositions of cloud. Speed so you can just move faster. Agility so you can change your configurations and move things around. There are also efficiencies to be found because agencies don’t have to manage the infrastructure and pay for all the data center hosting,” she said. “All of that drives speed and it allows the speed of the data processing and for the workforce to be able to do higher-level work, then trying to reconfigure passwords.”

About Splunk, Inc.

Splunk Inc. (NASDAQ: SPLK) turns data into doing with the Data-to-Everything Platform. Splunk technology is designed to investigate, monitor, analyze and act on data at any scale. Learn more at splunk.com/publicsector.

Protecting Agencies from Cyber Attacks in the Current Environment

We just have to understand that everything is based on the value of the data. Everything's about access and everything's about availability. So as we extend out to the edge, we're going to have exposures. We have to understand that the critical data, the tier zero, tier one, foundational aspects of an organization is what we need to protect at the fullest.

Kevin McDonough

Advisory Systems Engineer, Dell Technologies

Attack Vectors of Focus

We have tools where, ultimately, because we've segmented the value of the data, we are preventing the adversaries from getting to command and control through isolation and through advanced mutability. At the end of the day, even if we haven't patched anything, even if one of our users clicks on the wrong thing, we can stop every single attack at that command and control phase, which means the adversaries can never take action on their objectives, and we win.

Kevin McDonough

Advisory Systems Engineer, Dell Technologies

About a third of all cyber incidents federal agencies faced last year were unknown or outside the typical spam, phishing or web authentication vectors.

The Office of Management and Budget says the prevalence of this attack vector suggests additional steps should be taken to ensure agencies appropriately categorize the vector of incidents during reporting.

While it may be a categorization issue, it also may be the variety and volume of attacks are harder to identify and characterize.

The increase of cyber attack vectors over the last year of the pandemic was stunning.

Experts say ransomware attacks alone are up by nearly 500% since March 2020.

Other experts found in 2020, 22% of data breaches involved phishing. A year later, that number increased to 36%.

And scammers are more successful, exfiltrating data or taking over systems 57% of the time, which is a 2% increase over the previous year.

In addition to the number of attacks increasing, researchers found that, on average, it takes 280 days to identify and contain a cyber attack.

All of these statistics, once again, prove just how difficult protecting systems and data continue to be.

Kevin McDonough, an advisory systems engineer at Dell Technologies, said there are things agencies can do to stay ahead of attackers starting with using the right tools as well as the ability to detect, and even predict threats, in real time.

“We just have to understand that everything is based on the value of the data. Everything’s about access and everything’s about availability. So as we extend out to the edge, we’re going to have exposures,” McDonough said on the Innovation in Government show sponsored by Carahsoft. “We have to understand that the critical data, the tier zero, tier one, foundational aspects of an organization is what we need to protect at the fullest.”

Protecting data becomes more important as the threat surface expands with remote work and devices at the edge.

McDonough said this is why agencies have to do more to protect against ransomware and the ever present phishing attacks.

“Because money is so big, that’s where the bad actors are getting innovative, and once they get in, they’re getting really good at hiding, really good at staying under the radar, really good at understanding what tools the people that they are trying to attack use,” he said. “Above and beyond that, coupled with some of the things that just came out, like REvil ransomware that basically steals Windows credentials, so they’re in and can start doing what they need to do in terms of getting command and control and taking action on their objectives. Brute force attacks are another big thing. I tell the organizations the brute force attack will be 100% successful given enough time and given enough resources. Now we have nation states backing these advanced persistent threats so they’re able to check all those boxes.”

Despite the increase in ransomware, brute force and phishing attacks, McDonough said all hope is far from lost.

He said agencies and industry are getting better at identifying and stopping attackers earlier in the process.

“We have tools where, ultimately, because we’ve segmented the value of the data, we are preventing the adversaries from getting to command and control through isolation and through advanced mutability. At the end of the day, even if we haven’t patched anything, even if one of our users clicks on the wrong thing, we can stop every single attack at that command and control phase, which means the adversaries can never take action on their objectives, and we win,” he said. “To me, that is the good news instead of getting bogged down by the absolute complexity and the size of the issue. It really comes down to isolating your critical data, separating it from the network, making it a physical separation and then a logical air gap separation, so that we know that there’s no way the adversaries can get to that critical data.”

McDonough said agencies still need disaster recovery tools, data protection tools and other capabilities to reach that level of immutability that every organization must strive for.

“Having an area that’s isolated essentially is your oxygen environment that allows organizations to forensically eradicate those attacks without affecting the production environment,” he said. “Then you also will limit dwell time by the adversary. If you understand that attackers exist, understand that they are out there, then you have a way to be able to react to them. Securing your technology is doable. It is not all doom and gloom. We just have to understand that it’s not matter if but when the attacks will come and when they do, we have to be ready.”

Listen to the full show:

About Dell Technologies

Dell Technologies services the federal government and supports their IT programs from system modernization to cloud integration. They empower countries, communities, customers and officials to serve the public with effectiveness and efficiency. Carahsoft is a Dell partner, and together they offer federal, state, and local government solutions on various contract vehicles to give you cost-effective products and services.

 

What we've seen now is the monetization of those attacks with ransomware and with the anonymization through cryptocurrency and other things, paying the ransom actually helps them advance themselves. As much as we like to get alarmed with ransomware, we should be equally alarmed with malware or any compromise because it's really up to the adversary and the human on the other side, and it's really up to their motive.

Travis Rosiek

Chief Technology and Strategy Officer, BluVector

 

The ability to detect threats without signatures, the ability to not have to wait for that time for analysis and propagation, especially in the disruptive malware world, is super critical. Trying to do better detection, without signatures, do it faster, allows cyber defenders to have a chance, especially in the destructive malware world.

Travis Rosiek

Chief Technology and Strategy Officer, BluVector

The rash of cyber attacks on agencies and private sector organizations will continue to rise. Just looking at the attack flavor of the year, ransomware…recent studies found ransomware attacks rose 62% worldwide and 158% in North America in 2020. The FBI received nearly 2,500 ransomware complaints in 2020, up about 20% from 2019.

This has led to increased costs for agencies and organizations alike. Some estimate that companies across the globe paid more than $20 billion in 2021 to deal with ransomware, which is a 57-fold increase since 2015.

Cybercrime overall costs companies across the globe an estimated $6 trillion and that cost is expected to only increase in the future.

The issue is more than just ransomware. Attacks against mobile devices are increasing. Phishing attacks are becoming more sophisticated. And new vectors like cryptojacking are becoming a more popular approach by bad actors.

To combat the ever-increasing cyber threats, agencies are spending more money than ever. In the fiscal 2022 budget request working its way through Congress, civilian agencies requested $9.8 billion, which would be a 14% increase over 2021. The Defense Department says its cybersecurity budget request in 2022 is $10.4 billion, bringing total cyber spending above $20 billion governmentwide for the first time.

But it’s more than just money that is needed. It’s also people and better data.

Travis Rosiek, the chief technology and strategy officer at BluVector, said the biggest change over the last 20 years is cyber attackers have gone from executing code and stealing data to destroying it or holding it hostage.

“What we’ve seen now is the monetization of those attacks with ransomware and with the anonymization through cryptocurrency and other things, paying the ransom actually helps them advance themselves,” Rosiek said on the Innovation in Government show sponsored by Carahsoft. “As much as we like to get alarmed with ransomware, we should be equally alarmed with malware or any compromise because it’s really up to the adversary and the human on the other side, and it’s really up to their motive.”

As the adversaries continue to improve their capabilities and become more sophisticated by cleaning up their tracks and leaving fewer traces, agency security operations centers have to accelerate their ability to triage networks. The goal, Rosiek said, is to reduce the dwell time attackers have so SOCs can prevent or better limit the impact and/or collateral damage of an incident.

Rosiek said agencies must become more predictive and less reactive to cyber attacks, which means becoming better at analyzing data from a people, process and technology perspective.

“The ability to detect threats without signatures, the ability to not have to wait for that time for analysis and propagation, especially in the disruptive malware world, is super critical. Trying to do better detection, without signatures, do it faster, allows cyber defenders to have a chance, especially in the destructive malware world,” he said. “From a process perspective, every security operation center I’ve ever been to public and private sector faces short staffs, there’s high turnover rates, and they easily burn out because they’re all drowning in events. There’s a huge big data problem in cyberspace. If you have this big mountain of data, everything is siloed or doesn’t have a lot of context from a cyber analyst’s perspective. It’s really hard to do really good correlation because you don’t have enough insight about why a specific product or tool made a determination. I probably spent 90 some percent of my time looking at false positives, which was probably one of the most unrewarding parts of my career.”

He said agency operations must become cyber resilient to address all three challenges.

“One aspect, and some of the things we tried to work on at BluVector, is better and faster threat detection, on a millisecond basis, through leading-edge machine learning and other non-signature based detection techniques to detect threats that have never been seen before, but also generating a lot of rich context about why we made decisions of something being malicious or benign,” he said. “Then, from a cyber workforce perspective, we try to create and visualize the data in a way that’s very intuitive so a non-novice analyst can come in and look at something and with a little bit of training can say, ‘Yep, that’s definitely bad. Or this looks pretty good.’”

Rosiek said only through AI and ML tools can detection and mitigation, even prevention, happen at a scale to keep up with the bad actors.

“For a targeted attack, a signature is only going to be able to stop that attack within the first minute or less. So they’re going to recompile their tools and have an attack profile that there is no signature that can be blocked or mitigated,” he said. “The evolution from signatures was sandboxing of non-signature based detection. But because that takes minutes or hours for cloud-based sandboxes or on premise sandboxes to return results, it still wasn’t fast enough for destructive malware. The application of machine learning allows that an analysis of unknown content to be rendered in a decision about whether it be benign or malicious can occur in milliseconds, but which is timely enough to be actionable and minimize that impact.”

Listen to the full show:

About BluVector

Deployed and actively used across global government and commercial networks, BluVector is trusted to provide comprehensive threat coverage thanks to nearly a decade of innovation in the areas of machine learning and artificial intelligence. Backed by Comcast, BluVector serves both Public Sector and Enterprise Commercial customers throughout the world.

 

You're starting to see this evolution of how government's looking, embracing this around a people-centric workplace. The workplace can be anywhere that individual may be, and they're putting in the policies and procedures to actually adapt to that.

Matt Mandrgoc

Head of U.S. Public Sector, Zoom

 

There's five things that really tie into how you would look for a successful communications, collaboration solution. Cloud based and its ease of use become the number one thing I've heard from every single customer. They can turn it on and they know how to use it, and they know it's secure and it's scalable. Now Zoom has these things where you can create a room and you can have different people sitting up, playing different types of immersive things to make this even feel more of a human-to-human interaction and human connection extensibility. This becomes important because in our commercial version, we have hundreds of integrations with different solutions. We are also working on a Zoom for Government platform to actually get the integration with other FedRAMP solutions. So think about the fact that not only we do this here, but can you if I have a FedRAMP version of an investment that has another solution I use, and I can integrate two solutions together. That's automating the process and making it easier for them.

Matt Mandrgoc

Head of U.S. Public Sector, Zoom

Many agencies always prided themselves as hubs of collaboration. The open office surge in the early 2010s. The use of things like industry days to bring vendors and federal buying officials together. These are but two examples of what agencies thought was impactful collaboration.

Then the COVID-19 pandemic struck, and we all entered a new culture norm when it came to collaboration and communication.

Agencies and companies quickly adapted to video communications for staff meetings, for industry days and for providing telehealth services. Without a doubt, the pandemic’s impact on the way agencies communicate internally and externally will be felt for decades.

The ease and comfort at which agencies moved to this new online-only approach was both surprising and a precursor for the future.

Agencies found employees were more satisfied and more productive, citizens found it easier, in some cases, to work with federal offices and security of the data and communications was as rigorous as in person events.

As agencies come out of the pandemic, they must figure out how to prosper in a hybrid world where communication and collaboration will be in person and online.

Matt Mandrgoc, the head of US public sector at Zoom, said the pandemic showed three things: Incumbent technologies were not necessarily scalable to satisfy the needs of the mass remote work environment; the culture change brought on by mass telework will be permanent; and cloud services were critical to all of these successes.

“You’re starting to see this evolution of how government’s looking, embracing this around a people-centric workplace,” Mandrgoc said on the Innovation in Government show sponsored by Carahsoft. “The workplace can be anywhere that individual may be, and they’re putting in the policies and procedures to actually adapt to that.”

That concept that work is what you do, not where you do it is a major piece to the culture change.

Mandrgoc said one agency customer found their employees were as productive or more productive working from home as they were in the office. At the same time, he said the agency also realized the remote working opened the door to recruit new employees from a wider area.

“This was a very special skill set that they needed. So instead of having to be in the DC metro area, maybe they would hire somebody from Raleigh, N.C., or from Austin, Texas, or from Denver or from California, all of those places out there. They have that skill set and they don’t have to be just in DC because you are providing them the productivity tools to actually do that,” he said. “We saw FEMA doing a lot of work out there in the field, using Zoom, to get the messaging out to actually work along with the different first responders to get information. We started to talk a lot about recruiting, just bringing employees in to the government.”

He said the military and civilian agencies embraced the technology, expanded recruiting and saw their numbers actually increase during the pandemic.

Agencies also took advantage of the cloud technology and the collaboration tools to reach citizens in a new and better way.

From telehealth to remote hearings to other ways, agencies could now engage citizens in a way that was less dependent on weather or staffing.

“We saw as not just the federal, the state, local governments also transitioning. We saw hearings and meetings that were occurring, and typically people would have to go in central location to watch a hearing. Now you saw a lot of these humans going into the remote status, and there was just a tremendous growth around that piece of it, which ties in citizens and talking to customers,” Mandrgoc said. “Some states are actually mandating that going forward because they were getting more people attending these types of meetings. It’s hard that if I have the hearing is at 5 p.m. on Wednesday, and kids have events or something happens and traffic is bad, I can’t get there. I can’t be participate in that. But I can click on, pop on my Zoom, go ahead and listen, watch what was going on. So they’re we’re seeing they’re getting more citizen engagement that way.”

Mandrgoc said all of these successes and experiences is leading to a hybrid workplace where in-person and online events, meetings and the like will be a standard and expected approach.

“There’s five things that really tie into how you would look for a successful communications, collaboration solution. Cloud based and its ease of use become the number one thing I’ve heard from every single customer. They can turn it on and they know how to use it, and they know it’s secure and it’s scalable,” Mandrgoc said. “Now Zoom has these things where you can create a room and you can have different people sitting up, playing different types of immersive things to make this even feel more of a human-to-human interaction and human connection extensibility. This becomes important because in our commercial version, we have hundreds of integrations with different solutions. We are also working on a Zoom for Government platform to actually get the integration with other FedRAMP solutions. So think about the fact that not only we do this here, but can you if I have a FedRAMP version of an investment that has another solution I use, and I can integrate two solutions together. That’s automating the process and making it easier for them.”

About Zoom

Zoom is for you. We help you express ideas, connect to others, and build toward a future limited only by your imagination. Our frictionless communications platform is the only one that started with video as its foundation, and we have set the standard for innovation ever since. That is why we are an intuitive, scalable, and secure choice for large enterprises, small businesses, and individuals alike. Founded in 2011, Zoom is publicly traded (NASDAQ:ZM) and headquartered in San Jose, California. Visit zoom.com and follow @zoom.

The Difference in the SolarWinds Attack

In every experience, whether it's a bug or a security breach, there is something to be learned that will fortify what we can do going forward to make it that much more difficult for a threat actor to perform their duties, so to speak. We are approaching this in exactly the same way. I also have another attitude which is one dissatisfied customer or one impacted customer is one too many. We are keeping the customer in focus and keeping the constant learning of these experiences in focus and continue to improve your processes, your tools, your training, your behaviors, to help to build a more safer set of environments.

Sudhakar Ramakrishna

President and Chief Executive Officer, SolarWinds

Working with Customers and Lessons Learned

The federal government customers are very important to us and I personally have spoken to many of them at this point. And I continue to do so. We're doing this for multiple reasons. One is touching the customers making sure that they are happy and satisfied with our performance and support. Another is articulating to them what we have learned and what we are doing because many of our federal government customers are also having complex supply chains from a software standpoint, and we are trying to drive our learnings into their environments. The third is a two-way open dialog where we can understand their requirements and their concerns better and take action. So I'm again very grateful, I would say is probably the right word to use in this context, to the government customers who have engaged with us who have helped us and who have been patient with us. And many of them actually have now turned our systems back on and are experiencing the benefits of the solutions that we deliver.

Sudhakar Ramakrishna

President and Chief Executive Officer, SolarWinds

Without a doubt, it’s been a busy 2021 for federal and private sector chief information security officers.

While the number of cyber attacks may be the same, or near the same, the severity and the impacts on every day society are not.

From the supply chain attack on SolarWinds to the Microsoft Exchange vulnerability to the PulseSecure VPN, all organizations have been reminded that their dependence on technology can both a blessing and a curse.

What these and so many attacks have taught agencies is the need to be resilient.

The most recent Federal Information Security Management Act (FISMA) report to Congress found agencies are doing a better job managing their cyber risks. In fact, their scores across the NIST Cyber frameworks around identify, protect, detect, respond and recover are among the highest in the last four years.

This means agencies are also doing a better job of communicating to their stakeholders about their planning and performance metrics around their recovery activities based on risk tolerance.

Still, one thing is clear from the last several months, no amount of planning, people or tools will stop a determined adversary.

This is why agencies, and really all organizations, must have confidence in their suppliers and ability to react and recover to threats and attacks.

Sudhakar Ramakrishna, the president and CEO at SolarWinds, said the high-profile attack his company experienced, which came to light in December but likely started a year before, is both a learning experience and an opportunity to double-down on software development approaches.

“In every experience, whether it’s a bug or a security breach, there is something to be learned that will fortify what we can do going forward to make it that much more difficult for a threat actor to perform their duties, so to speak,” Ramakrishna said on the Innovation in Government: Cyber Resiliency show sponsored by Carahsoft. “We are approaching this in exactly the same way. I also have another attitude which is one dissatisfied customer or one impacted customer is one too many. We are keeping the customer in focus and keeping the constant learning of these experiences in focus and continue to improve your processes, your tools, your training, your behaviors, to help to build a more safer set of environments.”

One of the ways SolarWinds is attempting to do just that is through an internal approach it launched after the breach came to light called “secure by design.”

Ramakrishna said this approach includes several steps.

“Security should not be an afterthought of delivering a product so we do penetration testing, we do post software analysis of the security of our software, all those are required. But I would say those are not sufficient and security needs to be planned in or designed in, and that needs to happen at the infrastructure level, that needs to happen in the build systems that need to happen in the build processes, and more broadly, in the consciousness and training of the company,” he said. “The learning, or if you want to think of it as the action that we’re taking, is how do we incorporate that across those dimensions within the entire company.”

One way SolarWinds is incorporating secure by design into its entire company is by using more red teams to more rigorously challenge the company’s plans, policies, development systems by using an approach a hacker or other bad actor would use.

“It is important for us to think like threat actors, no matter the size of the company, or the resources of the company, and provide some ability for the team to do synthetic attacks against ourselves to learn and improve on an ongoing basis. Another is that this is specific to the software bill of materials, and software development itself, we have created three parallel build systems, and the three parallel build systems are in different locations, with different permissions. The whole idea, going back to digitally signing a piece of code and delivering it to customers and giving them the confidence that it’s pristine and is coming from us, the goal is to build across three systems and create cross dependencies, and I should take cross checks across those three environments to make sure that the integrity is not compromised in any one of them,” Ramakrishna said. “If you think about a threat actor, even if they’re able to compromise in one environment, they will have to consistently compromise across three different environments in exactly the same way for us to have a compromised delivery to the field. That required a lot of innovation and that will require a lot of investment on our part. Our goal is that as we perfect it to be able to document it and publish it. This is some of the work that I’m working with some of the federal government agencies, including CISA and others, to articulate what we’re doing.”

All of these and the other actions SolarWinds has been taking over the last few months is to create the trust and confidence with its customers, particularly federal agencies.

He said despite revealing in the last few weeks that fewer than 100 customers were compromised by the attack, SolarWinds helped every customer who asked with applying the patch or rebuilding their systems.

“The federal government customers are very important to us and I personally have spoken to many of them at this point. And I continue to do so,” he said. “We’re doing this for multiple reasons. One is touching the customers making sure that they are happy and satisfied with our performance and support. Another is articulating to them what we have learned and what we are doing because many of our federal government customers are also having complex supply chains from a software standpoint, and we are trying to drive our learnings into their environments. The third is a two-way open dialog where we can understand their requirements and their concerns better and take action. So I’m again very grateful, I would say is probably the right word to use in this context, to the government customers who have engaged with us who have helped us and who have been patient with us. And many of them actually have now turned our systems back on and are experiencing the benefits of the solutions that we deliver.”

Ramakrishna said SolarWinds continues to share its lessons learned with the FBI, with CISA and many others.

He said by being transparent, he hopes others can learn from SolarWinds’ experience and not repeat the same challenges or face the same attacks.

“I noticed that some of the agencies may be restricted in what they can share with the private sector. Let’s say as we engage with the FBI, we continue to inform them of what we learn. But sometimes the relationship can be asymmetric. So the more we can make those relationships symmetric, I think the faster information flow will be and knowledge sharing will be,” he said. “If there is a broad recognition that these things can happen to anyone notwithstanding the best intentions, best practices, best tools, then the level of victim shaming goes down. In a strange way, coming out and informing proactively should be rewarded, not punished, so to speak, either by reputational damage or business damage. That’s the other thing that I think as part of awareness building, we all as a community need to do more to help engage equally accountability methods. Therefore, to the degree that we don’t come out and disclose, to the degree that you don’t come out and comply, they should mean some measures between public and private sectors where accountability is both expected and imposed.”

Addressing Federal Cyber Threats

Effectively, TIC 3.0 really isn't that much about networking. It's really about data protection and privileged access management. Who is on the network? What's happening on the network? What data is on the network, and how is it being protected? While TIC 3.0 is mandated, it's already in force. Although the vast majority of agencies, perhaps all, are behind on addressing those things, part of it is just sheer procurement delays based on their existing TIC 2.0 and Enterprise Infrastructure Solutions (EIS) networking procurements. But the reality is TIC 3.0, I think, is the silver bullet and it's a mandate. While it doesn't specifically have any dollars behind it, it does completely round out the vast array of cybersecurity challenges that CIOs, IT leadership and chief information security officers are having to deal with.

John Fanguy

Federal Chief Technology Officer, Cybersecurity, Micro Focus Government Solutions

Challenges Agencies Face in Cyber

There's tools that scan your entire application portfolio and database infrastructure to identify where you've got PII, where you’ve got HIPAA data, but also where you've got duplicate data,” he said. “Now, obviously, that's not a magic finger snap, but at least you understand where your vulnerabilities are so that you can begin to put in place programs to reduce the redundant data, the obsolete data, as well as address the question of privilege access management.

John Fanguy

Federal Chief Technology Officer, Cybersecurity, Micro Focus Government Solutions

The Cybersecurity and Infrastructure Security Agency released three emergency cyber directives in the last five months. Agency CIOs and CISOs have had one fire drill after another to patch critical vulnerabilities in software.

Of the three breaches—Solarwinds, Microsoft and Pulse Secure, the Solarwinds breach caused the most problems. CISA reported at least nine agencies were impacted directly, while every agency had to scramble during the first few weeks after the breach became known.

The Solarwinds breach isn’t just a one off. It’s part of a growing threat surface.

The Identity Theft Resource Center (ITRC)  found in its 2020 Data Breach Report that supply chain attacks are increasingly popular with attackers since they can access the information of larger organizations or multiple organizations through a single, third-party vendor.

ITRC says 668 entities were impacted by third-party or supply chain attacks last year.

These types of attacks become more complex as agencies live in a mixed environment of legacy and newer technologies.

John Fanguy, the federal chief technology officer for cybersecurity at Micro Focus Government Solutions, said agencies can prepare for the next cyber attack and ensure their missions are resilient by taking several important steps, starting with implementing Trusted Internet Connections (TIC) 3.0.

“Effectively, TIC 3.0 really isn’t that much about networking. It’s really about data protection and privileged access management. Who is on the network? What’s happening on the network? What data is on the network, and how is it being protected?” Fanguy said on the Innovation in Government show sponsored by Carahsoft. “While TIC 3.0 is mandated, it’s already in force. Although the vast majority of agencies, perhaps all, are behind on addressing those things, part of it is just sheer procurement delays based on their existing TIC 2.0 and Enterprise Infrastructure Solutions (EIS) networking procurements. But the reality is TIC 3.0, I think, is the silver bullet and it’s a mandate. While it doesn’t specifically have any dollars behind it, it does completely round out the vast array of cybersecurity challenges that CIOs, IT leadership and chief information security officers are having to deal with.”

CISA recently released new use cases for traditional TIC and the branch office connections. It’s still working on the use case for remote workers.

As agencies start to understand what the uses require, the path toward better cybersecurity gets a bit easier.

“The way EIS, the $50 billion GSA program, was let includes software-defined networks (SDN) and that effectively created new capabilities that TIC 2.0 did not address. TIC 3.0 programs wisely looked broader than just SDN and created a very comprehensive thorough set of key requirements that, perhaps, will serve as the next 15 years,” he said. “TIC 3.0 really has five main requirements: manage the traffic, protect traffic, confidentiality, protect traffic integrity, ensure service reliance and ensure effective response.”

He added that TIC 3.0 opens the door a bit wider for other cyber approaches like zero trust, privileged access management, data confidentiality, format preserving encryption of data and a number of other things.

These additional cybersecurity protections will go a long way to protect data, which in the end is every organization’s most valuable asset.

Even with the recent Solarwinds breach or the PulseSecure VPN vulnerability, the goal wasn’t penetrating the initial technology. It was gaining access to the network and then the data.

Fanguy said protecting the data and minimizing its usefulness through the application of new controls that come with TIC 3.0 and by using format preserving encryption of data is the goal that every organization wants to achieve.

“There’s a number of solutions, including ours, which can deliver this. And it’s important to realize that format preserving encryption isn’t necessarily appropriate for everything. But for anything that’s HIPAA or personally identifiable information (PII) related, particularly for federal employees and citizens, it’s critical that that data be encrypted with format preserving encryption. It’s different than disk encryption and SSL,” he said. “Format preserving encryption is select field or subfield encryption using pseudonymized, tokenized keys that are secure, either in the cloud or on premises, based on your agency’s preference. The reality is, let’s say my Social Security Number is 41063157, so typically most applications would have the last four digits for any citizen or employee. So in the database, if we use this format preserving encryption, we change the first five characters to something that really doesn’t align to me as a person, but the last four characters are, so effectively we’ve made that Social Security Number associated with my name, useless to exploit traders.”

Before an organization can implement format preserving encryption of data, it first must understand what data it has.

Fanguy said many agencies struggle to understand what data that they have and the number of copies of data.

He said having duplicative data and not understanding what information is most valuable to the mission exacerbates and expands the threat attack surface at each agency.

“There’s tools that scan your entire application portfolio and database infrastructure to identify where you’ve got PII, where you’ve got HIPAA data, but also where you’ve got duplicate data,” he said. “Now, obviously, that’s not a magic finger snap, but at least you understand where your vulnerabilities are so that you can begin to put in place programs to reduce the redundant data, the obsolete data, as well as address the question of privilege access management.”

Fanguy added if agencies can reduce the value of the data to hackers, then agencies can diminish the financial value and impact of cyber attacks.

Data to the edge

By having a Cloud Smart strategy and a data-first strategy, we’re able to analyze the value of the data, the type of data, what we're going to do with that data and be able to figure out where the data should reside at any given point during its lifecycle.

Ed Krejcik

Federal Systems Engineer, Dell Technologies

Innovation in multi-cloud solutions

Flexible consumption models allow organizations to 'put a buffered capacity on the floor, maybe a committed capacity of a petabyte.' But if they run into data surges where they need two petabytes of capacity on the floor just in case, 'they can be prepared for those data loads when they occur with flexible consumption models.'

Ed Krejcik

Federal Systems Engineer, Dell Technologies

Market research firm IDC estimates that 80% of all data created today by all organizations is unstructured. And there’s a lot of data—streaming in from sensors at the edge, connected nodes, and countless devices.

“With unstructured data growing so rapidly, you really need a foundational architecture…that’s scalable, whether that’s at the edge or at the core data center,” said Ed Krejcik, manager of presales engineers for the unstructured data business unit for Dell Technologies. A scale-out architecture offers flexibility. “Just like a hyper-converged model, you add individual nodes that have capacity, compute, networking to be able to respond in an easily upgradeable fashion,” he said.

Because of the pandemic, digital transformation happened seemingly overnight. Change was everywhere, and it was rapid. Everything that was once on-premise—from data to the workforce itself—suddenly was off premise. Scalability and agility became essential functions for delivering services swiftly and securely.

Cloud Smart is about putting data “where it is of most value and also where it’s most accessible and usable from a performance perspective,” Krejcik said during an interview on Innovation in Government, a show sponsored by Carahsoft. Manage your data, manage your workload.

Many agencies are adopting a hyper-converged infrastructure to meet shifting demand. HCI is a software-defined IT infrastructure that puts storage, compute, networking and management into a single virtualized environment, eliminating silos and redundant tools. It combines that hardware with locally attached storage appliances in a unified, software-defined framework that delivers greater scalability while reducing data center complexity. It can take agencies out of traditional three-tier architectures that may have served them well over the years but are now insufficient for modernized operations.

HCI is important because many agencies will live in a hybrid cloud environment for the short to medium term. Add to that hybrid cloud environment the challenges and opportunities around security and dev/sec/ops and you can see how making sure you data is accessible becomes even more important.

The growth of unstructured data also forces agencies to improve how they manage their cloud instances, including storage. A “pay-by-the-drink” model (known more familiarly as “as-a-Service”), said Krejcik, provides agencies the flexibility required to manage the ebbs and flows of their missions.

It’s a method of providing some predictability in terms of budgeting, a notoriously tricky process in Washington, DC. “We are working with agencies to understand what they need to be prepared for,” he said. “There are tiers of performance and capacity that have rates associated with them so it’s very predictable…. [They get] a clear understanding of what the costs are going to be up front before they go down the road.”

Krejcik sees the new consumption model a game-changer for the federal government. Agencies have got to “be able to have flexible consumption models…to pay for only what they use,” he said. “It’s also a big change in the color of money, changing it from a capital expense to an operating expense.”

Agencies still struggling to manage endless streams of data now have numerous routes to establishing a responsive infrastructure that meets their specific needs and missions.

About Dell Technologies

Dell Technologies is a unique family of businesses that provides the essential infrastructure for organizations to build their digital future, transform IT, and protect their most important asset, information.

The Federal Government Remote Work Story

If you have an operation with that has some people coming in, you have to make sure that you have the right people coming in at the right times. There's this idea of shift scheduling, and that that has to be implemented, and you have to be able to maintain a physical, appropriate physical distance in the office. These are all changes that may sound easy, but I think the devils in the details with these things. Digital technologies have a have a way to make this a little bit easier to manage. The further opportunity is to bring it all in some kind of dashboard and make it easy for leadership to see what it all looks like and make good management decisions is really essential to.

Jonathan Alboum

Federal Chief Technology Officer, ServiceNow

Using Automation to Return to Work

There's a need for digital technologies that can manage the complexity in the workflows because in the end, we're trying to get people who need a vaccine, a vaccination so they can be safe and healthy and we can get back to some sense of normalcy. It's a really big challenge with national and international implications so you can't do that in spreadsheets. It's too complex to manage through email. We're all we're all adjusting to some of these new requirements. And from what I see, talking to a number of these agencies, there's a clear recognition that we have to take a different approach.

Jonathan Alboum

Federal Chief Technology Officer, ServiceNow

Over the past year, agency successes of moving employees to remote work, upgrading networks and adjusting to the new video meetings and collaborations have been well illustrated.

Agencies figured out virtual onboarding of new employees, creating live chat rooms to give employees the watercooler experience and expanded their pool of applicants.

In a recent Federal News Network survey of more than 2,000 federal employees and contractors found 48% of the respondents would telework full time if they could.

At the same time, 56% said they wouldn’t feel comfortable returning to the office until their co-workers were vaccinated. Additionally, 53% said their agency hasn’t told them when to expect to return to the office.

No matter the timing, federal managers must begin planning for employees to return to the office, even on a limited basis.

The Office of Management and Budget created a workplace safety task force in January. The new group will advise agencies on government operations and continuity, as well as employee safety, throughout the pandemic. The task force will address at least a dozen topics, including testing, employee telework and commuting options, IT infrastructure needed to support remote work, contact tracing, social distancing and vaccine distribution.

Jonathan Alboum, the principal digital strategist for federal at ServiceNow, said agency managers can start preparing today for the future when employees return to the office with a goal of ensuring their safety through the use of technology and data.

“If you have an operation with that has some people coming in, you have to make sure that you have the right people coming in at the right times. There’s this idea of shift scheduling, and that that has to be implemented, and you have to be able to maintain a physical, appropriate physical distance in the office,” Alboum said on the Innovation in Government show. “These are all changes that may sound easy, but I think the devils in the details with these things. Digital technologies have a have a way to make this a little bit easier to manage. The further opportunity is to bring it all in some kind of dashboard and make it easy for leadership to see what it all looks like and make good management decisions is really essential to.”

Alboum said in some ways returning to the office may be more difficult than moving to full-time remote working. He said the need to balance a growing number of requirements for the safe return to work requires agency managers to not only ask the right questions, but collect and analyze the right data.

“There’s data, whether it’s in ServiceNow, or it’s in any of the other systems of record that support bringing people back into the office or other business processes in an agency, understanding the data is very important,” he said. “Being able to see it is very important. But being able to take action, I think, is really most important. And to the extent that those actions can be automated, that they are workflows that have to that can occur based on how data looks.”

This could mean employee self-reporting of receiving the COVID-19 vaccine, or how to do health screenings and contact tracing when employees begin to work out of office again.

He said agencies can’t waste time filling out and reviewing spreadsheets. Automation must be part of the answer.

“COVID vaccine management is the workflow challenge of our lifetime,” Alboum said. “We just think about the complexity of the number of entities involved on the on the private sector, the companies that make the vaccine, the companies that make the equipment that’s used to deliver a vaccine, let alone the number of federal agencies involved, and state and local entities involved. There are so many players, being able to coordinate across all of those different entities is really, really hard. And if we want to make sure that the vaccine distribution is very effective, and it’s very equitable, we need to really think about vaccine delivery as a workflow.”

He added the vaccine management challenge should make it clear to agencies that the only way to manage it is through digital technologies.

It’s clear that agencies will play a larger role in managing the vaccine distribution under the Biden administration.

“There’s a need for digital technologies that can manage the complexity in the workflows because in the end, we’re trying to get people who need a vaccine, a vaccination so they can be safe and healthy and we can get back to some sense of normalcy,” Alboum said. “It’s a really big challenge with national and international implications so you can’t do that in spreadsheets. It’s too complex to manage through email. We’re all we’re all adjusting to some of these new requirements. And from what I see, talking to a number of these agencies, there’s a clear recognition that we have to take a different approach.”

About ServiceNow

Your government agency is driven to make life better for citizens and ServiceNow is committed to making work, work better for people. Together, we can speed and automate the delivery of modern citizen services while driving down costs. Our cloud-based platform consolidates outdated IT systems, leverages the data, and delivers automated, digital workflows that create great experiences for users. With ServiceNow, agencies can prioritize and respond to cybersecurity threats faster, revitalize the workforce with more efficient HR processes and higher value work, and redefine how to serve citizens with modern solutions. Agencies across civilian, defense and intelligence services use our FedRAMP certified platform to deliver and unlock productivity. To learn more, please visit us online.

Evaluating the Remote Work Environment

I think overall government customers are feeling very productive today, if they have the right tooling in place. If you had collaborative software in place, that was much easier for you to make that migration. If they didn't have that tooling in place, or if even they didn't have laptops in place, it was definitely a challenge at first.

Phoebe Nerdahl

Public Sector Lead, Atlassian

Workforce Trends

I think that there’s always been a really hard balance to strike between innovation and security. I think that moving to an entirely remote work environment has really melded the two, and …brought to light the need to make sure that you can be innovative, you can be new, but you can still put an emphasis on secure delivery as well.

Phoebe Nerdahl

Public Sector Lead, Atlassian

As we’ve heard many times over the last nine or so months, the shift to remote work across government has gone probably better than expected.

Agency chief information officers and other executives have told numerous stories about how they have improved their network capacity and log in capabilities in record time to make remote working successful.

We’ve heard about the culture change that has happened at agencies that were not big fans of telework, and we’ve seen the broad acceptance of video teleconference capabilities.

Now many agencies are considering permanent telework positions. Take the Immigration and Customs Enforcement directorate at DHS. They are advertising some positions that are 100% telework, which is something the agency wouldn’t have envisioned even a year or two ago, especially for a law enforcement agency.

Phoebe Nerdahl, the public sector lead for Atlassian, said there technology, tools process steps agencies can take to continue this evolution.

“I think overall government customers are feeling very productive today, if they have the right tooling in place. I think there was a little bit of a scramble at the beginning of the pandemic to see how they were going to make sure that they keep on top of everything. How are they going to make sure everyone understands what needs to be done?” Nerdahl said on the Innovation in Government show sponsored by Carahsoft. “If you had collaborative software in place, that was much easier for you to make that migration. If they didn’t have that tooling in place, or if even they didn’t have laptops in place, it was definitely a challenge at first.”

Now agencies are not only used to working remotely, but have proven it not only can be done, but done successfully.

Nerdahl said agencies have to continue to innovate and secure their systems and networks as they continue their IT modernization efforts.

“I think that there’s always been a really hard balance to strike between innovation and security. A lot of times, newer products are continually changing. They’re more agile, making sure that they have the right certifications,” Nerdahl said. “I know that that’s been a key strategy for Atlassian. Specifically, as we’re accelerating our journey to cloud, making sure that we have our FedRAMP roadmap in place that is strong that we know we’re going to be able to deliver quality software-as-a-service products in a secure manner. I think that moving to an entirely remote work environment has really melded the two, and for both government agencies and vendors alike, brought to light the need to make sure that you can be innovative, you can be new, but you can still put an emphasis on secure delivery as well.”

One of the ways to do that is through better program and project management.

Nerdahl said it’s important for agencies track project’s progress and understand the how the tools worked for specific efforts. She said the topic of remote work, recruiting and project management all will be topics at the 6^th annual Atlassian Government Symposium in February.

“Obviously, in public sector, there’s some data that is accessible, there’s some data that can’t be accessible for security reasons. So it’s a double-edged sword, I think that you still need access to that data and usability of it in order to achieve good results and achieve the mission that you’re looking to achieve both the priorities and missions that you’ve been charged with as a public servant,” she said. “But you have to make sure that the right people will have access to the right data. I think it ties in that balance of both innovation and security, that you see more public sector than you do in any other industry.”

She said that could mean data dashboards, snapshots or high level overviews that help drive decision making across an agency. The goal is to direct the data in a useful way.

“I think the number one thing that has helped Atlassian is our ability to tag people in specific points. I constantly am digesting a large amount of data for my personal team and organization. And it would be really counterproductive to make everyone read, again, pages and pages of forecasts or product updates, but being able to say, ‘Hey, I know that my marketer is going to really need this one snippet, highlight it, comment it, bring her in there and she’s able to view it, comment on it, edit it however we need to update that. That’s been critical,” Nerdahl said.

About Atlassian

Atlassian unleashes the potential of every team. Our team collaboration and productivity software helps teams organize, discuss, and complete shared work. Teams at more than 174,000 customers, across large and small organizations – including General Motors, Walmart Labs, Bank of America Merrill Lynch, Lyft, Verizon, Spotify and NASA – use Atlassian’s project tracking, content creation and sharing, and service management products to work better together and deliver quality results on time. Learn more about our products, including Jira Software, Confluence, Trello, Bitbucket, Opsgenie, Jira Service Desk, and Jira Align at https://atlassian.com/.

Supply Chain Risk Management

The way we look at this is the risk footprint that an agency has, has expanded significantly and the importance, based on a lot of the nation state cyber criminals that are out there, to make sure that everybody in that expanded risk footprint is doing the best they can to secure those environments.

Dan Carayiannis

Director, Public Sector, RSA Archer

Operational Resiliency

Just establishing a supplier catalog is a basic start. From there, I could evolve to requiring those contractors to provide me information, maybe from automated tools or vulnerability scanning tools and highlight and attach that document to that particular vendor. Another area where we have seen where people have leveraged technologies and capabilities is independent virtual assessments of a third party contractor to see how secure they are from a public-facing perspective. There are a lot of different things we have seen agencies do where they are starting to leverage technology and tools. It’s an evolutionary thing, it’s a crawl, walk and run process.

Dan Carayiannis

Director, Public Sector, RSA Archer

Without a doubt, 2020 will be remembered in the federal sector as the year of supply chain risk management. Oh yeah, there’s also the coronavirus pandemic turning everyone’s world upside down.

But if we step back from this tragedy, we can see just how much attention and resources went to supply chain risk management over the last 12 months.

From the Defense Department’s somewhat challenging roll out of the Cybersecurity Maturity Model Certification (CMMC) to the launch of the Federal Acquisition Security Council to the second part of the Section 889 acquisition rule, at every turn there agencies and vendors faced new requirements.

The task is so great that the Office of the Director of National Intelligence outlined three broad goals to improve the security of the federal supply chain. These include implementing enhanced capabilities to detect and respond to supply chain threats and more outreach to public and private sector partners about potential and real vulnerabilities.

Nearly every agency from ODNI to the FBI to DHS to the Commerce Department is involved in protecting the federal supply chain.

Agencies need to take all this data—both from public and private sector sources—and apply it to their specific mission areas.

Dan Carayiannis, the director of public sector at RSA, said the increasing concern about technology products and components, and whether the technology suppliers understand and have transparency into the chain of custody created a wake-up call of sorts for public and private sector organizations.

“The way we look at this is the risk footprint that an agency has, has expanded significantly and the importance, based on a lot of the nation state cyber criminals that are out there, to make sure that everybody in that expanded risk footprint is doing the best they can to secure those environments,” Carayiannis said on the Innovation in Government show sponsored by Carahsoft.

The change in expectations and oversight is highlighted by initiatives such as the CMMC program as well as the Defense Industrial Base Cyber Assessment Center (DIBCAC) effort.

Carayiannis said CMMC, and soon DIBCAC, is pushing vendors to move beyond self-assessments and mandating certain controls and practices to increase the level of secure to address the expanded risk ecosystem.

“The pandemic has caused every agency to modify their thinking about their remote workforces, including the contractor community,” Carayiannis said. “I think the pandemic has opened people’s eyes to how organizations can operate in a more flexible, virtual environments, but also understanding the risks around that and therefore needing to put new security controls, processes, procedures and privacy standards in place to make sure they are doing that in a proper fashion.”

He said RSA hears from DoD and civilian agencies about CMMC and what it may mean for their industry partners especially as they realize that how employees and industry partners work has permanently changed and therefore so has their cyber risk profiles and footprint.

“We have or years been supporting agencies and the contractor community in the way they manage their supply chains. Anything from putting in place an application to track their supply chain community, a supplier catalog, not just the individual organizations, but maybe the contracts they may have in place or the technologies they acquire from them,” he said. “What the pandemic really did was cause people to reflect in a quick way not just on themselves but understanding the reliance they have on their contractors and suppliers. It got them to think through this concept of operational resiliency to ensure they are continuing business as usual.”

Carayiannis said the need for operational resiliency also caused vendors to apply zero trust principles to address the increased risk ecosystem.

“We have seen agencies moving quickly to deploy software solutions where they are tracking, monitoring and requiring their supplier community to attest and demonstrate they are secure on an ongoing basis. They have controls in place, processes, practices and procedures to do this,” he said. “We are able to do that using technology today where we are able to drive controls, be able to pull in information and be able to help contractors show a government organization that the following things are being done to protect the data or the technologies that they are providing are secure and there is a good chain of custody around those things.”

Carayiannis said more agencies and vendors are using these automated tools to “trust but verify” their partners, especially as the pandemic changed the view of the cyber risk ecosystem.

To stand up a fully automated vendor management program, agencies must build piece-by-piece, including starting with data collecting and sharing that information across the agency.

“Just establishing a supplier catalog is a basic start. From there, I could evolve to requiring those contractors to provide me information, maybe from automated tools or vulnerability scanning tools and highlight and attach that document to that particular vendor,” he said. “Another area where we have seen where people have leveraged technologies and capabilities is independent virtual assessments of a third party contractor to see how secure they are from a public-facing perspective. There are a lot of different things we have seen agencies do where they are starting to leverage technology and tools. It’s an evolutionary thing, it’s a crawl, walk and run process.”

About Archer

Archer, an RSA company, is a leader in providing integrated risk management solutions that enable customers to improve strategic decision making and operational resiliency. As true pioneers in GRC software, Archer remains solely dedicated to helping customers understand risk holistically by engaging stakeholders, leveraging a modern platform that spans key domains of risk and supports analysis driven by both business and IT impacts. The Archer customer base represents one of the largest pure risk management communities globally, with over 1,500 deployments including over 100 government organizations and 90 of the Fortune 100.

Data Modernization

Once we understand whether it’s structured or unstructured, then we can begin to define what that target environment looks like, the sizing and tiering of that storage whether it’s in the cloud or just consolidating a data center. This is the first step in the process to get out of the data center business and really get into the data business. The data is the mission for them.

Jeffrey Phelan

Chief Technology Officer, Public Sector, Rubrik

Data as a Strategic Asset

Now that they have the confidence that the data is protected, it’s consistent across all their applications and across their organization and managed in same fashion in the cloud, now they are asking how they can run analytics and get better information out of that data. So the stewardship, the governance and the security is foundational before they can move it over [to the cloud].

Jeffrey Phelan

Chief Technology Officer, Public Sector, Rubrik

Data is and will continue to be the lifeblood of federal agencies.

But as agencies move to the cloud and continue to live in a hybrid world, the complexity of networks and systems will only increase in the short term.

This is why federal data management efforts are critical to reduce complexity and cost, and increase value.

Agencies are getting plenty of help. From the Federal Data Strategy roadmap to the Evidence-based policymaking Act to the growth of chief data officers across the government, agencies are slowly getting their “data house” in order. They are digging into their data to understand what is accurate and what isn’t. But this isn’t an easy process, to say the least.

The Federal Data Strategy action plans says agencies are making progress. The most recent report says that as of Sept. 30, eight agencies have put a data strategy or road map in place; five agencies have developed a plan for capital planning for enterprise data assets and infrastructure; and five agencies have adopted a master data management program.

Additionally, 20 agencies have conducted and documented the outcome of their initial data maturity assessment.

There is still a lot of work that still needs to be done including enterprise data governance, access, data for decision making and to improve the public use of data.

Jeffrey Phelan, the chief technology officer for public sector at Rubrik, said while it’s clear every agency is at a different point in corralling their data, too often they are in “deer in the headlights” mode.

“As they look at modernization, they have to look not just at their technology stack, but their business processes, operational processes, how they are acquiring technology, call centers and how they are staffing it and training them so it’s fairly comprehensive,” Phelan said on the Innovation in Government show sponsored by Carahsoft. “It can be very overwhelming [for agencies].”

Phelan said agencies must get ahold of the huge amount of data they control—both structured and unstructured—and where it resides as part of their data management and modernization initiative.

“We are finding that the information about their data, just the inventory of where it is and what those systems are, many times are not accurate,” he said. “I’ve literally had to review 1 million line spreadsheets with people, which is mind numbing. When you starting going through the data with application owners and data owners, they quickly say, ‘I don’t think that’s right.’ It’s just because it’s been copied, pasted, transferred, updated, shared and all the normal reasons, just the reality of how these processes have been handled in the past in a manual fashion.”

One way to solve this is develop a baseline by indexing the data and where it lives. Phelan said that one step makes a big difference to move up the maturity of the data management model.

Adding fidelity to the data becomes even more important as agencies move applications to the cloud. Phelan said by knowing what data you have and where it lives, gives more confidence to the cybersecurity office.

“Once we understand whether it’s structured or unstructured, then we can begin to define what that target environment looks like, the sizing and tiering of that storage whether it’s in the cloud or just consolidating a data center,” he said. “This is the first step in the process to get out of the data center business and really get into the data business. The data is the mission for them.”

Another key factor in getting the data ready for the cloud is to digitize, index and meta data tag the information. This will let users run analytics in real time once the data is in the cloud.

“We try to get agencies to think about not being concerned where the data is, where it’s going to go or even where it’s moving, but they have a consistent view of that data everywhere,” he said. “Historically, organizations in order to manage their data, they write all of these independent jobs so I have to write 25 jobs for a specific application to make sure I’m taking care of how many times it’s replicated, where it’s saved, how it’s saved. It’s very granular. We are using people to write all of these steps. When you talk about artificial intelligence and machine learning, we have this declarative framework to automate that whole workflow so they don’t have to think about that anymore.”

Phelan said Rubrik has a customer that used to write 1,200 different incremental jobs to manage the data. Now by applying automation and AI/ML tools, the number of jobs is down to 45.

“Now that they have the confidence that the data is protected, it’s consistent across all their applications and across their organization and managed in same fashion in the cloud, now they are asking how they can run analytics and get better information out of that data,” he said. “So the stewardship, the governance and the security is foundational before they can move it over [to the cloud].”

About Rubrik

Rubrik provides One platform for instant recovery, search, development and cloud.

Federal agencies modernize and automate backup and recovery, while easily extending data management to the cloud and protecting data assets from compromise. We’ll help you implement a Cloud Smart approach to data management that eliminates legacy complexity, so you can focus on the mission instead.

Key Aspects of the Comply to Connect Program

The proliferation of devices that are connected in society today is also driving that same connectivity and reliance across DoD operations. As you get more complex, so does the need for having greater security and tools that work together to provide a wider solution. Let’s not forget that our adversaries have a vote too. The sophistication of what they are doing with their cyber attacks at the same time with the complexity of all of these devices being connected really brings about a new capability, a new program and a new framework that C2C is going to be delivering.

Col. Dean Hullings (retired)

Global Defense Solutions Strategist, Forescout Technologies

Back in April 2019, the Homeland Security Department issued a binding operational directive (BOD) to require agencies to patch critical vulnerabilities in 15 days. This cut the time period in half of the previous 2015 BOD requiring the patches in 30 days.

Patching of networks and systems has been a huge problem for agencies for much of the last 25 years. Back in 2004, the Government Accountability Office found agencies struggled with risk assessments and testing all patches before deployment.

This is why something as basic as the concept of comply-to-connect is such an easy concept to get behind.

Comply-to-connect (C2C) requires new devices to meet security requirements before they’re allowed access to the network. An automated process scans, analyzes and ensures the device is patched and up to date.

The Marines Corps has led this effort and now the Defense Information Systems Agency (DISA) is planning to expand it in the coming year. The Marines Corps issued a policy last May explaining how C2C will work.  DISA issued a request for information in June seeking a platform that would give real time visibility of all IP endpoint, network infrastructure, and internet of things devices.

Dean Hullings, the global defense solutions strategist for Forescout Technologies, said the goals of the comply-to-connect program was to close the gaps of existing security tools and make existing security processes more efficient for network administrators.

The Marines Corps and Navy comply-to-connect pilots were pathfinder efforts to establish what the framework looks like and what tools work together the best to provide that automation and effectiveness.

Hullings said the Army, the Air Force, the Fourth Estate and many others are moving toward C2C and the Defense Department’s chief information officer is working on a memo detailing how the initiative will work on an enterprise level.

“The proliferation of devices that are connected in society today is also driving that same connectivity and reliance across DoD operations. As you get more complex, so does the need for having greater security and tools that work together to provide a wider solution,” said Hullings on the Innovation in Government show sponsored by Carahsoft. “Let’s not forget that our adversaries have a vote too. The sophistication of what they are doing with their cyber attacks at the same time with the complexity of all of these devices being connected really brings about a new capability, a new program and a new framework that C2C is going to be delivering.”

Hullings said DoD has recognized that comply-to-connect is a key cog in their cyber protection machine is the basic challenge of keeping laptops, desktops and other devices secure. He said the size and scale of DoD makes it even more difficult to ensure devices aren’t infected with malware, giving hackers a way to get on the network and then move laterally looking for more valuable data.

“If you look at a lot of the recent breaches, they hit an internet of things device or some non-traditional device that is now connected to networks. That connection was made for efficiency of those operations like a security camera that is now IP connected. All it takes is getting into the network and then the lateral movement,” he said. “So you have to have an understanding of everything that is connected to the network and you have to be able to continuously monitor all of those devices connected to the network in order to stop those breaches from happening. Certainly, that is what C2C has attempted to achieve in delivering their capabilities and then integrating all of those tools together to stop that lateral movement to make sure that a device that supposed to be a security camera or a printer is acting and operating like only a security camera or printer and not reaching out to other database or other services on the network they shouldn’t have any need to access.”

Hullings said comply-to-connect becomes even more important with the rise of operational technology (OT), which have sensors that are connected through the network. He said OT doesn’t normally have end point “agents” or software that reports the device’s cyber hygiene level back to the network tools.

“If a vulnerability assessment scanner would interrogate one of these end points, you’d overload that operating system and you’d actually crash that device,” he said. “You are trying to apply security so the end point continues to work, but in doing so you are actually making the end point stop working so you are defeating your own purposes. So you have to have newer, modernized ways of looking at the solution that is provided to secure these devices, yet not impact how they are operating. That is what C2C is delivering, agent-less solutions that can use other methodologies of understanding what that device is and use policy based security to wrap a barrier around that devices that is different than wrapping the same level of security around a traditional end point.”

Hullings said the good news for DoD is Congress appropriated funds to expand the comply-to-connect program enterprisewide. DISA created a program management office to help spread the program across the military.

“The program office will be developing that enterprisewide policies, testing them, making sure they don’t impact other organizations, any network or subnetworks and working with the services and agencies to ensure their rollout is seamless,” he said. “They are also providing the training for the administrators in the field. I was a squadron commander and the last thing I wanted to hear was a mandate to install and implement something new, and then put it on my back to go figure out how to get my people trained.”

About RSA

RSA, a leader in cybersecurity and risk management solutions, provides organizations with technology to address challenges across security, risk management and fraud prevention in the digital era. RSA solutions are designed to effectively detect and respond to advanced attacks; manage user access control; and reduce operational risk, fraud and cybercrime. RSA protects millions of users around the world and helps more than 90 percent of the Fortune 500 companies thrive and continuously adapt to transformational change.