Cybersecurity Maturity Model Certification requirements have officially descended upon the defense industrial base, the global network of businesses that produce materials, components and services to support the Defense Department, setting off something of a witching hour for a huge number of companies.

With DoD’s September publication of final rules, it could formally include CMMC requirements in its solicitations and contracts starting Nov. 10. It will be a phased-in scenario: within three years, nearly all DoD solicitations will stipulate that contractors must conform to one of three levels of cybersecurity requirements.

A number of forward-thinking companies are proceeding as if third-party certification of CMMC compliance for themselves and subcontractors is already a must today. In fact, that will be the case for a big chunk of the DoD contracting ecosystem over the next 12 months, as supply chains recognize both the risks of waiting and the advantages of racing forward.

Yet industry estimates suggest that only around 200 companies have been assessed so far by authorized third parties — even though up to 80,000 firms, plus many of their subcontractors, will be required to be officially vetted soon under Level 2 cyber hygiene certification.

A crisis brewing

Given the small number of early adapters, it’s reasonable to assume that a CMMC crisis is brewing at many companies, with some panicking, some in denial that a certification requirement is really here, and some underestimating what compliance and certification really entail.  Others are travelling a complex, expensive path toward compliance that may lead to success, or may lead to more complexity and expense.

We know of many, many companies that have backburnered taking action on the latest phase of CMMC because there had been no firm timetable for roll-out for so long. That approach has undoubtedly created significant risk and disadvantage for many businesses — because there is now very little time to act.

Taking a step back, the CMMC framework aims to ensure that defense contractors can adequately protect controlled unclassified information and federal contract information. Several hundred thousand companies have been self-reporting at Level 1 CMMC certification level, which does not involve third-party assessment. Level 2 not only demands an assessment, but it also requires compliance with 93 more practices than Level 1 does.

The challenges

We convened some of our counterparts in the IT and compliance world, including cybersecurity risk management expert Gray Analytics, to discuss CMMC compliance issues percolating for defense contractors. Here are some of the collective observations:

• Limited qualified resources: As mentioned, nearly 80,000 firms will need Level 2 certification. But there are only about 70 firms authorized to provide assessments and certification. These companies are known as certified third-party assessor organizations (C3PAOs), and they are accredited by the cyber accreditation body. They, along with a subset of CMMC certified assessors who work under them, may be among the only sources of truly effective gap analyses and guidance for Defense contractors and subcontractors needing to succeed with Level 2 CMMC certification.
• Too many unqualified resources: Many companies are relying on or bringing in in-house capabilities to conduct a gap analysis and then address the subsequent remediation. Or they’re entrusting work to consultants that may not be well-versed and experienced enough with CMMC. Accordingly, many of their customers could fail the certification assessment and have to go back to the drawing board — and thus lose more time, money and contracts, both current and prospective ones.
• Narrowing opportunities: Many big Defense contractors are starting to weed out their subcontractors — sticking with those that have been assessed by a C3PAO and are certain to be in Level 2 compliance. In these contractors’ view, it’s critical to be well along in preparation, as remediation takes time and waiting will be costly.

And then there’s the challenge of a company’s actual IT environment: hardware, software, processes, procedures, workflows and continuous updates. CMMC puts pressure on that function. Some companies may be best served finding a qualified provider of an external IT platform they can use as a service or utility. That raises the questions of whether it’s feasible and which one to go with.

Important steps

Given this daunting, time-compressed backdrop, what’s a company to do? Here are key steps to consider:

• Review contracts carefully. Companies with DoD contracts or subcontracts should review what they’ve signed, or are planning to sign, extremely carefully. If there’s Defense Federal Acquisition Regulation Supplement language in the contract, it means you’ll probably need to be CMMC compliant, perhaps at Level 2.
• Understand CUI. If that’s the case, then you’ll need to do the work to really understand CUI and whether you’ll be working with that kind of information. The National Archives offers the detailed information, and DoD offers free CUI training, which may be mandatory for you.
• Assess business impact. Look at the company’s book of business and pipeline to determine whether it will be worthwhile to move toward assessment-proof CMMC compliance. If Defense work involving CUI is only a tiny part of the corporate strategy, it may not be and make more sense to forego certain contracts. Or it may be extremely worthwhile — an imperative.
• Identify internal expertise. If the latter, determine if there’s someone at the company well-versed in CUI and what CMMC compliance entails who can spearhead the process and gather the right resources.
• Choose the right partner. If there’s not a superb internal resource, look for outside help. But that’s easier said than done. As noted, there’s only a small group of firms that qualify as C3PAOs. Some outfits that are CCAs are also effective; others may have less — or no — experience doing the work.
• More due diligence. If you cannot engage a C3PAO and must turn to the cyberab.org marketplace for a list of CCA firms, it’s critical to ask the ones you speak with for references at companies they’ve helped successfully pass the assessments. If they have not done so yet, it’s probably best to move on.

These steps should help you get through a gap analysis to understand the necessary actions to successfully pass an assessment.

From there, you’ll need to make sure your IT environment can handle all the requirements. If the company uses a managed service provider or cloud service provider, you’ll need to evaluate — with the help of a C3PAO or reliable CCA — whether your service provider is CMMC-focused enough and will stay ahead of evolving requirements and updates.

If you need to switch service providers, it may be worth searching for one with a compliant, CMMC-ready platform that amounts to IT-as-a-service. This would probably be a service provider moving rapidly toward FedRAMP certification. That would signal that the program continuously evolves its approach to the security requirements of federal agencies.

An existential challenge for the whole defense industrial base

Looking at the big picture, CMMC compliance represents an existential challenge not just to companies that know they’ll be subject to Level 2 certification; companies in the Level 1 category — where they simply have to self-report — may, in actuality, need to pass assessments. If there’s a data breach at the firm, DoD will automatically assess with Level 2 standards what was self-reported. If the company doesn’t live up to what it reported, it will, at best, need to scramble. At worst it could be a business-destroying problem.

The bottom line: The reality of CMMC compliance is accelerating and demanding, impacting the defense industrial base with force and speed. Be prepared.

Rob McCormick is CEO of Avatara.

The post CMMC compliance reckoning for defense contractors arrives first appeared on Federal News Network.

© Getty Images/phakphum patjangkata

Interview transcript

Terry Gerton PopVox has been advocating for a long time for a number of reforms to congressional operations. Three have kind of risen to the top of your stack lately. Talk us through what those three are and how you think if they pass, they would improve congressional operations?

Danielle Stewart Beginning of this year at the beginning of the appropriations process, we spoke with offices on both sides of the aisle to advocate for recommendations and reforms in the legislative branch bill text that would address the pacing problem. And that is everything from AI training to caseworker office support. And the way that we have been able to work with offices and continue this work over many years really speaks to the continued need in the House to prioritize these items, but also we’ve been able to prioritize them and champion them because there have been members that have been alongside us working towards these reforms as well. And so the importance here is that modernization is an ongoing project for the legislative branch. This is something that’s personal and important for me because I was a staffer on the Select Committee on the Modernization of Congress in the 116th Congress when the committee was first stood up. As a then-House staffer, being able to work with our member offices to advance over 100 recommendations on a bipartisan basis to deliver that final report in what was then still a very divided Congress really speaks to how meaningful this work can be for people. And so there was a second select committee in the 117th Congress. And last Congress, the select committee was enveloped and turned into a subcommittee under the Committee on House Administration. And so that subcommittee has helped to continue that work on a bipartisan basis and has continued to work with us for Congress to have improved technology and a better resourced workforce. And so getting back to what was included in the ledge bill was the highlighted importance of AI training and continued use of AI tools in the House. The continued emphasis on the need for caseworkers to have access to better resources and better tools, which we are seeing in what’s called the Case Compass Project. And a congressional liaison directory, which is housed and managed by the Congressional Research Service, which also helps, speaks to supporting staff and ensuring that they have the tools they need to better do their jobs, which in turn they can better help their constituents and provide results for their districts.

Terry Gerton I’m speaking with Danielle Stewart. She serves as the PopVox Foundation’s advisor for congressional initiatives. Danielle, let’s take each one of those in turn. The data map or the legislative branch data map, what would it really take to implement that now that it’s in law? And how will it change how the congressional offices operate?

Danielle Stewart Sure. Yeah, that’s a great question. So I believe last Congress, they started the process of, of starting to put this together, at least within the House. We have said, and we’ve advocated for a full legislative branch data map, which would include all of the agencies in addition to Congress, right? So not just Congressional offices and everything within the Congressional complex. It would include GAO, CRS, Library of Congress. Everything that you see touched sort of through that legislative branch operations umbrella. There’s no complete map showing how the data flows through each of these branches or agencies through its life cycle. So this isn’t something that necessarily each member office or each congressional staffer would need to sort of think about or manage. This is something that is more of an institutional entity and in what would need to be managed at the technical level. But data maps at their core are, you know, visualization diagrams of data ownership formats, where the data is being transferred and they help an organization better understand the who, what, when and where of data to be able to maximize use and ensure its security. And so included in the legislative branch bill was language — or, the bill report — was language highlighting the need to continue putting this data map for Congress together. And so that is in the works, we’re very encouraged by that. It’s being increasingly, become increasingly essential as government entities begin responding to the emergence of AI and other technologies. And so, that is something that was certainly a priority for us, and we were encouraged to see the language included.

Terry Gerton Talk to us about Case Compass because that’s really interesting in terms of getting a more synchronized picture of how constituent offices are working.

Danielle Stewart Yeah, Case Compass, we’re incredibly excited about this project. And a lot of credit goes to my colleague, Anne Meeker, who is a former district staffer constituent services representative, and this is a real passion of hers. So the Case Compass project is, we’ve seen the development over the last couple of years. Right now, 50 member offices have opted into the pilot project. And what the pilot does is it anonymizes and aggregates constituent casework data. And the data then feeds into Case Compass. And so Case Compass itself is a dashboard that we have championed to track this data to be able to identify systemic issues and areas for improvement within the federal government. And so this helps caseworkers at the local level, better understand agency trends, they get to have potential issues or concerns within their districts. And also, caseworkers as PopVox Foundation has learned and helped really cultivate through a lot of Ann’s work — caseworkers are some of the best, well-connected congressional staffers because they see and hear everything that’s going on on the ground in these districts. And they are able to talk to each other and help each other regardless of party affiliation. And that is something that has always been worth celebrating and worth supporting. And so continued resources for caseworkers through this Case Compass project, this is a bipartisan achievement. The report language encourages continued development of the project. And through this project, Congress will be able to have the data to act when caseworkers see trends or issues. For example, you know, a couple of years ago, I think you probably remember, there was a huge, huge uptick after the COVID pandemic in passport delays, passport processing. And being able to get ahead of that, ahead of time, while caseworkers are being able to see sort of this creep up of these cases coming in, being able say, hey, red flag, we see this is happening. How can we get ahead of it and try to provide more resources to fix the problem, or to speak with the agency head and identify ways that we can work together to better support the American people. So that’s a huge win, and it’s better inter-branch communication and coordination, which is critically important.

Terry Gerton That makes a lot of sense. And it seems like the third initiative is closely related to that, a congressional liaison directory, maybe to help those awesomely connected local case workers stay even better connected.

Danielle Stewart Yes, and this is, I’m simplifying this tremendously, but I always, when I think about this one and I read about it in our materials, I always think about it as like a mega yellow pages for caseworkers, just a giant, beautiful phone book, which you would be disappointed and shocked to learn does not really exist. Like, you know, I have been able to open multiple freshman member offices and when you walk in the door and you open a district office, you’re not handed a packet of agency contacts, who to get in touch with at the VA, who to call if you have a Medicare question. Those contacts, they are available, but it is not as easy as a Google search. And so CRS maintains the only extensive list of congressional liaisons at executive branch and independent agencies. But the scope of casework is bigger than just those executive branch agencies as you would think of executive branch agencies just being here in D.C., right? There are D.C.-based liaisons, but regional contacts, processing center contacts and more. And so the language in this year’s report requests that CRS examine the feasibility of expanding this list and the appropriations committee will be working with them to do so. So that is huge. And the more resources that caseworkers and district staff and congressional staff as a whole have to better do their jobs, or more efficiently and effectively do their job, the better the service and representation will be for constituents.

The post New provisions in the shutdown-ending funding deal aim to modernize Congress first appeared on Federal News Network.

© Getty Images/suwadee sangsriruang

 

• House Republicans are seeking annual reauthorization of key programs at the Veterans Affairs Department. Top lawmakers on the House VA Committee are leading a series of bills that would reauthorize the department’s Veteran Readiness and Employment program. This is the third wave of VA reauthorization bills lawmakers have introduced. The legislation would also move the Labor Department’s Veterans Education and Training Service program to the VA.
  (Chairman Bost, House Republicans introduce Veteran Education and Workforce Reforms, acquisition improvements through reauthorization strategy - House Veterans Affairs Committee)
• The protests of GSA's OneGov deals for AI tools don't make the grade. The Government Accountability Office dismissed the complaints filed by AskSage over the low-cost contracts for artificial intelligence tools made by GSA under its OneGov program. In a decision released yesterday, GAO says its dismissal is on jurisdictional grounds as it does not review matters of contract administration. GAO says because GSA modified existing contracts under its schedule program, it doesn't generally review protests of allegedly improper contract modifications because such matters are related to contract administration and therefore not subject to review pursuant to its bid protest function. AskSage filed multiple protests in August, claiming GSA's deals for these AI tools are inconsistent with commercial practices and risked “an impermissible vendor lock-in scenario."
  (GAO dismisses protests of GSA's OneGov deals for AI tools - Government Accountability Office)
• President Trump has tapped Lt. Gen. Joshua Rudd to lead both U.S. Cyber Command and the National Security Agency. NSA and Cyber Command have been without a permanent leader since April when Trump fired Gen. Timothy Haugh from the role. The Defense Department also announced the nomination of Marine Corps Maj. Gen. Lorna Mahlock to serve as deputy commander of U.S. Cyber Command. The role does not require congressional approval.
  (Trump nominates Lt. Gen. Joshua Rudd to lead Cyber Command - Department of Defense)
• Most civilian federal employees are set for a 1% pay bump beginning in January. President Trump signed an executive order Thursday afternoon, finalizing the 1% pay raise for 2026, for most feds on the General Schedule. It’s the smallest annual increase civilian employees have received since 2021, and does not include any locality pay adjustments. Both law enforcement officers and military members will likely receive a larger pay raise of 3.8% in the new year.
  (Trump finalizes 1% federal pay raise for 2026 - Federal News Network)
• Federal employees are in for a holiday treat, with two additional days off next week. President Donald Trump signed an executive order yesterday declaring both the day before and the day after Christmas as holidays for the federal workforce this year. Christmas Day is already a federal holiday, but presidents will often give additional days off for feds around the holidays. Certain employees, however, will still need to report for duty those days for national security, defense and other public needs.
  (Trump gives most federal employees two days off around Christmas - Federal News Network)
• The IRS is moving 1,000 IT employees out of its tech shop with few signs of what work they’ll do next. Impacted employees say they have few details about what work they’ll be doing, and have been told by the agency to instead “focus on completing an orderly transition of your current work.” The notice they received states that they will no longer be working on IRS IT projects. Employees must upload their resumes to be considered for other jobs at the IRS and the Treasury Department. Last month, IRS IT directed hundreds of its employees to complete a “technical skills assessment.”
  ( IRS moves 1,000 IT employees out of its tech shop, with few signs of what work they’ll do next - Federal News Network)
• More than 4,300 8(a) small businesses have extra time to collect and submit data to the Small Business Administration as part of the agency's ongoing program audit. SBA set a new deadline of Jan. 19, giving vendors nearly two more weeks to compile 13 different datasets. Along with deadline extension, SBA also posted answers to 14 questions it received from firms to help inform the process. SBA asked every company in the 8(a) program on Dec. 5 to submit information to help inform its ongoing audit seeking to root out fraud.
  (8(a) firms get two more weeks to submit data to SBA - Small Business Adminisrtration)
• President Trump’s “Warrior Dividend” bonus for service members, which he suggested would be funded by tariff revenue, is actually a one-time basic allowance for housing stipend already approved by Congress. The $1,776 bonus payment Trump announced while addressing the nation Wednesday night will be paid using funds Congress appropriated to the Defense Department in the One Big Beautiful Bill Act to supplement the basic allowance for housing. The funding was originally intended to address rising housing costs and reduce service members’ out-of-pocket housing expenses. The Pentagon will disburse $2.6 billion of that funding as a one-time payment to roughly 1.28 million active-duty service members.
  (Trump’s ‘Warrior Dividend’ bonuses for troops is housing money approved by Congress - Federal News Network)
• Federal employees have a final chance to weigh in on their experience in the workplace this year. The window for taking the Partnership for Public Service’s “Public Service Viewpoint Survey” closes at midnight tonight. The Partnership launched its own external questionnaire for federal employees, after the Trump administration canceled the 2025 Federal Employee Viewpoint Survey earlier this year.
  (Public Service Viewpoint Survey - Partnership for Public Service)

The post House lawmakers seek reauthorization of key VA programs first appeared on Federal News Network.

© AP/Pablo Martinez Monsivais

Interview transcript

Terry Gerton Before we get into the case that we’re going to talk about today, can you give us a rundown of the difference between the Trade Agreements Act and the Buy America Act, because that plays into the case we’ll examine.

Dan Ramish Absolutely. So there are two domestic sourcing regimes that apply to government contracts, the Trade Agreements Act and the Buy American Act. And generally, the line between the two statutory regimes is dictated by the value of the procurement. So the Buy American Act applies to contracts that are below the free trade agreement thresholds. The most notable one is the World Trade Agreement Government Procurement Agreement, or WTO GPA, which has thresholds of 174,000 for supply and service contracts and then 6,708,000 construction contracts. The sort of basic difference is, of course, the Buy American Act has been around a long time and establishes preferences for American-made goods. The Trade Agreements Act kind of came in with the free trade movement and established equal treatment for trading partner countries. And there are also a number of other so-called designated countries, mostly developing countries. And the products of those countries can also be used along with domestic products. But there’s a critical point on how these two frameworks are applied, which is that the Buy American Act institutes a price preference, whereas the Trade Agreements Act prohibits procurement of foreign products that are not designated countries.

Terry Gerton Sounds like it could be a pretty confusing space for contracting officers, so I think it will be helpful to walk through this case. The Veterans Affairs Department was engaged in buying medical supplies and pharmaceuticals. Tell us about this particular case.

Dan Ramish Yes. So the procurement was for a drug called Prasugrel, which is a blood thinner that’s used to reduce risk of heart attacks and strokes. And the prasugrel was available to the VA on Cosette’s federal supply schedule contract and also on an open market basis. But the agency wanted to establish a standardized contract to obtain volume discounts essentially and have set prices that it could rely on and anticipated that the contract would be used both by the VA and also by other agencies, the Department of Defense and Indian Health Service and the Bureau of Prisons. And so they established in the solicitation fixed price indefinite delivery requirements contract that was gonna have a base year and four option periods. And so, they put this out for bid, Golden State Medical Supplies proposed a generic version of the Prasugrel drug that was manufactured in India. And India is not compliant with the Trade Agreements Act, they’re not a trading partner, not a developing country that is a designated country for TAA, so non-compliant with TAA. Cosette Pharmaceuticals proposed to supply a brand name version of the drug that was much more expensive. And their drug was manufactured in Germany, the active pharmaceutical ingredient was from Japan. Now, in some cases, they’re questions about which is the actual country of origin for Trade Agreements Act purposes, but both Germany and Japan are TAA compliant countries. So that wasn’t an issue. Everyone agreed that Cosette’s drug was compliant with TAA and Golden State Medical Supplies’ drug was not compliant. And there were a number of other drugs also from India that other offerors supplied, all generic. So the VA decided to award to Golden State Medical Supplies. They argued that the Trade Agreements Act exception applied because Cosette’s price was excessively high and they argued that the offer was therefore insufficient to fulfill the government’s requirement, which is one of the narrow exceptions of the Trade Agreements Act.

Terry Gerton I’m speaking with Dan Ramish. He’s a partner at Haynes Boone. So Dan, if you’re the contracting officer and you’re looking at this wide differential in prices, how would you know to make a choice one way or the other?

Dan Ramish Well, so the solicitation in this case was lowest price technically acceptable. So of course, the VA wanted to get the, you know, the lowest available price for these drugs, they’re standardized. And so it was understandable. And I think the court certainly saw where the agency was coming from in trying to get a good deal for the taxpayer. However, the court said, well, you have to look at the language of the statute and this exception for offers where no offers are received that meet the government’s requirement isn’t intended to encompass price. And in part, the court looked at the difference between the Buy American Act, which does actually specifically have an unreasonable cost exception, and the Trade Agreements Act, which only says, well, if you don’t receive any compliant offers or offers that meet the government requirement than you can procure from foreign sources.

Terry Gerton So the Court of Federal Claims sided with Cosette, the more expensive one that met the Trade Agreement Act requirements. What did the court say specifically about VA’s interpretation of the Trade Agreements Act?

Dan Ramish The VA’s approach was, in one part, to say that it was making use of this insufficiency to fulfill the government’s requirement exception. They also essentially excluded Cosette from the competitive range because of their price. And the court said, well, that approach wasn’t appropriate and didn’t comply with the Trade Agreements Act because you’re not allowed to effectively compare the price of a compliant, Trade Agreements Act product with non-compliant products, that that’s an apples to oranges comparison, and that that couldn’t be a valid basis for excluding Cosette from the competitive range.

Terry Gerton So does that mean that government agencies are locked into buying these really expensive products if they’re the only TAA compliant option? Do they have other choices? What did the court say about that?

Dan Ramish So the court pointed out that the statute, among other things, includes the option of a waiver issuance by the agency head, which is available on a case-by-case basis when it’s in the national interest. There was no waiver here. So the agency, if they felt there was a compelling interest, could have the agency head issue a waiver. They also could cancel solicitation, issue the drug, solicitation on the open market. And so they weren’t locked into making an award. And of course they needed to establish that there was a fair and reasonable price that they were paying for the award, but they couldn’t ignore the requirements of the Trade Agreements Act and award to a non-compliant offer when there was Trade Agreement Act compliant offer that was received.

The post A recent court ruling could reshape how agencies source under the Trade Agreements Act first appeared on Federal News Network.

© The Associated Press

Interview transcript

Terry Gerton Anthropic says Chinese hackers used its Claude chatbot to automate a cyber espionage campaign against tech firms, financial institutions, and government agencies, marking what could be the first large-scale AI-driven attack. Joining me to explain what this means for defenders and what’s next for nation-state tactics is the former department head of AI security at MITRE and co-founder of AI security consulting firm Fire Mountain Labs, Dr. Josh Harguess. Dr. Harguess, thank you for joining me.

Josh Harguess Thank you very much for having me.

Terry Gerton We’re going to talk about something that really made the news not too long ago. Anthropic said that its AI tool Claude was used by Chinese hackers with minimal human intervention to launch a cyber espionage campaign. Can you tell us more about what really happened?

Josh Harguess Yeah, I can. So a really nice report that they lay it out, really detailed, but some of the high marks. So they used Claude code to do this. So this is Anthropic’s own tool that allows you to sort of, you know, vibe code as it were, and create a code that was able to do these exploits. And by create, what I mean is they were able to execute something like 80 to 90% of these operations completely independently from human interaction. That 10 to 20% was sort of like human-on-the-loop, human-in-the-loop verifying, validating some of the things that came back from Claude code, like hallucinations  things that weren’t actually real, but there were plenty of exploits that were real, that were able to execute without any human intervention. And they really did this by doing these safeguard bypasses, things like social engineering, so doing prompt injection techniques, these kinds of things, convincing the tools that they were using. That everything that they’re doing was on the up and up. You know, no issues, don’t worry about what we’re trying to do. This is, you know, we’re security professionals. We’re trying to secure our own infrastructure, our own networks. So you’re doing us a service by providing this code to us. And yeah, the breach was, this was a campaign. I think they started to notice this maybe back in September. So they were able to kind of follow this campaign and eventually disrupt it.

Terry Gerton You mentioned some things like prompt injection and social engineering. Tell us a little bit more about how those were able to bypass Claude’s safety guardrails and what that means for the average person who might be a victim of some of this approach.

Josh Harguess Yeah, absolutely. So this has been around since ChatGPT Was released, so essentially these are ways to convince the model to do things that it’s not supposed to do. So particularly over the past two or three years, OpenAI, Anthropic, Google, they’ve spent a ton of money on trying to build in these safeguards so that you can’t get instructions for how to make a nuclear weapon or how to do other nefarious things that these models, they don’t want you to be able to do. However, there are ways around this and we’re seeing this even with today’s models. It’s more sophisticated. It’s not as easy as some of the early days where you just say the word poem infinitely and then it spits out user data. So now you do have to dig a little deeper. You have to do what’s called maybe crescendo attacks. You have to, you know, sort of aggregate different attacks together in order for this to be successful. But these models are all susceptible at some point to this kind of prompt injection technique.

Terry Gerton It sounds like you and others with your expertise might have been expecting something like this to come along. It’s not just something that woke up overnight.

Josh Harguess Definitely. Absolutely. We’ve been sounding the warning alarms about this for many years So it’s very well known and really that awareness piece is number one. I mean, I think a lot of people, to your point, are going to be very surprised that this is even possible

Terry Gerton So tell us more about how that 10 or 20% of human interaction played in with the cyber attack.

Josh Harguess Yeah, definitely. So, yeah, it’s interesting. So we’re not at the place where you can just say, go execute all of this for me, actually execute the campaign, you know. Get back to me in a few days when you’ve actually been able to recover these credentials and get into accounts and all that kind of thing. So right now we’re still at the phase where, you know, there’s a certain amount of trust for these models to do something that you tell it to do. And this is in, you know, your everyday task. If you’ve ever tried to write a summary of an article or something like that, you know, you’re not always gonna get 100% of what you’re expecting out of these models. So there’s some amount of human-on-the-loop or human-in-the-loop to kind of validate and verify what you are getting back. And this is no different. So, you know some of the things that came back were, you know, code that didn’t run or code that actually didn’t do the task that they were trying to do. So it was very much breaking the problem up into smaller pieces. Executing those small pieces, validating that they worked, and so on.

Terry Gerton I’m speaking with Dr. Josh Harguess. He’s the former department head for AI security at MITRE and co-founder of the AI security consulting firm, Fire Mountain Labs. The organizations that were targeted in this cyber attack, everything from financial institutions to tech companies to chemical manufacturers and government agencies, these might be the folks that you would expect to have the most resilient defense. How did they fare?

Josh Harguess Yeah, I mean, it’s difficult to protect yourself against the unknown, right? So I think a lot of these organizations, like you mentioned, they will be doing their best to protect themselves against kind of known adversaries. So they’re protecting their data, they’re protection their identities, these sorts of things, but they’ve never seen something this sophisticated kind of come at their infrastructure, and so quickly. So I think a lot times in the past if they saw a campaign like this, and it was human operated. They would be able to sort of see the signals and be able to react. In this case, the campaign was so fast acting that they weren’t able to react in time. And I think that’s really the escalation of these types of attacks.

Terry Gerton What does that mean for AI defense or hacking defense going forward? If the hacker is AI powered and can adjust so quickly, how can the defenders meet that kind of attack?

Josh Harguess Absolutely, so we’re definitely getting into that space that we were fearing in the beginning where we’re going to have to use AI tools to help us defend against these kinds of attacks. And not just these types of attacks, probably all attacks. The same exact thing is going to happen though where you’re going want to defend yourself against attacks using AI, however, that AI may not do exactly what you expect it to do all the time. So it’s the same kind of back and forth. You’re going to need a human-in-the-loop, human-on-the-loop to sort of validate, verify these defenses, check in, make sure that they’re operating as they should. These are the kinds of things that we do as a consultancy, help folks through this. So, you know, how do you secure your own AI systems? That’s a big question mark. That’s what we help people through. And you have to be able to secure your own AI systems before you can use them for these types of defenses.

Terry Gerton If AI is attacking and AI is defending and all of that is happening at machine speed, what is the risk — what are the vulnerabilities there and what is risk of escalation?

Josh Harguess Yeah, absolutely. So same as we kind of talked about earlier, you have to break the problem down into kind of consumable pieces. So look at your entire ecosystem of defense. Where can you instantiate AI? One place that’s really obvious is attacking yourself. So firming up your own defenses by pretending you’re an adversary. So red teaming your own system using these tools before someone else on the outside does that.

Terry Gerton As you look forward, what does this mean in terms of nation-state relations? How do nations prepare and how does this change the threat landscape?

Josh Harguess Yeah, certainly. So there’s multiple ways of looking at the changing of the threat landscape. My co-founder likes to talk about this in terms of these three words, intent, opportunity, and capability. Intent, that’s not really going to change. There’s always going to be bad actors that are trying to do nefarious things. Opportunity, that’s certainly expanding. So as these AI models and these AI agents kind of dig deeper into our digital infrastructures, we have new avenues for exploitation. So, you know, in this case, it was the social engineering way of getting into the models. There’s going to be other ways of getting in in the future that we’re not aware of yet. And then capability, that’s really the big one here. You know, AI is the force multiplier in this case, and that’s what we need to be utilizing, but also securing for our own systems.

The post When hackers weaponize AI, the rules of cyber defense change overnight first appeared on Federal News Network.

© Getty Images/iStockphoto/Urupong

What does mission-driven modernization really look like?

In our new Expert Edition, leaders from across federal and state government as well as industry share how agencies can align technology, data, security and workforce strategies with mission outcomes — not just modernization for modernization’s sake.

You will hear from:

• Darren Death of the Export-Import Bank of the U.S.
• Ron Leidner of Maximus
• Elizabeth McCarthy of Maximus
• Retired Col. Randy Pugh of the Naval Postgraduate School AI Task Force
• Doug Robinson of NASCIO

From AI adoption and data governance to outcome-based contracting and continuous security, their insights offer a practical roadmap for transformation.

Explore the full ebook now!

The post Expert Edition: What does mission-driven optimization look like? first appeared on Federal News Network.

© Federal News Network

The State Department didn’t just rename its procurement office as part of its reorganization. The new Bureau of Global Acquisitions is no longer buried inside the agency.

Mike Derrios, a former senior procurement executive at State, said too often the agency leadership didn’t have access to the acquisition offices and wouldn’t get the information to fully inform enterprise decisions.

“How you spend an agency’s money, what you’re spending it on, how you’re defining those requirements, how well you’re working with industry, again to get to those outcomes that you’re outsourcing for? What are you learning from that data? Times are tough financially for agencies and the more data that an acquisition line of business can offer and bring to the table, the better to help leadership think about things holistically,” said Derrios, who recently became the new executive director of the Greg and Camille Baroni Center for Government Contracting at the George Mason University, on Ask the CIO. “All of that is just incredibly valuable perspective that I don’t think is always leveraged if the voice can’t be heard. So it’s really just about getting that important seat at the table.”

State had been developing a plan to reorganize and elevate its acquisition office for several years, but the Trump administration accelerated the timeline. The new bureau became official at the end of the fiscal year.

Derrios said his team worked on the business case for the better part of five years and finally the political leadership included it as part of the broader State Department reorganization.

Bringing the procurement office deeper into the leadership suite was one of several ways Derrios drove change in State Department acquisition during his five-year tenure as the SPE. Derrios left federal service in October after more than 25 years.

“We set an ambitious course for ourselves to enact some significant changes. We rolled our sleeves up and we executed. My leadership approach has always been to galvanize people behind a vision and then challenge them to go beyond their own perceived limitations in pursuit of it. And that’s exactly what that staff did,” he said. “That is why that that organization was elevated to be a bureau, finally doing things to actually think about how the business is functioning. It’s not just how many contracts are we getting out there, but how well are we doing that work? How are we adding value to mission support? Are we thinking about how we’re improving our way of doing business and offering service to the customers, putting balance scorecards in place, you know, robust human capital plans, moving to a category management model? All of those things were just about how we were swinging for the fences.”

Driving toward category management

Derrios said moving State more toward a category management for buying common goods and services should be at the top of the next senior procurement executive’s agenda.

He said State has been working on collecting the data and developing the model over the last three years, so now is the time to move it into reality.

“We did some pretty heavy analytical work to realize that about 80% of the money was being spent in four major categories. So when you look at all the product service codes that we were obligating money on, they all fell in four big buckets so it just made sense for us to start to move in that direction in terms of how we were organized,” he said. “That gives us the opportunity to really look at the requirements in two different ways and in real time. There are opportunities with all the buyers to centralize around things like IT and professional services. They’re able to put better acquisition strategies in place, and if the work is flowing into the organization in terms of a category model, it gives us the opportunity to put a lens on the work in real time to figure out, ‘hey, do we have 20 customers all buying the same thing right now? Well, if so, let’s aggregate that demand before we go to market.’”

The four buckets of spending are:

• IT
• Professional services
• Diplomatic security services like local guard and other security related services
• Overseas construction

Derrios said the acquisition office will work with their partner offices to create specialized cadres of contracting officers to buy these specific categories of products or services.

For instance, he said if Consular Affairs has expertise in IT or professional services, they may lead the effort to buy for several organizations.

“I think what they’re going to get is contracting professionals that are building up reps, if you will, in terms of doing the same kind of contracting and building up deep market insight as a result of that. They are really understanding what’s late breaking in terms of where the market is going with technology, understanding the complexities of large services and how to help a contract or a program office avoid the pitfalls of setting up a statement of work in a way that won’t lend itself to the metrics a program office is trying to meet,” Derrios said. “There’s a ton of upside to this.”

Buying smarter through data

The other piece to category management is focused on the post-award environment. Derrios said it will let State line up their recompetes in a smarter and more efficient way.

“You can put a smarter structure in place that possibly standardizes some of their requirements and aggregates demand, so that when the recompete comes, you’re actually doing one contract again versus multiple. That was the intent behind category management,” he said. “It absolutely aligns with where the current administration is at on how to buy smarter and the skids are already greased in terms of all the process work that we did to make that shift happen. I think category management is a sea change for State Department.”

The impact from buying through category management may take some time, however. Derrios said his team did some initial analysis to determine possible cost savings, but he wasn’t ready to offer specific estimates.

Derrios said category management and other acquisition initiatives is helping the State Department become more strategic and less transactional.

“Procurement is one of the most important mission support functions in the government, and it can be very easy because of the pace and because of the high pressure environment that you’re in to fall into a place where you’re more focused on throughput rather than the strategic aspect of the work,” he said. “I think how you define your requirements, the strategy you plan to take to get to market, how you want to structure your contract and how you’re going to administer that contract to ensure it’s yielding those outcomes is where acquisition leaders should be placing the majority of their emphasis. Trying to modify your way to success after a bad contract was put in place is a recipe for disaster. I think you have to take the time up front to define what success looks like contract-by-contract.”

The post State elevates acquisition office as part of reorganization first appeared on Federal News Network.

© Federal News Network

The IRS is moving about 1,000 IT employees out of its tech shop, as part of a reorganization plan that’s been underway for months.

Impacted employees say they have few details about what work they’ll be doing, and have been told by the agency to instead “focus on completing an orderly transition of your current work.” The notice they received last week states that they will no longer be working on IRS IT projects.

According to the notice, obtained by Federal News Network, the reassignments will go into effect on Dec. 28.

“As part of the IRS’s restructuring of the IT organization, approximately 1,000 positions across IRS IT are being reassigned,” the Dec. 11 notice states. “Your position is among those identified for a directed reassignment to the Chief Operating Officer.”

Employees who received the email have until Jan. 9 to complete an “orderly transition.” That includes wrapping up current work, offloading assignments and supporting project handoffs.

“You are not expected to take IRS IT project work with you into the COO organization,” the email states. “IRS IT project work will remain within IRS IT.”

Impacted employees told Federal News Network they’re not sure what kind of work they’ll be doing as part of this reassignment. Federal News Network spoke to four IRS employees. The IRS and the Treasury Department did not respond to requests for comment.

“While this is a permanent realignment out of the CIO organization, it is not a permanent realignment into COO,” a separate internal document states. “We will be collaborating with the Human Capital Office (HCO) to align and qualify employees for positions across IRS and Treasury.”

Reassigned employees are being asked to upload their resumes no later than Jan. 23, 2026.

Two employees who received reassignment notices told Federal News Network that they also received reduction-in-force notices during the recent government shutdown.

Those RIF notices were rescinded, as part of the stopgap spending bill Congress passed in November, ending the 43-day shutdown. Language in the continuing resolution bars agencies from carrying out layoffs through Jan. 30, 2026.

“Morale at the IRS is at an all-time low, and nobody trusts anyone,” one IRS employee told Federal News Network. “This administration is getting precisely what it wanted — to destroy the IRS from within.”

The IRS told employees that the reassignments “are based on organizational alignment decisions and is not a reflection of individual performance.” The agency notice also states that reassignment will not affect an employee’s pay, benefits or bargaining unit status.

“Still complete chaos, grievances being filed for unfair moves without explanation and just fueled by who you know and connections,” a second IRS employee told Federal News Network.

Last month, IRS IT directed hundreds of its employees to complete a “technical skills assessment.” According to two IRS IT employees, the test, conducted by HackerRank, consisted of several multiple-choice questions and a coding question that made up the majority of the overall grade. One employee said the questions “had zero to do with our jobs.”

“They did this to say, ‘Look, 98% of our people failed, so we are going to move you or RIF you,’” the employee said.

The Treasury Department RIF sent RIF notices to 1,377 employees during the shutdown.  Court filings showed most of those notices went to IRS employees, especially those working in human resources and IT.

Sam Corcos, Treasury’s chief information officer and a Department of Government Efficiency representative, defended the IRS layoffs as “painful” in a recent podcast interview, but said they were a necessary tool to get the agency’s stalled IT modernization efforts back on track.

“It’s very hard to fire people. The only way that you can really reduce the size of government is through the reduction-in-force process,” Corcos said on an Oct. 9 episode of the Modern Wisdom podcast.

During the nearly three-hour interview, Corcos said much of his time as Treasury CIO has been focused on projects at the IRS, and that the agency’s IT workforce doesn’t have the necessary skills to deliver on its long-term modernization goals.

“We’re in the process of recomposing the engineering org in the IRS, which is we have too many people within the engineering function who are not engineers,” he said.

“The goal is, let’s find who our engineers are. Let’s move the people who are not into some other function, and then we’re going to bring in more engineers,” he added.

In March, the IRS removed 50 of its IT leaders from their jobs and put them on paid administrative leave. Corcos defended that decision, saying the IRS “has had poor technical leadership for roughly 40 years.”

During the interview, Corcos said the layoffs in the federal government are more restrictive than what’s allowed in the private sector. In practice, he said government RIFs often result in agencies losing younger employees with in-demand skills, but with less tenure — something he said should be corrected.

“When you do these reductions in force, it’s basically tenure. So it doesn’t matter who your top performers are. It’s effectively irrelevant to a RIF. If you want a 20% RIF, you can your 20% youngest people, who are often your top performers, and you’ve got to remove them,” Corcos said. “I think most people would probably say that performance-based RIFs is probably good instead of tenure-based. I’m sure that’s something people are pushing for, but that would make a really big impact.”

The IRS lost more than 25% of its workforce this year, largely through voluntary incentives, including early retirements and the deferred resignation program. Despite these widespread cuts, Corcos said the agency hasn’t seen “that much fallout yet,” because the agency had increased its staffing “to ahistoric levels” under the Biden administration.

“It’s a scalpel. It’s not a chainsaw,” he said.

The IRS, in a separate memo dated Dec. 15, told staff that it is moving ahead with a reorganization of its IT division, its first major restructuring in more than 20 years. IRS IT is replacing its associate chief information officers with four “mission-focused verticals” and five “foundational areas.”

Those four verticals are:

• Taxpayer Services & Online Accounts: Jim Keith
• Tax Processing: Miji Matthews
• Compliance: Eric Markow
• Filing Season & Legislative Deliver: Craig Drake

The five foundational areas are:

• Strategy & Product Management: Courtney Williams
• Data & Platform Engineering: Rob King
• Infrastructure Tech Ops: Lou Capece
• End User Digital Services: Tanya Chiaravalle
• Cybersecurity: Houman Rasouli

“Each area is designed to support a specific part of the tax administration ecosystem and improve how technology and agency needs come together,” the memo states.

According to the internal notice, IRS IT has about 5,100 full-time employees. The agency wrote that reorganization offers a “simplified structure that strengthens the connection between technical work and the agency’s core functions.”

IRS Chief Information Officer Kaschit Pandya told employees this summer that IRS IT needed to “reset and reassess” in part because more than 2,000 IT employees have left the agency this year.

The memo states that approximately 94% of IRS IT employees work in technical roles. The remaining 6% work in operational or support staff roles — including planning, financial, contractual, governance and program work.

The Treasury Department announced in April that it is planning to consolidate IT, human resources, procurement, travel and other administrative functions carried out by multiple offices at its component agencies.

The post IRS moves 1,000 IT employees out of its tech shop, with few signs of what work they’ll do next first appeared on Federal News Network.

© AP Photo/Susan Walsh

Most civilian employees on the General Schedule are set for a 1% pay bump beginning in January, after President Donald Trump signed an executive order Thursday afternoon finalizing the 2026 federal pay raise.

The executive order aligns with Trump’s alternative pay plan from August, which also called for a 1% pay raise for the vast majority of federal employees. It’s the smallest annual increase civilian employees have received since 2021, when Trump directed a 1% increase during his last year in his first term in office.

The White House uploaded pay tables detailing the pay rates for various federal employee schedules. Unlike other recent years of pay raises, the president did not include an increase in locality pay for 2026. For most employees, the federal pay raise will officially take effect during the first full pay period after Jan. 1.

Law enforcement officers may receive bigger federal pay raises next year, although it’s not yet clear exactly which positions will see the larger pay bump. Trump’s order on Thursday directed the Office of Personnel Management to “assess whether to provide” up to a 3.8% raise for “certain federal civilian law enforcement personnel.”

Military members are also on track to receive a larger base pay raise of 3.8% for 2026. The White House proposed the pay boost for service members earlier this year, and Congress later included it in the annual National Defense Authorization Act. The White House has indicated Trump plans to sign the NDAA into law Thursday evening.

Trump’s sign-off on Thursday’s executive order marks the final step of the process to make the 2026 civilian pay raise official. Presidents have a Dec. 31 deadline to finalize the federal pay raise each year.

In past years, Congress has occasionally legislated a separate federal pay raise proposal. But this year, there was no alternative for the civilian federal pay raise included in any legislation.

Prior to 2021, the last time feds received a raise of 1% or lower was 2015, the final year of what had been a multi-year drought in civilian employee increases. More recently, most General Schedule employees received raises of 2.7% in 2022, 4.6% in 2023, 5.2% in 2024, and 2% in 2025.

This story was updated with additional details on military pay and locality pay.

The post Trump finalizes 1% federal pay raise for 2026 first appeared on Federal News Network.

© AP Photo/Mark Lennihan

Shutdowns, layoffs and hiring freezes have shaken the core of what it means to build a career in the federal government. The Washington, D.C. region now leads the country in unemployment, and the recent shutdown was one of the longest in history, with roughly half of federal workers furloughed and the other half working without pay.

For a region built on government stability, this is unfamiliar territory. And it has prompted many federal employees to ask a question they never expected to confront: What if government service is not the forever plan anymore?

The story beneath the headlines

But beneath the headlines, there is another story that should spark optimism. The private sector is not retreating from government; it is moving closer. Tech companies, especially those driving AI innovation, are expanding and deepening their presence across the Washington, D.C. region in ways we haven’t seen before.

Nvidia, now the world’s first $5 trillion company, brought its flagship GTC conference to the nation’s capital this year for the first time. The move signaled how central the region has become to the future of AI.

Google launched a public-sector division in 2022 with leadership based in the region. Since then, it has introduced Gemini for Government and hosted major public-sector events in D.C.

OpenAI, maker of ChatGPT, is opening its first Washington D.C. office next year. Recent reporting suggests the company is preparing for a possible IPO that could value it at up to $1 trillion.

And Meta CEO Mark Zuckerberg bought a home in Washington, D.C. to spend more time in the area “as Meta continues the work on policy issues related to American technology leadership.”

Why Washington, and why now

Washington, D.C. influences how technology is researched, funded and regulated. The companies shaping the next era of AI and other strategic industries will not do so alone, but in partnership with government.

This can be seen most clearly in the national security space. In today’s global strategic landscape, conversations about American strength include Nvidia and advanced computing as naturally as the Pentagon.

This is not new. The public and private sectors have long worked together toward shared goals. When then-House Speaker Nancy Pelosi (D-Calif.) once held up an iPhone and listed the federally backed technologies inside it — GPS, flat screens and voice recognition — she reminded us that government has always been a catalyst for innovation. That same spirit of shared purpose in innovation and national interest should include people, not just ideas and funding. Talented public servants should see private-sector service as equally legitimate, mission-aligned work.

Service, not sector

For decades, a federal career meant purpose, service and stability until retirement. That model is shifting. And while the transition is difficult, it presents an opportunity.

Federal employees are masters of judgment, complex systems, crisis decision-making and mission-driven leadership. These skills translate directly to work in the private sector.

A long federal career remains honorable. But for those navigating uncertainty, or simply curious about contributing in new ways, this moment calls for a new mindset. Service can take many forms. Mission transcends institutions. Public service is no longer confined to one path.

For anyone weighing a transition, the work does not start by translating a résumé into Silicon Valley speak. It starts by articulating how you think: how you assess risk, operate under pressure, and navigate complexity. It means embracing what makes you different, not trying to blend in. And it means making your expertise visible by building relationships, showing up in the right rooms, and contributing to the conversations shaping this next era.

Washington is not shrinking. It is shifting. And federal talent has never been more relevant.

Candice Bryant is a strategic communications leader with 20 years of experience at the CIA and Google.

The post Washington isn’t shrinking. It’s shifting first appeared on Federal News Network.

© Getty Images/iStockphoto/Thinkhubstudio

Federal employees will get two additional days off next week, both on Dec. 24 and Dec. 26, according to an executive order President Donald Trump signed Thursday afternoon.

Federal employees already get Dec. 25 off for Christmas Day as a standard federal holiday.

Despite the additional days off for most, Trump’s executive order clarified that some agencies and offices may need to remain open, and that certain federal employees may still need to report for duty for “national security, defense or other public need.”

There is no guarantee that presidents will grant federal employees extra time off around Christmas, but many have done so in recent years. Former President Joe Biden gave federal employees Christmas Eve off in 2024. And during Trump’s first term in office, he gave federal employees an extra day off for Christmas Eve in 2020, 2019 and 2018.

This year is the first time in recent years that federal employees have received two additional days off around the holiday.

In 2014, former President Barack Obama gave federal employees the day off on Friday, Dec. 26, and in 2012, the former president gave employees the day off on Monday, Dec. 24.

Former President George W. Bush gave federal employees Monday, Dec. 24 off in both 2007 and 2001.

This story was updated with additional details.

The post Trump gives most federal employees two days off around Christmas first appeared on Federal News Network.

© AP Photo/Manuel Balce Ceneta

Interview transcript

Terry Gerton There’s been a lot of talk lately, certainly from lawmakers, from senior military leaders about the topic of lawful and unlawful orders. Describe the current situation from your perspective.

Frank Rosenblatt Well, military members have special license to use violence in armed conflict but this license is not unrestrained. Otherwise, we would just have mobs working. So a professional armed force really depends on discipline, and a key ingredient of discipline is obedience. So military members, have to follow orders. If you don’t like what your boss says at Starbucks, then they can fire you, but they can’t prosecute you. It’s different in the military. There are consequences if you don’t obey what your superiors tell you to do. But at the same time, this doesn’t work like they tried to do at Nuremberg, where I was just following orders. We do not want or expect our military members to unthinkingly obey, so orders are presumptively lawful that they receive, but they also have a duty to disobey any orders that are manifestly unlawful.

Terry Gerton That can be a tricky situation in execution. Describe for me or define for me what makes an order lawful or unlawful.

Frank Rosenblatt Well, the standard of manifestly [unlawful] is that an ordinary person of reasonable sense and understanding would know right away, I’m just not allowed to do this. And the classic example people think about is the My Lai massacre when Capt. Medina supposedly told his lieutenant, Calley, go clear the enemy out of there. Lt. Calley then did his translation of this and said, kill everyone. And the soldiers who worked for Calley should have known. I think it’s helpful to look beyond the Calley example because I think the reality of orders is more complex. There’s a story about a dog handler at Abu Ghraib. He was trained in the use of the military working dog, but he was told by his superiors when he worked at the prison, we need you to derogate from your training a little bit. We want you to use these dogs to help us with interrogations and to scare the prisoners. And so he thought, sure, I’ll go ahead and do this because my superiors are telling him to. It’s questionable whether everyone in that situation would have said, I know this is wrong. But looking years later, the military court looked and said, nope, you shouldn’t have obeyed that order. It’s manifestly unlawful.

Terry Gerton So how does that differ from a personal disagreement? I don’t think that’s the right answer, but maybe it’s lawful, maybe it is not. How does a service member decide?

Frank Rosenblatt We do see this. Matters of conscience, religious belief, or politics are no excuse. You must follow the orders even if you don’t like the president, even if you find the mission to be wrong or even distasteful. We’re seeing a lot of this because, Terry, I work with an organization called The Orders Project. It’s ordersproject.com. It is part of our national institute. And we receive calls from people who have questions about their orders. And here we see the spectrum. People say, what if I’m asked to do this? Or I’m told that we’re going to Chicago. What should I do? And so the National Guard deployments are very interesting because the legal status of them changes by the day. We just saw a new decision on the National Guard deployments in Los Angeles. So let’s say we get a call from someone who says, I’m being told that I’m going to deploy to Chicago in a couple months. It would take a crystal ball, not legal analysis, to say that’s going to be lawful or unlawful. We just don’t know how the courts will decide. So in that hypothetical, we would say you do need to plan and go on this mission unless you have an opportunity to not re-enlist. That is something that you presumptively will have to do, even if deploying to Chicago wasn’t the reason why you decided to join the military.

Terry Gerton I’m speaking with Professor Frank Rosenblatt from the Mississippi College School of Law. He’s a recognized expert in military justice, a former U.S. Army JAG officer, and president of the National Institute for Military Justice. Frank, you were talking there about a situation where a service member has some lead time between what they’re being told they’re going to have to do and actually having to go do it. In some of these operations, though, they’re making decisions in real time. So what should folks be thinking about? You know, if they get an order to fire and they have seconds to decide whether to do that or not.

Frank Rosenblatt This is really happening. And I’ll tell you one scenario that people talk about that’s based on reality. Let’s say a senior elected official says, I want you to shoot protesters in the legs. Then you would think and know, OK, that’s not lawful. But it’s not as easy as that. Because if you say, sir, that’s  unlawful, that might just pull you out of the picture and not be part of more consequential decisions. So that person does not have time to call a lawyer. And it’s really a test of their own judgment and mettle. What we would not expect would be direct compliance with that order. We think maybe we could seek clarification or interpret this in a way and give guidance to subordinates that excises that illegal element. You could take that and then translate that as we need to demonstrate our presence. We need to comply with the law. In other words, I’m saying that there are times when military members should disobey orders.

Terry Gerton Typically, it’s going to be a senior official who’s making the decision. We don’t necessarily rely on the junior operator to make this call in live action. But if they do refuse an order that later turns out to be lawful, or they execute an order that later turned out to unlawful, what are the repercussions?

Frank Rosenblatt This is why it’s so tricky. It’s really a high wire act that we’re asking our military members to do. We are putting them in legal jeopardy when we are boundary pushing in how we do military operations. On the one hand, if you push back on something and you don’t comply, and it turns out that was a lawful order, then you’re going to face consequences for that disobedience. Everything from administrative sanctions to being removed from your job, possibly even a court-martial. But if you do something that you find out later is unlawful, you can also be punished for that.

Terry Gerton So what is the role of the Orders Project in helping to clarify this really complicated conversation?

Frank Rosenblatt This topic obviously has received a lot of nationwide attention lately, and what that means is there are a lot voices out there that represent different religious beliefs, political beliefs, and they’re saying is we want to help soldiers. Sometimes they’re urging disobedience. That’s not what we do. What we’re trying to do is, you know, the National Institute, we’ve been around since 1991, we’re a collection of military law experts, and we want there to be some sort of source that is authenticated that military members know that when I call this, I’m going to get it straight. I’m gonna hear from somebody who, you know, thumbs through the judge’s bench book, the manual for courts martial, and can actually tell me and give me sound legal advice that’s actually based in military law and not based on, you know, some other agenda.

Terry Gerton I think we haven’t heard the end of this conversation, we’re going to continue to follow through on it. So are there reforms or education efforts that you would suggest that could help military service members, political appointees better understand the issues that are at stake here and make the right call from the beginning.

Frank Rosenblatt What I would like to emphasize is, you know, I’m a law professor and a former judge advocate, but I actually want to de-emphasize the role of lawyers in this. I think that the issues with orders come when we ask people on the fly to do something that they haven’t had the time to think through, rehearse, and train upon. I think these issues, Terry, of lawful and unlawful orders come down to if it’s not a legal briefing that’s going to solve everyone’s questions. But when they can practice and build their expertise and competence and see where the boundaries are of their behavior. Every time our military goes to do something, whether that’s operating in cities in Iraq or now in these boat strikes in the Caribbean, if we have the chance to practice this and work through contingencies, then our military members will be emboldened, they’ll be more confident, they’ll know exactly what the right and left limits are.

Terry Gerton It feels like the military is being asked to push a lot of boundaries right now. Would you say from your perspective, we’ve been in situations like this before? Are there lessons we can learn from the past that would help us better define the space right now?

Frank Rosenblatt When we think back to 9/11, for example, there was a strong demand to immediately begin military operations. And there wasn’t really a lot of chance to rehearse this and to know exactly what we were doing and to integrate all of the different perspectives. But I do think what’s important in this is that we have a process. At every military operational command, there are staff officers who each bring a different level of expertise. There are commanders who are trained. If we let them function, let them do their jobs, and we do this without trying to rush people or without political interference. Now sometimes we have to respond to emergencies and there isn’t that time. But we should trust and we should have a lot of confidence in our military members and our commanders. They want to do the right thing. Let’s give them the tools and the opportunity and they won’t let us down.

Terry Gerton Where do you hope this current discussion of lawful and unlawful orders takes us? What do you think the outcome will be?

Frank Rosenblatt In some sense, the temperature has been awful hot on this, and it’s not really, I think, wise for this to be a political issue. And actually, if you listen to Republicans and Democrats, they’re largely saying the same message about this, but they’re not trusting the motives of each other. But maybe the bright side of this, the opportunity here, is the attention on this will give a greater appreciation for the difficulty that we put military members in when we rush them to do things, and when we are really pushing the limits of what we have done before, whether that’s boat strikes in the Caribbean or National Guard deployments in cities.

The post Service members face a simple truth with complex consequences: Follow lawful orders, refuse unlawful ones first appeared on Federal News Network.

© Getty Images/iStockphoto/roibu

Interview transcript

Terry Gerton We touched base with NobleReach back in the summer. How is the program going and what are you learning from your first placements?

Arun Gupta It’s a great question, Terry. We’ve now had two cohorts, one that’s gone through and completed the program and one, second one that we’ve launched. We just had the second one back for their first quarterly session  after being placed. And so let me give a little bit of context. the first one was entirely federal. So they were all in federal agencies across eight federal agencies, including Space Force, Navy, Commerce, CISA, HUD, FDA. And then the ones in our second cohort, as I talk about them, we’ve expanded into state and local as well. So they’re across 10 states. In the first one we had about 20, in the second one we have about 30. So in that context, with the ones that have gone through it, the first ones and have completed the program, I will say one can have a theory on the case about how it can change people’s lives, how it could change their perspective. It’s another thing to see it in action. You know, what we learned was the following. Look, this first cohort was there during a transition between administrations. So they started in the previous administration and obviously ended in this one. And what they found is that they were welcomed by both. They actually visited the White House with both administrations, and that’s a subtle but powerful thing to see, feel, and hear. That the idea of tech talent coming into government is not a political thing, it’s something that … is what’s good for the country. Second, I think what they all saw as well is that the kind of work and the types of problems that they were getting to work on were far more interesting and stimulating than when they looked at many of their peers at some of the more traditional kind of coming out of school jobs. So much so that when we talked to them after the cohort about how many of you want to stay in public service, over 80% of them were like, you know, they would to continue in public service in some capacity. So what we saw with this group is, you know, point one is that both administrations really welcomed them in the work that they were doing. Second, what they saw was the types of problems that they’re getting to work on were far more interesting than what they would see with their peers that are in the more traditional jobs, so much so that 80% of them continue wanting to stay in public service in the near term. Third, what we really saw with them as well was a sense of community. The importance of not just, you know, I think if each one had gone into their own agency on their own, it would have been a[n] okay experience. What made it really transformative was being part of a larger community as well, so that they can compare notes as to like, well, what’s Space Force doing versus Navy? And take those learnings back into the office. And I think that’s an important piece of it. Fourth, the mentorship that they got was greatly appreciated. And they talked about that and they talked about it in the context of not only mentors that were in public service, but a lot of the mentors that we assigned them or aligned them with had careers in both public and private. And I think that was really important, Terry, because I think they really noticed and saw that they’re not making a decision for life, but these are experiences that they are having and how they can benefit them over the course of their journey. Again, a very subtle but important aspect of like how we change the perception of coming into public services, not being something that you’re having to commit to for 30 years, but something that can be part of the fabric of your career journey.

Terry Gerton So you’ve talked to us a little bit about how the participants felt and what they learned. What kind of feedback did you get from the agencies? And can you talk a little more about some of the specific projects that your first and second cohorts are working on?

Arun Gupta Yeah, you know, look, I can give you the high-level kind of  work that they did. You know, we actually do a net promoter score. And so we take it seriously to see like, how are the agencies looking at what we’re doing? And in that context, you now, they were off the charts and all the agencies came back very strong with what they really appreciated was being done with the work that was being. But more importantly, not only with their capability but with their attitude. And, you know, there’s an interesting anecdote … with a couple of people in Space Force. The problem their team was trying to address had been addressed at Navy. And the team at Space Force didn’t have contacts at the Navy, believe it or not. But our scholar, you know, knew one of our scholars is at the Navy and reached out to him. And they then connected and then, you know, weeks later you had those two groups collaborating on a somewhat meaningful project. And I say that because, you know, with that, you can create a level of collaboration that is an unintended benefit to what happens. And that’s what we saw. Justin Fannelli, who’s over at the Navy and the CTO there — he and I just did a panel with them at NDIA to their board. And we had one of our scholars there that worked with them and, you know, the work that he was getting to do and the fact that, you know, Justin now takes the scholar to all his AI meetings, right? You know, sitting down with three star generals and talking to them about what they’re doing to the point where, you know, other groups and agencies go like, how do I get one of them? Right. And when I say one of them, it’s not only, again, someone that’s versant and capable in technology and AI, but it’s also someone that has this sense of mission and purpose, and is looking to marry that with that capability and curiosity, right. And so they can ask some of the more obvious questions and that could be curious around like … Why do we do things this way? You know, which can be very simple and very basic, but at the same time can be profound when you can say like, oh, if we used AI, we don’t need, we could do it this way, right? And so it’s beyond even just the projects. It’s inculcating a different way of thinking.

Terry Gerton I’m speaking with Arun Gupta, he’s CEO of NobleReach. The problems that you’re talking about are things that the OPM director, Scott Cooper, has himself spoken about recently, hiring more tech talent, making it easier to move between private sector and public sector and back again. How is NobleReach in this scholar program working with OPM to really tackle some of the institutional barriers that make that mobility hard?

Arun Gupta That was a great question. And look, we’ve … been collaborating with Scott and his team and think highly of the way that they’re thinking about, you know, the talent issue and how we can support that. And, you know, what we’ve seen is that there’s an alignment around a vision that we have to change the narrative that people need to think about coming into government for, you know, 30 years, but they can come in for two to three, much like we have Teach for America and have a profound impact not only on them but then on the organization as well. And so you know ways that we’re collaborating and talking about things is just sharing the learnings that we’ve seen, you know, because we’ve had the benefit now of two years of being out there with programs seeing what works for the students. You know, like what it meant, the types of mentors, even not even just having mentors but which ones work, which ones resonate, right? What do you need to see in the agencies? You need a city that makes an experience a really meaningful one for the students. You know, we call it the scaffolding. But what is the scaffold? It’s not only connecting them to the job, but it’s supporting them while they’re there. And how do we build that community? A big lever for us here is that it’s not about a transactional recruiting connection to a young professional to a job. But it’s building a broader community of what we call dual citizens, public-private sector citizens. Right, people that have had experience in both the public and the private sector, that can speak the language of both, that have, you know, understand the culture of both. But then over time have networks in both. And thereby we rebuild trust because they’re trusted in both areas. And so I think, you now, those are various ways that we’re collaborating with Scott. You know, being able to identify which agencies can benefit from tech talent today, the kinds of projects that we can leverage and I think the interesting thing is, and he’s been a great partner here is, people assume that the bottleneck is getting young professionals to come in and it’s not what we’ve seen in our numbers as we’ve been recruiting is that young professionals want to serve, they want to be doing something meaningful right now. I think there’s a lot of change taking place in society, geopolitical, technological, environmental. And this is a group that’s lived through COVID. And I think when you have that kind of change and the ground feels unsettled, you don’t focus as much on yourself, but you reach out to others for stability. And I that’s what’s happening. And so in that context, I think where Scott and his team can also be helpful is helping us identify the agencies. Because right now we’re doing that relationship by relationship, but being able to more broadly go to agencies and saying, You know, look, we really think this is important.

Terry Gerton So what’s next for NobleReach? You’re talking about cohorts in the numbers around 20 or 30. Do you see a massive scaling up to classes of 100 or 150? New agencies, new exposure? What’s next?

Arun Gupta Yes and yes, Terry. You know, I think, look, our North Star has always been to scale. Our end game isn’t to have 20 or 30, which is nothing wrong with that. I just think if we want to have impact, which is what we’re trying to optimize on, scale’s important. So, you know, I think in this upcoming year, we’re looking at hundreds, a couple hundred, and that includes federal, state, and local, and we’re seeing a level of broader interest around that. You know, our goal is to continue to scale to multiple hundreds, you know, get to a thousand, and, you know, really build because I think that’s where you start to change the social narrative as well, Terry. Because there’s a broader objective here. And that is to start, you know, restoring a level of respect again, for going and serving in public service, as Wendy Kopp would say as well. Like, having students do that in the earlier part of their career has a force multiplier impact on the kinds of careers they have and the impact they have over the rest of their career. And I think we’re at that interesting inflection point where we have the potential to shift — you know, we use this term internally, like shift from why to wow. And what I mean by that is rather than people asking, when you go, say you’re going into government to do work in AI, going like, why would you do that when you can do all these other things? They go, wow, you got selected to do that, right? And it’s that initial reaction by your peers that I think starts to set a tone. And I think with the folks that we’re chatting with, partners that believe in the same thing, and we’re seeing that with governors, we’re seen that with agency heads, you see that with someone like Scott, leadership at OPM, Michael Kratios at OSTP, that there’s a real desire to kind of like get young folks energized about this, and so that’s what we’re looking to do, and I think that the potential’s there.

The post Can a year in government spark a lifetime of innovation? first appeared on Federal News Network.

© Getty Images/Tirachard

• There’s a new recruitment opportunity at Health and Human Services. The agency has just launched the Roy Wilkins Fellowship. It’s reserved for students at Historically Black Colleges and Universities, or HBCUs, who are interested in public service. Many of HHS’s divisions will host career fairs to promote the new fellowship, including the National Institutes of Health and the Centers for Disease Control and Prevention. The opportunity comes in response to an executive order President Trump signed in April, on promoting innovation at HBCU’s.
  (Department of Health and Human Services - Roy Wilkins Fellowship)
• The Senate passes the fiscal 2026 National Defense Authorization Act. The bill authorizes roughly $900 billion in defense spending, about $8 billion more than the White House requested. The legislation includes a 3.8% pay raise for military personnel, bans diversity, equity and inclusion programs and cuts funding for climate-related initiatives. Lawmakers say the bill will deliver “the most significant acquisition reforms in a generation.” The measure now heads to President Trump for his signature.
  (Senate passes NDAA, approves 3.8% military pay raise - Senate Armed Services Committee)
• A coalition of nonprofits is suing the Trump administration over its attempts to defund the Council of the Inspectors General on Integrity and Efficiency. The lawsuit filed in federal court this week argues the Office of Management and Budget is illegally withholding funds from CIGIE. OMB first declined to apportion funding for CIGIE in late September. A spokesman said the group of IGs was corrupt without offering more detail. After bipartisan pushback, OMB apportioned limited funding for CIGIE through the end of January. The council provides support and training for I-G offices across government.
  (Lawsuit filed to protect crucial oversight watchdogs from Trump-Vance administration assault - Democracy Forward)
• Agencies may soon have a new source for recruiting early-career tech talent. The Office of Personnel Management is planning to create a student volunteer program, called “semester of service.” OPM says it will partner with universities and trade schools to recruit students interested in one-semester internships in government. Part of the goal will be to make the program available across the country and outside the D.C. area. OPM is targeting an initial cohort of about 200 student interns interested in technology, with a potential to expand the program over time.
  (“Semester of service” student volunteer service program - Office of Personnel Management)
• With the Senate's passage of the 2026 defense authorization bill, the much-hated Price Reduction Clause required for vendors under the GSA schedule might officially be dead. A provision in the bill changes the statutory standard for the schedule program to "best value" from "lowest overall cost alternative." The Price Reduction Clause required vendors to provide the government with their lowest price at all times. GSA requested this provision in the NDAA as part of its long-standing move away from the PRC and toward transactional data reporting. GSA says this change will increase competition and reduce the administrative burden on contractors.
  (GSA gets a win for its schedules with NDAA provision - Venable)
• The Trump administration's top IT priorities are starting to bear fruit. Federal CIO Greg Barbaccia detailed his top three priorities for 2026 in a new video posted on X. One is hiring a qualified technology workforce. Two is improving software licensing. "And three, securing the foundation. We will be setting one standard for how government technology works for the American people, from our websites to our use of artificial intelligence." This foundation is starting to be seen in recently launched websites for the Tech Force initiative, the Merry Christmas.gov and Trump Accounts sites through the National Design Studio. Barbaccia says more details and the initial results of his first-year priorities will be released in the coming months.
  (Federal CIO’s priorities moving into implementation phase - Federal News Network)
• Defense technology companies broadly agree on what secure software looks like but say the Pentagon lacks consistent and standardized methods for attestation processes. In response to the DoD chief information officer’s requests for information, industry overwhelmingly pointed to established cybersecurity frameworks such as the National Institute of Standards and Technology’s Secure Software Development Framework for managing software and supply-chain risk. But vendors said it is unclear what qualifies as a valid attestation, what documentation must be included in a body of evidence, how often attestations are required and whether companies are allowed to self-attest.
  (Industry flags DoD’s lack of standardized software attestation processes - Federal News Network)
• House lawmakers say there should be an independent review into whether there was whistleblower retaliation at the Federal Emergency Management Agency. House Democratic leaders say the Office of Special Counsel should review whether FEMA staff who were reinstated and then put back on administrative leave were illegally retaliated against. In a letter to OSC, the lawmakers reference a finding by FEMA legal counsel that found the employees’ disclosure was protected by whistleblower laws and the FIrst Amendment. The employees were first suspended in August after signing their names to the Katrina Declaration, a public letter that warned about steep staff cuts and other changes at FEMA under the Trump administration.
  (House Dems call on OSC to review potential FEMA whistleblower retaliation - Federal News Network)
• The Postal Service is looking to open up its last-mile delivery network to more shippers, in a bid to bring in added revenue. USPS already has agreements with shipping giants like Amazon and UPS to get their packages to their final destination. But it’s giving other delivery companies an opportunity to strike similar deals. Last-mile delivery is the most expensive leg of deliveries and USPS goes to more addresses than its private-sector competitors. USPS will accept bids from companies in late January or early February.
  (Postal service plans to open last-mile delivery network to more shippers in money-raising move - Federal News Network)
• A federal judge has ordered the reversal of hundreds of layoffs finalized during the recent government shutdown. A federal judge in San Francisco says she’ll reverse the terminations of hundreds of federal employees finalized during the recent government shutdown. Unions asked the court to rescind layoffs at the departments of Education and State, as well as the Small Business Administration and the General Services Administration. These agencies sent reduction in force notices to employees before the recent government shutdown. In most cases, separations were scheduled to take effect in October or November, during the shutdown. The preliminary injunction will cover about 680 federal employees.
  (Federal judge orders reversal of hundreds of layoffs finalized during shutdown - Federal News Network)

The post There’s a new recruitment opportunity at HHS first appeared on Federal News Network.

© AP Photo/Jacquelyn Martin

President Donald Trump’s “Warrior Dividend” bonus for service members, which he suggested would be funded by tariff revenue, is actually a one-time basic allowance for housing stipend already approved by Congress, according to a senior administration official.

The $1,776 bonus payment Trump announced while addressing the nation Wednesday night will be paid using funds Congress appropriated to the Defense Department in the One Big Beautiful Bill Act, which was passed into law in July, to supplement the basic allowance for housing.

Congress appropriated $2.9 billion to supplement the basic allowance for housing, and the Pentagon will disburse $2.6 billion of that funding as a one-time payment to roughly 1.28 million active-duty service members and 174,000 Reserve Component members.

“The Secretary of War directed the department to use some of the Basic Allowance for Housing funds to provide a one-time payment to service members during this holiday season to help improve their housing and quality of life,” a DoD official told Federal News Network. 

Active-duty service members in pay grades O-6 and below are eligible for the payment, along with National Guard and Reserve members in the same grades who were on active-duty orders of 31 days or more as of Nov. 30.

This payment will be made outside of the regular pay cycle by Dec. 20. 

The senior administration official told Federal News Network the Defense Department service members who are not currently receiving housing allowances are also eligible to receive the bonus.

The basic allowance for housing funding in the Big Beautiful Bill was originally intended to address rising housing costs and reduce service members’ out-of-pocket housing expenses.

Trump suggested during his speech that the bonuses would be funded by excess tariff revenues.

“We made a lot more money than anybody thought because of tariffs, and the bill helped us along. Nobody deserves it more than our military, and I say congratulations,” Trump said.

The White House needs congressional approval to redirect tariff revenue. Trump has previously floated the idea of sending $2,000 checks to millions of Americans using tariff revenue, but Treasury Secretary Scott Bessent said the move would require congressional authorization.

“We need legislation for that,” Bessent said on Nov. 16.

Defense Secretary Pete Hegseth said the payment would be tax-free and framed it as part of the department’s effort to improve quality of life for military families.

“This has never happened before … This warrior dividend serves as yet another example of how the War Department is working to improve the quality of life for our military personnel and their families. I can think of no better Americans to receive this check right before Christmas, whether it’s for pay, housing, … all elements of what we’re doing are to rebuild our military,” Hegseth said on social media platform X. “To the American warrior, President Trump and I and the entire war department, we have your back.”

The housing stipend is expected to reach service members’ accounts about a week before they receive a 3.8% pay raise authorized in the fiscal 2026 defense policy bill the Senate approved on Wednesday.

If you would like to contact this reporter about recent changes in the federal government, please email anastasia.obis@federalnewsnetwork.com or reach out on Signal at (301) 830-2747.

The post Trump’s ‘Warrior Dividend’ for troops is housing money approved by Congress first appeared on Federal News Network.

© Federal News Network

Interview transcript

Terry Gerton You have a recent article that warns about air traffic chaos, especially related to the shutdown that we saw in November. And once again, air traffic control was sort of the straw that broke the camel’s back. What were the key pain points that you saw?

Chris Edwards Well, when the federal government doesn’t decide on its annual budget and the appropriations process, sometimes we get a government shutdown, as most of your listeners know. And sometimes when shutdowns happen, it affects the air traffic control system because the air-traffic control system is run as part of the Department of Transportation, as kind of a regular bureaucracy. And so we’ve seen this sorts of interruptions on air traffic and control in previous shutdowns 2013 and 2018. And the recent one where the government shut down for a month and millions of American airline passengers were delayed and had their flights canceled.

Terry Gerton The Department of Transportation is now offering $10,000 bonuses to air traffic controllers who had perfect attendance. Is pay the key issue here?

Chris Edwards No, I think the problem is that the funding stream of our air traffic control system is the federal government budget. And I’ve written extensively about how other countries such as Canada and the U.K. Have taken their air traffic controls system and moved it out of the regular government budget and given it a dedicated funding stream. So in Canada, they set up a non-profit corporation. They put their air traffic controllers in there, and it’s funded separately by fees on airlines and airport landings. So the stream is insulated from political battles that may happen. Back in 2016, the House Transportation Committee here in the United States passed out a bill of, out a committee that would sort of set up a Canadian-style system where we’d set a non-profit corporate entity. We’d put the air traffic control in there, and we would fund that system separately from the regular government budget.

Terry Gerton That sounds similar to the way Amtrak is run, and they’ve certainly had their funding challenges there. How would it work differently for air traffic control?

Chris Edwards So Amtrak is still reliant on the federal government for money for capital investment. The way the Canadians and the British have set up their systems is that they are completely independently funded for both the operating and the capital purposes. So the Canadian and British air traffic control systems are not subsidized, which is the way I think it should be because aviation is an industry like any other. There’s no reason why users shouldn’t pay for services. Air traffic control is a service and I think that the cost should ultimately land on people who use the air traffic system.

Terry Gerton You mentioned capital investment there. Certainly, the FAA and Department of Transportation have spent, let’s say, tens of billions of dollars trying to modernize the next-gen air traffic control. And they haven’t been very successful yet. All of those funds would be passed on to passengers, right, airport passengers? How would we get enough capital investment to really move forward in those critical functionalities?

Chris Edwards So when you move the system to the private sector, like on the non-profit system, like in Canada, the system, of course, raises money through fees, as we talked about, but can also issue bonds to raise money for capital, just like private companies do. And that system has worked really well in Canada and Britain. In fact, both Canada and Britain, in some ways, their technology is more advanced than ours on air traffic control. You touched on the next gen system. As some listeners may know, the Government Accountability Office, the inspector general for the DOT has been complaining about FAA’s poor performance on its capital upgrades for years and years in fact for over two decades now there’s a long series of government reports criticizing the FAA For the excessive bureaucracy or the risk aversion. You know, they’re not getting the job done in terms of adding the advanced technology we need in our air traffic control system.

Terry Gerton I’m speaking with Chris Edwards. He occupies the Kiltz Family Chair in Fiscal Studies at the Cato Institute. I wanna explore a couple of other things about privatization with you because you’ve also made the argument that the TSA screening function should be moved out of government funding. Talk us through that logic.

Chris Edwards So the logic there again is, is partly that, I’d like to get the politicians and their micromanagement out of some of these functions where we can. I mean, to go back to the air traffic controllers for a minute, the Washington Post had a nice story a few weeks ago about how we only have one training academy for air traffic, controllers, and we have a short and a shortage now on a lot of air traffic control facilities. This is Partly because Congress hasn’t allowed the creation of an additional training academy for traffic controllers it seems to be that’s the sort of micro that the problematic micromanagement you get when congress tries to control these sort of functions. With airport screening the idea is you decentralize the screening to individual airports, you have the Department of Transportation do safety oversight like they like they do now but the actual screening would be controlled by airports. That would give airports more flexibility to meet the sort of individual demands and unique demands the airports face. And we wouldn’t get sort of system-wide problems. We wouldn’t these system- wide mistakes. We’d get different experiences in the airports. The airports could learn from each other. The way Canada does it is they contract out their services to big expert security agencies. And many European countries do this too. The British do this. And that system works well also.

Terry Gerton What does the airline industry have to say about these proposals to privatize?

Chris Edwards Well, back in 2016, the airlines, all of them, except Delta actually supported the privatization plan passed through the House Transportation Committee. So Delta was the outlier there. Most airlines were on board with privatization back then. I think that the airlines should rethink now that we’ve had another government shutdown. I worry that the budget battles in Washington are going to get bigger and nastier. Unfortunately, in coming years, because deficits and debt are going to keep growing, there’s going to be a lot of pressure to cut spending. So I think we need to — the airlines, the air traffic controllers union and others, the other stakeholders need to — rethink the funding for air traffic control because I think the budget battles are going to get worse in Washington.

Terry Gerton So if the airlines support privatization, what are the biggest political obstacles that you see that are keeping it from happening?

Chris Edwards Well, unfortunately in the American political system, you only sort of need, you know, one sort of veto point and a whole reform plan can go down. So back in 2016, the House Transportation Committee passes the reform bill through, but the Senate Transportation Committee wasn’t too excited about it. Back then President Trump in his first term supported the plan. His transportation secretary, Elaine Chao, supported it. And the air traffic controllers union supported this privatization back in 2016 as well because, again, they’re concerned about stable funding. And they looked at the Canadian system and they could see that it works very well. Indeed, back then in 2016, members of Congress went up to Canada, looked at this system and so did our air traffic controllers union. They all thought it worked very well and looked good, and that was sort of the basis for that reform bill. Today, I think we’ve had another government shutdown. There was very damaging. Millions of passengers were inconvenienced. The economy lost money from the shutdown. I think this is time, it’s time now for Congress to rethink the structure of our air traffic control system.

Terry Gerton Air traffic control is really a global industry. I mean, you get on a plane in Dallas and you fly to Frankfurt or in Seattle and you flight to Beijing. What are our international partners in air traffic control saying about the U.S. System and how they would like it to be improved?

Chris Edwards Well, the U.S. System, you know, works well. I don’t think we’re at the leading edge of technology anymore, but it does work well. We have a giant system, but I worry about the future. The skies are getting more crowded all the time. Aviation demand is going up. The skies you’re getting more congested. Our technology is falling behind. We hear that from the GAO consistently year after year. So we’re not at the crunch point yet, but I worry. We’ve got to invest more and move that technology ahead to make progress. I mean, just to give you one example on that, the U.K. And Canada are moving ahead with what are called remote towers. These are, rather than the traditional air towers you see at airports where you have the controllers up top looking at the airfields. Visually the new idea is you put a bunch of sort of fancy technology and cameras with different sort of visual wavelengths looking at airports and you have the controllers looking at the runways on big screens with all kinds of advanced technology. These systems save money and they’re safer. And London City Airport now has a system like this in place and Canada’s moving ahead with this as well. That’s the type of technology where the FAA has been really hesitant. I think because it’s a government agency, frankly, it’s a little too risk-averse. So I think by opening up air traffic control, we get more entrepreneurs in and more innovation. And just the last point on that is, we’ve seen this with NASA or the space agency, that by opening a little bit and letting entrepreneurs like Elon Musk and Jeff Bezos get in there with new ideas, new ways of doing things, I think it’s been very beneficial for America’s space agency. So I like that same sort of innovation in air traffic control.

The post What reforms can fix our fragile air traffic control system? first appeared on Federal News Network.

© Getty Images/iStockphoto/gorodenkoff

Defense technology companies broadly agree on what secure software looks like. Less consistent, though, is industry-wide understanding of the Defense Department’s mechanisms for demonstrating security compliance. Instead, stakeholders generally see a lack of “consistent and standardized methods for attestation processes,” according to recent industry feedback.

A new summary document released by Acting DoD CIO Katie Arrington compiled and analyzed industry responses to three separate DoD requests for information on advancing and securing software for the federal government.

“Overall, there was a strong call for the DoW to define a legitimate attestation, identify what is required to complete an attestation, and to ensure consistency of these standards across the DoW,” the document states. “Additional hurdles such as resource constraints, difficulties managing supply chain opacity, and cultural barriers further underscore the intricacies of enforcing a robust secure software development practice.”

In response to the DoD CIO’s requests for information under the office’s recently launched Software Fast Track Initiative, industry overwhelmingly pointed to established cybersecurity frameworks such as the National Institute of Standards and Technology’s Secure Software Development Framework and the widely used Open Worldwide Application Security Project standards for managing software and supply-chain risk. More than 75% of respondents said they rely on NIST’s secure software framework, which aligns with DoD’s approach to software security and risk management.

But companies told Pentagon IT leadership that uncertainty around compliance remains a major obstacle. Vendors said it is unclear what qualifies as a valid attestation, what documentation must be included in a body of evidence, how often attestations are required and whether companies are allowed to self-attest to security practices or must rely on third-party assessments. Since NIST’s secure software guidance is designed as a framework rather than a checklist, vendors warned that compliance is open to interpretation and risks inconsistent application across the department.

Arrington announced the Software Fast Track, or SWFT Initiative, in April with the aim to reform the ways DoD buys, tests and authorizes secure software. Arrington has argued that the Pentagon’s existing processes for approving software are too slow. Since returning to the Pentagon in March in acting CIO capacity, she has pushed to overhaul the department’s legacy processes for buying software, namely the Risk Management Framework (RMF) and the authority to operate (ATO) approval process. She previously said she is “blowing up the RMF” and that she hopes ATOs are “something I never hear about again.”

The SWFT effort intends to shift away from rigid checklist processes toward dynamic, continuous authorization to operate. To inform the shift, the CIO office issued three requests for information asking vendors for insights around tools in use, external assessment methodologies, and how automation and artificial intelligence could help the department accelerate secure software adoption.

Not only did the first RFI, focused on Software Fast Track tools, reveal that companies are concerned about inconsistent attestation requirements, responses also flagged challenges with integrating the secure software framework into existing workflows. 

“The amount of evidence required for NIST SP 800-218 compliance would likely require automation and integration of multiple tools within existing infrastructure. Similarly, integrating manual documentation and effort into existing logical processes and workflows could be challenging,” the Software Fast Track RFI summary reads. 

At the same time, about 90% of respondents said they would provide software bills of materials — detailed inventories of the components used to build a software product — to the department. Most said those SBOMs would cover their own software.

Nearly all companies said they already perform software risk assessments and would provide DoD officials with risk assessments artifacts. Most said those artifacts are generated through automated tools, and the majority made clear “their willingness to provide these artifacts in an efficient manner through standardized formats and secure exchange processes.”

To that end, companies recommended allowing vendors to submit artifacts directly into DoD platforms such as Enterprise Mission Assurance Support Service (eMASS) through application programming interfaces to expedite software security reviews.

External assessments

Industry respondents said most companies already rely on a mix of internal and external audits to assess software security.

Internal audit functions typically include continuous monitoring, code reviews and regular red-teaming exercises designed to identify vulnerabilities before they can be exploited. Meanwhile, external assessments are often conducted by third-party auditors or independent penetration testers to provide objective validation of a company’s security posture. 

Top compliance regimes include the Federal Risk and Authorization Management Program, NIST cybersecurity standards and Service Organization Control (SOC), which “further evidences a mature security posture among organizations.”

At the same time, companies stressed that any external assessment functions would require clear guardrails. Respondents said assessment organizations should demonstrate relevant experience in high-security environments, secure data handling methodologies, established quality management and high degree of independence. Moreover, such assessments should be conducted by qualified personnel with industry-recognized certifications and a strong understanding of DoD security frameworks.

Applying automation and AI tools

Industry respondents said automation and artificial intelligence could deliver the biggest gains in speeding DoD software risk assessments, particularly by reducing manual paperwork and enabling continuous monitoring. Companies emphasized that automation and AI serve different purposes, with automation best suited for executing repetitive, rule-based tasks, while AI can “make decisions and learn to perform tasks with a human-like intelligence.”

Companies also warned about significant challenges in applying automation and AI. Vendors cited concerns around AI explainability, data quality and model reliability, noting that authorizing officials must be able to understand how risk determinations are made. 

Arrington said the Software Fast Track Initiative is on track to roll out early next year.

“People that think SWFT wouldn’t happen — joke’s on you. If it wasn’t for the furlough, that would have gone live in the beginning in November. So look in early January,” Arrington said during the Defense Information Systems Agency’s annual Forecast to Industry event on Dec. 8. “Software Fast Track: so you can ingest software and we can get it approved in days, not months and years. Making sure that we have a baseline called eMASS that can make sure that if an ATO is granted, then an ATO is reciprocated. We have the Software Assurance playbook. If anybody doesn’t know about that one, it’s when software has vulnerabilities. We work through them to remediate them, blowing up the RMF. We’re already starting to do it using continuous monitoring, the ten tenants of what it needs to be.”

The post Industry flags DoD’s lack of standardized software attestation processes first appeared on Federal News Network.

© The Associated Press

Senior House Democrats are calling on the Office of Special Counsel to investigate potential whistleblower retaliation after the Federal Emergency Management Agency renewed suspensions for FEMA employees who signed a public letter.

The FEMA staff were placed back on administrative leave despite an agency legal finding, referenced by the letter, that found the employees’ disclosure was protected by law.

In a Dec. 17 letter to acting Special Counsel Jamieson Greer, ranking members on several House committees said OSC should review the FEMA situation. OSC’s primary mission is to protect federal employees from prohibited personnel practices, especially whistleblower retaliation.

The letter comes after FEMA placed 14 signers of the “Katrina Declaration” back on administrative leave after briefly reinstating them earlier this month. At the time, a Department of Homeland Security spokeswoman said the employees “were wrongly and without authorization reinstated by bureaucrats acting outside their authority,” and that “the unauthorized reinstatement was swiftly corrected by senior leadership.”

More than 190 current and former FEMA employees signed the letter in August. FEMA subsequently placed staff who signed the letter with their names on administrative leave.

“We expect that the Office of Special Counsel will find clear evidence of whistleblower retaliation, reinstate the FEMA employees, and pursue disciplinary action against all officials who retaliated against them,” the Democrat letter states. “Should FEMA or DHS refuse to comply with your recommended actions, we urge that the case be referred to the Merit Systems Protection Board for proper enforcement.”

The letter was signed by House Homeland Security Committee Ranking Member Bennie Thompson (D-Miss.), Committee on Transportation and Infrastructure Ranking Member Rick Larsen (D-Wash.), Committee on Oversight and Reform Ranking Member Robert Garcia (D-Calif.) and Rep. Greg Stanton (D-N.Y.), ranking member on the infrastructure committee’s subcommittee on public buildings, economic development and emergency management.

Their letter references a Nov. 25 email from an employee in FEMA’s human resources branch to the supervisor of one of the suspended staff members. The email, shared with Federal News Network, references a report of investigation (ROI) and recommends the FEMA manager close the issue without any disciplinary action.

“Although the ROI substantiated the employee’s involvement with the so-called Katrina Declaration, FEMA’s legal counsel has advised that the employee’s actions are protected under the Whistleblower Protection Act (5 U.S.C. § 2302(b)(8)) and the First Amendment of the U.S. Constitution,” the employee wrote.

“These protections ensure that employees can disclose information related to misconduct, abuse, or violations of law without fear of retaliation, provided the disclosure is made in good faith and aligns with statutory protections. As a result, my recommendation is that this matter be closed with no disciplinary action,” the employee continued.

FEMA did not immediately respond to a request for comment.

Staff who signed the letter and were placed on administrative leave have claimed DHS illegally retaliated against them. In September, they wrote OSC, congressional committees, and the DHS inspector general, urging them to investigate the situation.

The Katrina Declaration letter pushes back against many changes at FEMA enacted under the Trump administration and Homeland Security Secretary Kristi Noem. It warns that staffing cuts, a lack of experienced leadership, and other shake-ups at the agency have left it less ready to respond to a major disaster than at any time since Hurricane Katrina.

Noem shot back at the letter, arguing that “the same bureaucrats who presided over decades of inefficiency are now objecting to reform.”

Meanwhile, the White House recently delayed the issuance of a long-awaited report by the Trump-appointed FEMA Review Council. The report was set to serve as a blueprint for the administration’s FEMA reforms.

The post House Dems call on OSC to review potential FEMA whistleblower retaliation first appeared on Federal News Network.

© AP Photo/Gene J. Puskar

A federal judge in San Francisco is reversing the terminations of hundreds of federal employees finalized during the recent government shutdown.

A preliminary injuction, signed Wednesday by Judge Susan Illston, orders the departments of Education and State, as well as the Small Business Administration and the General Services Administration, to rescind reduction in force notices for employees who were terminated between Oct. 1 and Nov. 12 — the start and end dates of the shutdown.

“Absent a contrary ruling from a higher court,” Illston is giving agencies until Dec. 23 to carry out the terms of her preliminary injunction.

“Defendants must do what the continuing resolution says. They may not take any further steps to implement or carry out a RIF through January 30, 2026, regardless of when the RIF notice first issued,” Illston wrote.

These agencies sent RIF notices to employees before the recent government shutdown. In most cases, separations were scheduled to take effect in October or November, during the shutdown.

The American Federation of Government Employees and the American Foreign Service Association, who are leading a lawsuit with other unions, argued agencies that finalized these RIFs during the government shutdown violated a stopgap spending bill passed by Congress that prohibited layoffs through Jan. 30, 2026.

The court issued a temporary restraining order earlier this month that blocked layoffs of nearly 250 Foreign Service officers from being finalized at the State Department. Those layoffs were originally scheduled for Nov. 10, but were pushed back to Dec. 5, and remain on hold.

The Trump administration has followed a narrower interpretation of the stopgap spending bill, and has only reinstated federal employees who received RIF notices between Oct. 1 and Nov. 12.

The continuing resolution Congress passed on Nov. 12 states that between Nov. 12, 2025 and Jan. 30, 2026, “no federal funds may be used to initiate, carry out, implement, or otherwise notice a reduction in force to reduce the number of employees within any department.”

It also states that “any reduction in force proposed, noticed, initiated, executed, implemented, or otherwise taken by an executive agency between October 1, 2025, and the date of enactment, shall have no force or effect.”

At a hearing before the U.S. District Court for the Northern District of California, Illston said she would grant the preliminary injunction requested by the unions, because the “chaotic nature of these RIFs has been continuing.”

“The continuing resolution, ending the longest shutdown the government has experienced to date, said that no federal funds would be spent RIF-ing people through Jan. 30. But that is not what is happening in some of these agencies,” Illston said.

The judge’s order will impact about 680 total federal employees. That includes nearly 250 Foreign Service officers at the State Department, 200 employees at GSA, 150 at the Education Department’s Office for Civil Rights, and nearly 80 at SBA.

During the hearing, Illston said she would consider the Justice Department’s request to delay her preliminary injunction from going into effect for a few days. This would give the Trump administration time to consider whether it will ask a federal appeals court to stay her ruling.

Illston said this would minimize some of the “whiplash” some federal employees have felt in other court cases, in which lower courts have reinstated them, only for an appeals court to allow layoffs to continue.

“They’d have to send a notice, and then another notice, and a notice saying, ‘Forget what we said yesterday.’ It would be terrible,” Illston said.

Brad Rosenberg, a DOJ attorney representing the Trump administration, said that rescinding layoffs now would be “logistically a big lift” for agencies, especially if the courts later allow those RIFs to proceed.

“If a RIF is rescinded, and if this court either decides at final judgment in this case, or if the government were to appeal, and an appellate court were to stay or vacate this Court’s preliminary injunction, government agencies would presumably have to start all over again with that, with that process, and it would be awfully hard to unscramble that egg,” Rosenberg said.

“That’s not going to provide the type of long-term relief that I suspect plaintiffs are seeking here,” he added.

Rosenberg argued that employees should bring their individual cases before the Merit Systems Protection Board. An appeals court recently allowed President Donald Trump to proceed with firing a Democratic member of the MSPB.

“This is merely the administration trying to carry out its policy objectives. And I realize that those policy objectives have consequences for individuals, and that they can be significant consequences, although we do think that those consequences can be remediated through proper channeling to the Merit Systems Protection Board,” he said.

Danielle Leonard, an attorney representing the plaintiff unions, said the “mandate was clear” from Congress, and that agencies should “nullify those RIFs.”

“We have Congress stepping in here and being incredibly clear about what the public interest needs in this very circumstance, and the public interest is in restoring these employees to their employment status and giving them clarity,” Leonard said. “Congress could have just said, ‘Stop.’ Congress could have just said, ‘Halt, let’s just freeze everything.’ They went further than that,” Leonard said.

Leonard said recently separated federal employees face “real and ongoing harm,” including eviction notices and unpaid bills.

“We have seen agencies exploit their lack of communication to keep employees in the dark, to keep them confused. They have not even told them whether they’re still employed when they directly ask. There absolutely has been harm,” she said.

AFGE National President Everett Kelley called Illston’s ruling “another victory for federal employees and for the rule of law.”

“When Congress voted to end the longest government shutdown in history, it spoke clearly and unambiguously that further reductions-in-force were prohibited, and any RIFs that occurred during the shutdown were required to be reversed. The administration’s continued defiance of that mandate is part of a troubling pattern of egregious actions against federal employees and the American public,” Kelley said.

John Dinkelman, president of the American Foreign Service Association, said Congress was clear that “reductions in force were prohibited” when it passed the continuing resolution, and that the administration’s efforts to proceed with RIFs were “unlawful.”

“Today’s ruling confirms this,” Dinkelman said.  “We will continue to fight to ensure that Foreign Service professionals are treated with the respect the law demands.”

The post Federal judge orders reversal of hundreds of layoffs finalized during shutdown first appeared on Federal News Network.

© Getty Images/iStockphoto/BrianAJackson

In outlining his top three priorities as the calendar turns into 2026, Federal Chief Information Officer Greg Barbaccia didn’t necessarily break new ground.

Barbaccia said in a video posted on X that since January, when he arrived in the position from the private sector, his focus has been on three specific areas.

“One, fixing the talent pipeline. We’re making sure we hire, train and empower the technical experts we need. We have exciting new initiatives related to that happening right now. Two, buy smarter. No more paying top dollar for tools we don’t use or can’t connect. We’re eliminating waste, duplication and decades old rules that slow us down. Follow along as we go on that journey together. And three, securing the foundation. We will be setting one standard for how government technology works for the American people, from our websites to our use of artificial intelligence,” Barbaccia said. “Over the next few months, I’ll share exactly what we’re doing and the results we’ve already seen. America is long overdue for a major tech upgrade, and we’re delivering it. My promise is simple, government tech will be transparent, efficient and worthy of the United States of America.”

Earlier this year, I was honored to be appointed White House Chief Information Officer. What do we do? The White House CIO role is about ensuring technology works for taxpayers and agency employees alike, from secure systems to seamless services. pic.twitter.com/DfMzRFfF5l

— Gregory Barbaccia (@GregBarbaccia) December 15, 2025

What is new about Barbaccia’s top priorities is how the Trump administration is starting to turn initiatives and plans into reality.

Take the goal of fixing the talent pipeline. It’s been clear the so-called Department of Government Efficiency went too far in cutting probationary employees and pushing others to take the Deferred Resignation Program. Add to that the administration’s hiring freeze, and the need to bring technology talent, along with many other types of expertise, back into government is clear.

To that end, the Office of Personnel Management is leading a new recruitment initiative, the Tech Force, with a goal of hiring 1,000 new employees for agencies that include the departments of State, Treasury, Defense, Interior, Agriculture and Labor, as well as the IRS, OPM and the General Services Administration, among many others.

OPM Director Scott Kupor wrote on his blog that these early-career engineers will work “directly with the most senior leaders across cabinet-level government agencies to tackle our nation’s top technical challenges.”

“We are going to bootstrap a network effect to fuel the next 50+ years of government hiring by demonstrating the government offers brilliant engineers the opportunity to solve the world’s most challenging and largest scale technology projects and that the private sector values this experience by translating it into awesome post-government employment opportunities,” he wrote. “The more engineers we recruit into Tech Force, the more critical technical problems we will solve, the more Tech Force graduates take their skills to the private sector – that’s the flywheel that will enable us to grow a definitive, world changing pipeline of early-career talent into the federal government.”

Priority 2: Website modernization

The creation of the Tech Force also flows into Barbaccia’s third priority around securing the foundation and setting one standard for how government technology works for the American people.

OPM, working with the National Design Studio in the White House, launched the Tech Force website for potential engineers to learn more about the program and apply to join.

NDS, led by Joe Gebbia, who is the co-founder of Airbnb, has been rolling out an updated look to federal websites, starting with several new ones like Tech Force.

Gebbia, who President Donald Trump named as the nation’s first chief design officer in August, also recently unveiled merrychristmas.gov, which is highlighting 12 days of government design history. For example, day one, Dec. 14, focused on the Works Progress Administration’s Federal Art Project’s poster program during the Great Depression, and day two, Dec. 15, highlighted the Great Seal of the United States, created in 1782.

Additionally, Gebbia today launched the new website Trumpaccounts.gov during an event at the Treasury Department, using similar design principles.

Barbaccia kicked off the website modernization effort last spring by asking agencies to consolidate and update their public-facing platforms. Barbaccia asked agencies to submit data to OMB about their public-facing websites, including the underlying technological infrastructure they run on and the contracts that support them.

The resulting data call from July showed that the 24 largest departments and agencies inventoried more than 7,200 total websites. Documents obtained by Federal News Network show agencies plan to eliminate 332 of those websites — less than 5% of their total web presence.

Priority 3: Software licenses

The software inventory and consolidation priority has been the most public facing of the three up until now.

GSA has led the effort under the OneGov strategy and now has created 15 enterprisewide software contracts with deep discounts.

Laura Stanton, the deputy commissioner of the Federal Acquisition Service at GSA, said at the recent ACT-IAC Executive Leadership Conference that 43 agencies already have taken advantage of the enterprisewide contracts for artificial intelligence, for example.

GSA also has made the specific OneGov agreements public through its IT Vendor Management Office and is providing agencies with fact sheets and help to use the new discounted deals.

Birgit Smeltzer, the acting director of the Office of IT Products within the Office of Information Technology Category (ITC) in GSA’s Federal Acquisition Service, said at the ELC conference that her office is helping others find and make the most of those OneGov deals.

“The culture shift that I’m seeing is agencies will move away from doing their own thing and come to us to help them create those contracts and get those cost savings through the OneGov strategy,” she said. “What we are hopeful for is that when the renewals start to come out [for existing contracts], we can start collecting that information and help agencies save even more money than they can on their current contract and bring them into the OneGov fold.”

The post Barbaccia’s 3 priorities for 2026 already in motion first appeared on Federal News Network.

© Amelia Brust/Federal News Network