The Evolution of the Role of the CFO

It’s essential that the CFO organization has and will continue to move from being an enabling function to being an empowering function.

Nikki Reid

Partner, KPMG

Inclusion of Modernization in Financial Planning and Strategy

We’re seeing a ton of interest in business intelligence tools where even your standard accountant is really embracing the use of tools that allow them to analyze data faster.

Nikki Reid

Partner, KPMG

When Congress passed the CFO Act of 1990, their goal was to bring some consistency and standardization to how agencies manage and report on their funding.

Now, 30-plus years later, the law not only empowered the role of the chief financial officer but transformed the entire financial management area for agencies.

Nearly every agency received a clean audit in 2020, most have implemented strong internal controls, and the CFO role itself has been elevated to that senior strata.

Now it’s time for the CFO office to transform once again.

Rep. Carol Maloney (D-NY) introduced the CFO Vision Act 2022 in March to do several things, including standardizing CFO responsibilities to enhance strategic decision-making, providing deputy CFOs with sufficient authority to minimize the effects of CFO turnover and revising financial management planning by requiring the release of governmentwide and agency-level plans to gauge progress in addressing financial management challenges.

New CFO bill would codify agency programs

In many ways, the legislation would confirm and codify a lot of what agencies are already doing today.

Nikki Reid, a partner at KPMG, said agencies don’t have to wait for a new law to accelerate the transformation of their financial management efforts.

“It’s essential that the CFO organization has and will continue to move from being an enabling function to being an empowering function,” Reid said on the Modern Government: Expanding the Impact of Federal Finance show. “To me, that is literally what all of this is all about really going from nuts and bolts accounting to being a purely compliance based organization to being someone that’s focused on operations and really empowering mission areas and leadership in these agencies to make strategic decisions.”

Data and technology are the enablers to drive those decisions. CFO organizations didn’t always have high-quality data, and the technology evolution over the past five years has really driven this transformation.

Agencies now have more transparency into their data and more accountability around the quality of the information, Reid said. Laws ranging from the Digital Accountability and Transparency Act (DATA) Act to several of those focused on improper payments have driven progress across the board, she added.

Data helps drive better financial decisions across government

“Some of the agencies are really embracing and leveraging predictive analytics, which is something that I am so excited about,” she said. “When you think about the impacts to cash and receivables, and the impacts from a budget perspective, the government needs all this data to make decisions.

“Being able to leverage sometimes nonquantitative — or more and more qualitative aspects of data — in that decision-making effort, from a predictive standpoint, is eye opening and amazing. That’s probably the biggest thing that I’m seeing our clients start to do, and it’s great.”

That means agencies need to take advantage of historical data and combine it with new tools and methodologies to inform that predictive analytics, Reid said. She offered an example of a client going through a major transformation effort, deciding whether to move from a general fund to a working capital fund model.

“In order to be in a working capital fund, you have to have a lot more insight and detail about how you’re spending your money to develop whatever product or service you produce. In doing that, they have to have a lot more insights and information with respect to their data,” Reid said. “They are realizing that their data is not perfect, but they have to start. The great thing about this organization is they’re using visualization and data analytics, and it’s easier to see where they have holes in their data.”

This is one of the reasons why it’s important to get started in using data to drive decisions, she said, because the data will “clean itself up,” so to speak.

The four factors of federal financial transformation

On the technology side, CFOs are partnering with other senior leaders whether it’s the chief information officer, chief acquisition officer or chief data officer.

“We really look at transformation in what we call dimensions. The first one is service delivery model, really understanding how you deliver your services. So that could be your funding model, your general fund or your working capital fund. That could be your service level agreements. Do you have shared service providers? It’s anything that enables you to operate effectively as a finance function,” she said. “The second would be people. Yes, we use tools, but you need people to make that activity work correctly. So really focusing on people, making sure they’re empowered, that they know what their job is, that they’re trained appropriately. All of that has to be a real aspect of transformation.”

The third dimension is data. Agencies need to make sure their data is clean, but they also must begin moving forward to use data to improve their decisions.

The fourth dimension is technology, which means automating manual processes through robotics process automation and other capabilities.

“We’re seeing a ton of interest in business intelligence tools where even your standard accountant is really embracing the use of tools that allow them to analyze data faster. No one will ever stop using Excel, right? But some of our government counterparts are really embracing the use of more effective tools to analyze data,” she said.

“There’s large-scale implementations of hardcore financial systems going on today, and there is a push to go to shared service providers. But there still are agencies that are truly implementing new financial systems. That’s not what I’m talking about today. I’m really focused on these technology enablers like low-code applications that allow you to really manage your data in, manage decision-making and manage workflow in a more effective way.”

And the final one is process and policy.

“Most CFOs are very, very familiar with process cycle memos, and process narratives, and all of these things that go with controls and internal control documentation. But your policy and your process should really be foundational to what you’re doing to ensure that you have consistency and that your teams are doing things right,” Reid said. “At the foundation of it all is your program and change management. You need to embrace those dimensions if you are really going to have true strategy and true change.”

Listen to the full show:

Supply chain management is the idea of moving people and stuff from one place to another in a timely and efficient manner. This has been the goal since people started trekking from point A to point B.

But experts say it wasn’t until the 1980s that the technology revolution started to have are real impact on moving people and things.

Today, supply chain is at what experts call is entering a second transformational stage.

Agencies must focus on improving customer engagement by making assets more visible across multiple systems and data sets. Visibility can be something as simple as transportation information to improve the routes trucks drive. Or it can better align the organization through digital feedback.

The second part of the transformation is speed—the speed to process requests and to move stuff from Point A to Point B.

Agencies face a host of opportunities and challenges as part of today’s modern supply chain. In the end, the only goal is getting warfighters the products and services they need as quickly and efficiently as possible.

Stephen Gray, the director of the 448th Supply Chain Management Wing at the Air Force Sustainment Center, said like many parts of the Defense Department over past 10-to-15 years, the service has reduced its footprint and become leaner in managing its supply chain.

“We dictate essentially to them what stock they’re going to have, and then we manage the processes to make sure that the materials are available to them,” Gray said. “By centrally managing that, we’re able to optimize the inventory and reduce it to I don’t want to say bare minimum, but minimum amounts that are needed to support the enterprise. We take an enterprise approach in all activities that we do. By centralizing and optimizing our inventory, we’re able to carry less, which frees up dollars for the Air Force to go invest and do other things.”

The Air Force and others also work closely with the defense industrial base to ensure the timeliness and resiliency of the supply chain.

Gray said within the United States, the Air Force can move any part within three days or less. While overseas, it’s somewhat dependent on the country, but it’s equally quick given the geographic challenges.

Learning objectives:

• Agencies’ supply chain strategy
• Data and supply chain management
• Cloud and supply chain management

Complimentary Registration

Please register using the form on this page or call (202) 895-5023.
This program is sponsored by      

From SolarWinds to Microsoft Exchange to Pulse Secure, the impact to agency networks and systems has been real and is forcing, once again, a call for real change to federal cybersecurity.

President Joe Biden’s recent executive order aims to drive significant upgrades to how agencies and industry think about and apply cyber protections.

At the heart of the EO—and really so many governmentwide efforts—is data.

In fact, the order calls on agencies to adopt security best practices; advance toward a zero trust architecture; accelerate movement to secure cloud services and to centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks.

Additionally, the Cybersecurity and Infrastructure Security Agency at DHS plans to spend some of its $650 million windfall from the American Rescue Plan Act on improving their capacity to conduct analysis of cybersecurity information coming to better understand risks and threats across the government.

It’s clear that data is key to everything agencies can do to protect their network and systems.

Viral Chawda, a principal and head of artificial intelligence, analytics and engineering for the government sector at KPMG, said once agencies truly understand their cyber data, leaders can have insights into things like what applications still don’t require multi-factor authentication, what hardware is going out of support, how much of a workload is in the cloud, which devices are using non-compliant software and so much more.

“From there you go to diagnostics analytics, which helps us answer question like, ‘Why it’s happening? Why is the migration to cloud slower than what we planned for? And how can we focus our resources on high risk areas like productivity, quality model, confidence, value delivered and cost management,” Chawda said on the show Modern Government: Cyber Analytics sponsored by KPMG. “Having a clearly defined matrix helps measure and monitor a defined set of indicators, and use effective interactive tools like visualization and dynamic drill downs to better understand cyber risk at the summary executive level all the way down in the detail of operational execution.”

Chawda said as agencies improve their understanding and application of their data, they can mature their cyber risk approach.

“If we can break it down into two types, predictive analytics, which tries to identify high risk areas before threats are exploited, and prescriptive, which is very advanced and it’s about recommending specific set of actions to respond to those risk analyses,” he said “Advanced analytics has many potentials to identify hidden risk and bring more value, but it also requires more sophisticated skills such as machine learning and predictive modeling or scenario planning and optimization.”

Public and private sector organizations have found benefits in applying cyber analytics ranging from improving their annual assessments to identifying risks more quickly to knowing what type of tool to buy that will make the biggest impact on their cyber protections.

Chawda said answering the questions around tools is become more critical as agencies are becoming overwhelmed by the sheer number they are using.

“Companies need to define a well-rounded set of high-level dashboards to meet their objectives and collect cyber data in a matrix [approach] because it’s cross functional. To get the complete security posture, you need to bring data across all the components inside your environment and from third party providers,” he said. “After defining a set of matrix, we need a continuous monitoring approach that can be standardized around the collection, curation and processing of cyber related data, which helps baseline the performance from a historical perspective and benchmark that risk indicator against other agencies or other companies. In this way, organizations can get an early warning, when observing abnormal behavior or drastic fluctuations within the data. Leadership can obtain the cyber risk picture through this mechanism in real time or on an impromptu basis, rather than waiting for the annual assessment report to come out or even, at best, on a periodic basis.”

Chawda offered one example where KPMG worked with a large client to apply a machine learning-based approach to detect command and control servers.

“Attackers use command and control servers to maintain communications with the compromised system. With this automated data pipelines and machine learning algorithm, it saved them months from having to manually scan 1000s of domains. We were able to identify more than 50 previously unknown detections, that existing rules couldn’t blacklist. This helped optimize the security analysts’ performance and prevented potential breach,” he said.

For the most part, public and private sector organizations already are using data to drive cyber decisions.

Chawda said many organizations, however, can be better organized by creating a strategy that outlines a roadmap, sets data standards and baseline metrics and defines risk indicators.

“Once that energy is being channelized in that focused area, it can drive results very quickly. Once that is done, meaning after the matrix program is maturing, the next step is to leverage advanced analytics to solve agency’s most urgent business problems in securing the systems and infrastructure,” he said. “This phase will continue to build upon the data pipeline and insights from the prior steps. By following an iterative machine learning model development approach, with feature engineering, model training, model governance, model deployment and prediction. Fortunately, the advent of big data and the compute capacity and capability in advance of governance, governments and companies now have ways to counteract cyber attacks.”

Defining Cyber Analytics

Companies need to make efforts and define a well-rounded set of high level dashboards to meet their objectives and collect cyber data in the matrix because it's cross functional. To get the complete security posture, you need to bring data across all the components inside your environment and from third party providers.

Viral Chawda

Principal, Head of AI, Analytics and Engineering, Government Sector, KPMG

Recommendations for Agencies Using Cyber Analytics

Behavioral analytics allow agencies to flag suspicious emails or badge check-ins or downloads or access to unauthorized sites and assets or even attempted access to those sites and assets. It helps us in identifying deviations from pattern of normal and expected behavior, whether that's web traffic for those employees or contractors while browsing the network, or the network package content across the servers. So that's how AI is able to play an increasing the critical role in preventing, detecting and remediating cyber threats.

Viral Chawda

Principal, Head of AI, Analytics and Engineering, Government Sector, KPMG

Listen to the full show: 

The move to remote working didn’t impact the bureau. Employees already were used to teleworking to some extent and HRSA had expanded its underlying technology infrastructure before COVID-19 to handle large numbers of remote workers.

Congress, through the CARES Act and other bills, gave HRSA funding for hospitals and healthcare providers to help with the response to COVID-19 and to help cover lost revenue attributable to the outbreak.

Adriane Burton, the chief information officer at HRSA, said the grant programs quickly looked to her office for help in getting the money out the door.

“We had to stand up that program very quickly. What we did is we implemented a contractor owned, contractor operated model. But we also had to complement that service with some of the platform-as-a-service offerings as well to support the Provider Relief Fund,” Burton said on Modernizing Government: How employees can thrive in this hybrid work environment sponsored by KPMG. “Another program that we received was standing up the telehealth.hhs.gov, which was a new site to support HHS and its response to COVID.”

She said the expediting of handing out grant money quickly became an IT issue.

HRSA typically takes 90-to-120 days to distribute grants, but through modernized processes and technology, they reduced that time to as little as five days.

“What we did is we held daily meetings with all those key stakeholders. We learned each time that we disbursed grants for different parts of the organization and we were able to reuse some of those processes,” she said. “We also automated, using some scripts to try to make it easier for folks. We basically save 1000s of hours and reduced grantee burden to actually receive the award. We reduced the time, for instance, for issuing funding memos and various other internal activities. We were really proud of the work that we did.”

Burton said the contractor-owned, contractor-operated model wasn’t necessarily new for HRSA. It just let them bring capabilities to the program areas faster.

“Why build a system when you can use a system that already exists? I mean, that’s one of the foundations for the Federal IT Acquisition Reform Act (FITARA),” she said. “What we did is we actually contracted out that service. We complemented with other services, such as Salesforce for our Performance Reporting System, as well as our case management system. We use Salesforce for our contact center, but we didn’t use it for things such as case management and performance reporting before, so we’re really excited about using that technology and starting to integrate that and some of the other technologies that we have in place, as well as we implemented DocuSign. We were using that for our onboarding process to make it easier as for folks to sign off on all the forms electronically.”

Burton said the experience of rolling out technologies to get grants out the door faster or using electronic signatures will make it hard to back to the old processes and expectations.

A good example that success is the telehealth.hhs.gov website. HRSA already put some of the technology pieces to support site and just had to modify them to meet the needs of the new portal.

“We have our find that health center tool where citizens can go and they could find our health centers that provided COVID testing, as well as telehealth services. Then more recently, HRSA has been involved with the vaccination program, so we’ve updated our tools to reflect some of the new services that we do provide,” she said. “The health center site had geospatial capabilities and we were able to leverage that software for the website.”

Reflections on Remote Work

My staff has been working with program folks to figure out ways to expedite the disbursement of the grants. So typically the grant cycle takes anywhere from 90 to a 120 days. What we did is that we were able to reduce that initially to 18 days for the first round the COVID grants, and then we reduced it to 12 days. Then finally we reduced it to five days. So there's been a lot of activity from an IT perspective and support of the programs.

Adriane Burton

Chief Information Officer, Health Resources and Services Administration, Department of Health and Human Services

Current Workflow Capabilities

I think the whole idea of building systems from scratch as opposed to using something that has the foundational capabilities and then you just add to that and customize it to your environment is going to be key moving forward. People are getting used to things happening at record speed so I think long term will be interesting to see to see how that plays out in regards to rolling out capabilities. I think the doors definitely open for that movement, so it'll be interesting to see how things continue down that path.

Adriane Burton

Chief Information Officer, Health Resources and Services Administration, Department of Health and Human Services

Listen to the full show:

Intelligent Automation Trends

Many of these automation platforms are starting to integrate other more advanced capabilities. For example, some of the low-code platforms, many of whom are already in production at federal agencies are starting to incorporate robotics process automation (RPA) inherently in their platforms. The other things that the RPA vendors are doing is they're starting to enable application programming interfaces (APIs) to more advanced artificial intelligence and machine learning solutions within their platform. So it makes it much simpler for a government agency who's implementing one of these platforms to tap into what I'll call democratized AI.

Kirke Everson

Principal & Government Intelligent Automation Leader, KPMG

Low-Code Platforms and Intelligent Automation

These [low-code] platforms allow you to stand up new capability in a matter of, and I will dare to say days versus months. One example was we worked with a large federal agency who had agency employees all over the world, and when the pandemic first hit, there was a big concern about the safety of their employees overseas. We actually helped within a matter of days stand up a capability within a low-code platform to start to track where those employees were the process of getting those employees back to the country and making sure that they were safe.

Kirke Everson

Principal & Government Intelligent Automation Leader, KPMG

A recent report from the Robotics Process Automation Community of Practice in the government highlights the impact of this technology over the last few years.

In 2020 alone, the report says RPA program maturity increased significantly with the number of automations deployed across the government increasing by 110% and the number of annualized hours of capacity created increasing by 195%. Last year agencies deployed 460 automations, which is expected to save more than 848,000 hours.

The paper says this growth demonstrates that programs have matured and increased their functional capacity, which meant automation tools became more impactful and therefore increased the demand for these software solutions.

Overwhelmingly, the CFO office is using automation to save time, some 49% of all implementations came from that group. But acquisition, administrative and IT were all in the double digits, showing how success travels.

Kirke Everson, a principal and government intelligent automation leader at KPMG, said a lot of agencies are still in the early stages of applying intelligent automation to their business processes.

“Some of the trends that we’re seeing are agencies are less inclined to just to do, one or two proofs of concept to prove out the technology. Now that they know it works, a lot of agencies are looking to others for lessons learned and implementing RPA programs that are a little bit more robust. And by robust, I mean, more enterprisewide,” Everson said on the Modern Government: Emerging Trends in Intelligent Automation in a Time of Rapid Change show sponsored by KPMG. “I think agencies are looking beyond RPA as well. The whole idea of hyper automation is starting to come into the vernacular of a lot of agencies. What I mean by hyper automation is RPA is definitely a stepping stone to artificial intelligence (AI).”

These advanced capabilities using AI and machine learning can only happen if agencies create a structure to manage the processes and data.

“Many of these automation platforms are starting to integrate other more advanced capabilities. For example, some of the low-code platforms, many of whom are already in production at federal agencies are starting to incorporate robotics process automation (RPA) inherently in their platforms,” Everson said. “The other things that the RPA vendors are doing is they’re starting to enable application programming interfaces (APIs) to more advanced artificial intelligence and machine learning solutions within their platform. So it makes it much simpler for a government agency who’s implementing one of these platforms to tap into what I’ll call democratized AI.”

Everson said an important step to democratizing AI is to make sure employees understand the technology and processes, but they don’t have to be experts.

“With these APIs, I can pull in a very quick machine learning algorithm just based upon what’s already been pre-determined from the vendor and allow, for example, natural language processing of a contract. I can pull in a natural language processing algorithm to read a document and extract certain things from that document, without leaving the low code or the platform,” he said. “These [low-code] platforms allow you to stand up new capability in a matter of, and I will dare to say days versus months. One example was we worked with a large federal agency who had agency employees all over the world, and when the pandemic first hit, there was a big concern about the safety of their employees overseas. We actually helped within a matter of days stand up a capability within a low-code platform to start to track where those employees were the process of getting those employees back to the country and making sure that they were safe.”

Everson added the 2020 memo from the Office of Management and Budget saying bots are non-person entities when it comes to identity management, and agencies can continue to take advantage of intelligent automation as they move more systems and data to the cloud.

“A lot of agencies recognize that developing these capabilities from scratch isn’t the most efficient way to do it. A lot of the large cloud providers are allowing agencies to tap into these capabilities as part of their infrastructure solutions. So if you want to pull in a machine learning algorithm that’s going to do something for you, you can actually pull that directly from, for lack of a better term, an API store, it’s very much been kind of parsed out,” he said. “For certain capabilities, you can use those capabilities by the drink, get the license cost every time you hit that API pay the fee. And it’s a very minor fee. What’s happening is all these things are starting to converge, where you’ve got the infrastructure, the cloud providers, allowing you access to some of these more advanced capabilities through APIs. You’re also having the low code vendors implementing some of these API’s to access some of those capabilities. Then you’ve got also the RPA providers implementing low code and an API into their platform, so there’s this convergence among the software-as-a-service, infrastructure-as-a-service and platform-as-a-service to basically give the customer choices. So there’s really no need to develop these standalone machine learning algorithms unless it’s for a very specific purpose, that may have a mission need.”

State of Supply Chain Security

I think now [supply chain risk] is a topic that has transitioned from esoteric to exoteric as it's more accessible to the public. COVID has made supply chain a dinner table conversation topic, so it's a combination of organizations learning more about third party risk and operational risk, and realizing the consequences of not attending to that risk could be devastating.

Joyce Corell

Assistant Director, Supply Chain and Cyber Directorate, National Counterintelligence and Security Center, Office of the Director of National Intelligence

Using Data to Identify Risk

There's so much information out there that's publicly available, not always for free, but publicly available information from organizations that are very adept at pulling information together for commercial due diligence. I'm really pleased at how this technology has changed. In the last five years, all of these firms are now actually looking at how to apply machine learning and train their AI systems to get at a more exquisite understanding of the data that they have access to. So that's really going to be the wave of the future, being able to tune those systems to get answers to the questions that we want.

Joyce Corell

Assistant Director, Supply Chain and Cyber Directorate, National Counterintelligence and Security Center, Office of the Director of National Intelligence

The old adage “trust but verify” is taking on new meaning with the ever-increasing focus on supply chain risk management.

From the Cybersecurity Maturity Model Certification (CMMC) program to Section 889 and the banning of certain Chinese made telecommunications products, agencies and vendors alike must do more than just say they are doing enough to protect their supply chains.

That means organizations must rely on data to prove the trustworthiness of the supply chain. That data can provide insights into everything from foreign ownership to insider threats to chain of custody.

The challenge of depending on data is how deal with the volume of information and deciding what is most valuable. That is why agencies and companies are applying analytical tools and machine learning algorithms to identify potential risks.

Joyce Corell, the assistant director for supply chain and cyber directorate at the National Counterintelligence and Security Center in the Office of the Director of National Intelligence (ODNI), said over the last three or four years, public and private sector organizations, and Congress have grasped more than ever the threats brought on by the global supply chain.

“I think now [supply chain risk] is a topic that has transitioned from esoteric to exoteric as it’s more accessible to the public.  COVID has made supply chain a dinner table conversation topic, so it’s a combination of organizations learning more about third party risk and operational risk, and realizing the consequences of not attending to that risk could be devastating,” Corell said during the Modern Government: Supply Chain Risk and Security show sponsored by KPMG. “I view this threat from a counterintelligence perspective, not so much about counterfeits in our supply chain, but rather an adversary using a company as a threat vector. That might be a company which might be complicit or not and it’s being used as a threat vector. What kind of untoward level of influence an adversary government may have is certainly a concern.”

One of the best ways to deal with the growing threat is by understanding the data. The challenge for agencies, and industry, is just how much data is available.

“There’s so much information out there that’s publicly available, not always for free, but publicly available information from organizations that are very adept at pulling information together for commercial due diligence,” Corell said. “I’m really pleased at how this technology has changed. In the last five years, all of these firms are now actually looking at how to apply machine learning and train their AI systems to get at a more exquisite understanding of the data that they have access to. So that’s really going to be the wave of the future, being able to tune those systems to get answers to the questions that we want.”

She added that the data help point users in a direction, but may not answer all the risk questions.

“These tools applied to commercially available data really point you in a direction to say, either, here’s a gap where you don’t have information, do you care, does that matter to you from a risk perspective, or, hey, here’s some data that shows that risk is trending up, or risk is trending down,” Corell said. “Those are the kind of tools that help inform your decision analysis. So that is just where I think the government broadly should go. What the government really needs is some type of commercial due diligence service as a shared service for government agencies. There’ll be organizations that are very under resourced and are not going to be able to afford the data that would help them in their decision analysis.”

The Federal Acquisition Security Council and others in government are trying to address these challenges and raise awareness about the value of information sharing.

“One of the things that that we’re doing under the Federal Acquisition Security Council is standardizing how that research is done so that there is rigor and integrity behind it,” she said. “We’re also looking at all the other regulatory regimes that have a supply chain nexus to ensure that we’re harmonizing the factors that we look at, as well as the criteria we use to evaluate what factors in what combination make us think the risk is high, medium, or low.”

Along with the FASC, Corell said there are several other supply chain related efforts, including the DNI is establishing a task force to standardize information sharing of counterintelligence risk information in the supply chain environment, and share that standardize it across the entire acquisition community of the government, and the Commerce Department working with telecommunications companies to develop an information sharing process.

“We’ve already launched work with this venue and that is the mechanism by which we are going to have move forward with a fully coordinated intelligence community position,” she said. “The statutes also required some elements that are not in the intelligence community to participate GSA, OMB’s Office of Federal Procurement Policy and a couple of others. That is a mechanism that we’re going to be able to use to drive the standardization of information sharing.”

Strategic Imperatives for CIOs

I really see five strategic imperatives for CIOs. The first is manage IT as a business. Funds are always required for big transformations. But yet, when you look at it, roughly 80% of federal IT spend goes to O&M. The other thing is making sure that you have accurate and good cost information for your services and products. Technology Business Management certainly can help in that area. Procurement, spend optimization to include licensing and rationalizing applications, freeing up funds for modernization. I think moving as much on-premise work to commercial cloud environments as you can is a good business investment. And then really take a look at her look at managed services. Everything is a service that's being offered out there.

Joseph Klimavicz

Managing Director, Federal CIO Advisory Practice, KPMG

Security and Agility in the Multi-Cloud Environment

Modernization does not equate to transformation. So I love all the talk about modernization. But transformation is actually more valuable than just modernization. Some of the other trends are data optimization and virtualization. We collect a lot of data in the government, but maybe only use it once. And then it is stored someplace, but nobody ever knows it exists, so we have to minimize dark data. Another trend is rapid software development, low code, no code, micro-services, artificial intelligence and machine learning. We have to lower the barrier to entry to bring products in. There's a lot of training that has to go into bringing real artificial intelligence.

Joseph Klimavicz

Managing Director, Federal CIO Advisory Practice, KPMG

Agency chief information officers face shifting priorities today more than ever before amid the coronavirus pandemic.

These technology executives are realizing the importance of not just IT modernization, but all the pieces to make these efforts success such as cloud, hybrid cloud, application rationalization and the use of the technology business management framework to better understand cost structures of IT.

Joe Klimavicz, the managing director of the federal CIO advisory practice at KPMG and the former Justice Department CIO, said five strategic imperatives emerged for technology leaders over the past few years.

They are:

• Manage IT as a business
• Automate, scale and embrace new technology
• Simplify IT for a consistent user experience
• Protect the environment, but maintain agility
• Leverage data as a strategic asset

“I think digital leaders are certainly investing heavily in the cloud. But lift-and-shift today is not enough. We need to think about the opportunities there. There’s the rehosting or lifting shifting model. There’s refactoring, which is minimal alteration of the application for the cloud. There’s rearchitecting. And that’s taking these monolithic applications that maybe have been around for 20 or 30 years, and rearchitecting them using microservices and containerizing them,” Klimavicz said on the Modern Government: How COVID-19 Changed the Course of Digital Transformation show sponsored by KPMG. “You can rebuild, essentially write new code as a cloud native application, and then replace with a more nimble solution. Clearly, lifting and shifting gets you saving. You can save you a lot of money, but it doesn’t give you the performance increase that you really need. So my take would be re architecting at the very least, or rebuilding.”

Klimavicz said getting the architecture and infrastructure right will open the door to achieving the goals under these imperatives.

“You want to build that trust into it as safeguards and as much as you can. I think you need to take a holistic view of risk, but understand that security in the cloud is a shared responsibility,” he said. “There’s obviously the cloud service provider, there’s also the mission owner and the cloud reseller. There’s the app developer, there’s the network and there’s the security operation center, that’s actually going to monitor 24/7 your workloads that are running in the cloud. I think the environment needs to be architected, implemented and operated with all the regulatory requirements in mind.”

Additionally as employees continue to work remotely, CIOs must take security capabilities like zero trust and identity and access management, end point and mobile application security and other similar concepts into account because the network perimeter is expanding, or even going away altogether.

“As you go to zero trust, you need a plan. For me, zero trust includes strong identity management, that’s very important,” he said. “You do to be able to collect the data at scale, across your entire cloud, in your on-premise environment. You need to collect it across users, applications, devices, infrastructure, software, defined networks are key for zero trust, and then advanced analytics to protect those assets and data and services. And you also need to build a cyber aware culture.”

Over the last six months or so during the coronavirus pandemic, many agencies accelerated these security and cloud initiatives. Now, Klimavicz said, agencies need to think about digital transformation, not just IT modernization.

“Modernization does not equate to transformation. So I love all the talk about modernization. But transformation is actually more valuable than just modernization,” he said. “Some of the other trends are data optimization and virtualization. We collect a lot of data in the government, but maybe only use it once. And then it is stored someplace, but nobody ever knows it exists, so we have to minimize dark data. Another trend is rapid software development, low code, no code, micro-services, artificial intelligence and machine learning. We have to lower the barrier to entry to bring products in. There’s a lot of training that has to go into bringing real artificial intelligence.”

Klimavicz said digital transformation success will come if applications are rationalized and in the cloud, and the workforce has the skillsets to deliver services.

“If you can pay extra attention to the workforce and take care of the workforce, and I extend that to the industry workforce as well, they’ll take care of you,” he said. “There’s a lot of accelerators, connectors that are already built out there, try to take advantage of them. Don’t reinvent the wheel, because if you can leverage what somebody else has already done, they will save you a lot of time in that modernization effort.”

DLA's Application Modernization Strategy

We’ve baked cybersecurity into how we do [IT modernization] within DLA. You mentioned some Dev/Sec/Ops models and things of that nature. It's all part of the modernization journey to where you're using software-as-a-service, low code, no code. But as you use low code, no code, you want to do it within a Dev/Sec/Ops model. So that cybersecurity is thought of through the development testing, as well as deployment phases. For us, within DLA, with the number of applications we have, setting up this Dev/Sec/Ops factory allows us to really more efficiently control our costs, when you have a bunch of system integrators coming into your agency, they all have their own flavor of tools they like to use.

Adarryl Roberts

Program Executive Officer, Defense Logistics Agency

Workforce Tools and Challenges to Application Modernization

We’re not talking about applications anymore within DLA. We really are talking about business capability needs. We’re shifting from managing applications to managing by business capability area. What’s the mission and function that you're providing? What's the business capability you need to perform that mission? And then from a technology perspective, it doesn't matter if it’s an IBM product or a Microsoft product or a SAP or Oracle product, what’s the capability that you need to utilize, and we provide that.

Adarryl Roberts

Program Executive Officer, Defense Logistics Agency

When it comes to technology and digital services, speed is often mentioned right after security.

The faster an agency, or any organization for that matter, can deliver new capabilities, the better it can meet customer needs.

This is why the buzz around the use of low code or no code platforms has grown over the past years. Now it’s a part of the Dev/Sec/Ops and agile discussion.

Adarryl Roberts, the program executive officer at the Defense Logistics Agency, said the agency has been on a modernization journey for much of the past few years. At one point, DLA had more than 1,300 systems and 194 applications, and it was challenging, to say the least, to manage and secure them.

DLA kicked off its application modernization strategy by releasing a request for information in 2019 and eventually awarded a contract in September to take advantage a cloud platform for its enterprise resource planning (ERP) system.

“We really want to reduce the amount of infrastructure that we’re sustaining and leverage as much commercially viable products as we can,” Roberts said during a discussion sponsored by KPMG. “One of the other major efforts we have is called the warehouse modernization system (WMS) effort, that’s also migrating our distribution piece to SAP standard software. And it’s going to combine our ERP, where our financial and other integrated business applications live, with our warehouse modernization efforts so that we have one ERP instance, as we rationalize and create a platform for our customers.”

Part of this modernization effort is the use of low code, no code platforms. Roberts said DLA recently made an award to ServiceNow to use their software-as-a-service platform to modernize applications.

“We’re leveraging the ServiceNow platform to get productivity efficiencies for our workforce, as well as move some of the ability to bring technical solutions to the employee themselves. So we call them citizen technologists here and DLA digital citizens,” he said. “How do we provide these low code, easy to enable platforms to the customer? We’re developing that concept here. How do we create citizen technologists, so that as a logistician, with a little bit of training, can actually create some low code acquisition or workflow products, while we maintain oversight from a cybersecurity and sustainment perspective? So we’re using low code and the ServiceNow platform as a baseline.”

Before DLA can open up the low code, no code platform, Roberts said it has to get the underlying architecture correct. This means ensuring cybersecurity is “baked in” from the beginning through the Dev/Sec/Ops methodology and

“[A]s you use low code, no code, you want to do it within a Dev/Sec/Ops model. So that cybersecurity is thought of through the development testing, as well as deployment phases,” he said. “For us, within DLA, with the number of applications we have, setting up this Dev/Sec/Ops factory allows us to really more efficiently control our costs, when you have a bunch of system integrators coming into your agency, they all have their own flavor of tools they like to use.”

Roberts said this approach will reduce DLA’s cyber risks and ensure standardization across the agency.

“We’re really leaning upon governance, a partnership with our functional community. And we’re not really labeling this as just an IT modernization, but this is an agency modernization based on reviewing our business processes, as well as other aspects of the business and DLA,” he said. “I think at DLA, as well as other agencies, people have begun to realize IT is not a nice to have anymore, it’s actually the business, it’s part of the business, no one can conduct business without it. We’re really trying to change the culture and make sure we’re looking at this from a lifecycle management perspective, as opposed to a legacy system discussion and a modernization discussion.”

One way DLA is doing that is through changing the discussion from applications to business needs.

Roberts said the questions that the IT department is asking focuses more on business capabilities needed to meet mission instead of technology requirements.

“[F]rom a technology perspective, it doesn’t matter if it’s an IBM product or a Microsoft product or a SAP or Oracle product, what’s the capability that you need to utilize, and we provide that,” he said. “If we focus the user and ourselves on what capability or function tasks you need to perform, and we show them how they’re able to do that more efficiently, that’s only going to help in terms of cost savings, and by removing duplicative capabilities across the enterprise. So that’s a driving factor in terms of what we’re looking at here. Where do we have duplicate of technology, not because we actually need it, but because people weren’t aware of what was in the inventory and how we could leverage it? We are going to see some immediate savings just from an IT perspective, moving to these commercial cloud environments, leveraging more commercial applications versus government developed products. But then we’re also going to start seeing productivity increases efficiencies across the functional workspace as well.”

This transformation effort includes a host of initiatives from enterprise IT-as-a-service to workforce training to the use of zero trust principles and identity and access management to secure data.

Lauren Knausenberger, the deputy chief information officer of the Air Force, said each of these initiatives are moving the service forward and toward a better future, but it was the coronavirus pandemic that in many ways added fuel to the fire.

“A lot of our airmen in the field know things are broken and are trying to do things on the move. A lot of us back in the Pentagon, we have [IT] teams. We have devices that work. If a senior ranking official says something is wrong, it gets fixed fast,” Knausenberger said on the Modern Government: How COVID-19 Changed the Course of Digital Transformation show sponsored by KPMG. “But we have to make it equal to everyone and the coronavirus made it equal for everyone. Everyone was at home trying to figure out how to make this work. Everyone realized that those airmen who have been saying for years that it really stinks was an understatement when we are not in the building trying to do our job.”

Knausenberger said a perfect example of making it equal was in connecting to the network through a virtual private network (VPN). She said the Air Force went from 7,000 people a day to having to support upwards of 650,000 people a day.

“We were not poised for telework, but we had incredible team. We told the IT team this is your time on the front lines, you have to get everyone up fast, act like you have money. Those guys went out and got us up to 400,000 VPN connections. They got us down from 40 hops to send an email, which is ridiculous, to 8 hops so you can send emails so much faster than we used to. They cut through some of the legacy because we said this is your mission, go do it and we will fund you right now,” she said. “That level of focus and that level of culture change I don’t think anything would have done this for us short of a war. COVID is the crisis that we need to drive forward the digital transformation and we are trying not to let the crisis go to waste.”

Going forward, Knausenberger said her priorities include continuing to build the digital foundation that things like Cloud One, Platform One and artificial intelligence can rely on. She said the Air Force also is testing a zero trust architecture, investing in Digital University, where 9,000 airmen are enrolled to gain the IT skillsets needed in a digital Air Force, and is ruthlessly attacking manual processes and policies, anything in their way of going fast and costing them money.

“We are launching operation flamethrower. We are burning these things with fire and they have no place in our Air Force anymore,” she said. “One of the big things we just kicked off is robotics process automation. We had our digital wingman challenge in the spring where airmen came up with some incredible ideas. We had folks automating their executive functions where they had to go to multipole databases and put them in PowerPoint. They are completely automating that. Any type of standard report, they are automating that. Sometimes when they have to reenter things in multiple systems, they are automating that too. With that, I’m looking forward to in the short term really enabling more airmen. We’ve invested more in RPA. Even more exiting, we will be able to use the data to see exactly how much time we are wasting with crazy process and crazy software. That will help us focus our spend on what parts of the software apparatus we need to fix permanently.”

Current Air Force Modernization Efforts

[The IT team] got us down from 40 hops to send an email, which is ridiculous, to 8 hops so you can send emails so much faster than we used to. They cut through some of the legacy because we said this is your mission, go do it and we will fund you right now. That level of focus and that level of culture change I don’t think anything would have done this for us short of a war.

Lauren Knausenberger

Deputy Chief Information Officer, Air Force

2021 Goals and Initiatives

We are going to ruthlessly attack manual processes, policies or hardware, anything that is in our way of going fast, especially if it’s in our way of going fast and especially if it is costing us money and slowing us down. We are launching operation flamethrower. We are burning these things with fire and they have no place in our Air Force anymore. One of the big things we just kicked off is robotics process automation.

Lauren Knausenberger

Deputy Chief Information Officer, Air Force

Listen to the full show:

The Current State of Cyber

There is the NIST Cybersecurity Framework, the risk management framework and now you’re going to have the Cybersecurity Maturity Model Certification (CMMC) effort. It is difficult as a federal contractor to make sure you are checking all those boxes and having controls in place to satisfy that.

Tony Hubbard

Government Cybersecurity Lead, KPMG

Supply Chain Challenges

There are so many areas in cybersecurity that can be automated whether you’re looking at things such as audit trail review, account management, threat management, threat intelligence analysis and management. A lot of those processes are very manual right now and require a lot of research by analysts, but they can be automated and I’m excited about that opportunity to automate these processes.

Tony Hubbard

Government Cybersecurity Lead, KPMG

How Cloud Helps Government

If somebody wants us bad enough they’re going to get us in some kind of way. So now the discussion isn’t so much about preventing the breach, but now the conversation turns to have do we manage the risk around that? How do we make sure from a technology architecture perspective we’ve segmented our crown jewels, our highest priority data elements into a place where they are harder to get?

Tony Hubbard

Government Cybersecurity Lead, KPMG

With a constant barrage of cyber attacks hitting the government and industry, federal contractors need to stay dynamic and fluid in the way they approach the cyber world and how they interact with federal agencies.

There are an increasing amount of hoops contractors working in cyber need to jump through to partner with the government, but Tony Hubbard, government cybersecurity lead at KPMG, says that is the reality of the world today.

“There is the NIST Cybersecurity Framework, the risk management framework and now you’re going to have the Cybersecurity Maturity Model Certification (CMMC) effort,” Hubbard said during a Federal Insights: Cyber interview sponsored by KPMG. “It is difficult as a federal contractor to make sure you are checking all those boxes and having controls in place to satisfy that.”

Of course, those rules are in place for good reason – to protect important government data and functions. So contractors must adapt.

While the NIST standards have been in place long enough for some contractors to get used to them, CMMC will be a new ballgame.

CMMC makes the NIST standards more stringent, and the Defense Department plans to release the first version in January 2020.

The framework assesses the cybersecurity posture from a supply chain standpoint and ensures every company that wants to work with DoD, not just the defense industrial base, has proper cyber hygiene.

Hubbard said the supply chain issue is complex, but hygiene is paramount.

“There’s so many moving parts and so many vendors in programs,” Hubbard said. “I heard recently that the F-35 has over 1,000 vendors involved. How do you manage the security and risk around that? There’s no silver bullet or an easy answer, but a lot of it gets back to some of these basic hygiene topics. If you look at some of the major breaches that have occurred over the last several years, a lot of them have been supply chain, third-party vendor type of issues.”

Keeping in line with all the standards and ones to come may seem daunting, but Hubbard says it’s not as frightening as it may seem.

“There are so many areas in cybersecurity that can be automated whether you’re looking at things such as audit trail review, account management, threat management, threat intelligence analysis and management,” Hubbard said. “A lot of those processes are very manual right now and require a lot of research by analysts, but they can be automated and I’m excited about that opportunity to automate these processes.”

No one is perfect and even the military will admit there will be cyber attacks that make it into networks.

Hubbard said what’s most important is being able to detect those attacks as fast as possible and to limit areas where hackers can attack.

“If somebody wants us bad enough they’re going to get us in some kind of way,” Hubbard said. “So now the discussion isn’t so much about preventing the breach, but now the conversation turns to have do we manage the risk around that? How do we make sure from a technology architecture perspective we’ve segmented our crown jewels, our highest priority data elements into a place where they are harder to get?”

Listen to the full show:

The National Park Service and the Postal Service remain the highest rated agencies that offer services to the public. TRICARE, the government-managed health insurance for service members, also held its rank as the third-best rated program.

Agencies are expecting to see improvements across the board when it comes to customer service over the next year. The reason for such optimism comes from a growing understanding of what it takes to provide exceptional customer service.

A recent study by the Partnership for Public Service, for example, highlighted three key concepts that drive a better customer experience:

• Develop a departmentwide strategy.
• Expand employee perception of who their customers are, and what they expect.
• Make sure the leadership has clarity and feedback from the customers.

Improving customer experience is also part of the President’s Management Agenda.

The Office of Management and Budget is pushing forward with other initiatives around customer experience. It is accepting ideas and potentially awarding $900,000 under its Government Effectiveness Advanced Research (GEAR) Center initiative. One of the focus areas for the GEAR Center is to help agencies better connect federal programs with a quantitative and qualitative understanding of the people they serve, and capture the voice of the customer in order to continuously improve federal services.

And finally, agencies have more optimism because OMB established and is now measuring governmentwide metrics around customer service through the A-11 guidance.

There are a lot of parallel efforts that are helping agencies understand, improve and develop first-rate customer experience services. Agencies can take steps to bring these initiatives together to continue to make real progress. get those scores higher and, most importantly, meet citizens’ needs.

Customer Experience Strategy

We do a lot of stakeholder engagement where we have something called a forging model where we map out all of our stakeholders at different levels. Then we have stakeholder engagement activities. We meet with them at offsites. We do mission road shows. We have communications and there is no such thing as over communication.

Lori Ruderman

Initiative Lead, HHS Services’ ReImagine/Buy Smarter Initiative, Department of Health and Human Services 

Complexity of the Customer Experience

There are different tools we can apply like journey mapping and human centered design to help us focus on what that customer’s experience is and translate that into the organization. Even journey mapping, I think the government has embraced that and is starting to develop them.

Quimby Kaizer

Principal, Federal Advisory, KPMG

Measuring Success

When you start with the customer first and design around the customer ultimately you will get a better result for them, which will ultimately save time, energy, money and resources. One of the things that I’m grateful for is our current secretary and our leadership has been willing and wanting to invest in the capability of customer experience.

Barbara Morton

Deputy Chief Veterans Experience Officer, Department of Veteran Affairs

Listen to the full show:

That’s according to Kirke Everson, principal and government intelligent automation leader at KPMG. In this interview with Federal News Network’s Tom Temin, Everson describes the three levels of intelligent automation maturity and how to achieve them, and he describes AI and automation use cases for internal deployment and for public services. He also discusses the need for workforce training and reskilling so programs and bureaus can take on their own projects in conjunction with IT staff.

Matching use case and technology

When you get into the advanced realm where you’ve got machine learning as well as the true neural networks, where you’re actually having the computer develop its own intelligence over time …. that’s where you’re getting into that augmented reality and AI realm.

Kirke Everson

Principal & Government Intelligent Automation Leader, KPMG

Workforce Training

Success means training people not only how to do their jobs with these new technologies but also upskilling to better arm our workforce with the new tools and techniques to be able to then implement [RPA] on their own.

Kirke Everson

Principal & Government Intelligent Automation Leader, KPMG

Acquisition and Requirements

We can automate bad processes all we want. But maybe we take this opportunity to actually reengineer that process.

Kirke Everson

Principal & Government Intelligent Automation Leader, KPMG

Listen to the full show:

Participants in a recent Federal News Radio panel discussion explored how the threat environment is changing and how federal agencies are tying together data from what’s going on with strategies for stopping threats before they turn into damage or pilfered data.

Cyber Threat Analysis and Tools

Basically, any evidence-based knowledge we can get from any source is what we use to analyze. That’s working with other intelligence agencies, DoD joint force headquarters for cyber defense, and our own cyber operations center. And vendors…often they detect cyber threats and report them to us.

Pat Flanders

CIO, Defense Health Agency

Risk Management and Automation

One of our strategies in terms of our cyber program is to automate as much as possible…leveraging cybersecurity automation, orchestration strategies, particularly at the cloud level. We’re looking to address today’s cyber threats in real time, free up our analysis time – valuable human resource time – to address more advanced threats than currently face the federal government. We’re looking to leverage artificial intelligence, blockchain…[and] machine learning technologies.

Mark Johnson

Deputy CIO, CISO and Chief Privacy Officer, U.S. Agency for International Development

Supply Chain and Insight into the Future

As we get more folks recruited into the cybersecurity industry… don’t necessarily need to have a technology degree to be successful in cybersecurity, especially if you’re in the threat intelligence and analysis world. It’s more about … a natural curiosity and trying to diagnose what a situation might be. As we all work in this industry we need to collectively do a better job of elevating the conversation up to more of a risk-based conversation instead of a technical bit-and-byte conversation.

Tony Hubbard

Principal, KPMG

Listen to the full show:

In modernizing the IT systems that support these and a myriad of other processes, agencies are trying to introduce a new a new level of automation that incorporates data analysis, improved business processes, and greater cybersecurity and privacy controls.

One way to do this is through a concept known as intelligent automation, or IA. IA can range from the simple automation of transactional rules to the application of artificial intelligence, cognitive learning and big data analysis to yield more time for knowledge employees to do higher level tasks. Indeed, the President’s Management Agenda specifically calls for enabling systems to free employees from low-value tasks like paperwork.

The Move to Intelligent Automation in Agencies

At DLA, we’re looking at a wide range of opportunities. We have several projects we’re working in robotics process automation, which is taking those routine, mundane tasks and having a computerized bot do those…The other area we’re looking into is artificial intelligence, targeting data mining and predictive analytics.

Linda Williams

Deputy Director, Strategic Technology and Investment, Defense Logistics Agency

Stakeholders for Intelligent Automation

When you look at these problems, it’s not only the technology side of the workforce coming together to solve the problem. We have to bring in the people who have the programmatic experience … It’s almost like the idea of user-centered design and design thinking where you go through a journey with the program office to understand what is your day-to-day problem.

Robin Thottungal

Chief Data Scientist, Environmental Protection Agency

Acquisition and Security of Systems

From an acquisition perspective, think about your outcomes. Focus on an objective you as an agency are trying to accomplish. Allow the vendor community to say, ‘Based on what you’re asking for, I think these solutions would be the right fit for you.

Kirke Everson

Managing Director, Federal Advisory Practice, KPMG

To explore these issues, Federal News Radio convened a panel of experts:

• Leo Scanlon, senior adviser for health care and public health sector cybersecurity in the CIO office at Health and Human Services
• Ray Letteer, chief of the Cybersecurity Division at the U.S. Marine Corps
• Tony Hubbard, principal at KPMG

Letteer explained a new Marine Corps implementation of the Navy’s “comply to connect” policy under which every endpoint is automatically scanned and evaluated for cyber threats each and every time its user logs on. If it passes muster, the system checks it hourly while it is connected.

Scanlon detailed how, after last year’s government-wide cyber sprint, HHS has established two-factor authentication for all of its users, en route to two-factor for systems administrators and network staff members.

He also explained why the need for cyber defense automation is extra important for HHS. Many of the department’s agencies and bureaus are connected directly to the greater health care ecosystem, and health care data is among the most sought-after target of hackers.

Hubbard said automation and orchestration of information technology processes such as cybersecurity monitoring and mitigation aren’t new, but they are becoming more widely adopted as agencies improve their fundamentals of vulnerability patching, multi-factor authentication, and inventorying and monitoring of critical assets.

The panelists also discussed how cloud computing, software-as-a-service, and the internet of things add to both the urgency and complexity of cybersecurity automation.

Moderator

Tom Temin, Federal News Radio

Tom Temin has been the host of the Federal Drive since 2006. Tom has been reporting on and providing insight to technology markets for more than 30 years.  Prior to joining Federal News Radio, Tom was a long-serving editor-in-chief of Government Computer News and Washington Technology magazines. Tom also contributes a regular column on government information technology.

Panelists

Leo Scanlon, Senior Advisor for Healthcare and Public Health Sector Cybersecurity, Office of the CIO, HHS

Leo Scanlon is the HHS Senior Advisor for Healthcare and Public Health (HPH) Sector Cybersecurity and the Deputy Chief Information Security Officer for the Department of Health and Human Services.  He serves as chairman of the HHS Cyber Security Working Group, which coordinates cybersecurity collaboration between HHS Operating Divisions and their partners in the private sector. He is the executive sponsor of the HHS Healthcare Cybersecurity Communications and Integration Center (HCCIC). The HCCIC supports cyber threat and indicator sharing across HHS Operating Divisions, DoD and civilian agency partners, and healthcare cybersecurity stakeholders in the intelligence and law enforcement communities, and the National Health Information Sharing and Analysis Center (NHISAC).

Leo has worked at the interagency level as a co-chair of the Identity Credential and Access Management sub-committee of the Information Security and Identify Management Committee (ISIMC), and as a tri-chair of the ISIMC.  He is co-chair of the Government Advisory Council of the International Information System Security Certification Consortium (ISC2), and government chair of the ACT-IACT Cybersecurity Community of Interest.

Dr. Ray Letteer, Chief, Cybersecurity Division, United States Marine Corps

Dr. Letteer is the Marine Corps Senior Information Security Official (SISO) and the Chief of the Cybersecurity Division of the Command, Control, Communications, and Computer (C4) Department at Headquarters, U.S. Marine Corps. As such, he is responsible for and oversees all Cybersecurity (CY) tasks, standards, and conditions within the Marine Corps, which includes Computer Network Defense (CND), Defensive Cyber Operations (DCO), Public Key Infrastructure (PKI), Electronic Key Management Systems (EKMS), and Certification & Accreditation (C&A).

Dr. Letteer serves as the appointed Approving Official (AO) for the Marine Corps Enterprise Network (MCEN), which includes all networks and networked systems whether in garrison or tactically deployed. He is also the Functional Area Manager (FAM) for Marine Corps EKMS/KMI/PKI issues.

Tony Hubbard, Principal, KPMG

Mr. Hubbard has spent 25 years providing cybersecurity consulting services to the Federal Government. He currently leads KPMG’s Federal Cybersecurity practice supporting the Defense & Intel communities as well as Federal Healthcare and Civilian agencies with a wide range of cybersecurity services, including identity access management support and cyber governance, among others. Mr. Hubbard has authored articles and spoken widely on Federal Government cyber challenges and opportunities. He received his Bachelor’s degree from Shepherd University, and is a Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA).