Interview transcript

Terry Gerton You know, it turns out that not everything was shut down during the shutdown. The Department of Education issued a final regulation on Halloween that picked up on a March 7 executive order related to the public service loan forgiveness program. Tell us about what this new regulation does.

Randall Thomas That’s right, Terry. The regulations finalized proposed regulations that were issued in August and that implement that executive order. And that executive order directed Education to propose revisions to the PSLF regulations to ensure the definition of public service excludes organizations that engage in activities that have a substantial illegal purpose. That executive order stated that it was the policy of the administration that individuals employed by organizations whose activities have a substantial legal purpose shall not be eligible for the PSLF program. Education amended the regulations to provide that a qualifying employer for purposes of the program does not include organizations that engage in these specific enumerated activities in the regulation such that they have a substantial illegal purpose. Qualifying employers, for people who are familiar with the program or those who aren’t, generally include federal, state, local government agencies, Section 501(C)(3) organizations, and certain other entities. And these regulations were issued after … the PSLF statute was enacted in 2007 and first became effective in 2009. And those regulations have been amended seven times since they were first promulgated. The new regulations establish that to be considered a qualifying employer, an organization must not engage in an illegal activity such that it has substantial illegal purpose. And with that language and that standard, Education is effectively adopting the IRS’s illegality doctrine in these regulations. Education states that the IRS’ use of the doctrine is a basis for Education to issue the regulations. Education also listed several activities deemed to reflect a substantial illegal purpose, which we’ll probably cover in a few minutes, and the proposed regulations received nearly 14,000 comments [and] were generally finalized without substantive changes.

Terry Gerton I think most people would agree that agencies that are engaging in illegal behavior ought not to be subject to loan forgiveness. What is new about this regulation, especially when it comes to defining the illegal activities?

Randall Thomas Yeah, so historically, like we mentioned just a minute ago, Terry, this was a status test and not a conduct test by the Department of Education. You could look to a Section 501(C)(3) organization and see that the IRS had made a determination with respect to that exempt status. And the IRS separately employs an illegality doctrine, but now the Department of Education has said that it will also apply the illegality doctrine based on a preponderance of the evidence to determine whether an organization is operating for a substantial illegal purpose. And here they define certain illegal activities as indicative of having a substantial illegal purpose. Those activities were also all noted in the executive order from March of this year, and they include aiding or abetting violations of federal immigration laws, supporting terrorism, the use of puberty blockers or sex hormones for minors in violation of federal or state law, engaging in the trafficking of children to another state for purposes of emancipation from their lawful parents in a violation of federal or state law, engaging in a pattern of aiding and abetting illegal discrimination, and engaging in a pattern of violating state laws, which is defined as a final non-default judgment by a state court of trespassing, disorderly conduct, public nuisance, vandalism, or obstruction of highways.

Terry Gerton Well those are pretty specific. How will the Department of Education actually determine if an agency or an organization engages in those activities? What will they look at?

Randall Thomas So the employer disqualification process here requires Education to find that an employer has a substantial illegal purpose by a preponderance of the evidence after weighing the employer’s illegal conduct and narrowly focusing on only the illegal conduct enumerated in the regulation. The preamble to the regulation notes that a determination by Education regarding illegality only represents Education’s conclusion that the organization is not a qualifying employer and does not represent a determination by the IRS regarding tax exempt status. Education will determine that a qualifying employer violated the applicable standard when it receives an application in which the employer fails to certify that it did not participate in activities that have a substantial illegal purpose, or when it otherwise determines that a qualifying employer engaged in these activities unless Education approves a corrective plan signed by the employer. There’s an employer reconsideration process that gives employers the right to submit additional information and seek review and determinations. That process is aimed at providing due process to ensure that Education considers all relevant information prior to taking action to remove eligibility and to ensure that employers will be given an opportunity to respond, except in cases where there’s conclusive evidence that the employer engages in activities such that it has an illegal purpose, substantial legal purpose, rather. And Education presumes that the following evidence is conclusive. That includes a final judgment by a state or federal court whereby the employer is found to have engaged in illegal activities such that it has a substantial illegal purpose, a plea of guilty or no contest, whereby the employer admits to having engaged in illegal activities that have a substantial illegal purpose, or pleads no contest to allegations that it engaged in illegal activities with a substantial illegal purpose, or a settlement that includes admission by the employer that engaged in illegal activities that have a substantial illegal purpose. It provides that nothing in the determination process shall be construed to authorize Education to determine an employer has a substantial illegal purpose based upon the employer or its employees exercising their First Amendment rights or any other rights protected under the Constitution. And Education notes that even without such explicit references, the regulation could not be enforced in a manner that contravenes the First Amendment and that lawful activity will not disqualify an organization, no matter how controversial or unpopular it may be.

Terry Gerton I’m speaking with Randall Thomas. He’s a partner at Morgan, Lewis and Bockius. All right, that’s a lot of legal speak about the requirements. What if any new responsibilities or risks does this create for the public service organizations who might have borrowers participating in the program?

Randall Thomas Yeah, so two impacts here, the qualifying employers and also the borrowers, of course. The employers now bear the responsibility of affirmatively certifying that they are not engaged in activities with a substantial illegal purpose. They face disqualification now based on this new preponderance of the evidence standard, and certain things like judgments, no contest pleas, and settlements are treated as conclusive evidence that the employer engages in activities such that it has a substantial illegal purpose. Employers will want to engage counsel to think about how the PSLF regulations may apply and whether the employer’s activities expose it to any PSLF disqualification risk under the new regulations. And, you know, you probably want to do that with an eye toward these activities that the regulations say are indicative of a substantial legal purpose. There’s also the borrower impact, and thankfully these regulations don’t have an effective date until July 1, 2026. So you do have some headway — runway to figure out how they’re going to apply to your employer. For borrowers, the regulations will remove PSLF eligibility for individual borrowers during periods of employment by organizations that have been disqualified. Where an employer is deemed to have engaged in activities that breach federal or state law, affected borrowers won’t receive credit toward loan forgiveness for months worked after the determination date of ineligibility, but borrowers will receive full credit for work performed until the effective date of Education’s determination that the employer no longer qualifies. And under the regulations, Education is required to notify borrowers of a qualifying employer’s status. If the qualifying employer is at risk of becoming or becomes ineligible to participate in a PSLF program, the borrower cannot request reconsideration of a determination by Education that resulted in the employer losing status because the employer has a substantial illegal purpose.

Terry Gerton Are any of these new regulations being tested in legal cases?

Randall Thomas There are several cases that have been filed so far challenging the regulation.

Terry Gerton And what is the status of any of those? Can you derive any sense of where this might go in the future?

Randall Thomas I can’t opine right now. I don’t think that any — well, I think that it’s too premature. These regulations were just finalized a little bit over three weeks ago. And I don’t know that there’s been any action on these cases.

Terry Gerton What do you think this signals for the future then of the Public Service Loan Forgiveness Program? Do you think the authorities will continue to be tightened and the eligibility requirements strengthened?

Randall Thomas Yeah, Terry, I have no expectation about whether they will or won’t be tightened any further, but the new rule is clearly designed to tighten PSLF standards, and the administration through the executive order and Education in the preamble to the regulations, they say as much. The preamble to the regulation discusses at length the aim of the regulation in ensuring that taxpayer dollars are not misused and strengthening accountability and enhancing program integrity. The preamble states that the regulations will protect hardworking taxpayers from shouldering the cost of improper subsidies granted employees of organizations that undermine national security — and I’m quoting the regulation here — and American values through criminal activity. I can’t speak to the policy or the balance between accountability and access to forgiveness. I will note that Education notes in the preamble to the regulation that it disagrees with [the] assertion that the rule will have a significant macroeconomic effect on labor markets in education, health care, social services. They stated that they found no basis to conclude widespread effects would be likely and that they expected most organizations to voluntarily comply with the rule, such that Education anticipates that it will take action to remove eligibility for less than 10 organizations per year.

The post A final regulation issued on Halloween has reshaped the Public Student Loan Forgiveness program first appeared on Federal News Network.

© The Associated Press

Videos and eyewitness accounts reveal how Australia's worst mass shooting in nearly three decades unfolded.

Narges Mohammadi told her family in a phone call that she was beaten on the head and neck by plainclothes agents in Mashhad last week.

At least 70 homes have been inundated in Safi's old city centre, officials say.

Messi's India tour had a chaotic start after angry fans in Kolkata damaged a stadium after failing to catch a glimpse of him.

Russia is trying to "bully, fearmonger and manipulate" the UK and its allies with attacks under the threshold of all-out war, the new head of MI6 has said.

Forecasters have issued a new yellow warning for rain as parts of the UK could face flooding and travel disruption in the coming days.

Sir Keir Starmer has insisted none of the budget leaks and leadership speculation has come from him - as he vowed to "get to the bottom" of the briefings.

For Naval Air Warfare Center Weapons Division mechanical engineer Vincent Malpaya and many others, the Innovation Lab at Naval Air Weapons Station China Lake, Calif., allows them solve problems fast and the space to do it.

A "hero" pedestrian climbed into the car of Liverpool parade attacker Paul Doyle and stopped him, a court has heard.

Four people have been charged with plotting New Year's Eve bomb attacks in California.

The systems architecture for using commercial clouds has served federal agencies well for nearly 20 years.

The cloud movement sparked innovation in the design and deployment of applications, but the exploding use of artificial intelligence calls for a new cloud architecture, suggests Anish Patel, the head of federal civilian at cloud services company Cloudflare.

“If we think about the next generation of services that are going to rely on AI, there’s really a need for a new architecture in that,” Patel said during Federal News Network’s Industry Exchange Cloud 2025. “And so, how does that public cloud architecture, evolve?”

AI compute demands necessitate cloud evolution

He said the principal reason for this need derives from the compute demands of AI.

“AI is really the first thing since the development of the computer that’s been revolutionary on that compute scale,” Patel said.

Developers are folding AI into applications, along with technologies such as post-quantum cryptography and blockchain. Until now, those elements weren’t typically part of digital services.

“But when you combine all those things now,” Patel said, “thinking about the speed of interaction and how reliant you are on a network that’s trusted and reliable becomes really critical.”

Therefore, the resulting architecture must distribute compute power closer to clusters of end users, rather than executing solely in a given commercial cloud.

“If you can bring both that compute and that internet power as close to the end user as possible, that’s game-changing for where the internet is and where AI applications are going,” Patel said. Otherwise, the sheer processor cycle demands of AI will cause performance problems evident to users.

Architecting a reliable cloud architecture for all users

In thinking about the next architecture, IT staffs must consider both their organizations’ own users and external constituents, customers and business partners. Patel noted that many agencies have workforces scattered throughout the country. The need for reliability and low latency equals that of external users.

With reduced workforces, agencies will need to increase that reliability because the paper-based, office visit and telephone options may cease to exist.

“What’s coming next isn’t just that digital services are generally available, and when it’s not, you can pick up the phone or go into an office,” Patel said. “It’s just to be expected that all services are digital, and that service has an uptime and reliability level greater than TikTok or Twitter.”

He added, “There is a new generation of architectural thinking that has to come along with a distributed architecture.”

Patel made the analogy of search. Early Internet search functions, characterized by services like Ask Jeeves, were slow. Google, he said, revolutionized that with instantaneous results.

Today, when using public-facing generative AI sites, users “see it thinking, and there’s a couple of seconds there of it processing, and then it spits out an answer.”

That’s OK for now, he said, but the next generation of AI-enabled digital services will need the same step-function increase in performance that occurred with search.

The distributed architecture also includes distributed data, Patel noted. He said this requires special attention to data sovereignty, privacy and transparency — and secure handling.

“I may be a U.S. citizen traveling overseas, needing access to certain information in a particular country,” he said. “Especially if I’m an agency who’s globally distributed or has people that are traveling all over the world, I want to be able to process my information in a way that adheres to U.S. laws and follows the FedRAMP standard.”

Planning for distributed cloud architecture? Start with your users

Instituting a distributed architecture starts at the application development stage, Patel said.

“You have to start building for where the users are, wherever they are, and adjust to the users’ expectations,” he said. Also important? Building “for the next generation of services that aren’t fully built yet.”

Use of a containerized microservices approach helps because it lets an organization modify or upgrade parts and pieces of an application much more easily than traditional development techniques.

Still, Patel said, until recently “if it was distributed, it was on the agency and the IT folks to come figure out a way to distribute that application, have a disaster recovery strategy, et cetera. If you’re doing that manually, it’s still a highly complicated process, and you still have this scenario where it becomes overwhelming for the IT organization.”

That’s where companies like Cloudflare come in, Patel said. Cloudflare has built a hyper-distributed network together with the services for organizations to use. The company pioneered the idea of easy-to-adopt security for the Hypertext Transport Protocol, so organizations could readily obtain HTTPS status.

“You can now build your applications once and distribute everywhere at the same time, all over the place, and you don’t have to think about it,” he said. “You’re essentially offloading the capabilities of that application, infrastructure and services to vendors who are designed to essentially distribute this across the globe.”

Ensuring FedRAMP compliance in hyper-distributed cloud environments

That raises the question of FedRAMP compliance, the need for which would appear to severely limit the physical facilities on which federal applications can execute. That in turn means federal customers can’t always access the range of cloud services available to commercial customers.

Patel said that, in supporting a mission to “build a better internet,” Cloudflare wants “to ensure that everybody gets the same internet.” Its solution is to build the FedRAMP standards into the architecture itself, so that distributed instances of an application inherit compliance that was built into the original version.

“That means,” he said, “if there’s new services that are offered — new capabilities — and you need to extend the services to be tightly controlled in a particular way to a particular geography, you have the full control to be able to do that.”

The control ensures an agency can maintain public trust in an application and adjust how distributed instances operate.

“You may have certain areas where certain applications that you just want distributed everywhere,” Patel said, “and you need it to just be available for the user as fast as possible.”

On the other hand, he added, “You may have some cases where it makes more sense to for the application to be highly centralized in particular way and be able to route it to the right location.”

For example, at a local clinic somewhere offering medical services to veterans, “you want to make sure, regardless of the Wi-Fi they may have or the device they may have, that experience is still secure but performant, so the veteran can get through the process.”  

Discover more articles and videos now on our Federal News Network’s Industry Exchange Cloud 2025.

The post Industry Exchange Cloud 2025: Cloudflare’s Anish Patel on AI driving need for new cloud architecture first appeared on Federal News Network.

© Federal News Network

Ukrainian strike underwater drones have attacked a Russian naval base in Novorossiysk, in what Ukrainian officials describe as the first combat use of underwater drones to disable a modern diesel-electric submarine. According to Ukrainian sources, underwater drones known as “Sub Sea Baby” detonated beneath a Russian Project 636.3 submarine of the Varshavyanka class, known in […]

Northrop Grumman has completed a new demonstration of its mine countermeasures technology, showing that its AN/AQS-24 minehunting system can be integrated with an uncrewed surface platform to meet emerging U.S. Navy operational requirements. According to a company statement, Northrop Grumman Corporation successfully demonstrated the integration of its AN/AQS-24 minehunting system with a Mine Countermeasures Unmanned […]

China’s newest long-endurance stealth unmanned aerial vehicle, the CH-7, has completed its maiden flight. State broadcaster CCTV said on Monday that China’s new high-altitude, high-speed, long-endurance CH-7 had recently completed its first flight. The outlet reported that the aircraft demonstrated long endurance, stealth, and high cruising speed, and was designed to meet “the needs of […]

India’s defense industry is pressing ahead with new strike options as JSR Dynamics has showcased its LRP2GM, a lightweight stealth cruise missile, to the Indian Navy, highlighting a domestically developed system aimed at long-range precision missions. According to the company website, the weapon is described as a “light weight cruise missile termed as long range […]

Germany has decided to move forward with an additional purchase of Airbus H145M light combat helicopters, exercising an option included in a 2023 contract and expanding the country’s planned fleet as it continues to modernize its rotary-wing forces. According to Airbus Helicopters, Germany has ordered 20 additional H145M helicopters, bringing the total number under contract […]

Donald Trump has launched an extraordinary attack on film director Rob Reiner, who was found stabbed to death with his wife on Sunday, as it was revealed his son has been arrested on murder charges.

Identity, credential and access management, a foundational pillar of zero trust, centers on three key elements: widespread use of phishing-resistant multifactor authentication, elimination of unnecessary administrative privileges and continuous monitoring and authorization. 

Tony Goulding, cyber evangelist at Delinea, said one area where agencies are seeing the most success is deploying phishing-resistant MFA.

The Office of Management and Budget’s M-22-09 memo and the Cybersecurity and Infrastructure Security Agency’s accompanying guidance expect agencies to use phishing-resistant multifactor authentication whenever possible. 

While CISA’s guidance is somewhat flexible, emphasizing that “any form of MFA is better than no MFA,” it still reinforces that phishing-resistant methods should be the end goal for ICAM and zero trust.

“In a perfect world, and really aligning with the spirit and the direction of OMB as well as CISA, it means that you’ve really got to try hard to get this MFA in place,” Goulding said during Federal News Network’s Industry Exchange Cloud 2025.

Making progress on multifactor authentication

But some applications and use cases simply cannot support phishing-resistant MFA, particularly older systems that were never designed to accommodate hardware tokens, he pointed out. Temporary contractors also pose hurdles since agencies often cannot easily issue full Personal Identity Verification or Common Access Card credentials.

And in other cases — including legacy environments or remote devices — the technical limitations make deploying modern authentication methods challenging.

“Those are scenarios where organizations are employing, pretty much across the board, a migration plan to replace or migrate their applications and their systems to more modern systems that can accommodate fishing-resistant MFA. Of course, there’s an element of cost and logistics in doing that because you’re going to have to spend money to do it. You’re going to have to update processes. But it is a path that the majority of the organizations that we deal with are actually taking,” Goulding said. 

Doing away with excessive access privileges

The second key element of ICAM — eliminating standing administrative privileges — is forcing agencies to reevaluate the thousands of high-privileged accounts scattered across their networks. Privileged identities, often created out of convenience, represent one of the most exploited attack vectors, Goulding said.

Many organizations, particularly those running Linux and Unix environments where the administrators create local privileged accounts, typically have full privileges and are rarely monitored, making them a prime target for attackers, he said.

“The first step is eliminating those that are unnecessary and then allowing the administrator to use their existing identity. They may have an ID account, for example, that becomes the only account that they will use, and it needs to have minimum rights,” Goulding said. “The third thing is that you then give them the ability to elevate their privileges when they need to elevate their privileges for a legitimate administrative purpose.”

He added, “Those are three of the key things that we’re seeing agencies make tremendous strides in deploying.”

Embracing real-time continuous monitoring

The final must do, Goulding pointed out, is continuous monitoring and authorization. Admittedly, this remains a persistent challenge across the agencies, he said.

“No more point-in-time checks — you want to move more toward evidence-driven, ongoing verification,” Goulding said.

“We’ve actually been very successful in enabling our customers, both agencies and commercial, because our solution generates a stream of identity and access and privileged access signals. Things like elevation request: Elevation is important because if you’re doing least privilege, then you’ve got to give legitimate administrators the ability to elevate privilege just in time — when it’s necessary to do that.”

Session recording — long considered valuable but rarely used due to lack of staff to review recordings — is another area where monitoring is evolving. Goulding said artificial intelligence now allows agencies to automatically scan session recordings on Linux and Windows systems, flagging unusual behavior such as if shadow accounts are created or attempts are made to add additional privileges to a low-privileged, compromised account.

“These session recordings are gold, but they’re never actually reviewed. So automation can really help in making sure that that happens,” he said.

Looking ahead, Goulding warned agencies about “not falling into the trap of trying to cherry pick best-of-breed parts of a solution.” Instead, he recommended that agency teams embrace modern cloud-native software as a service platforms that can scale, update and integrate easily.

Discover more articles and videos now on our Industry Exchange Cloud 2025 event page.

The post Industry Exchange Cloud 2025: Delinea’s Tony Goulding on how to achieve 3 pillars of ICAM first appeared on Federal News Network.

© Federal News Network

At least 70 homes have been inundated in Safi's old city centre, officials say.