Episode 84

Exploring AI Trends and Cybersecurity Evolution in the Federal Tech Landscape with Jason Miller

Jason Miller is the Executive Editor of Federal News Network and has covered the federal technology space over the course of five Presidential administrations. He brings his wealth of knowledge as he joins Tech Transforms to talk about AI, the top things government agencies are working towards this year and his predictions around FedRAMP changes. Jason also pulls on his decades of experience as he discusses events that changed the nation's approach to cybersecurity and the longstanding need to have data that is better, faster and easier to use.

Key Topics

  • 00:00 AI's impact on texting and cloud's significance.
  • 04:17 Federal Enterprise Risk Management in government tech.
  • 07:20 AI trends shifting toward real-time application.
  • 11:22 2025 and 2027 deadlines for zero trust.
  • 13:31 CISOs and CIOs adapting to modern technology.
  • 16:45 Frustration with FedRAMP leads to reform efforts.
  • 21:39 Applying similar model to expand decision-making.
  • 23:37 GSA discussed OSCAL at private industry day.
  • 27:55 CISA's role has grown within DHS.
  • 30:33 Increased transparency in cybersecurity changed approach significantly.
  • 34:17 Reflecting on the 2006 significance of data.
  • 39:19 AFCEA events bring together good people.
  • 42:53 Fascination with government architecture and dedicated government workers.
  • 44:35 Promoting positivity and accountability in government industry.

Cybersecurity Evolution: Examining Technology's Political Neutrality and AI Commitment Through Administrative Changes

Consistent Focus on Cybersecurity Evolution Across Political Administrations

Jason expressed a clear conviction that technology issues are largely immune to political fluctuation and remain a constant in government agendas. Reflecting on his experience across five administrations, he noted that the foundational technological discussions, such as cloud adoption, cybersecurity enhancement and overall IT improvement, are fundamentally preserved through transitions in political leadership. He highlighted that the drive to enhance government IT is typically powered by the resilience and dedication of public servants, who generally carry on valuable reforms and initiatives regardless of the sitting administration's politics. These individuals are essential to sustaining progress and ensuring that technology remains a key priority for effective governance.

Federal IT Policies Consistency: "No one comes in and says, I'm against AI, or cloud is bad, move back on premise, or cybersecurity, defund cybersecurity. I think those are the issues that stay the same." — Jason Miller

Executive Orders and AI Adoption

Addressing the specifics of executive orders, particularly those influencing the implementation and development of artificial intelligence (AI), Jason examined their historical persistence and their potential to shape operational practices in the government sector. He and Mark discussed how the stability of AI-related orders through various administrations is indicative of a broader governmental consensus on the integral role AI holds in modernizing federal operations. Despite changes in leadership, the incoming officials frequently uphold the momentum established by their predecessors when it comes to leveraging AI, indicating a shared, bipartisan recognition of its strategic importance to the government's future capabilities and efficiencies.

Cybersecurity Evolution: Zero Trust Principles and Network Security Challenges in Federal Agencies

Zero Trust and Cybersecurity Budgeting

During the podcast, Carolyn and Jason delve into the current trends and expectations for federal cybersecurity advancements, with a particular focus on zero trust architecture. Their discussion acknowledged that agencies are on a tight schedule to meet the guidelines set forth by the Office of Management and Budget, which has highlighted 2025 as the target year for civilian agencies to embrace specific zero trust requirements, while the Department of Defense has until 2027.

Moving past the traditional perimeter defense model, zero trust principles necessitate an ongoing and multifaceted approach to security, which includes sizable budget implications. Jason underscored the importance of the 2024 fiscal year, noting it as the first time federal budgets are being crafted with clear delineations for zero trust capabilities. This shift in focus is exemplified by the rollout of endpoint detection and response (EDR) technologies, vital components in this architecture that ensure rigorous monitoring and real-time responsiveness to cyber threats.

Understanding the Cybersecurity Evolution

Jason underscored the complexities of network security as federal entities confront the expanding cybersecurity landscape. Highlighted was the layered approach needed to fortify cybersecurity, starting with IAM. This segment illuminated the government's drive to update antiquated systems with modern identification and credentialing processes to better regulate access control. The discussion spilled into a critical analysis of data layer security, emphasizing the necessity for agencies to marshal their applications and data against unauthorized access. Furthermore, Jason hinted at the broader horizon of security measures, which now includes OT and IoT devices. The intertwining of these technologies with standard IT infrastructure adds layers of complexity for security protocols. The conversation shined a light on the massive task that lies ahead as agencies work to comprehend and safeguard the expanded network perimeters and develop strategies to encapsulate a variety of devices under a comprehensive cybersecurity shell.

The Evolution of AI in Cybersecurity: "We can take data that was 3 years ago or data over the last 3 years and look for trends that we can then use for our future. I think what they're looking for now is more real time, more immediate, especially if you think about, like, cybersecurity." — Jason Miller

Innovations and Challenges in Tech Reporting

Timeliness in Problem Reporting

Jason believes that being proactive is vital when it comes to identifying and addressing potential issues within federal agencies. He highlighted that by the time an oversight report, such as those from the Government Accountability Office or an Inspector General's office, is made public, the concerned agency has likely been aware of the issue and has already taken steps to address it. This underlines the criticality of immediate agency reactions to problems. In the context of these reports, Jason suggested reading the agency's responses first. They provide the most current view of what's happening and the actions taken, often making them more newsworthy than the findings of the report itself.

ACT-IAC and AFCEA Gatherings Key to Cybersecurity Evolution Dialogue

Without specifically endorsing any one event, Jason acknowledged the importance of various industry gatherings where government and industry leaders convene to discuss pressing topics. He emphasized the ACT-IAC and the AFCEA events as beneficial arenas that enable him to engage deeply in conversations that can lead to actionable insights and meaningful connections. He also mentioned that these events provide an opportunity to interact with federal agency leaders outside the formal constraints of an office setting. This can lead to more open and candid exchanges of ideas and experiences within the government tech community. The ACT-IAC conferences and AFCEA's branch-specific IT days, according to Jason, yield particularly high-value discussions that contribute to both immediate news items and broader thematic reporting.

Probing the Cybersecurity Evolution

Jason's Insight on Federal Tech Trends

Jason brings a wealth of knowledge specific to federal government technology trends. He highlights AI as a prevalent topic within current discussions. His emphasis on AI signifies the shift from its former buzzword status to a fundamental tool in federal IT arsenals, especially regarding applications in cybersecurity and immediate data analysis. Jason notes that this mirrors the pattern of past tech trends in the industry, where initial hype evolves into concrete implementations. The conversation underscores the fact that while AI is gaining traction in strategic planning and operations, it is critical to discern genuine AI adoption from mere marketing.

AI Shift Reflects Cybersecurity Evolution and Predictive Technology Integration in Government Operations

As the conversation progresses, Jason, Carolyn and Mark explore how the vigorous enthusiasm around AI aligns with patterns observed during the advent of previous technologies. The cycle of tech trends typically begins with a surge of excitement and culminates with the practical integration of technology within government operations. Jason points out that although AI is the topic du jour, the government's drive towards embracing real-time and predictive capabilities of AI is indicative of its elevated role compared to earlier technology hypes. This shift spotlights AI's increasing value in enhancing operational efficiency and decision-making processes across various federal agencies.

Appreciating Government Employees: "There's so many great people who work for the government who want to do the right thing or trying to do the right thing, that work hard every day, that don't just show up at 9 and leave at 5 and take a 2 hour lunch." — Jason Miller

The FedRAMP Overhaul Debate

Rethinking FedRAMP

FedRAMP's reform was a critical topic addressed by Jason, who noted industry-wide eagerness for revising the program's long-standing framework. Not only has the cost of compliance become a pressing issue for businesses aiming to secure their cloud solutions, but the time-consuming journey through the certification labyrinth has compounded their challenges. Advancements in technology and a shift towards better automation capabilities have supported the argument for modernizing FedRAMP. The white paper presented by the General Services Administration responded to such pressures with the goal of making the process more efficient. Jason also mentioned a legislative angle with Representative Connolly's involvement, marking the congressional ear tuned to the private sector's concerns about the program's current state.

Predicting the Future of FedRAMP

Moving forward, while discussing federal efforts to enhance cloud security protocols, Jason described the nuances in predicting FedRAMP's evolution. He cited the Department of Defense's actions as a positive development, in which they suggested frameworks for accepting FedRAMP certifications reciprocally, depending on security levels. This reciprocity aims to foster mutual trust and reduce redundancy in security validations. However, Jason exercised caution in providing a timeline by which tangible reforms might materialize for businesses pursuing FedRAMP accreditations. Despite the uncertainties, he recognized automation, specifically via OSCAL, as a potential accelerant for the much-needed reform, bringing about quicker, more cost-effective compliance processes.

Tracking the Cybersecurity Evolution: From 2006 Data Breach to Contemporary Data Protection Strategies

Analyzing the Cybersecurity Evolution Post-2006 Veterans Affairs Data Mishandling

Jason provided context on the evolution of cybersecurity, drawing from an incident in 2006 when the Veterans Affairs department mishandled tapes containing sensitive data of millions of veterans. This episode, he explained, was an eye-opener, underscoring the importance of data security within the federal government. The aftermath was a pivot towards greater openness about cybersecurity issues, moving away from a more secretive posture to one where sharing of information became essential for strengthening overall security. What we observe now is a more concerted effort within government circles to collaborate, engage with industry partners, and cultivate a proactive stance on cybersecurity threats, with agencies actively communicating about and learning from security incidents.

Emphasizing Data Protection

The conversation highlighted the criticality of data protection as it has become the nucleus of many governmental operations and decision-making processes. Since the intrusion into the Office of Personnel Management's records, there has been a palpable shift towards more robust data safeguards. Jason pointed out how being well-informed about such dynamics is crucial, entailing an immersion in various activities such as attending industry events, networking with key players, and thorough analysis of inspector general and Government Accountability Office reports. Such proactive engagement helps in staying abreast of the current and emerging landscape of federal technology, especially the methodologies and strategies deployed to protect the troves of sensitive data managed by government entities.

About Our Guest

Jason Miller has served as executive editor of Federal News Network since 2008. In this role, he directs the news coverage on all federal issues. He has also produced several news series – among them on whistleblower retaliation at the Small Business Association, the impact of the Technology Modernization Fund and the ever-changing role of agency CIOs.

Transcript
Carolyn Ford [:

Hi, thanks for joining Tech Transforms. I'm Carolyn Ford here with Mark Senell. Hey, Mark.

Mark Senell [:

Good morning, Carolyn.

Carolyn Ford [:

So today, we get to welcome Jason Miller who's the Executive Editor of Federal News Network and has served as the executive editor for Federal News Network since 2008. I frequently read Federal News Network and Jason's pieces, and I'm thrilled to have him on the show today to hear more of his insights into what he's covering and the key federal issues he's tracking this year. With a career dedicated to covering the federal government, Jason is in a key position to share insights, to share what he's hearing, happening in the federal government, technology trends, including zero trust, workforce modernization, FedRAMP, and more. So with that, welcome to Tech Transforms, Jason.

Jason Miller [:

Oh, thank you. The tables have turned as they say. I have to answer questions instead of asking the questions.

Carolyn Ford [:

Well, we're really glad that you're willing to answer the questions today.

Mark Senell [:

And thanks for joining us on this snowy morning here in D.C.

Jason Miller [:

Exactly. Oh, have fun. So, there's lots to talk about, always is, and that's what keeps me going each Monday morning and each year I do this.

Carolyn Ford [:

Alright. Well, let's just dive in. The first question I wanna tackle, it's a little bit of a softball. So as the executive editor of Federal News Network for the last 16 years and a news editor at Government Computer News prior to that, you've had a front row seat to a wealth of federal government technology news. So through your career, what are the biggest technology trends that you're seeing right now and coming up in 2024 for the federal government?

Jason Miller [:

Unfortunately or fortunately, depending on where you sit, you gotta start with artificial intelligence. You know, unfortunately, one part is that it's a buzzword right now. Everyone wants to talk about it. All people in your community or the vendor community wanna sell something that's related to AI. So that, you know, that's kinda forcing us to think about, okay, how do we cover it? What does AI look like? Why is AI important? Ask questions about, like, okay, are people really using AI? Or is this the latest shiny object that vendors are polishing up to sell, because everything has AI. Right? You have the auto fill-in in your Office 365. That's AI.

Jason Miller [:

If you have an Apple phone, it gives you suggestions for your texting. Right? That's AI. And then there's real AI and then there's a whole move to generative AI and ChatGPT and the excitement around that. So I think that's number 1 in terms of just the buzzworthy stuff. When you dig a little deeper, when you say, okay, what's really happening within the agencies? What are they really looking at? You know, the big topics are, of course, the ones we talk a lot about. Cloud, you know, 12, 13 years after the initial cloud first strategy from OMB, we're still talking a lot about cloud. I think, you know, I would push down on that and say that the agencies are pretty well moved to the cloud and a lot of infrastructure, a lot of platform. The big thing I hear from a lot of CIOs these days is software.

Jason Miller [:

Gotta move to software as a service. You gotta put more apps in the cloud and take advantage of the benefits of software as a service. So I think that's something to look out for in 2024. Zero Trust, cybersecurity, never ending interest. So, we'll continue to talk about that. And then, of course, customer experience, user experience, total experience. I think people have to coin a new phrase every few months, every few years about something. This idea of employee experience plus user experience equals total experience, that's been another big issue that's coming up.

Jason Miller [:

And then I think finally, the one that people maybe don't put a lot of stock into that we'll be covering is, you know, understanding risk management. I'm a big fan of the Association of Federal Enterprise Risk Management. They're a good group of people that probably don't get as much attention in the federal world as FIRM or AFCEA and some of these other good government organizations, ACT-IAC. But, enterprise risk management is a growing trend across government that has a huge tech angle to it that I'm sure we will be spending a lot of time on. And I'm sure I've missed something too, by the way. There's a 101 other things that people go, you didn't talk about this or you didn't talk about that. But

Mark Senell [:

I certainly wanna touch on that in FedRAMP. But, before we get to that, so, Jason, you've been in the industry for, you know, a while. You've seen a lot of different kind of trends happening over the last couple of decades. Does the vibe or the talk about AI seem different to you than some of the other trends that we've seen over the past couple of decades?

Jason Miller [:

Not really. I think there is always a big push. You get a lot of conferences, a lot of speeches, a lot of people talking about it. And then when you dig deeper, okay, who's really doing it? And that goes for cloud, that goes for certain cybersecurity tools. So I think it's just the latest shiny object. And again, I'm not saying AI is bad or good. It's not a judgment on people selling AI tools and capabilities. I'll just offer that there's a lot of excitement for it because we have an executive order, we have a draft OMB memo, we have people.

Jason Miller [:

There's a lot of kind of push. ChatGPT, when it was released a year or so ago or 9 months ago, got a lot of attention in the mainstream, kinda general press. So I think folks just glom onto these. I think we saw the same thing with cloud computing, and we saw the same thing with customer experience. You saw it's just part of that cycle that comes and goes. And whether it's 6 months from now, a year from now, whatever it is, we're gonna be back to, okay, what's the next thing that people are excited about? And it may be AI related, it may not be.

Carolyn Ford [:

Well, it's interesting because everything you mentioned, we've been talking about, I'm, you know, reeling back through the list that you ticked off. I feel like every single one of them, we've been talking about them for at least a decade and one will trend up and then down, including AI. I mean, Mission Impossible, man. It kinda, Mission Impossible, ChatGPT really pushed AI to the front. But all of them, I mean, none of these are new. Are they?

Jason Miller [:

Well, AI is new. If you're really looking at really advanced AI, predictive AI

Carolyn Ford [:

New the way we're okay. So the this is a new way that we're thinking about it, talking about it, new advances, but we've been talking AI for a long time.

Jason Miller [:

You've been, we've been talking what they call kinda, call it laggard AI. Right? We can take data that was 3 years ago or data over the last 3 years and look for trends that we can then use for our future. I think what they're looking for now is more real time, more immediate, especially if you think about, like, cybersecurity. Right? How can you take what's happening on our network right now, apply these AI models, and know make a decision in real time or near real time? I think that's the difference in discussion that I'm hearing. Again, I don't have a comment on whether it's happening or not. You know, can it, you know, I don't know what companies are doing behind the curtain just like I don't know what agencies are doing behind the curtain to say, are they really taking data in the last 24 hours and then making a change to their network in the next 24 hours because of based on that data? Sure. Yes. Maybe.

Jason Miller [:

No. You know, your guess is sure better than mine.

Mark Senell [:

I mean, seeing as we're in an election year, do you think that, like, the executive order around AI that came out, regardless of who wins the election and, you know, what party comes in or administration comes in, is that the kind of thing that stands the test of time, and will be adopted by, you know, different administrations that come in?

Jason Miller [:

Interestingly, I've, the one thing that stays the same across almost all administrations and I guess this would be, the one coming up next. It will be my 5th administration. I guess I started covering government during the Clinton administration, very end of Clinton administration. So, Bush, Obama, Trump, Biden, so far. So this would be my 5 and a half. I don't know. Seems a long time when you start talking about it. How many administrations you've been through? But the technology is kind of always stays the same in the sense of the discussion.

Jason Miller [:

Right? No one comes in and says, I'm against AI, or cloud is bad, move back on premise, or cybersecurity, defund cybersecurity. I think those are the issues that stay the same. And, you know, you can say what you want about different administrations, Republicans, Democrats, like them, dislike them, support them, not support them. The people they bring in to do government management, and I'll be very general here because not everyone's perfect, generally are good people who wanna do the right thing. So you can disagree with policy discussions whether or not, you know, the Trump administration should have tried to force OPM and GSA to merge. That was probably not a great discussion or great attempt. At the same time, Suzette Kent is the federal CIO, pushed forward a lot of really important topics that still today are being pushed forward. If you go behind the Trump, the Obama folks, you can disagree with the use of 18F or USDS.

Jason Miller [:

They, you know, U.S. Digital Service have created a lot of consternation in industry and government. But what they wanna do underneath that, you know, improve software development, improve delivery, improve user experience, improve security, nobody argues against that. So I think the administrations are less important than the people who actually come behind them who all support.

Mark Senell [:

So it's a fairly politically neutral area?

Jason Miller [:

Oh, it has to be. And I think that's the beauty of what we cover. Right? I don't have to get into the silliness of politics. And that's why you always tell people, oh, well, if I'm out of town and, if I say, oh, you know, oh, you're from D.C. Uh-oh. That place. Oh, what do you do in D.C.? Oh, I'm a journalist. Oh, and I always preface very quickly say, I don't cover the silliness of D.C.

Jason Miller [:

I cover the interesting stuff.

Carolyn Ford [:

Yeah. The tech. So another thing you mentioned was zero trust, and this is another, for lack of better term, buzzword that I've been using, hearing for a decade plus. Right? But so correct me if I'm wrong. I think there are some mandates in place this year that agencies have to have some level of a zero trust architecture in place. Is that, am I on track here?

Jason Miller [:

Yeah. The, so they are on a, they have a goal for 2025 to hit certain requirements under the OMB memo for civilian agencies, defense department agencies, and services, military services have until 2027. So, I think this is a big year in many regards for zero trust because the deadlines, the capabilities they have to put in place and the deadlines that are coming, the time is shrinking, and they had to get their budgets forward. You know, I talked to Chris DeRusha, the Federal Chief Information Security Officer, earlier this fall, and we had a zero trust cyber exchange event on Federal News Network where he talked about, hey. This is the, you know, this 2024 budgets, the 1st year where they've been able to actually specifically budget for zero trust capabilities. And, again, this is not, like, under the heading zero trust capabilities. It's a cybersecurity budget of the, they pushed it to 13, 14, $15,000,000,000 across government. And I think a lot of that, they can parse out and say how much we are pushing towards a zero trust architecture, zero trust capabilities.

Jason Miller [:

So, I did an interview with the Cybersecurity and Infrastructure Security Agency's Continuous Diagnostics and Mitigation program in the last few weeks or the last few months now. And one of the things they talked about was endpoint detection and response. It's a capability that they're completing the rollout under CDM in 2024. And that directly relates to the zero trust capabilities that they have to push out. Know at the endpoint who's on your network, what's on your network, and then secure that endpoint. So I think that's a great example of something that, hey, this is a check mark that a lot of agencies will be able to do in 2024, but it's part of that, forgive my cliche, journey for the zero trust architecture that never ends.

Carolyn Ford [:

So in addition to the endpoint detection, did I get the term right, endpoint identification and detection?

Jason Miller [:

Endpoint detection and response, EDR. Yeah.

Carolyn Ford [:

So in addition to that, what are some other trends for, what are you seeing the agencies? Like, what's on their checklist to have in place or get in place this year?

Jason Miller [:

When I talk to CISOs and CIOs and people in the federal technology world, a lot of them talk about the big 3, right? They talk about identity credential management, which is interesting to me because when you go back to 2004, 2005, and you had something called HSPD 12, Homeland Security Presidential Directive 12, which called for the use of, you know, PIV cards or smart ID cards as a way to log on to your computers and log on to your network. The thought was, well, didn't you already have this in place, you know, 10 years ago because you were on a mandate 20 years ago now to have this on? So I think what a lot of agencies are finding is yes, but, we could do it for on premise. But now that we're moving to the cloud, we have to have a different or a better or an improved identity management credentialing system. And then you have other companies and products that are much better suited and more modern. So they wanna bring in that modern technology. So I assume ICAM is a big one. EDR is a big one. A lot of folks are now starting to look at the application layer and the data layer and say, okay.

Jason Miller [:

What can we do around that? So I think you'll get a lot of agencies starting to look at, okay. How do we protect our applications and data differently? If you remember during the, end of the Obama administration into the Trump administration, there's a push for high valued assets, HVAs. I think that's still a big push, but now agencies have, you know, they've protected the gooey middle. Right? The tootsie pop analogy, and now they're kinda get hardening it out. So I got my gooey middle data that's been hardened. Okay. Now can I harden out the less gooey and continue to build the shell to protect? And I think that's a that's a big push this year. And then, you know, I think the hardest one will be the network layer, and I think a lot of agencies are struggling with what does the cloud network look like.

Jason Miller [:

We have certain things that we can get from Office 365 and Microsoft, Amazon or Oracle or Google, but can we continue? The network is bigger and bigger and bigger. And one quick example of that is the guidance this year from OMB on the Federal Information Security Management Act or Modernization Act depending on which FISMA you wanna talk about. But the FISMA guidance specifically called out OT, operational technology, Internet of things technology as, hey, you need an inventory. You need to tell us how you're going to protect this OT because OT now and IT are so intertwined that that's a big concern for us. So, that maybe isn't everything, but I'm sure I missed something. But there's, that's a lot of what we are hearing and seeing.

Mark Senell [:

Yep. That's great. So I know, I know. I am curious to get your thoughts and talk about FedRAMP and what's going on there. You wanna kick us off, Carolyn, and

Carolyn Ford [:

Well, yeah. I mean, I was just thinking, you know, you mentioned something, Jason, about how, you know, back in 2004, we had the physical cards and people are saying, well, didn't we already do this with zero trust? And things have changed, and it seems like we're seeing that with FedRAMP, especially in this last year where we're, like, FedRAMP Moderate has been good. It's been the standard. It's been enough, and things have changed enough in cybersecurity that we gotta uplevel. Is that what you're seeing?

Jason Miller [:

So I think when it comes to FedRAMP, there's 2 things going on here. I think the frustration by industry and agencies has reached a pretty peak level. I think people realize there's a lot of benefits to FedRAMP. I think there's a lot of value in it for the most part. I think the frustration is the time it takes to get through the process and the cost on the industry side to get through the process. And I think that a lot of agencies are saying we gotta have a better way to approach. And I think that frustration gave GSA and OMB an opportunity to rethink FedRAMP. Additionally, you had the law, the FedRAMP law from Jerry Connolly, the congressman from Virginia who obviously has a lot of industry in his district who I'm sure got an earful time and again from his people who donate money to his campaign.

Jason Miller [:

I shouldn't have said that out loud. But, to be fair, there's a lot of concern about it. And to be fair, it is a, been a problem that FedRAMP and the PMO have tried to address over the years with different approaches like FedRAMP Ready and FedRAMP Tailored. So I think that this is just an opportunity for them to say, hey. It's been 11 years, 12 years since the original memo. Better technology, more automation, the move to OSCAL, which is an open machine readable. All those are good things that can open the door to improving the process. And I think that's really what with the journey that OMB kicked off with that draft memo.

Jason Miller [:

I know they're reviewing comments or they will be reviewing comments soon enough. And so, you know, I think something to look out for maybe summertime, maybe next fall. You know, these things always take longer. Policies always take longer than you think they should.

Mark Senell [:

Well, I certainly feel that here at Dynatrace. I know we're FedRAMP Moderate today, and we're actively pursuing FedRAMP High. So, we feel those struggles as part of industry there.

Jason Miller [:

And that's one of the other things, I know, Carolyn, you wanna jump in. More and more companies, more and more agencies are looking for FedRAMP High. DOD just put out a memo in the last couple weeks regarding reciprocity between IL5 and FedRAMP, and I think that's a great sign that shows, you know, the DOD CIO John Sherman, OMB, GSA are all kind of trying to work together to make this process a little better. I know we could talk about CMMC and reciprocity, but let's, you know, save that for later down in our discussion.

Carolyn Ford [:

So did I haven't seen that yet. So did it go as far as to say that if you're IL5, then you're grandfathered into FedRAMP High and vice versa?

Jason Miller [:

They weren't that, they weren't that exciting. No. No. No. I, you put me on the spot and try to remember what the memo said. I think what they're saying is there are, and I can make sure you all get a link to add it to your website. I think what they're saying is x amount of controls are in FedRAMP High or equal to IL5, but we also want you to do y, you know, x plus 5, x plus 10 more controls.

Jason Miller [:

So I think they're saying we want reciprocity up to a certain point, and then we want you to really, you know, think about some of the other ones. But let me make sure I'll get you that link so you all can post it. So make sure folks get it right. I don't wanna send folks down the bad path and have them go, Jason said, and then Jason was wrong because, I read the memo

Mark Senell [:

We appreciate that.

Carolyn Ford [:

Yeah. And the reciprocity piece, done a few pieces on the memo. Just, I'm wondering how agencies, industry have responded to that memo. Like, are they happy about it? Do they think it's really gonna, like, what's the temperature around the memo?

Jason Miller [:

I think generally speaking, folks are excited. There's still a lot of questions that need to be answered, and I think that's the issue we're having with the comments. Right? Submit your comments. Let them be real look at those comments. Let GSA and OMB get together, put their big heads together hopefully, and maybe even make some changes or decisions. I think there's a lot of excitement around automation. How can we add automation to this process to make it better, faster, cheaper? I think there's a lot of excitement over the changes to the Joint Authorization Board to create this FedRAMP board and then this technical advisory board underneath the new FedRAMP board. It's gonna be modeled very similar to the Technology Modernization Fund board, and I think that's a good sign that they found this model that seems to work for TMF.

Jason Miller [:

Can they then apply the similar model to FedRAMP? That way you don't have only 3 people trying to make all these JAB decisions, but a bigger board of 6 or 7 people, they can maybe take on more authorizations and look at them, but at the same time, get advice from a group of technical experts to keep the FedRAMP requirements up to date, modernized, and then also deal with, hey. This is a problem. How can we fix it? So I think those are some of the things I've heard. The questions revolve around how will things work, and is there gonna be more money, and how are they gonna address reciprocity again with whether GDIL, you know, the impact levels, or more broadly in how they're gonna get agencies to say, Dynatrace was approved by HHS. Can Interior then take it and then also, you know, do a, right, a short term review of it to get it into process more quickly.

Carolyn Ford [:

Mhmm.

Mark Senell [:

Yep. Yep. That'll be exciting to see happen. Now, what are you hearing about the reality of an overhaul taking place in, like, the timing and how quickly, you know, companies could see the benefits of this?

Jason Miller [:

I would say from a realistic and based on what I've seen over the last 25 years looking at the policies, you're not going to see a benefit of this as a company for 18 months. And I know some people maybe, you know, that may be the right, you know, the sadness meter just dropped. But think about the way organizations, governments specifically works. Once that final policy is out, there's an implementation plan. That implementation plan then takes time, resources, money. It's not like, okay. We'll flip a switch. There are some things that I think GSA and OMB can do more immediately.

Jason Miller [:

I think, you know, instituting OSCAL as a, you know, kind of that machine readable format language to help with reviews more quickly, add some automation, is something they could do more quickly. They put out, the GSA held an industry day back in November, and I will wag my finger at GSA to say they did not do a good job of making this public. They put the RFI or draft RFP behind the firewall, so no one could see it except for if you were on that specific alliance or GSA schedule contract. It's a soapbox a month. I could spend 20 more minutes on that soapbox. I will not torment you with that soapbox. But they held an industry day to bring in a GRC solution, and they made it, unfortunately, not invite only, but very private and instead of going wider to get better ideas. But I know they're looking at making an award for that GRC solution.

Jason Miller [:

Even if they put the RFP out in the next week and make the award in February, there's still 6 to 9 months to implement the GRC. So, again, this is why I say it's easily 18 months to really start seeing big changes.

Mark Senell [:

Well, you know, Carolyn, that, not great for us because we're already way down the path, in pursuing FedRAMP High. So

Carolyn Ford [:

And also 18 months sounds super fast to me. I mean, we're talking about the federal government.

Mark Senell [:

Well, the older we get, the faster time flies. Right?

Carolyn Ford [:

There we go. Yeah. Yeah. So

Jason Miller [:

You also you also Carolyn said I'm trying to be optimistic, and you went right cynical. So I thought I was supposed to be a cynical one in this conversation.

Carolyn Ford [:

Well, one of us have, you know, it's more fun if we each take a say.

Jason Miller [:

There you go.

Carolyn Ford [:

Jason, how do you feel about looking into your crystal ball and doing some predictions around FedRAMP? Beyond 18 months. So so, yeah, you've predicted about 18 months for some of

Mark Senell [:

these change to take place.

Carolyn Ford [:

For some of these changes to start happening. Do you wanna make any other predictions or you just wanna stick with that one?

Jason Miller [:

Yeah. Mostly, you know, I always like to quote Rocky 3 when people ask me for predictions. It's a big, you know, when Clubber Lang matches up with Rocky and, you know, he said, they asked him during the press conference, what's your prediction? And he just said pain. Pain. So, I don't wanna know. I mean, I think there's so many pieces and parts that are still moving with FedRAMP that it's hard to really say what changes and which ones will come and when. I wanna make sure I'm clear. I wanna give GSA and OMB credit.

Jason Miller [:

They don't sit on their hands. They're not just waiting and waiting and waiting. There are constant changes. If you follow the FedRAMP blog like I do, I think there's always something new happening. You know, Brian Conrad, who's running FedRAMP, is really out there speaking about it, really trying to get folks to be involved. So 18 months to, there's some of these big, big major changes, but I think there'll be some incremental change this year for sure. Which ones and what it looks like. You know, it's a guessing game at this point for me.

Mark Senell [:

I wanted to ask you a question about this, Jason, because you brought it up. So OMB and GSA kind of driving the train here around this. But what are you hearing about CISA's involvement in this whole process? Because I saw this in a recent interview that you had done, and it just made me start thinking, well, yeah. Isn't this right up their alley?

Jason Miller [:

So as we know, from the beginning of FedRAMP to JAB, DHS was called out. DHS, DOD and GSA were kind of the big 3 of the JAB, Joint Authorization Board. CISA had been included in some ways, but not as part of the JAB. The question in the OMB memo is where's CISA's role? There are some things that talk about CISA specifically, but a lot of it talks about DHS. And, you know, Mark, I think your question is one that's not answerable yet. And I think there's some concerns from what I've heard from folks at CISA. Well, shouldn't we really be involved? Shouldn't we take the lead? Not really the DOD CIO, I'm sorry, the DHS CIO's office.

Jason Miller [:

Because no offense to them, they're looking out for DHS, and CISA is looking out for government wide. And I think that's one of the big major changes we've seen over the last 10, 12 years is the role of CISA and the role of DHS. You know, NPPD did not play the same big role that CISA does today even though the organization is basically the same just with a new name. I think what CISA has done around CDM, what they've done around some of their other government wide initiatives has brought them into a good space for FedRAMP. I think that's one thing I will be looking out for in the memo to see if OMB and GSA make changes and specifically call out CISA or if they just call it DHS and then leave it to the DHS secretary and the leadership to say, I want CISA on this. I want the DHS CIO on this, or how that works. Mark, as you know, egos are big sometimes, and, I wanna be able to say I was on FedRAMP, and sometimes that can get in the way.

Mark Senell [:

Yeah. Okay. Interesting. Well, we'll see how that plays out for sure.

Carolyn Ford [:

Yeah. So okay. We got your predictions, pain.

Jason Miller [:

Pain. You're gonna do it right, Carolyn. Pain.

Carolyn Ford [:

We got your 2024 prediction. What about looking back over your career? What do you think the biggest impact, like things that have happened? Maybe CISA might be one of those things, but what do you think has had the biggest impact in the federal government over the last 25 years?

Jason Miller [:

The recognition that cybersecurity is not just that those people in the backroom's responsibility has really been the biggest change and impact. I'll tell you, if you permit me to tell a little story. Back in 2006, the Veterans Affairs Department lost the records of 26,000,000 veterans. They had some tapes stolen or lost some tapes out of the back of a truck. That was the biggest news story of the day, and it was all tapes. That's, you know, I can say I've never seen a tape, but there was tapes. I think that really kicked off this idea that, hey, people's information and data is really important, and we need to do better protecting it. The second one I'll offer is, DOD, within the year or so later, gave my news team back at Government Computer News the first real set of interviews about cyber attacks against their networks.

Jason Miller [:

And that was the first time they came out and said we are experiencing these huge cyber attacks. We had heard rumors and there have been stories about things called Titan Rain and other attacks that took over their network or tried to or stole data, but the DOD would never really talk too much about it. It was always kind of good reporting by journalists on background. And for whatever reason, DOD decided it was time to talk about it. And I think those two events really changed the approach to cybersecurity, changed the discussion around cybersecurity. And I think CISA is a huge benefit of that more openness, that more transparency, this idea that, hey, Carolyn. If we, instead of this idea that, well, I won't tell Carolyn and she won't tell me, and we'll both get hit by the same zero day because we were embarrassed or didn't wanna talk about it. So I think that transparency around cybersecurity, that understanding that, you know, rising tide lifts all boats.

Jason Miller [:

So, you know, we've heard that over the years. But when it comes to cybersecurity, that openness has been really the big, big change that we've seen. And I think, you know, the government gets a lot of bad press or a lot of, they don't get a lot of credit for making their cybersecurity better. But if you think about what's happened really since the OPM breach back in 2014, 2015 time frame, it's hard for me to point to any one cyber incident that has really taken the government offline, taken it by storm. Have there been some? I'm sure there are. Do we know about them? You know, there's less reporting on a major cyber attack, a major cyber incident. A lot of times what we find is, oh, that agency forgot to close a port or had some sort of software problem that potentially exposed data of hundreds of thousands of people. Bad.

Jason Miller [:

Don't get me wrong. But it's not, oh, the Chinese broke in and stole hundreds of thousands of people's data. And, yes, a lot of people will be very cynical, Carolyn, and say, well, that's because they already have it all. They took it from OPM. So why do they need to come back and take it again? And that's probably true. But I think the government has gotten a lot better around cybersecurity. And I think, you know, part of the reason is because places like CISA, OMB have become more collaborative with industry and because industry has been more collaborative with government.

Jason Miller [:

And I think that would be the one thing I'd point to as the biggest change, you know, that I've seen over the last 15, 20 years.

Mark Senell [:

That's really insightful. And it's true. You know? The government doesn't get the credit that they probably deserve, and this is one of those areas where they do a lot of good work. You know?

Carolyn Ford [:

Yeah. And I think it's really the first thing you said, that cybersecurity is everybody's responsibility. It made me think of a quote by General McChrystal. He talks about either putting your brains in the foot locker or taking them out of the foot locker. And it just reminded me of, yeah, we need to, you know, don't outsource our power, take our brains out of the foot locker. Like, we're responsible right down to the end user for our own cybersecurity. The guys driving the truck, you know, all that data with those tapes, which I'm imagining, like, cassette tapes. Yeah.

Mark Senell [:

No. No. Like, real real real reels.

Carolyn Ford [:

Like, movie reels?

Jason Miller [:

Yeah. Like that. Do

Mark Senell [:

Do you remember in the eighties, the movie, War Games with the Yeah.

Jason Miller [:

Yeah.

Mark Senell [:

You know, the big reel to reel

Carolyn Ford [:

Oh, okay. Okay. Okay. Yeah. Wow.

Jason Miller [:

Yeah. Goes back. So, you know what? I think the other one I'll just point to highlight is, you know, back again, 2006 time frame, we had written a story, and the story was titled It's All About the Data. Mhmm. And it was, we had this great artist at the time, a graphic artist who put together kind of this Roman or Greek figure and pointing. And I don't remember exactly what it was, but it was this kind of very, kinda like, it's all about the data. And I think that's something that we started talking about years ago. But the more we talk about it, the further away we get from that 2006 kind of first, woah, right, moment.

Jason Miller [:

It really is all about the data. Everything is data driven now. You know, we don't write a story without someone saying, well, we gotta be better at making data driven decisions. So I think that's probably the other thing I'll kinda throw at you as a big change is understanding the power, the value, and the need to have better, faster, data, easier to use, secure, and the like. I think some of these things have come to be, the more over to the forefront. The ball keeps bouncing.

Carolyn Ford [:

Yeah.

Mark Senell [:

Yep.

Carolyn Ford [:

I love it. So all about, you know, transparency around cybersecurity attacks, the collaboration between industry and government. I've seen that in my career with government. A lot more willingness to collaborate with government and industry. Okay. I'm gonna take us to our Tech talk questions. Just our kinda quick fun questions, Jason.

Carolyn Ford [:

And, Mark, unless you have any more serious questions to throw at Jason.

Mark Senell [:

No. Let her rip.

Carolyn Ford [:

Tech Talk's very serious. So alright. As a reporter, Jason, how do you stay abreast of the latest tech news coming from the federal government?

Jason Miller [:

Yes. So much of what we do is going to events. Going and listening and talking to people. I always tell folks whenever I go to an event, I'm there for two reasons. Reason 1 is of course looking for news. But reason 2 is just to listen and learn. And I think that's the most powerful thing we can do. You know, there'll be plenty of opportunities to sit on a webinar, a panel, go to a breakfast, and there's no news that comes from it.

Jason Miller [:

But I've learned something that maybe it clicks and creates a bigger story. Oh, you know, I keep hearing this thing. Maybe that's a bigger story, a trend that I wanna highlight. Sometimes it's just about meeting people, and you say to somebody, hey. You mentioned x y z. Can you talk more about it? And they go, not at this time, but give me, you know, a month, call me in 2 months and we'll have a lot to say in 2 months. And I'll say, oh, okay. Great.

Jason Miller [:

So much of what we do is just showing up and being part of the discussion. So I think that that's a big piece of it. The other thing is, you know, we spend a lot of time reading press releases, reading reports, reading, you know, GAO and IG reports. I'm not a big fan of IG and GAO reports to say, okay. This is what's exactly happening. But, you know, I'll give you my trick, Carolyn, and this is not a big secret. But, always whenever you read an IG report or GAO report, you gotta read the last page first. What did the agency's comments say? Because that's really what's happening today.

Jason Miller [:

If you read what the GAO found, it's a lagging indicator. And if you think about it, right, if someone comes to your company and says, hey, you have this problem. By the time you potentially file it in your SEC filing or whatever it is, it's 6 months old or a month old and you've already started to address the problem because you're not gonna let a problem sit until the report comes out. So in some ways, you know, GAO reports and IG reports as an example aren't the news. It's what the agency's response is because that's what's changed.

Mark Senell [:

That's what we're saying. Up, Jason.

Jason Miller [:

Yeah. We spend a lot of time just doing those things, kinda understanding, learning, and listening.

Carolyn Ford [:

I mean, I'm not asking you to endorse any events, but I'm wondering if you have, like, your 2 or 3, like, events that you will not miss for the year.

Jason Miller [:

Events. Wow. I think that there's so many events that happen. Yeah. Mostly, we look at them on a case by case basis. But I think the ones we generally go to are, ACT-IAC has their 2 big conferences. One's been in Hershey in October time frame, Imagine Nation, and then the other one has been sometimes at the Hyatt in Cambridge, Maryland.

Jason Miller [:

They have a different name for it. But anyways, those are always 2 good ones because they bring a lot of good people together, and it's kind of like, it's nice to kinda not have the feds and industry show up and leave because they're in D.C. and they have to get back to their office for a big meeting. So there's a little more time you get, a little more social atmosphere. But also people tend to come with good discussion points. I personally try to do most of the big AFCEA events. AFCEA Bethesda has their health IT coming up that I'm moderating at the end of January. They have a law enforcement day coming up. Those are good ones.

Jason Miller [:

Again, the same reasons. They bring a lot of really good people together, and they wanna really push out kind of what's happening in this space. And the other ones I never miss, AFCEA NOVA does their Army IT day, Navy IT day, Air Force IT day. Those are day long events in the DC area that are just super, even if, you know, I don't spend a ton of time covering DOD. I have colleagues who spend much more time and much more knowledgeable. But I love going to those because the quality of speaker and the quality of discussion that happens, again, you learn so much from that. I was just at the recent Army IT Day.

Jason Miller [:

And again, we walked away with a bunch of ideas and concepts and trends and the like. There's plenty I'm missing. I'm sure my friends at AFFIRM will be unhappy with me that I didn't mention their monthly stuff. And I'm sure that there are other events that are really worthwhile.

Mark Senell [:

Those are good ones.

Carolyn Ford [:

Yeah. Those are good things

Mark Senell [:

that list.

Carolyn Ford [:

Alright, Mark. You get to last ask the last question before we launch.

Mark Senell [:

Okay. So, Jason, other than Carolyn and me or even our own Willie Hicks, who's the most interesting person or persons that you've interviewed or the story that you've covered?

Jason Miller [:

Most interesting person or people I've interviewed. Wow. Someone asked me once just recently, what was your favorite interview or favorite story? And I'm always like, wow. I don't really think of it. Like, right? Like, you have no favorite kids, you have no favorite animals, you know, dogs, cats. They're all wonderful in their own way.

Carolyn Ford [:

Oh, I do.

Mark Senell [:

Or something like that.

Carolyn Ford [:

I have favorites.

Jason Miller [:

I feel like, I will offer this. Anytime I get to go to the White House or the Old Executive Office Building, I was there recently for a CX anniversary event, it's always a great feeling. No matter the administration, no matter who I'm talking to, no matter the level they're at, it's just a good feeling to say, hey. I always kinda tell my family, I can't talk to you today. I'm going to the White House. Right? Like, it's become a joke over the years. And it's not because I feel like I'm, it's just a great place to be. It's a good feeling to be.

Jason Miller [:

And at the same time, I think there's a lot of federal agencies you walk into and you just are amazed by the beauty of the agency themselves. Right? The old buildings that were built, you know, 70, 80, 90 years ago and the archi You know, the Interior Department has some great murals that I didn't realize were there until one of their CIOs gave me a tour once. The Archives, I got a special tour once of the Archives, kinda underneath the Archives. They showed me where all the drawers are, and they were like, don't touch anything because you don't have white gloves on, but they showed me that back room.

Mark Senell [:

Oh, that's neat.

Jason Miller [:

Yeah. I got to see, we did a story about architecture of the National Archives building, but not architecture like enterprise architecture, which bores everyone, but actual, like, where the wires go to get the high speed Internet and the network cables and how they made changes to that. This is years ago. And I thought that was really interesting. And then you meet a lot of people who just do their job every day really well. And one of the things my wife has always kinda made fun of me for is that whenever people, if we're at a party or meeting people or whatever and people talk about, oh, the government. Right? I always am a big defender of the people who work for the government. They're not all perfect, and they're not all always doing the, you put on quotes here, right thing, but there's so many great people who work for the government who wanna do the right thing or trying to do the right thing, that work hard every day, that don't just show up at 9 and leave at 5 and take a 2 hour lunch.

Jason Miller [:

They're some of the best people who just do the day to day, the week to week, the hour to hour to make things work. So I always remind people when they complain, I say, are you complaining about the government or are you complaining about Congress? Because did you eat food today? Oh, yeah. I ate food today. Was that food safe? Are you in the bathroom right now throwing up because you had food poisoning? No. Okay. That's the government. Did you drive today? Oh, yeah. Oh, on roads? Oh, yeah.

Jason Miller [:

Well, that's the government. Do you have any people in your family that get Social Security or veterans benefits? Oh, yeah. I do. Did they get their checks? Oh, yeah. That's the government. So we always have to kinda remind people about what the government does and the impact they do. And unfortunately, the government doesn't do a great job of selling their own story.

Jason Miller [:

And while our audience is government industry like you all, we think part of our goal is to kind of make sure people know that there's a lot of good and important work that happens. And at the same time, we don't shy away from calling out bad things too, but, you know, we don't start, you know, any interview or any story with, okay, Mark. Okay, Carolyn. When did you stop stealing the money? Come on. Just tell me when you stop stealing the money, and then we can get to the real stuff. You know, you start with the positivity and believe people do a good job, and that's, you know, why I've been doing this for 25 years. Right? I I

Mark Senell [:

That's great.

Jason Miller [:

Every day I like to get up.

Carolyn Ford [:

I love it.

Mark Senell [:

That's great. That's a great way to end the podcast.

Carolyn Ford [:

That is the perfect way to end the podcast. Yeah.

Mark Senell [:

Yeah.

Carolyn Ford [:

And I wholeheartedly agree. Thank you so much, Jason, for your time, your insight. This was really fun.

Jason Miller [:

Well, my pleasure. My pleasure. It's always fun to be, as I said, on the other side of the questioning once in a while and, you know, thanks for having me on.

Mark Senell [:

We very much appreciate you being here.

Carolyn Ford [:

Yeah. And thank you listeners for joining. Share this episode, smash that like button, and we will talk to you next time on Tech Transforms.

About the Podcast

Tech Transforms
Tech Transforms talks to some of the most prominent influencers shaping government technology.

About your hosts


Carolyn Ford

Carolyn Ford is a passionate leader, doer, adventurer, guided by her father's philosophy: "leave everything and everyone better than you found them."
She brings over two decades of marketing experience to the intersection of technology, innovation, humanity, and the public good.

Carolyn Ford

Carolyn Ford is passionate about connecting with people to learn how the power of technology is impacting their lives and how they are using technology to shape the world. She has worked in high tech and federal-focused cybersecurity for more than 15 years. Prior to co-hosting Tech Transforms, Carolyn launched and hosted the award-winning podcast "To The Point Cybersecurity".