The government’s growing enthusiasm for generative AI has produced a wave of pilots and proof-of-concepts, many accompanied by impressive-sounding metrics: thousands of users, millions of logins, glowing testimonials. Yet these numbers often say little about whether a tool is secure, compliant, scalable or delivering real mission impact.

Long story short: We’re measuring the wrong things.

Government GenAI adoption has become a numbers game, where participation metrics stand in for real impact. User counts and dashboard activity make for great talking points, but they rarely prove that the tool is even useful. It’s the digital equivalent of celebrating app downloads without asking whether anyone is successfully using it as intended.

Let’s break this down.

The illusion of progress

When agencies track logins or active users, they’re measuring engagement, not outcomes. A system can have ten thousand users and still fail to deliver the speed, accuracy or automation necessary to produce a mission advantage. Conversely, a small team using the right AI model securely and effectively can save millions, accelerate decisions and reduce workload.

The same goes for pilots. Pilots are meant to test and learn, not to be paraded as finished products. Yet too often, we treat pilots as production wins, announcing them before they’ve cleared compliance, accreditation or scalability hurdles. That’s not innovation. It’s optics.

A flashy dashboard showing usage spikes may build leadership’s confidence, but it masks deeper issues like technical debt, manual workarounds or models trained on the wrong data. We’ve confused visibility with value.

This issue is underscored by recent oversight reports, including the Government Accountability Office’s 2025 assessment of the Defense Department’s major technology programs. GAO found that despite the appearance of transparency through tools like the Federal IT Dashboard, many initiatives failed to include reliable data on cost and schedule, leaving leaders with a distorted view of progress and success.

Measuring what actually matters

If we’re serious about responsible AI, we need to measure four things that reflect real impact, not surface-level activity.

• Workflow improvement: Did the GenAI reduce time-to-decision or automate manual tasks that actually move the mission forward? In many cases, the most valuable gains come from cutting hours or days off repetitive workflows, freeing up people to focus on higher-value analysis and strategy. That is measurable productivity, not just engagement.
• Cost efficiency: Did it cut contract or operational costs without increasing risk? Generative AI that automates a labor-intensive process but still requires teams of contractors to monitor or correct it is not saving money; it’s shifting the spend. True efficiency shows up in leaner operations, fewer redundant tools, and measurable ROI against program budgets.
• Security and compliance: Is it operating at the right Impact Level (IL) and compliant with FedRAMP, Federal Acquisition Regulations Part 12, and executive orders on trustworthy AI? Too often, pilots skip these steps, forcing rework or abandonment when systems can’t pass accreditation. Security and compliance are not afterthoughts. They’re the foundation of mission-ready AI.
• Scalability and reuse: Can it expand across components, missions or agencies without a complete rebuild? The ability to deploy once and reuse securely across multiple environments is the difference between a science project and a true platform. Reuse drives standardization, lowers costs, and builds the kind of AI ecosystem government needs to sustain modernization.

These metrics are not as easy to brag about in a press release, but they tell the truth. They reveal whether an AI tool is improving decision cycles, strengthening compliance, and saving taxpayer dollars, not just generating impressive numbers.

Bridging the gap between pilots and progress

To move beyond surface-level experimentation, agencies must start investing in proven, secure solutions from day one. That means selecting tools that already meet enterprise standards for security, interoperability and governance rather than funding pilots that will never scale. Small, disconnected prototypes may demonstrate capability, but they do not deliver sustained mission impact — and impact is the only metric that matters.

True modernization requires a shift from experimentation to execution. Agencies should focus on shared architectures, reusable models and platforms that can integrate across missions. The goal isn’t more pilots, but measurable, sustainable performance that strengthens readiness, improves accountability, and delivers real returns on public investment.

The cost of complacency

As long as agencies reward activity over outcomes, taxpayers will keep paying for tools that look good but underperform. The private sector learned this lesson years ago: Dashboards and usage charts don’t pay the bills. Results do.

If the government wants to close the capability gap, it must apply the same rigor to AI performance that it applies to cybersecurity and acquisition. That means establishing clear metrics for speed to impact, mission alignment and security compliance. It means moving from “how many” to “how much better.”

Nicolas Chaillan is founder and CEO of Ask Sage.

The post Beyond vanity metrics: Rethinking AI impact in government first appeared on Federal News Network.

If you build parts for the Defense Department or the aerospace sector, you already know the files that drive your machines, such as G-code, CAD build instructions or even basic QA logs, are gold. Those digital instructions often contain controlled unclassified information or classified data. If that information leaks, the fallout could include lost contracts, compliance penalties or even national security risks that can ripple throughout the supply chain. 

But here’s the kicker: It’s not just the files themselves. Every job you run generates “downstream” data like build logs, tolerances, sensor feedback and quality checks. All of that can be just as sensitive. Too often, those outputs end up sitting unprotected on a machine’s hard drive or in a shared spreadsheet, which is a tempting target for anyone looking to steal designs or disrupt operations, or compromise a defense supply chain partner. 

The old ways don’t cut it anymore

Traditional cybersecurity in manufacturing has centered on access permissions, firewalls or antivirus software. Those are fine for keeping casual threats at bay, but they weren’t built for the fine-grained control Defense work now demands. Static permissions can’t tell if the right operator is using the right machine at the right time. And they certainly can’t guarantee the file disappears from the machine when the job ends. 

That gap leaves manufacturers vulnerable to insider threats, accidental leaks or hackers who slip past perimeter defenses. The DoD’s Cybersecurity Maturity Model Certification and similar frameworks are raising the bar by making manufacturers responsible not just for how they store sensitive files, but for how they deliver, use and retire them on the shop floor, especially when those files connect to broader supply chain operations. 

A new way to think about trust 

Forward-thinking manufacturers are moving toward what’s sometimes called a “machine trust” or “vault” model. The concept is simple to explain, even if the technology under the hood is seemingly sophisticated: 

• Start with a secure vault: Sensitive files never sit on desktops or thumb drives. They’re stored in a protected environment that only releases them when specific rules are met. 

• Verify the operator and machine: Before a job starts, the system checks the operator’s clearance, training and shift assignment — then matches the job to the correct machine. 

• Deliver files directly: The file travels straight to the machine without ever exposing its contents to the operator. The human presses “go,” but can’t copy or alter the instructions. 

• Capture the results: Once the job is complete, any data the process produced, including logs, measurements and feedback, is pulled back into the vault. 

• Wipe and log: The machine is cleared of leftovers, and a tamper-proof log is in place every step of the way.

This approach keeps sensitive information from lingering where it shouldn’t. It also creates a clean audit trail. And that’s something regulators and prime contractors increasingly expect across interconnected supply chain networks. 

Why it matters beyond defense

Although the pressure is high in defense and aerospace, the benefits apply far more broadly. Medical device makers face strict FDA rules and can’t risk leaks of proprietary designs. Energy companies worry about sabotage or espionage that could have serious safety or environmental consequences. Even commercial aerospace suppliers and advanced automotive firms are adopting these practices to protect intellectual property and maintain customer trust. 

Building confidence on the shop floor  

For manufacturers, this shift isn’t about adding red tape. It’s about ensuring your shop can keep serving high-value, high-risk customers without interruption. By tying together the operator’s identity, the machine’s authorization, and the lifecycle of every sensitive file, you reduce your attack surface dramatically. 

The manufacturing world is becoming more digital by the day, and that means the old idea of locking sensitive information in a filing cabinet is obsolete. Security now has to live where the work happens. And that’s right at the machine level. Treat your machine files and their output as critical assets, enforce zero-trust principles on the shop floor, and adopt workflows that make security automatic rather than optional. 

Rob Sims is chief technology officer and co-founder of Alchemi Data Management.   

The post Locking down the digital shop floor: Why defense manufacturers need to rethink data security first appeared on Federal News Network.

Federal teams spent the last year testing AI applications, measuring return on investment, and separating hype from reality. They identified where AI delivers results and where it falls short, gaining the experience and resources needed to drive real transformation.  

In the year ahead, we will see this shift from piloting applications to implementing AI solutions that fundamentally reshape how the government serves its citizens. Federal agencies will enter 2026 knowing what works and ready to act, positioning AI to deliver its most significant impact yet on government priorities. 

Three transformations will define this transition by breaking through decades-old modernization barriers, moving from reactive to proactive cybersecurity, and democratizing software development beyond traditional IT departments. Each build on the others to create compounding returns across government operations. 

AI-driven federal modernization at scale  

Modernization has long been a challenging government priority. With AI, agencies can finally achieve it at scale. 

Outdated IT systems and code cost the government hundreds of millions of dollars annually to maintain and operate. Still, the processes required to retire them, including code refactoring, are time-consuming and traditionally have been unable to scale. This is where AI can make long-held modernization goals attainable. 

AI-powered refactoring tools translate between programming generations, automatically converting decades-old COBOL and Fortran systems into modern, maintainable code while preserving critical business logic. These tools also identify security vulnerabilities, ensure compliance, and generate documentation throughout the modernization process. 

Legacy system updates will transform from multi-year projects to months-long sprints. Agencies that adopt AI-driven modernization will complete system updates 10 times faster than traditional approaches, freeing up resources for innovation rather than maintenance. 

Shifting from reactive to proactive security

While we can’t predict the next major cybersecurity incident, we do have the tools to change our approach to security. In the coming year, AI-powered defense systems will become one of the most effective ways to stay ahead of breaches. 

Continuous threat monitoring and automated remediation using AI will predict and prevent attacks before they occur, rather than responding after the damage is done. 

Sophisticated adversaries now have access to AI tools that can exploit vulnerabilities faster than human security teams can patch them. Without AI-powered proactive measures, agencies will struggle to keep pace with well-resourced bad actors. 

Agencies that successfully implement proactive AI security models will achieve measurably lower breach rates and faster threat response times, establishing a new benchmark for government cybersecurity excellence. 

Making everyone a developer

AI is democratizing software development across government, finally realizing the decade-old prediction that ‘everyone can be a developer.’  

This transformation extends software creation across all government roles. Mission specialists, policy experts and administrators can now build applications and automate workflows without traditional programming skills. This exponentially increases government development capacity as subject matter experts translate their domain knowledge into functional software solutions.  

 Human ingenuity drives creative problem-solving while AI handles technical implementation. This shift is accelerating rapidly, with 89% of executives expecting agentic AI to become the industry standard for software development within three years. 

AI-powered development platforms automatically maintain security and compliance standards, enabling agencies to build development capacity across all departments rather than just within IT. 

The compounding impact of AI transformation

Agencies that prioritize human-AI collaboration across modernization, cybersecurity and development will build high-performing teams that combine technical excellence with mission expertise. The combination creates capabilities that neither humans nor AI could achieve independently. 

Success requires viewing these three transformations as interconnected investments that advance together. Each capability strengthens and accelerates the others to deliver secure software faster while maintaining the highest standards of governance. 

The agencies that move first on all three fronts will set the standard for the rest of the government. More importantly, they’ll prove that transformation timelines can be measured in months, not years. 

Bob Stevens is vice president of Americas and public sector at GitLab. 

The post The year AI moves from pilots to practice: Three predictions for government in 2026 first appeared on Federal News Network.

Against the backdrop of Ukraine, growing East/West geopolitical tensions, and persistent cybersecurity attacks by nation-state threat actors, defense organizations are accelerating their efforts to harden digital infrastructure, including secure data exchange across borders and federated environments.

At its 2025 summit, for instance, NATO leaders agreed that future defense budgets must rise, and for the first time, the alliance’s spending target formally incorporates cybersecurity alongside more familiar priorities, including personnel and equipment. As a result, cyber resilience is now treated as a defined component of the broader defense investment framework.

Domestically, the U.S. military is also significantly raising its game. Announced earlier this year, the Army’s Unified Network Plan sets out a data-centric approach to modernizing networks, in an approach designed to create a secure backbone that links tactical units to command centers while embedding zero trust principles throughout. Among various other key priorities, it emphasizes resilience, interoperability with allies, and the implementation of a standardized data exchange through frameworks such as the Unified Data Reference Architecture.

The Department of the Navy’s Zero Trust Blueprint takes a similar path, laying out a phased strategy to integrate zero trust across enterprise IT and tactical systems. In particular, it mandates continuous verification of users, devices and files, and also identifies secure cross-domain transfers between classified and unclassified environments as a critical priority.

The Navy is also preparing to operate in contested environments where connectivity is unreliable, which is often referred to as denied, degraded, intermittent and limited (DDIL) scenarios. For instance, a submarine with no signal access must still operate securely, a challenge the Navy is aiming to address head-on.

The risks of reactive technologies

Despite this clear domestic and international commitment to zero trust strategies, however, an important security blind spot remains in the infrastructure of many defense organizations: file security. To explain, traditional approaches to file security were designed around perimeter control and reactive detection, technologies that remain crucial to a comprehensive approach.

A big part of the challenge, however, is that these tools, including antivirus, sandboxing and signature-based analysis, struggle to identify new or modified threats, leaving organizations particularly exposed to zero-day exploits and advanced persistent attacks. In practice, this means adversaries can exploit vulnerabilities in common formats such as PDFs, Office documents and email attachments to bypass defenses and gain a foothold inside sensitive networks.

In defense environments that require immediate and frictionless collaboration across complex domains and jurisdictions, these limitations present potentially serious risks. Specifically, files move constantly between classified and unclassified systems, between sovereign networks, and across cloud environments that host shared mission data. Once a file crosses the boundary, legacy controls cannot provide reliable security assurance, and consequently, a reliance on implicit trust or the absence of sufficient sanitization can allow hidden threats to spread laterally, with obvious consequences.

The zero trust data format

These initiatives indicate a clear direction of travel: defense organizations are moving toward architectures where data must be trusted only when verified, shared on common standards, and protected consistently across domains. The challenge lies in enforcing these principles in practice when information crosses networks, jurisdictions and classifications.

This is where Zero Trust Data Format (ZTDF) provides an essential foundation by extending zero trust to the file itself and ensuring that protection and policy travel with the data wherever it goes. It applies zero trust principles directly to individual data objects, including files, emails and structured datasets, by embedding encryption, access controls and auditability inside the data itself.

Instead of relying on the security of the network it passes through, each file carries its own protection, ensuring that policy and assurance travel with the data wherever it goes. ZTDF is also gaining traction in defense circles, having been ratified by NATO’s Combined Communications-Electronics Board as an interoperable standard for cross-border use. The underlying point is that nations need assurance that sensitive information can be shared with allies without losing control over how it is handled or exposing it to unnecessary risk.

On a broader level, these issues are indicative of a more general move towards comprehensive zero trust architectures across both public and private sectors. Civilian organizations that don’t already have adequate measures in place would be well advised to take note, particularly in light of the extremely damaging ransomware attacks that continue to make headlines.

Paul Farrington is chief product officer at Glasswall.

The post Why deeper defense collaboration demands a zero trust approach to cybersecurity first appeared on Federal News Network.

Earlier this year, the Government Accountability Office shared a report on AI agents as policymakers look to balance the promise of the new capabilities with concern about potential misuse and other unintended consequences.

The report will help support a shift that’s already happening related to AI agents. We’re no longer asking what generative AI can create, but what autonomous AI can do. These systems are no longer simply responding — now, they sense, plan and act.

The GAO’s report isn’t an “AI 101,” but rather sets a baseline for government to make informed, mission-driven choices before AI agents become haphazardly embedded in critical operations. The message is clear: Don’t just adopt AI, adopt it smart.

There are steps agencies can take to facilitate smart adoption from the start of their AI journey. To prepare, they will need to increase digital literacy, recognize and understand the shift from genAI to agentic AI and identify where they are on the spectrum of autonomy.

Increasing digital literacy

AI systems can create great efficiencies, but they also require a significant shift in thinking, skill sets and workflows for federal employees.

A major part of this is understanding the data. Government wants to move away from rigid systems of record and into an approach where data can move around freely. Users who were hired to become experts on one tool for a particular mission need to increase their understanding of all aspects of the project and the tools that touch it.

Workers who use government datasets require a deeper knowledge of this information. Government datasets are particularly complex, requiring an understanding of nuances around source, frequency of updates, data quality and legal constraints.

These users need to understand what’s available, how it’s structured and its limits in order to ask AI the right questions and receive valuable responses. Poorly framed questions can result in incomplete, inaccurate or misleading answers.

At a basic level, there are some skills all government employees need to prepare for a workplace that benefits from agentic AI.

Even non-technical staff need to understand the data landscape, enabling collaboration with IT and data teams to accelerate problem-solving and innovation. All government employees must be able to navigate dashboards and basic tools, ask sharper, more targeted questions of data and AI, recognize limitations like bias, gaps or outdated info, and make decisions informed by facts, not assumptions.

Shifting from GenAI to agentic AI

Overall, we’re seeing a major shift from AI pilots to solutions. Within that, we’re seeing an overall transition from generative to agentic AI. This requires both understanding the limits of agentic AI and how to show results and deliver return on investment.

As the GAO’s report recognizes, use of agentic AI in government is currently limited to software development and autonomous vehicles — but it ultimately will enable more complex tasks and support all federal agencies.

As government use of agentic AI expands, we’ll see increased efficiency and greater overall support for the workforce. Agentic AI shines by performing rules-based, repeatable tasks that slow humans down — ideally, it will amplify, not replace humans.

When looking to identify prime candidates for agentic AI projects, agencies should prioritize routine but labor intensive workflows that follow clear rules. These can include tasks like document processing, data entry and compliance checks.

AI is also valuable in situations where it can triage, recommend or surface insights, then passing final decision making on to a human. Knowledge management and retrieval is also an ideal function for agentic AI, helping government workers to quickly find accurate, relevant information.

There are a few ways agencies can prepare for this shift, beginning with an inventory of automation-ready workflows and investment in data readiness and workforce upskilling.

Understanding the spectrum of autonomy

Like the move from cloud-first to cloud-smart, agencies need to understand the spectrum of autonomy.

The question is not whether to use AI agents. It’s how to match the right level of autonomy to the mission, with governance scaled to the risk. As a guideline, less agentic AI is the right fit for routine, low-risk, high-volume tasks. Overall, for these types of programs, agencies should be thinking about efficiency with guardrails.

For example, cyber defense functions like detecting anomalies, auto-triaging alerts, isolating compromised assets and generating response playbooks for security analysts do not require much agentic AI support. On the other hand, tasks like autonomously containing active intrusions, dynamically adjusting network defenses and escalating only edge cases or ambiguous threats to human operators greatly benefit from the use of agentic AI.

Similarly in the realm of logistics and supply chain, tasks like anticipating demand surges using predictive analytics, automatically initiating replenishment and suggesting optimized delivery routes for approval only require a low level of agentic AI, while it plays a more significant role for dynamic rerouting shipments in response to disruptions or coordination of cross-agency assets.

Through reports like the recent one from GAO and other guidelines and efforts by the federal government, agencies are positioned for significant progress and increased efficiencies in the years to come. Agentic AI will undeniably become a core piece of agencies’ technology toolsets — now is the time to prepare.

Laura Stash is executive vice president of solutions architecture at iTech AG.

The post GAO on AI agents: Lead with intelligent AI adoption first appeared on Federal News Network.

After a failed attempt earlier this year, President Trump is poised to sign an executive order that would pre-empt states from enacting their own forms of AI regulation. While the exact text is unknown today, a draft was previously leaked that outlines how the Trump administration would leverage the Justice Department to challenge state AI laws, in an attempt to cast regulation of AI as both an issue of interstate commerce — solidly in federal jurisdiction — and a blocker to innovation needed to maintain a strong national security posture. However, signing this EO will only inject further uncertainty into the regulatory landscape, spur prolonged legal battles, and undermine the Trump administration’s goals to unleash AI innovation.

The EO will make the AI trust gap worse

An EO that punishes states for attempting to introduce trust and oversight into the ecosystem will actually have the inverse intended effect. A KPMG study from Spring 2025 showed that 59% of  Americans surveyed simply do not trust AI systems. This sentiment has been registered in similar studies, which translates to a majority of Americans distrusting AI systems, or at the very least, remaining skeptical.

Implementing the EO would further exacerbate the distrust because there will be fewer barriers to prevent bad actors from entering the ecosystem. The threat of bad actors manipulating and harnessing AI with malintentions can further degrade trust in AI systems, which can slow AI investment and innovation, in addition to impacts on consumer and business confidence in AI. However, even when bad actors can be properly contained, the perception of AI being unregulated could erode trust, especially in highly regulated sectors like the public sector, healthcare or finance. Lower trust means lower AI adoption rates at a time when AI companies may need it most. There is an existing ‘adoption and revenue gap’ in the AI space, which has led to legitimate fears of an AI bubble. A burst in this bubble could be disastrous for AI investment and slow the growth of US AI companies.

In addition, regulation itself functions as a form of risk transference. Without clear regulatory guardrails, organizations, especially those in highly regulated sectors, must assume full responsibility for evaluating, validating and monitoring AI systems. This significantly increases the perceived liability of deploying AI. For example, the CIO of a large hospital system is far less likely to approve a new AI tool if their organization must shoulder the entire burden of due diligence and potential downstream harm.

We believe in a balanced, shared responsibility model on risk. Well-designed, evidence-backed regulations shift part of this burden to regulators, who establish baseline safety, transparency and accountability requirements. When some categories of risk are managed at the regulatory level, individual organizations face lower overhead, less uncertainty, and fewer barriers to adoption. This risk-sharing effect reduces friction in the market and can meaningfully accelerate AI procurement decisions.

Without such regulatory scaffolding, every enterprise must reinvent its own governance framework, often at great cost, which slows adoption and contributes to the current “adoption and revenue gap” facing AI companies. At a time when confidence in AI markets is fragile, the absence of regulation can amplify uncertainty, reduce investment appetite, and heighten the risk of an AI bubble contraction.

Inevitable lawsuits will further fragment AI ecosystem

According to the leaked draft, the EO’s main order directs the DOJ to establish a task force to evaluate state AI laws for any onerous impacts and sue states for enacting “unconstitutional” AI laws. States have been preparing for this and will almost immediately sue the Trump administration once the EO is signed. While the states and the federal government fight it out in the courts, companies will be caught in the crossfire as they wait for judges to decide whether enforcement deadlines can come into effect while litigation is pending. Compliance with existing state laws, some of which address AI in critical sectors such as insurance and healthcare, would also be thrown into disarray as the courts decide whether the executive branch can unilaterally pre-empt state legislatures.

If the regulatory ecosystem was already messy and difficult to navigate, then a nationwide legal battle over AI and federalism will only intensify the problem. Companies are already struggling to understand their obligations under laws in places like California, Colorado, Utah and Texas. Pulling the rug out from under these companies means that countless dollars will be spent trying to anticipate whether their compliance programs will be relevant or necessary in a couple of years.

A solution in search of a problem

A key complaint about state laws is that they miss the mark on addressing critical issues through the AI supply chain. Issues such as allocating liability, workforce displacement, and training data sources remain largely untouched by state laws. Instead, state lawmakers have prioritized high-level rules for frontier models providers, which have left companies struggling to answer these legal questions on their own. The EO would not offer much help and would actually hinder progress towards fixing these gaps. Leaving the questions unanswered makes it difficult for companies to confidentially invest in trustworthy AI products and services.

What needs to happen next?

Sidelining state legislatures is not the answer to accelerating AI innovation and improving AI adoption. In some respects, having a federal AI law to set the floor on how AI technologies can be developed with trust and security in mind will calm the uncertain regulatory seas. However, states also have a vital role to play when it comes to how AI can be used in certain instances. For instance, states handle insurance regulations and it would make sense to allow them to pass laws that speak to their unique markets. At the end of the day, the best outcome for AI innovation is when states and the federal government work in tandem to build a robust, common sense regulatory safety net that provides companies with clear and simplified rules of the road.

Andrew Gamino-Cheong is co-founder and CTO of Trustible.

The post AI executive order could deepen trust crisis, not solve it first appeared on Federal News Network.

The U.S. government is seeing increasing cyber and physical threats targeting the critical infrastructure Americans rely on every day, including federal systems. Just last month, U.S. officials issued an emergency directive ordering federal agencies to defend their networks against hackers exploiting flaws in Cisco’s software. In July, an investigation revealed that engineers based in China were given indirect access to the cloud platform used by multiple federal agencies. And last year, a Chinese espionage group targeted at least 200 U.S. organizations, including the Army National Guard, in an operation known as Salt Typhoon.

Cyberthreats to U.S. government systems are a significant national security risk that expose the country to spying, sabotage and more. In light of these threats, it might be tempting for federal agencies and other recently-hacked government organizations to hunker down or seek refuge in a traditional GovCloud. Doing so may give the illusion of a quick fix, but will ultimately undermine President Trump’s priorities and U.S. national security, and is a step backwards technologically.

To understand why a return to GovClouds is such a bad idea, it is worth revisiting the history behind why the government has shifted from GovClouds to commercial clouds in the first place. The emergence of modern cloud technology in the early 2000s fundamentally changed enterprise IT, including how the U.S. government operates. For decades prior, federal agencies relied on government-owned servers to store data and run their networks. Taking advantage of the cloud, however, meant relocating those functions to off-site data centers managed by private companies and, as a result, relinquishing some control over who managed and accessed their information.

In 2011, the U.S. government started the Federal Risk and Authorization Management Program (FedRAMP) to safely accelerate federal agencies’ adoption and secure use of cloud services. To sell cloud products to the government, companies had to prove that any personnel handling federal data had the proper authorizations and background screenings. The approach made sense at the time, because the goal was to provide a standardized approach to security assessments and authorizations as this new technology was adopted.

However, FedRAMP — and the Defense Information Systems Agency, which manages the evaluation and authorization of cloud services for the Defense Department — led many cloud providers to create separate cloud environments dedicated to serving federal agencies, GovClouds, rather than running government workloads in their commercial cloud environments. While this made compliance with the assessments and authorizations easier, it came at a cost: GovClouds badly lagged behind commercial cloud in terms of capacity, performance and security, with less than 5% of government cloud environments possessing the full characteristics of current cloud computing.

GovClouds are isolated environments and are slow to roll out security updates and new features, including AI, therefore limiting the public sector’s access to rapidly advancing technologies. Isolation may seem like a good idea that reduces external threats, but it does little to eliminate insider threats — which account for the majority of data breaches — and it deprives government customers of the constant learning and adaptation of commercial technology.

Over time, these problems pushed federal agencies away from GovClouds in favor of the evident security and performance advantages of commercial cloud: continuous roll out of new features and updates, consolidated security operations that take advantage of economies of scale and scope, and lower cost.

GovClouds are also very expensive to build and operate, and those costs are passed onto American taxpayers. These are among the reasons why President Donald Trump issued an executive order tasking federal agencies to adopt commercial solutions for federal contracts wherever possible.

In light of recent events, it would be a colossal mistake for the government to retreat to GovClouds now — especially as it increasingly looks to adopt AI. President Trump’s AI Action Plan put forward an ambitious strategy to ensure American AI leadership abroad, but also to use AI to transform the federal government. The computing power necessary for that transformation will be immense and only increase year after year — and a GovCloud will not be able to keep up. Following through on the President’s AI Action Plan will simply require more than what GovClouds can offer.

As the U.S. government faces increasingly severe cyber threats, let’s not forget the lessons of the past. GovClouds are the technological equivalent of the Maginot Line: expensive, easy to quantify and seemingly impregnable, but unable to defend against modern attacks. The federal government needs to look forward, not back, to secure its systems and push toward President Trump’s vision for the future.

Andrew Grotto founded and directs the program on geopolitics, technology and governance at Stanford University’s Center for International Security and Cooperation. He serves as the faculty lead for the cyber policy and security specialization in Stanford’s master’s in international policy program, where he teaches courses on cyber policy and economic statecraft. He is also a visiting fellow at the Hoover Institution. He was the senior director for cyber policy on the National Security Council in the Obama and Trump administrations.

The post Look forward, not back, in response to cyber threats first appeared on Federal News Network.

For years, the conversation about artificial intelligence in government focused on model development — how to train algorithms, deploy pilots and integrate machine learning into existing workflows. That foundation remains critical. But today, federal leaders are asking a different question: What does an AI-native government look like?

The answer may lie in AI agents — autonomous, adaptive systems capable of perceiving, reasoning, planning and acting across data environments. Unlike traditional AI models that provide insights or automate discrete tasks, AI agents can take initiative, interact with other systems, and continuously adapt to mission needs. These systems depend on seamless access to 100% of mission-relevant data, not just data in a single environment. Without that foundation — data that’s unified, governed and accessible across hybrid infrastructures — AI agents remain constrained tools rather than autonomous actors. In short, they represent a move from static tools to dynamic, mission-aligned infrastructure.

For federal agencies, this shift opens up important opportunities. AI agents can help agencies improve citizen services, accelerate national security decision-making, and scale mission delivery in ways that were once unthinkable. But realizing that potential requires more than adopting new technology. It requires building the digital foundations (data architectures, governance frameworks and accountability measures) that can support AI agents as core elements of federal digital infrastructure.

A new phase for AI: Why agents are different

Federal agencies have decades of experience digitizing processes: electronic health records at the Department of Veterans Affairs, online tax filing for the IRS, and digital services portals for immigration at Customs and Immigration Services and the Department of Homeland Security. AI has expanded those capabilities by enabling advanced analytics and automation. But most government AI systems today remain tethered to narrowly defined functions. They can classify, predict or recommend, but they do not act independently or coordinate across environments.

AI agents are different. Think of them as mission teammates rather than tools. For example, in federal cybersecurity, instead of just flagging anomalies, an AI agent could prioritize threats, initiate containment steps and escalate issues to human analysts — all while learning from each encounter. In citizen-facing services, an AI agent could guide individuals through complex benefit applications, tailoring support based on real-time context rather than static forms.

This evolution mirrors the shift from mainframes to networks, or from static websites to dynamic cloud platforms. AI agents are not simply another application to bolt onto existing workflows. They are emerging as a new layer of digital infrastructure that will underpin how federal agencies design, deliver and scale mission services.

Building the foundations: Beyond silos

To function effectively, AI agents need access to diverse, distributed data. They must be able to perceive information across silos, reason with context and act with relevance. That makes data architecture the critical enabler.

Most federal data remains fragmented across on-premises systems, multi-cloud environments and interagency ecosystems. AI agents cannot thrive in those silos. They require hybrid data architectures that integrate separate sources, ensure interoperability and provide governed access at scale.

By investing in architectures that unify structured and unstructured data, agencies can empower AI agents to operate seamlessly across environments. For instance, in disaster response, an AI agent might simultaneously draw on Federal Emergency Management Agency data, National Oceanic and Atmospheric Administration weather models, Defense Department logistics systems, and public health records from the Department of Health and Human Services — coordinating actions across federal entities and with state partners. Without hybrid architectures, that level of coordination is impossible.

The second layer: Governance, trust, transparency

Equally as important is governance. Federal leaders cannot separate innovation from responsibility. AI agents must operate within clear rules of transparency, accountability and security. Without trust, their adoption will stall.

Governance begins with ensuring that the data fueling AI agents is accurate, secure and responsibly managed. It extends to monitoring agent behaviors, documenting decision processes, and ensuring alignment with legal and ethical standards. Federal agencies must ask: How do we verify what an AI agent did? How do we ensure its reasoning is explainable? How do we maintain human oversight in critical decisions?

By embedding governance frameworks from day one, agencies can avoid the pitfalls of opaque automation. Just as cybersecurity became a foundational consideration in every IT system, governance must become a foundational consideration for every AI agent deployed in the federal mission space.

For the federal government, trust is also non-negotiable. Citizens are owed AI agents that act fairly, protect their data, and align with democratic values. Transparency through being able to see how decisions are made and how outcomes are validated will be essential to earning that trust.

Agencies can lead by adopting principles of responsible AI: documenting model provenance, publishing accountability standards, and ensuring diverse oversight. Trust is not a constraint; it is a mission enabler. Without it, the promise of AI agents will remain unrealized.

Preparing today for tomorrow

The question for federal leaders is not whether AI agents will shape the future of government service; it is how quickly agencies will prepare for that future. The steps are clear:

• Invest in data infrastructure: Build hybrid, interoperable architectures that give AI agents access to 100% of mission-relevant federal data, wherever it resides.
• Embed governance from the start: Establish frameworks for transparency, accountability and oversight before AI agents scale.
• Cultivate trust: Communicate openly with citizens, publish standards and ensure that AI systems reflect public values.
• Experiment with mission scenarios: Pilot AI agents in targeted federal use cases (cyber defense and benefits delivery, for instance) while developing playbooks for broader adoption.

We are at a turning point. Just as networks and cloud computing became indispensable layers of federal IT, AI agents are poised to become the next foundational layer of digital infrastructure. They will not replace federal employees, but they will augment them — expanding capacity, accelerating insight, and enabling agencies to meet rising expectations for speed, precision and personalization.

The future of the federal government will not be built on static systems. It will be built on adaptive, agentic infrastructure that can perceive, reason, plan and act alongside humans. Agencies that prepare today — by investing in hybrid architectures, embedding governance and cultivating trust — will be best positioned to lead tomorrow.

In the coming years, AI agents will not just support federal missions. They will help define them. The question is whether agencies will see them as one more tool, or as what they truly are: the next layer of digital infrastructure for public service.

Dario Perez is vice president of federal civilian and SLED at Cloudera.

The post AI agents: The next layer of federal digital infrastructure first appeared on Federal News Network.

If 2025 felt like a whirlwind for regulatory compliance, you’re not imagining it. Between the finalization of Cybersecurity Model Maturity Certification 2.0 rules, the launch of FedRAMP’s 20x initiative promising faster authorizations, and new AI governance requirements from the Office of Management and Budget and the National Institute of Standards and Technology, organizations working with federal agencies faced enormous regulatory change.

As we head into 2026, the tempo isn’t slowing. The Defense Department is phasing CMMC into contracts to protect the defense industrial base. FedRAMP continues evolving as more agencies migrate critical systems to the cloud. And AI regulations are moving from principles to prescriptive requirements as governments grapple with the risks and opportunities of deploying AI at scale.

After leading hundreds of companies through compliance journeys and assessments — and going through them ourselves — we’ve learned that while each framework has nuances, three universal lessons apply.

Three lessons that apply to each framework

1) These frameworks are not like the ones you already know.

The biggest mistake? Treating CMMC like SOC 2 or assuming FedRAMP is “ISO 27001 for government.”

For example, CMMC Level 2 requires implementing all 110 NIST 800-171 requirements and 320 assessment objectives. Your system security plan alone could reach 200 pages. Budget more time, resources and specialized expertise than you think you need.

2) Scoping is a critical first step that organizations often get wrong.

Determining what’s in scope is one of the hardest and most important steps. I’ve seen companies believe 80% of infrastructure was in scope for CMMC, only to learn it was closer to 30%. Be ruthless about where controlled unclassified information actually lives. Every system you include can add months of work and tens of thousands in costs.

For FedRAMP, define your authorization boundary early. For AI governance, inventory every AI system, including embedded features in SaaS tools. Invest in scoping before implementing controls.

3) Automation is mission-critical, not optional.

Manual processes don’t scale when juggling multiple frameworks, and they leave you vulnerable to errors and inefficiencies. That’s why FedRAMP 20x and other frameworks today are evolving to put automation at the center of the process. Organizations that want continuous improvement must treat automation as core infrastructure, especially for monitoring controls, collecting evidence and surfacing real-time compliance data.

The real cost of playing catch-Up

Companies treating compliance as a last-minute sprint face hundreds of thousands of dollars in average costs for CMMC Level 2 alone. They scramble, rush documentation and often fail their first assessment — and non-compliance can come at a hefty price.

Organizations that delay addressing compliance gaps are vulnerable to security risks. IBM’s 2025 Cost of a Data Breach Report showed that noncompliance with regulations increases the average cost of a breach by nearly $174,000.

Regulatory actions are rising too. The Department of Health and Human Services’ Office for Civil Rights issued 19 settlements and over $8 million in fines for HIPAA violations this year to date, already the highest on record for a single year.

Organizations that start early spend less and use compliance as a competitive advantage. When you’re behind, compliance is a burden; when you’re ahead, it’s a differentiator.

What you need to know right now

For CMMC 2.0

If you’re a prime contractor, subcontractor handling CUI, or external service provider in the DoD supply chain, start now.

Identify what type of information you handle, what certification level you need, and define your scope. Build your system security plan early and categorize assets as CUI, security-protected, contract-risk managed or out of scope.

When selecting a C3PAO assessor, look for transparent pricing, strong references and clear data-handling processes. You can achieve conditional certification with a plan of action and milestones, but you have only 180 days to remediate and must score at least 80% in SPRS.

For FedRAMP 20x

Keep in mind that FedRAMP isn’t a one-time audit. The true 20x objective is not just to speed up authorizations, but to achieve smarter and stronger security — and this requires preparation.

These steps are non-negotiable:

• Build continuous monitoring infrastructure and processes from day one.
• Ensure your authorization boundary is correct and your architecture documentation is precise. Ambiguity causes delays that stretch timelines beyond a year.
• Automate evidence collection and continuous monitoring for monthly deliverables required to maintain authorization.

For AI governance

Federal AI regulations are quickly moving from principles to requirements. Establish AI governance councils now. Inventory AI systems comprehensively, document training data provenance, implement bias testing protocols and create transparency mechanisms.

As OMB and NIST frameworks take hold, AI governance will become a standard procurement requirement through 2026.

Five steps to start today

1) Start with an honest gap assessment.

Most companies are further behind than they think, particularly on incident response and supply chain risk management. Know your baseline before building your roadmap.

2) Treat documentation like code.

Your system security plan, policies and authorization package shouldn’t be static Word documents. Your documentation needs to be a living architecture that is version-controlled, regularly updated and, ideally, machine readable.

3) Build compliance into procurement.

Create vendor risk assessment processes that evaluate CMMC readiness, FedRAMP authorization status and AI governance practices before signing contracts. For CMMC, ensure vendors provide Customer Responsibility Matrices documenting which NIST 800-171 controls they are responsible for.

4) Invest in your people.

Build exceptional compliance programs by upskilling existing staff. Send operations teams to CMMC training. Have developers learn secure coding for FedRAMP environments. Create AI literacy programs. Make compliance competency a core skill.

5) Prepare for continuous monitoring.

CMMC includes provisions for ongoing assessments and affirmations of compliance. FedRAMP requires continuous monitoring. AI governance demands continuous bias testing. Invest in automation systems and tools like trust centers that are able to demonstrate your up-to-date security and compliance posture any day of the year.

The opportunity in the complexity

Despite the challenges, companies getting compliance right are winning work they couldn’t before. Defense contractors and small businesses can use CMMC certification to compete for prime contracts. Cloud service providers who achieve FedRAMP authorization can significantly accelerate their federal sales cycles, cutting months from procurement timelines. AI startups land pilots by demonstrating responsible AI practices.

The companies that thrive treat compliance as something they control, not something that happens to them. They build security-first cultures, invest in the right tools and training, and transform compliance from cost center to competitive advantage.

The best time to start was yesterday. The second-best time is today, because 2026 promises even more compliance complexity, and it’s coming faster than you think.

Shrav Mehta is the founder and CEO of Secureframe.

The post Getting ahead of CMMC, FedRAMP and AI Compliance before it gets ahead of you first appeared on Federal News Network.

America’s AI Action Plan outlines a comprehensive strategy for the country’s leadership in AI. The plan seeks, in part, to accelerate AI adoption in the federal government. However, there is a gap in that vision: agencies have been slow to adopt AI tools to better serve the public. The biggest barrier to adopting and scaling trustworthy AI isn’t policy or compute power — it’s the foundation beneath the surface. How agencies store, access and govern their records will determine whether AI succeeds or stalls. Those records aren’t just for retention purposes; they are the fuel AI models need to power operational efficiencies through streamlined workflows and uncover mission insights that enable timely, accurate decisions. Without robust digitalization and data governance, federal records cannot serve as the reliable fuel AI models need to drive innovation.

Before AI adoption can take hold, agencies must do something far less glamorous but absolutely essential: modernize their records. Many still need to automate records management, beginning with opening archival boxes, assessing what is inside, and deciding what is worth keeping. This essential process transforms inaccessible, unstructured records into structured, connected datasets that AI models can actually use. Without it, agencies are not just delaying AI adoption, they’re building on a poor foundation that will collapse under the weight of daily mission demands.

If you do not know the contents of the box, how confident can you be that the records aren’t crucial to automating a process with AI? In AI terms, if you enlist the help of a model like OpenAI, the results will only be as good as the digitized data behind it. The greater the knowledge base, the faster AI can be adopted and scaled to positively impact public service. Here is where agencies can start preparing their records — their knowledge base — to lay a defensible foundation for AI adoption.

Step 1: Inventory and prioritize what you already have

Many agencies are sitting on decades’ worth of records, housed in a mix of storage boxes, shared drives, aging databases, and under-governed digital repositories. These records often lack consistent metadata, classification tags or digital traceability, making them difficult to find, harder to govern, and nearly impossible to automate.

This fragmentation is not new. According to NARA’s 2023 FEREM report, only 61% of agencies were rated as low-risk in their management of electronic records — indicating that many still face gaps in easily accessible records, digitalization and data governance. This leaves thousands of unstructured repositories vulnerable to security risks and unable to be fed into an AI model. A comprehensive inventory allows agencies to see what they have, determine what is mission-critical, and prioritize records cleanup. Not everything needs to be digitalized. But everything needs to be accounted for. This early triage is what ensures digitalization, automation and analytics are focused on the right things, maximizing return while minimizing risk.

Without this step, agencies risk building powerful AI models on unreliable data, a setup that undermines outcomes and invites compliance pitfalls.

Step 2: Make digitalization the bedrock of modernization

One of the biggest misconceptions around modernization is that digitalization is a tactical compliance task with limited strategic value. In reality, digitalization is what turns idle content into usable data. It’s the on-ramp to AI driven automation across the agency, including one-click records management and data-driven policymaking.

By focusing on high-impact records — those that intersect with mission-critical workflows, the Freedom of Information Act, cybersecurity enforcement or policy enforcement — agencies can start to build a foundation that’s not just compliant, but future-ready. These records form the connective tissue between systems, workforce, data and decisions.

The Government Accountability Office estimates that up to 80% of federal IT budgets are still spent maintaining legacy systems. Resources that, if reallocated, could help fund strategic digitalization and unlock real efficiency gains. The opportunity cost of delay is increasing exponentially everyday.

Step 3: Align records governance with AI strategy

Modern AI adoption isn’t just about models and computation; it’s about trust, traceability, and compliance. That’s why strong information governance is essential.

Agencies moving fastest on AI are pairing records management modernization with evolving governance frameworks, synchronizing classification structures, retention schedules and access controls with broader digital strategies. The Office of Management and Budget’s 2025 AI Risk Management guidance is clear: explainability, reliability and auditability must be built in from the start.

When AI deployment evolves in step with a diligent records management program centered on data governance, agencies are better positioned to accelerate innovation, build public trust, and avoid costly rework. For example, labeling records with standardized metadata from the outset enables rapid, digital retrieval during audits or investigations, a need that’s only increasing as AI use expands. This alignment is critical as agencies adopt FedRAMP Moderate-certified platforms to run sensitive workloads and meet compliance requirements. These platforms raise the baseline for performance and security, but they only matter if the data moving through them is usable, well-governed and reliable.

Infrastructure integrity: The hidden foundation of AI

Strengthening the digital backbone is only half of the modernization equation. Agencies must also ensure the physical infrastructure supporting their systems can withstand growing operational, environmental, and cybersecurity demands.

Colocation data centers play a critical role in this continuity — offering secure, federally compliant environments that safeguard sensitive data and maintain uptime for mission-critical systems. These facilities provide the stability, scalability and redundancy needed to sustain AI-driven workloads, bridging the gap between digital transformation and operational resilience.

By pairing strong information governance with resilient colocation infrastructure, agencies can create a true foundation for AI, one that ensures innovation isn’t just possible, but sustainable in even the most complex mission environments.

Melissa Carson is general manager for Iron Mountain Government Solutions.

The post Three steps to build a data foundation for federal AI innovation first appeared on Federal News Network.

The Justice Department recently resolved several investigations into federal contractors’ cybersecurity requirements as part of the federal government’s Civil Cyber-Fraud Initiative. The initiative, first announced in 2021, ushered in the DOJ’s efforts to pursue cybersecurity-related fraud by government contractors and grant recipients pursuant to the False Claims Act. Since then, the DOJ has publicly announced approximately 15 settlements against federal contractors, with the DOJ undoubtedly conducting even more investigations outside of the public’s view.

As an initial matter, these latest settlements signal that the new administration has every intention of continuing to prioritize government contractors’ cybersecurity practices and combating new and emerging cyber threats to the security of sensitive government information and critical systems. These settlements also coincide with the lead up to the Nov. 10 effective date of the Defense Department’s final rule amending the Defense Federal Acquisition Regulation Supplement, which incorporates the standards of the Cybersecurity Maturity Model Certification.

Key DOJ cyber-fraud decisions

The first of these four recent DOJ settlements was announced in July 2025, and resulted in Hill Associates agreeing to pay the United States a minimum of $14.75 million. In this case, Hill Associates provided certain IT services to the General Services Administration. According to the DOJ’s allegations, Hill Associates had not passed the technical evaluations required by GSA for a contractor to offer certain highly adaptive cybersecurity services to government customers. Nevertheless, the contractor submitted claims charging the government for such cybersecurity services, which the DOJ alleged violated the FCA.

The second settlement, United States ex. rel. Lenore v. Illumina Inc., was announced later in July 2025, and resulted in Illumina agreeing to pay $9.8 million — albeit with Illumina denying the DOJ’s allegations. According to the DOJ, Illumina violated the FCA by selling federal agencies, including the departments of Health and Human Services, Homeland Security and Agriculture, certain genomic sequencing systems that contained cybersecurity vulnerabilities. Specifically, the DOJ alleged that with respect to the cybersecurity of its product, Illumina: (1) falsely represented that its software and systems adhered to cybersecurity standards, including standards of the International Organization for Standardization and National Institute of Standards and Technology; (2) knowingly failed to incorporate product cybersecurity in its software design, development, installation and on-market monitoring; (3) failed to properly support and resource personnel, systems and processes tasked with product security; and (4) failed to adequately correct design features that introduced cybersecurity vulnerabilities.

That same day, the DOJ announced its third settlement, which was with Aero Turbine Inc., and Gallant Capital Partners, LLC (collectively, “Aero”), and resulted in a $1.75 million settlement. This settlement resolved the DOJ’s allegations that Aero violated the FCA by knowingly failing to comply with the cybersecurity requirements of its contract with the Department of the Air Force. Pursuant to the contract, Aero was required to implement the security requirements outlined by NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” but failed to fully do so. This included failing to control the flow of and limit unauthorized access to sensitive defense information when it provided an unauthorized Egypt-based software company and its personnel with files containing sensitive Defense information.

The fourth and latest DOJ settlement was announced in Sept. 2025, and resolved the DOJ’s FCA lawsuit against the Georgia Tech Research Corporation. As part of the settlement, GRTC agreed to pay $875,000 to resolve allegations resulting from a whistleblower complaint that it failed to meet the cybersecurity requirements in its DoD contracts. Specifically, the DOJ alleged that until December 2021, the contractor failed to install, update or run anti-virus or anti-malware tools on desktops, laptops, servers and networks while conducting sensitive cyber-defense research for the DoD. The DOJ further alleged that the contractor did not have a system security plan setting out cybersecurity controls, as required by the government contract. Lastly, the DOJ alleged that the contractor submitted a false summary level cybersecurity assessment score of 98 to the DoD, with the score being premised on a “fictitious” environment, and did not apply to any system being used to process, store or transmit sensitive Defense information.

Takeaways for federal contractors

These recent enforcement actions provide valuable guidance for federal contractors.

• DOJ has explicitly stated that cyber fraud can exist regardless of whether a federal contractor experienced a cyber breach.
• DOJ is focused on several practices to support allegations of cyber fraud, including a federal contractor’s cybersecurity practices during product development and deployment, as well as contractors’ statements regarding assessment scores and underlying representations.
• DOJ takes whistleblower complaints seriously, with several of these actions stemming from complaints by federal contractors’ former employees.
• To mitigate these risks, federal contractors should ensure that they understand and operationalize their contractual obligations, particularly with respect to the new DFARS obligations.
• Federal contractors would be well advised to:
  • (1) review and understand their cybersecurity contractional obligations;
  • (2) develop processes to work with the appropriate internal teams (information security, information technology, etc.) to ensure that contractual obligations have been appropriately implemented; and
  • (3) develop processes to monitor compliance with the contractual obligations on an ongoing basis.

Joshua Mullen, Luke Cass, Christopher Lockwood and Tyler Bridegan are partners at Womble Bond Dickinson (US) LLP.

The post Cybersecurity in focus: DOJ aggressively investigating contractors’ cybersecurity practices first appeared on Federal News Network.

The Cyberspace Solarium Commission’s (CSC 2.0) annual implementation report has sparked fresh concern from representatives and cybersecurity leaders that U.S. cyber progress is slowing. Bureaucratic delays, budget constraints and uneven policy follow-through, particularly around the Cybersecurity and Infrastructure Security Agency’s authorities and funding, are all apparent.

But does this paint the full picture of the technical implementation and enforcement of U.S. cybersecurity? Hardly.

Beneath the policy layer, the technical and strategic modernization of U.S. cybersecurity is actually accelerating faster than ever. While there’s a lot of doom and gloom at the civilian policy level, it’s important we acknowledge the progress individual agencies have made and provide constructive steps to continue to capitalize on that progress.

A defining moment came with the finalization of the CMMC 2.0 rule, which is now effective and entered its first implementation phase on Nov. 10. More than 80,000 defense industrial base vendors will be required by contract to comply with rigorous cybersecurity controls aligned to NIST 800-171, with a hard assessment deadline in 2026.

CMMC 2.0 ensures that cybersecurity is no longer a checkbox exercise or a “nice-to-have” policy objective. It’s now a legal and contractual requirement. By the time full assessments begin in 2026, the Defense Department will have reshaped the entire DIB into a verified ecosystem of secure software and systems providers.

That’s a significant milestone that will set the stage for the operationalization of accountability for government technology.

Equally as transformative is the DoD’s quiet revolution in risk management. In September 2025, the DoD introduced its Cybersecurity Risk Management Construct (CRMC). This is a long-awaited, direct successor to the outdated, paperwork-heavy Risk Management Framework.

The new construct adopts the continuous authority to operate (cATO) model, enabling near-real-time monitoring and risk response. It’s a move away from static compliance documentation toward dynamic, data-driven assurance, reflecting the pace of modern software delivery.

The DoD’s transformation is being powered by the Software Fast Track (SWFT) initiative, launched in mid-2025 to modernize acquisition. SWFT brings DevSecOps automation directly into the authorization process, ensuring secure software can reach warfighters faster and without compromising security. It’s a fundamental shift from compliance to continuous validation.

Lastly, the CSC 2.0’s report doesn’t touch on the work being done by the National Institute of Standards and Technology to operationalize the AI Risk Management Framework for 2026. This will bring much-needed clarity to secure and responsible AI adoption across government and industry.

It’s easy to equate stalled legislation or delayed budgets with a lack of progress. But in cybersecurity, the most impactful advancements rarely happen in congressional hearings. They happen in codebases, acquisition reforms and audit protocols. The policy narrative may be sluggish, but in those areas, we are actually seeing healthy progress as the technical foundation of U.S. cyber defense is advancing rapidly.

Through CMMC enforcement, cATO adoption, automated software assurance and AI governance, federal cybersecurity is entering an implementation era where secure software supply chains and continuous monitoring are not aspirations, but expectations.

With all that said, does this mean the CSC 2.0’s findings should be ignored? Absolutely not.

The reality is that we don’t have a cybersecurity problem; we have an insecure software problem. By not driving forward policy at the civilian-level to change the economics in such a way that incentivizes ensuring the delivery of secure software, we may be ceding the very progress I just outlined.

However, to say “U.S. cyber progress stalls” is to overlook this reality. The truth is that 2025 marks the year where U.S. cybersecurity finally shifted from policy to practice.

Antoine Harden is the vice president of federal sales at Sonatype.

The post US cyber progress isn’t stalled — it’s evolving first appeared on Federal News Network.

Federal agencies face an ever-evolving threat landscape, with cyberattacks escalating in both frequency and sophistication. To keep pace, advancing digital modernization isn’t just an aspiration; it’s a necessity. Central to this effort is the Trusted Internet Connections (TIC) 3.0 initiative, which offers agencies a transformative approach to secure and modernize their IT infrastructure.

TIC 3.0 empowers agencies with the flexibility to securely access applications, data and the internet, providing them with the tools they need to enhance their cyber posture and meet the evolving security guidance from the Office of Management and Budget and the Cybersecurity and Infrastructure Security Agency. Yet, despite these advantages, many agencies are still operating under the outdated TIC 2.0 model, which creates persistent security gaps, slows user experience, and drives higher operating costs, ultimately hindering progress toward today’s modernization and adaptive security goals.

Why agencies must move beyond TIC 2.0

TIC 2.0, introduced over a decade ago, aimed to consolidate federal agencies’ internet connections through a limited number of TIC access points. These access points were equipped with legacy, inflexible and costly perimeter defenses, including firewalls, web proxies, traffic inspection tools and intrusion detection systems, designed to keep threats out. While effective for their time, these static controls weren’t designed for today’s cloud-first, mobile workforce. Often referred to as a “castle and moat” architecture, this perimeter-based security model was effective when TIC 2.0 first came out, but is now outdated and insufficient against today’s dynamic threat landscape.

Recognizing these limitations, OMB introduced TIC 3.0 in 2019 to better support the cybersecurity needs of a mobile, cloud-connected workforce. TIC 3.0 facilitates agencies’ transition from traditional perimeter-based solutions, such as Managed Trusted Internet Protocol Service (MTIPS) and legacy VPNs, to modern Secure Access Service Edge (SASE) and Security Service Edge (SSE) frameworks. This new model brings security closer to the user and the data, improving performance, scalability and visibility across hybrid environments.

The inefficiencies of TIC 2.0

In addition to the inefficiencies of a “castle and moat” architecture, TIC 2.0 presents significant trade-offs for agencies operating in hybrid and multi-cloud environments:

• Latency on end users: TIC 2.0 moves data to where the security is located, rather than positioning security closer to where the data resides. This slows performance, hampers visibility, and frustrates end users.
• Legacy systems challenges: outdated hardware and rigid network paths prevent IT teams from managing access dynamically. While modern technologies deliver richer visibility and stronger data protection, legacy architectures hold agencies back from adopting them at scale.
• Outages and disruptions: past TIC iterations often struggle to integrate cloud services with modern security tools. This can create bottlenecks and downtime that disrupt operations and delay modernization efforts.

TIC 3.0 was designed specifically to overcome these challenges, offering a more flexible, distributed framework that aligns with modern security and mission requirements.

“TIC tax” on agencies — and users

TIC 2.0 also results in higher operational and performance costs. Since TIC 2.0 relies on traditional perimeter-based solutions — such as legacy VPNs, expensive private circuits and inflexible, vulnerable firewall stacks — agencies often face additional investments to maintain these outdated systems, a burden commonly referred to as the “TIC Tax.”

But the TIC Tax isn’t just financial. It also shows up in hidden costs to the end user. Under TIC 2.0, network traffic must be routed through a small number of approved TIC Access Points, most of which are concentrated around Washington, D.C. As a result, a user on the West Coast or at an embassy overseas may find their traffic backhauled thousands of miles before reaching its destination.

In an era where modern applications are measured in milliseconds, those delays translate into lost productivity, degraded user experience, and architectural inefficiency. What many users don’t realize is that a single web session isn’t just one exchange; it’s often thousands of tiny connections constantly flowing between the user’s device and the application server. Each of those interactions takes time, and when traffic must travel back and forth across the country — or around the world — the cumulative delay becomes a real, felt cost for the end user.

Every detour adds friction, not only for users trying to access applications, but also for security teams struggling to manage complex routing paths that no longer align with how distributed work and cloud-based systems operate. That’s why OMB, CISA and the General Services Administration have worked together under TIC 3.0 to modernize connectivity, eliminating the need for backhauling and enabling secure, direct-to-cloud options that prioritize both performance and protection.

For example, agencies adopting TIC 3.0 can leverage broadband internet services (BIS), a lower-cost, more flexible transport option that connects users directly to agency networks and cloud services through software-defined wide area network (SD-WAN) and SASE solutions.

With BIS, agencies are no longer constrained to rely on costly, fixed point-to-point or MPLS circuits to connect branch offices, data centers, headquarters and cloud environments. Instead, they can securely leverage commercial internet services to simplify connectivity, improve resiliency, and accelerate access to applications. This approach not only reduces operational expenses but also minimizes latency, supports zero trust principles, and enables agencies to build a safe, flexible and repeatable solution that meets TIC security objectives without taxing the user experience.

How TIC 2.0 hinders zero trust progress

Another inefficiency — and perhaps one of the most significant — of TIC 2.0 is its incompatibility with zero trust principles. As federal leaders move into the next phase of zero trust, focused on efficiency, automation and rationalizing cyber investments, TIC 2.0’s limitations are even more apparent.

Under TIC 2.0’s “castle and moat” model, all traffic, whether for email, web services or domain name systems, must be routed through a small number of geographically constrained access points. TIC 3.0, in contrast, adopts a decentralized model that leverages SASE and SSE platforms to enforce policy closer to the user and data source, improving both security and performance.

To visualize the difference, think of entering a baseball stadium. Under TIC 2.0’s “castle and moat” approach, once you show your ticket at the entrance, you can move freely throughout the stadium. TIC 3.0’s decentralized approach still checks your ticket, but ushers and staff ensure you stay in the right section, verifying continuously rather than once.

At its core, TIC 3.0 is about moving trust decisions closer to the resource. Unlike TIC 2.0, where data must travel to centralized security stacks, TIC 3.0 brings enforcement to the edge, closer to where users, devices and workloads actually reside. This aligns directly with zero trust principles of continuous verification, least privilege access and minimized attack surface.

How TIC 3.0 addresses TIC 2.0 inefficiencies

By decentralizing security and embracing SASE-based architectures, TIC 3.0 reduces latency, increases efficiency and enables agencies to apply modern cybersecurity practices more effectively. It gives system owners better visibility and control over network operations while allowing IT teams to manage threats in real time. The result is smoother, faster and more resilient user experiences.

With TIC 3.0, agencies can finally break free from the limitations of earlier TIC iterations. This modern framework not only resolves past inefficiencies, it creates a scalable, cloud-first foundation that evolves with emerging threats and technologies. TIC 3.0 supports zero trust priorities around integration, efficiency and rationalized investment, helping agencies shift from maintaining legacy infrastructure to enabling secure digital transformation.

Federal IT modernization isn’t just about replacing technology; it’s about redefining trust, performance and resilience for a cloud-first world. TIC 3.0 provides the framework, but true transformation comes from operationalizing that framework through platforms that are global, scalable, and adaptive to mission needs.

By extending security to where users and data truly live — at the edge — agencies can modernize without compromise: improving performance while advancing zero trust maturity. In that vision, TIC 3.0 isn’t simply an evolution of policy; it’s the foundation for how the federal enterprise securely connects to the future.

Sean Connelly is executive director for global zero trust strategy and policy at Zscaler and former zero trust initiative director and TIC program manager at CISA.

The post How the inefficiencies of TIC 2.0 hinder agencies’ cybersecurity progress first appeared on Federal News Network.

Today’s evolving financial landscape requires organizations to transform obsolete systems into future-ready infrastructures. Financial systems in particular need to align with compliance standards. The shift from reactive problem-solving to proactive transformation involves eliminating redundancies, automating processes, embedding analytics, integrating cloud platforms, enhancing data interoperability and adopting zero trust cybersecurity.

Here are eight best practices for implementing automation technology or taking on any modernization challenge:

1. Lead with people-centric change management. No technology or solution will work without day one buy-in from the people who will use it. Communication at every step sets the stage for success. Flow charts and brainstorming sessions with key stakeholders allow managers to talk through a workflow that addresses everyone’s needs. Touch points and progress updates keep stakeholders informed, and robust user training ensures adoption and mission alignment.
2. Streamline processes before you digitize. In a federal financial system, it’s common for accounts payable and receivable operations to function in isolation. A rigorous analysis sets the stage for creating a more efficient workflow that eliminates redundancy and obsolete manual processes. It’s essential to study the policies and procedures that guide workflows in manual or legacy systems and translate them to intelligent automation technology. Here, it’s often helpful to look at other federal agencies to see what has worked and lessons learned.
3. Automate intelligently to enhance mission focus. Automation for its own sake goes nowhere. It must be targeted not just to cut costs but also to free up the skilled federal workforce from repetitive, low-value tasks better suited for machine learning. Once liberated by artificial intelligence and automation, workers can focus on high-level analysis, strategic planning, and mission-critical objectives.
4. Mandate data interoperability for a single source of truth. In too many cases, one set of information does not connect to or integrate with another. Worse than these data silos are manual processes. Employees often work offline from Excel spreadsheets, making it even tougher to integrate the operations of federal agencies. Modernized core systems allow for the secure, seamless sharing of data to drive cross-agency collaboration, ensure comprehensive reporting and guarantee accurate analytics.
5. Embed analytics to drive proactive decision-making. Why look behind when you can look ahead? Cleaner financial statements stem from real-time, predictive insights. Upgraded systems integrate dashboards, data visualizations, reports and other forms of business intelligence. Their streamlined views empower leaders to anticipate future needs and challenges.
6. Build on a secure and scalable cloud framework. Rather than stack new technology on an obsolete core, cloud computing systems evolve as technology improves and make enhanced cybersecurity possible. What’s more, cloud technology can scale to handle massive data loads, integrate new tools and provide superior accessibility that a modern federal workforce demands.
7. Secure by design with a zero trust architecture. In the current threat landscape, security cannot be an afterthought. In a zero trust environment, no external data or outsider enters a system and third parties are granted access only after a thorough vetting. Continuous authentication is crucial. To work across systems, data scientists and data miners will extract only what is needed and clean the data first.
8. Develop your battle plan. Just as in the military, proactive transformation requires a clear, strategic roadmap. Follow these steps to produce a battle plan unique to your organization’s needs and challenges:

• Conduct a comprehensive assessment. Analyze your current financial systems to identify pain points, redundancies and areas where manual processes are a bottleneck. This analysis will streamline your processes before you digitize them.
• Convene key stakeholders. Map out new workflows and secure buy-in across the organization. Communication is fundamental, from initial brainstorming sessions to ongoing progress updates.
• Create a phased process. Instead of a massive, disruptive overhaul, implement your plan in manageable iterations. Focus on intelligently automating one or two key processes first, such as accounts payable or receivable. Use these initial wins to demonstrate value and build momentum. Embed analytics as you go to measure progress and make proactive adjustments.
• Scale up. Use this solid foundation in a secure cloud framework to integrate new tools, enhance data interoperability, and ensure that your system is both future-ready and protected by a zero trust architecture.

This structured approach will improve decision-making, transparency and service delivery while meeting compliance mandates as you move your organization from reactive problem-solving to a proactive and successful transformation.

Tabatha Turman is the founder and CEO of Integrated Finance and Accounting Solutions.

The post From obsolete to obligatory: 8 best practices for upgrading federal financial systems first appeared on Federal News Network.

There are some topics families dread broaching during the holidays. For federal employees, reductions-in-force (RIFs) and government shutdown furloughs may be added to the list of tough topics to navigate this year. If you are dreading this topic, you are not alone. Here are some options for how to navigate this conversation this year.

Talking about career change: Why family conversations matter

Whether you are experiencing a workforce reduction, transitioning between industries, or determining your next steps, your family can serve as a valuable source of emotional support and practical guidance. Open, honest communication can help your loved ones understand your motivations, fears and aspirations as you navigate this transition. Changing careers in the current environment can be especially difficult, and navigating conversations about this transition may be different than previous career transition conversations you have had with family and friends. Having this conversation in a healthy way can make a difference in your mental state during an already complex time. This conversation does not have to lead to interpersonal conflicts or distress. Consider these tips when thinking about having the conversation.

1. Prepare for the conversation and remain constructive.

Have a plan. Being prepared will help you communicate your intentions clearly and confidently when you are ready to navigate career transition conversations. Before sitting down with your family for the holidays, take some time to reflect on how you want to have conversations about career transition with your family and keep these things in mind.

Your mental state. If you are struggling with negative thoughts, consider taking those thoughts captive and reframing them. For example, if you are thinking “This time last year I was talking about getting promoted, how can I tell my family I was a part of the RIF?” Consider reevaluating that thought. Remember that being a part of a recent RIF may not be indicative of your capability, performance or value to the organization.

Your disposition. Improve your disposition by implementing or increasing healthy habits. Getting proper sleep, exercise and diet throughout the holidays can improve your mood so that you can converse more positively, have the patience to deal with challenging family members, and approach tough conversations with a clear head.

Clearing your cognitive pallet: Limit influences that sour your mood. Feed your mind uplifting information and focus on things within your actual span of control. For example, you cannot control whether the government is open or remains closed, but you can control what you do with the time that you have during this furlough. Excepted employees still working can contribute to a supportive work environment by extending grace to fellow excepted employees each day at the office.

 2. Choose the right time and setting.

Have the conversation when you are in the best mental space. If you are energized and positive upon arrival at family events, consider initiating the conversation early. If you prefer to incorporate the discussion into table chat or when the family has settled after dinner, plan to have the talk then.

If you prefer not to have the conversation during the holidays, consider discussing the transition during a designated family time. A 2023 Harvard Family Study found that families who engage in weekly meetings report 50% stronger emotional bonds compared to those who do not. If your family has designated quality time, this may be a better alternative than a holiday gathering. Holidays can be stressful and emotionally charged for some family members, making it difficult to have a healthy conversation.

 3. Consider your communication strategy.

Consider with which family members it makes sense to have this conversation: Having unhealthy conversations may sap your energy and negatively affect your mood, so choose wisely. Decide how you plan to respond when you are invited to share information with the family or whether you want to initiate the talk. Having conversations with supportive family members can be helpful and cathartic. You may even find more support than you anticipated when you are open and honest.

Remember that “open and honest” is not “open kimono”: Discussing a career transition with those other than your spouse does not require a detailed account of your personal and private matters. Acknowledging this as a “challenging time of transition” may be sufficient. Resist the temptation to invite family members into the intricacies of your marriage, bedroom or finances.

Consider the outcomes you want from the conversation. Jot down key points to help you stay focused during the discussion. For example, if you do not want to have the conversation repeatedly, carve out a specific time to share what you are comfortable sharing and close the conversation with something like, “That’s all I have to share about that.” As the questions come throughout the holidays, refer to when you will discuss or when you already discussed the topic. Here is an example: Uncle Bill says, “I heard you were let go, I thought you were doing well there, what happened?” Consider responding with a closed statement like, “We talked about it before dinner,” or “I plan to talk about it after dinner.”

Tailor the talk to your comfort level: You could share something like, “As some of you may know, [organization] conducted a RIF this year. My division was a part of that RIF. That is all I have to share about that.” If your family is helpful, you may want to add something like, “However, I am interested in learning about options if you have job leads or opportunities for me to continue using my skills and expertise in [career area].” Let your family know if you are seeking new challenges, personal fulfillment or better work-life balance if you feel that they can help. Honest communication can help build trust and understanding, and could even help you land your next job.

 4. Listen to their concerns and neutralize criticism.

Your family may have questions or worries about finances, stability or future plans. Listen attentively and acknowledge their feelings. Let them know you value their opinions and support. This may sound something like, “I hear you. I am thinking about those things, too. I appreciate your concern and appreciate your support during this transition.” If the conversation is not constructive consider closing it with something like, “I’ve heard you,” or “We’ve heard you.”

5. Share your plan.

If your family is supportive, broadly discuss how you plan to approach your career transition. Outline steps you will take, such as updating your skills, networking, or seeking guidance from mentors. Sharing your plan demonstrates responsibility and helps alleviate uncertainty. You may share varying levels of detail with different family members based on the relationship or their ability to help.

5. Invite support and collaboration.

Ask your family for their support and input. Whether it is helping with research, offering encouragement, or brainstorming together, involving them in the process can strengthen your bond and make the transition smoother. This may need to be tailored for certain family members if family dynamics are complex.

7. Keep the conversation going.

Career transitions are ongoing journeys. Keep your family updated on your progress, celebrate small victories, and address new challenges together. Regular check-ins can help maintain open lines of communication and foster a supportive environment. If your family is incapable or unwilling to be supportive through this transition, consider keeping the conversation going with a supportive group of friends, former co-workers or faith community. Support systems are not exclusive to biological families.

Don’t go it alone

Talking with your family about a career transition is an opportunity to build a foundation of understanding and support. With preparation, empathy and honest dialogue, you can navigate this change together and set the stage for a successful new chapter.

It is important to recognize that each career journey presents its own distinct challenges and opportunities. This time of transition is significant and anomalous in many ways, so you may have trepidation about having career transition conversations. Consider seeking support and guidance from family members, friends, and current and former colleagues as you pursue new endeavors. You do not have to traverse this transition alone.

Jamel Harling is an executive coach, ombuds and advisor at Better Than Good Solutions.

The post Tips and strategies for navigating career transition conversations with your family during the holidays first appeared on Federal News Network.

The federal government’s ability to deliver results for the American people hinges on the effectiveness of its leadership. At the core of this leadership is the Senior Executive Service, a cadre of high-level officials entrusted with the responsibility of translating presidential priorities into operational outcomes. The stakes are high: Senior executive leadership affects whether the president’s agenda is properly implemented and whether agencies deliver on their missions. SES officials are the president’s senior-most career executives, and their leadership affects the lives of millions of Americans every day.

Given the gravity of their responsibilities, SES members must be equipped with the right knowledge and tools. Statutory mandates require both the Office of Personnel Management and federal agencies to provide ongoing executive development. And for good reason. Just as private-sector CEOs may benefit from executive development programs, our senior executives need the same level of preparation tailored to the constitutional role they hold and the scale of the missions they lead.

Historically, federal leadership programs have imitated academic or private-sector programs — many of which are expensive, time-consuming and not designed to meet the unique needs of government executives. With the closure of the Federal Executive Institute, OPM is refocusing and reimagining executive development, building on the best leadership development theories and practices with a renewed focus on the specific job knowledge, skills and tools SES officials need to be successful in their jobs.

Thus, to ensure the successful implementation of the president’s agenda by equipping SES through high-quality, targeted training programs, OPM has launched the Senior Executive Development Program (SEDP) — a targeted, administration-driven training initiative designed to ensure SES officials have the knowledge, context and clarity necessary to carry out the president’s agenda and best serve the American people.

The SEDP reflects a significant shift in how we approach executive development. More than just generic leadership training, the program will equip senior executives with the practical knowledge and skills to thrive as government leaders, covering topics such as constitutional governance, budget and policymaking, executive core qualifications, and strategic human capital management. Rather than relying on just generalized management theory one could get from academic or private-sector programs, this program provides high-impact, directly relevant training that speaks to the needs of today’s federal executives. The curriculum is designed around the constitutional role of the executive, the rule of law, merit system principles, and the operational realities of modern governance and leading responsive and efficient bureaucratic organizations. Participants will hear from seasoned career executive colleagues and administration officials on topics directly applicable to the complex missions and organizations they lead.

The SEDP is not a one-size-fits-all program. It’s designed to be flexible and scalable, leveraging high-quality recorded video modules delivered through OPM’s centralized learning management system. This approach allows executives to learn on demand, at their own pace, while maintaining full access to their day-to-day responsibilities. It also allows OPM to track participation and outcomes — ensuring transparency, accountability and a strong return on investment.

The goal is clear: to strengthen our federal leadership by ensuring every SES member has technical expertise and a true understanding of their constitutional responsibilities and the president’s vision. The success of any administration depends on its ability to act. And acting depends on leadership.

Through the Senior Executive Development Program, OPM is reaffirming its commitment to preparing that leadership – ensuring that America’s senior executives are ready, responsive and capable of delivering for the American people.

Scott Kupor is director of the Office of Personnel Management.

The post Strengthening executive leadership to serve our nation first appeared on Federal News Network.