Building a DevSecOps Culture

As software becomes more sophisticated, it plays an increasingly important role in all aspects of government operations. However, given the complexity and intertwined nature of modern software, any vulnerability could have wide-ranging consequences, which makes security of vital importance. The federal government has taken notice. A number of recent policy directives address issues related to the software supply chain, and key agencies are leading a governmentwide effort to promote secure software development, including the Executive Order on Transforming Federal Customer Experience and Service Delivery to Rebuild Trust and the Executive Order on Improving the Nation’s Cybersecurity. Learn how you can implement DevSecOps to support your journey to secure, innovative software in Carahsoft’s Innovation in Government® report.

 

The Mindset Shift that Enables DevSecOps

“In an ideal world, technology and processes support team members’ ability to deliver on their particular talents. Before agencies implement DevSecOps methodologies, they should identify where their processes are getting bottlenecked and forcing people to either work around them or fundamentally change their behavior. Instead, we want to make it easy for employees to do the right thing. The goal is to enable people to focus on what they do best — regardless of where they operate in the stack or the tools they are using — so that agencies can build and deploy secure, modern apps.”

Read more insights from Alex Barbato, Public Sector Solutions Engineer at VMware.

 

How Generative AI Improves Software Security  

“Generative AI tools are becoming increasingly prevalent, providing interactive experiences that captivate the public’s imagination. These tools are accessible to anyone, offering a unique opportunity to engage and explore the creative possibilities enabled by AI technology. The technology doesn’t just train a model to recognize patterns. It can create things that are easy to understand: images, text, even videos. Sometimes the results are hilariously wrong, but other times the results are quite impressive, such as clear, concise answers to complex questions. Generative pre-trained transformer (GPT) technology, such as ChatGPT, has opened the doors for everyone to be an evaluator because the output is accessible and easy to critique.”

Read more insights from Robert Larkin, Senior Solutions Architect at Veracode.

 

Open Source is at the Heart of Software Innovation

“Embedding security into applications from the start is essential for streamlining and strengthening the entire development life cycle. Securing the software supply chain is a related effort that is of vast importance to government operations. Beyond securing individual applications, the ultimate goal is to build security into the pipeline itself. At each step and every handoff, we must be able to verify who has touched the software and who did what to ensure that the end result is what we intended to build and that nothing malicious has been injected along the way.”

Read more insights from Chris Mays, Staff Specialist Solutions Architect at Red Hat.

 

DevSecOps Needs Tool Diversity and Collaboration

“As DevSecOps methodologies and software factories grow in prevalence, agencies are recognizing that software development is a team sport — inside the agency, across departments and with external stakeholders. It touches many different teams, but getting everyone on the same page with tooling can be difficult. Different teams prefer different tools, and that makes collaboration hard. Modern software development brings security practices forward in the timeline while reducing duplication of efforts and improving real-time accountability. Success hinges on removing blockers, creating visibility and making sure collaboration is happening at every stage. In addition, encouraging input from different areas of the organization from the beginning and throughout development is vital for innovation.”

Read more insights from Ben Straub, Head of Public Sector at Atlassian.

 

Observability Speeds Zero Trust and Application Security

“In response to increasing cyberthreats, the government is speeding up the move to zero trust. This security model assumes that every user, request, application and non-human entity is not to be trusted until its identity can be verified. Zero trust principles require a layered defense that is more effective when rooted in observability. To develop an architecture that validates and revalidates every entity on the network, it is necessary to know what those entities are, how they’re communicating and how they typically behave so we can recognize deviations. Zero trust and observability technologies work together to create a more secure and resilient network environment by assuming that all requests for access are untrusted and continuously monitoring the network to detect and respond to potential threats.”

Read more insights from Willie Hicks, Public Sector Chief Technologist at Dynatrace.

 

The Role of a Service Mesh in Zero Trust Success

“For large companies and government agencies, it’s safe to assume that a committed attacker is already inside their networks. Executive Order 14028 mandates that every federal agency develop a Zero Trust architecture because it is the most effective approach to mitigating what attackers can do once they’ve made their way inside. What does Zero Trust look like at runtime? One of the key considerations is identity-based segmentation, which involves conducting five policy checks for every request in the system: encrypted connection between service endpoints, service authentication, service-to-service authorization, end user authentication, and end user-to-resource authorization.”

Read more insights from Zack Butcher, Founding Engineer at Tetrate and co-author of the NIST SP 800-200 series and SP 800-207A.
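
The five per-request checks named in the quote above can be read as an ordered, deny-by-default evaluation. The sketch below is an added example, not code from Tetrate, NIST or the report; the trust domain, service names, roles and policy tables are constructed, and the user claims are assumed to come from a token whose signature was already verified upstream.

```python
from dataclasses import dataclass, field, replace
from typing import Optional

# All identities, roles and policy entries below are constructed sample data.
NOW = 1_700_000_000                      # fixed "current time" for a repeatable run
TRUST_DOMAIN = "spiffe://agency.example/"
FRONTEND = TRUST_DOMAIN + "ns/web/sa/frontend"
BATCH = TRUST_DOMAIN + "ns/jobs/sa/batch"

# Which workload identity may call which service.
SERVICE_AUTHZ = {(FRONTEND, "records-api")}
# Which user role may perform which method on which resource.
USER_AUTHZ = {
    ("caseworker", "GET", "/records"),
    ("supervisor", "GET", "/records"),
    ("supervisor", "DELETE", "/records"),
}


@dataclass(frozen=True)
class Request:
    mtls: bool                     # connection is mutually authenticated and encrypted
    peer_identity: Optional[str]   # identity from the verified client certificate
    target_service: str
    user_claims: Optional[dict]    # claims from an already-verified user token
    method: str
    path: str


@dataclass
class Decision:
    allowed: bool = False
    failed_check: Optional[str] = None
    passed: list = field(default_factory=list)


def resource_of(path: str) -> str:
    """Map '/records/42' to the protected resource '/records'."""
    segments = [s for s in path.split("/") if s]
    return "/" + segments[0] if segments else "/"


def evaluate(req: Request, now: int = NOW) -> Decision:
    """Run the five checks in order; the first failure denies the request."""
    claims = req.user_claims or {}
    checks = [
        ("encrypted connection",
         lambda: req.mtls),
        ("service authentication",
         lambda: bool(req.peer_identity)
         and req.peer_identity.startswith(TRUST_DOMAIN)),
        ("service-to-service authorization",
         lambda: (req.peer_identity, req.target_service) in SERVICE_AUTHZ),
        ("end user authentication",
         lambda: bool(claims.get("sub")) and claims.get("exp", 0) > now),
        ("end user-to-resource authorization",
         lambda: (claims.get("role"), req.method, resource_of(req.path))
         in USER_AUTHZ),
    ]
    decision = Decision()
    for name, check in checks:
        if not check():
            decision.failed_check = name   # record which layer denied, for audit
            return decision
        decision.passed.append(name)
    decision.allowed = True
    return decision


def sample_requests() -> dict:
    """Constructed requests, each differing from the valid one in one respect."""
    good = Request(
        mtls=True, peer_identity=FRONTEND, target_service="records-api",
        user_claims={"sub": "u-1001", "role": "caseworker", "exp": NOW + 300},
        method="GET", path="/records/42",
    )
    return {
        "valid": good,
        "plaintext": replace(good, mtls=False),
        "unknown_workload": replace(good, peer_identity=None),
        # A valid user token presented by a workload that may not call the API.
        "token_from_batch_job": replace(good, peer_identity=BATCH),
        "expired_token": replace(
            good, user_claims={**good.user_claims, "exp": NOW - 1}),
        "caseworker_delete": replace(good, method="DELETE"),
    }


if __name__ == "__main__":
    for label, req in sample_requests().items():
        d = evaluate(req)
        print(f"{label:22} allowed={d.allowed!s:5} denied_by={d.failed_check}")
```

The `token_from_batch_job` case shows why the service-level checks sit in front of the user-level ones: a user token that is valid in itself is still refused when it arrives from a workload with no authorization to call the target service.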

 

AI and the Journey to Secure Software Development

“By automating and optimizing DevSecOps workflows, we can still shift security left while relieving developers from the burden of some complex remediation. It begins with a workflow that leverages fully automated security scanning to rapidly identify vulnerabilities as well as providing suggested remediation for vulnerabilities and on-demand remediation training to educate developers on what they are getting into. The rapid evolution of artificial intelligence is making new advances possible. The opportunities go well beyond AI-assisted code creation. AI features are being expanded across the entire software development life cycle. When it comes to security, having AI assist by making code functionality clear or explaining a vulnerability in detail reduces the time required to remediate risk.”

Read more insights from Joel Krooswyk, Federal CTO at GitLab.

 

Scaling App Development While Meeting Security Standards

“The dream for any software development team is constant, stable releases. The faster teams get the work they’ve created into production, the faster the agency can derive value from that work. When app development is stymied by cumbersome security reviews and stability testing and by the need to wait for a deployment window, innovation is stifled and the return on investment is delayed. If agencies want to have efficient, value-driving software development teams, those teams must be able to move with agility. A trustworthy, scalable DevOps pipeline that brings together testing and security in a seamless way allows teams to push out new apps and improvements quickly so government employees and citizens can have a seamless digital experience and the most up-to-date tools and information.”

Read more insights from Kyle Tobener, Head of Security and IT at Copado.

 

Join us in-person for our must-attend DevSecOps Conference—an exciting day of exhibits, speaking sessions, and networking events. We look forward to showcasing new DevSecOps updates from our supporting panels featuring government, systems integrators, and industry thought leaders.

Download the full Innovation in Government® report for more insights from DevSecOps thought leaders and additional industry research from FCW.

A Unified Identity: Login and Customer Experience

While in-person services used to be the primary channel of access to Government services, this is no longer the case as more customers turn to digital services. To provide excellent Customer Experience (CX), the Government must prioritize creating digital channels for customers to sign up, apply for and purchase Government services. During Carahsoft’s 2023 Customer Experience and Engagement Summit, panelists discussed how agencies can create an easy-access experience for customers that is unified across all Government agencies.

Simple, United Services

Customers want easy access to services, and this requires a secure, trusted, personal Government-issued digital identity. Having an individualized login allows customers to establish their identity online before completing important tasks, such as making child support payments or searching for unemployment insurance. To be as secure and validated as possible, these logins should be operated by an organization that does not have a motive to leverage private information to sell customer data for profit.

To maintain the core principles of effective customer service, logins should have a common set of controls that validate digital identities. To create a reliable login account, there are three core principles to follow.

  1. Logins must be usable by everyone including constituents without a bank account or a home. Employees cannot have implicit biases and must be ready and willing to serve everyone.
  2. The data that people provide must always remain private. With a Government-issued digital identity, customers will be providing sensitive information to prove their identity. This must be protected to preserve trust in the Government.
  3. Programs should be based on private sector technologies. Government agencies do not need to reinvent or reimagine technology. Rather, they should leverage products that are already built well and bring them together in a way that employs the best innovation in the private sector.

The Benefits of Accessibility

Having a digital identity could allow customers to have a single account that is accessible across Federal, State and Local Government. When customers need to transfer to a different department, an identity-tied login creates an easy way to share their history with new agencies. Centralized login accounts can connect the customer through various platforms, such as email, phone call, in-person and online. IT (information technology) is one of the few categories that has a spending increase into the double digits, which reinforces technology as the primary trend in Government innovation.

As with any digital ability, security concerns must be addressed. Since control of login credentials allows control of identity and data, agencies need to know that the person who is logging in is not an impersonator. Privatizing accounts and their login information keeps that information from being manipulated or sold.

Government agencies are in the best position possible to combat this. The White House allocated agencies a budget to address CX initiatives. Panelists expressed that many excellent partners in the industry are ready to deliver on these cybersecurity initiatives. For the first time, CX is part of the President’s Management Agenda. The entire administration unified around the agreement that CX is vital to the Government, and the digital sphere must be the first step in reconstructing CX. With this support, agencies can spearhead the movement in providing simple, effective and secure service to elevate CX.

 

Check out the rest of the 2023 Government Customer Experience series to learn more about Carahsoft’s insights from CX industry thought-leaders at the summit.

To learn more about the latest in the CX landscape and how Carahsoft’s industry-leading partners can support your Customer Experience initiatives, please visit our resource hub to access all on demand recordings and information from the 2023 Government Customer Experience and Engagement Summit.

Four Lessons I Learned from My Company’s Response to the SUNBURST Attack

Saturday, December 12, 2020, is a day I’ll never forget. That was the day I learned nation-state threat actors had exploited our software in what would later be known as SUNBURST. Because it’s been written about thousands of times before, I won’t rehash the particulars of the event itself here. Instead, I’d like to share four lessons I learned about how to respond to a large-scale cyberattack.

1. The first days: Preparation helps control the chaos

I often refer to the days immediately following December 12, 2020, as “controlled chaos.” The chaos portion is self-explanatory, but what about the “controlled” part?

Simply put, we were in control the entire time, no matter how chaotic things seemed, because we’d prepared for such an incident. We ran tabletop exercises, planned for different scenarios, mapped out hypothetical intrusions, tested our response methods, and looked for and plugged potential security holes. We also built an incident response team comprised of representatives from across the company. It included members from our security, legal, marketing, IT, and engineering teams, and our board of directors.

As you plan your threat response, consider the following:

  • Do you have a cybersecurity incident response playbook?
  • Have you performed tabletop exercises and run various attack scenarios?
  • Do you have the right people on the incident response team—a good mix of strategic and tactical expertise?
  • Do you have ways to contact people, even on the weekend (or during a pandemic)?
  • Do you have a list of backup contacts in case someone isn’t available?
  • Do you have alternative communication methods established in case you cannot trust your existing ones?

2. The initial weeks: Separating teams creates an agile and efficient response

We quickly learned we needed to split our team into different groups for an agile and efficient response. Thus, one big team became multiple smaller teams, each overseen by leaders within their respective organizations (i.e., the legal team was led by our general counsel, the engineering team by our head of engineering, and so forth). These teams would work independently, then reconvene each evening to share what they learned, discuss solutions and ideas, and so on.

Having different teams allowed individuals to focus on each facet of the response. For example, engineering could focus on how the attack affected our build while IT investigated how the attackers got in. The communications team created responses for customers, partners, and the press, and what ultimately became the government affairs team devised a plan to contact various government agencies.

We also learned organizing these teams was impossible without a third-party “quarterback.” So, we brought in an external organization to coordinate our teams’ work. They set up meetings and ensured everyone was on the same page and information was being shared.

As you coordinate your teams, ask:

  • Do we have a plan in place to get teams together?
  • Do we have a third-party “security helper” on call or retainer? (This is often a good insurance policy)
  • Do we have enough teams to cover every aspect of our business?

3. The following weeks and months: Unbiased partners help amplify the truth

At the time, there was a lot of misinformation floating around. We were being outnumbered, out-marketed, and out-communicated. And unfortunately, social media made misinformation spread like wildfire—and made it equally hard to extinguish.

To help, we partnered with reputable and experienced organizations like the Cybersecurity and Infrastructure Agency (CISA), Krebs Stamos Group, and others. The organizations performed forensics while amplifying the truth about the attack, helping people understand this was not just an isolated incident.

Amplifying the truth was the only agenda our partners had. Sadly, that’s not the norm. I discovered many organizations out there want to promote their brand or have ulterior motives. Fortunately, the organizations we worked with had no such baggage.

Indeed, they allowed us to focus on ensuring our customers were in the right state. We wanted to be there to answer their questions, assure them, and, most of all, make sure they were secure and protected. Our partners helped us block out the noise so we could focus on helping our customers.

To summarize:

  • Bring in the correct partners and add new partners as necessary
  • Watch out for hidden agendas
  • Prioritize what’s most important to you (For us, our customers were our top priority)
  • Don’t spend time responding to every inaccuracy; it will only distract you from your priorities
  • Stay focused

4. The final months: Going above and beyond leads to an exemplary outcome

As the months wore on, I remember a colleague telling me, “If you’re going to come out of this, you have to be special. It won’t be enough just to fix the issue. You need to really go above and beyond.”

As it turns out, we fixed the issue—but did much more than that. We found the source for SUNBURST and made it publicly available. We testified before the U.S. House and Senate. We implemented assistance programs to help our customers. We held briefings with the FBI and other global law enforcement agencies.

We ensured the world knew what we were doing and why we were doing it. In being transparent, we were helping others understand what we went through so they could better protect themselves. It’s not enough to be transparent, of course. To get through it and come out stronger, we needed to have products and services people love and enjoy using, which leads me to three final recommendations:

  • Be open and honest throughout the entire process
  • Communicate early and often—not just to your customers, partners, and employees but to the world
  • Make the type of products you would want them to use, and make them Secure by Design

The months have turned into years. The tenets of transparency and humility have served us well. The SUNBURST incident has turned into a catalyst for good. Supply chain security is now front of mind for many. Executive orders and cyber security strategies are leading us towards attestation for software security. Executive and boardroom conversations have security as a necessary topic, and the security defenders of the world are being looked upon for guidance in managing cyber risk.

The investigation into SUNBURST formally concluded in May 2021—six months after the attack was first uncovered. But I like to think our response to the attack will live on for much longer. Because what started as a dark day in December 2020 made us a stronger, more resilient, and better company. I hope the lessons I learned can help you do the same.

Contact our team today to learn more about how SolarWinds can support your organization’s software and cybersecurity mission.

Utilizing Data to Improve in Customer Experience

The main goal in customer service is to provide for customer needs and preferences. Through data and feedback, agencies can revitalize and refocus services to best support customers. At Carahsoft’s 2023 Government Customer Experience and Engagement Summit, panelists reviewed the usage of data in improving the customer experience (CX).

Maintaining Pace with Customer Needs

Expectations from customers have changed rapidly. The pandemic forced customers to increasingly operate via the internet, from important telehealth visits with doctors to completing the mundane task of buying groceries. To match audience needs, Government services must follow suit and digitize.

While digitization is vital, agencies must begin by investing energy and resources into the foundation of CX. To create successful digitization, agencies must focus on swiftly delivering value. Components such as success, personalization and digital equity will follow naturally. Implementing iterative feedback strategies and routines to talk one-on-one with the people directly involved refines usability in agency services.

Providing Equitable Service Through Data

Creating swift and efficient Government services can be difficult and gathering data on customer feedback is the key to improving them. By collecting data through live user testing, agencies can demonstrate how well services are working. This insight can be utilized to encourage the Federal Government to continue or increase funding for State and Local initiatives.

Agencies should encourage reviews as much as possible. By gathering feedback, agencies can use the information gained from data to implement measures that ease the processes customers carry out. Feedback on digital services can be used by agencies to revitalize their websites around customer needs. Digital services should be simple, accurate, equitable and accessible. Sometimes, this means agencies will need to continue redesigning initiatives, even if they performed adequately in test cases. While this can be cumbersome, being equitable for all users is a vital part of customer service. Pilot programs and generative artificial intelligence can ease this process and aid in experimenting with new technologies or designs.

With the overwhelming switch to digitization and the automation process, agencies must not lose sight of maintaining security standards to protect the sensitive information they hold. Implementing data protection and resiliency ensures that in case of data loss, agencies can get services back up and running again.

Equitable service means considering the audience. Whether the audience even has access to technology or in-person services is a large factor in how CX is provided. For services geared for older customers, such as Medicaid, physical copies may be necessary to reach a large part of the audience. Some customers may need help accessing information. Government agencies can make a difference in these communities by offering additional assistance, including teaching seniors how to use technology or signing them up for medication deliveries. Without considering the audience, and without providing an extra helping hand, Government agencies cannot ensure equitable and proper service to their customer base.

Ultimately, agencies need to stay relevant, accurate and up to date with customer needs while also recognizing that it takes time and effort to perfect services. However, by interpreting data to consider different perspectives and needs, and by applying that data to expand support services and platforms, agencies can provide excellent customer service and experiences.

 

Read the previous blog and check back soon to read the rest of Carahsoft’s insights from CX industry thought leaders at the summit.

 

To learn more about the latest in the CX landscape and how Carahsoft’s industry-leading partners can support your Customer Experience initiatives, please visit our resource hub to access all on demand recordings and information from the 2023 Government Customer Experience and Engagement Summit.

Ransomware Protection for Kubernetes Data in the Public Sector

Kubernetes is a powerful platform for deploying and managing containerized applications in the cloud. It offers many benefits such as scalability, portability, resilience and automation. However, Kubernetes also poses some challenges when it comes to data protection and security, especially in the public sector where sensitive data and compliance regulations are involved. That’s why we are excited to continue our strategic partnership with Carahsoft Technology Corp., the leading government IT solutions provider, to deliver Kasten K10 by Veeam, the market-leading Kubernetes data protection solution, to public sector customers across the U.S.

In this blog post, we will explore some of the common issues that public sector organizations face when using Kubernetes, and how Kasten K10 by Veeam can help them overcome these challenges with a simple, secure and scalable solution for Kubernetes data protection.

The challenges of Kubernetes Data Protection in the Public Sector

One of the main challenges of Kubernetes data protection in the public sector is the complexity and diversity of the Kubernetes environment. Kubernetes clusters can span multiple clouds, regions and zones, and contain hundreds or thousands of applications and microservices. Each application may have its own data sources, dependencies and configurations, which need to be backed up and restored consistently and reliably.

Another challenge is the security and compliance of the Kubernetes data. Public sector organizations often deal with sensitive data such as personal information, health records, financial transactions or national security secrets. These data need to be protected from unauthorized access, modification or deletion, as well as from external threats such as ransomware attacks. Moreover, public sector organizations need to comply with various regulations and operate in secure environments, which requires cluster deployments in compliant hybrid environments such as AWS GovCloud and Red Hat OpenShift.

A third challenge is the scalability and performance of the Kubernetes data protection solution. As Kubernetes clusters grow in size and complexity, so does the amount of data that needs to be backed up and restored. Public sector organizations need a solution that can handle large volumes of data without compromising the availability or performance of the Kubernetes applications. They also need a solution that can scale up or down as needed, without requiring manual intervention or complex configuration changes.

The Solution: Kasten K10 by Veeam

Kasten K10 by Veeam is a purpose-built solution for Kubernetes data protection that addresses all these challenges and more. Kasten K10 is designed to simplify and automate the backup and recovery of Kubernetes applications and their data across any environment. It offers the following features and benefits for public sector organizations:

  • Application-centric approach: Kasten K10 treats each Kubernetes application as a unit of backup and recovery, rather than individual containers or volumes. This ensures that the application state and dependencies are preserved across backups and restores, regardless of where they are running or how they are configured.
  • Policy-driven automation: Kasten K10 allows public sector organizations to define backup policies based on application metadata such as labels, annotations, namespaces or clusters. These policies can specify the frequency, retention, location, encryption and compression of the backups, as well as any custom actions or hooks that need to be executed before or after the backup. Kasten K10 then automatically applies these policies to the matching applications, eliminating the need for manual backups or scripts.
  • Secure and compliant data protection: Kasten K10 encrypts all backup data at rest and in transit using AES-256 encryption keys that are stored in a secure key management system. Kasten K10 also supports role-based access control (RBAC) and audit logging to ensure that only authorized users can access or modify the backup data. Additionally, Kasten K10 provides ransomware protection by creating immutable backups that cannot be overwritten or deleted by malicious actors.
  • Scalable and performant architecture: Kasten K10 leverages a distributed architecture that scales with the Kubernetes cluster. It uses parallelism and deduplication to optimize backup and restore performance and reduce the storage footprint. It also supports incremental backups and restores to minimize the network bandwidth and application downtime.
  • Application portability: Kasten K10 enables public sector organizations to ensure application portability across diverse Kubernetes environments by using Transform Sets. Transform Sets are a set of rules that can modify the application configuration during backup or restore, such as changing namespaces, labels, annotations, storage classes, or secrets. This allows public sector organizations to migrate their applications from one cluster to another, or from one cloud to another, without breaking their functionality or security.

Next Steps

We hope this blog post provided valuable insights into how Kasten K10 by Veeam can help you protect your Kubernetes data in the public sector. If you want to learn more, here are some next steps you can take:

Watch this video to see Kasten K10 in action and learn how it can simplify and automate your Kubernetes data protection workflows: https://youtu.be/gu3J6ZeWwK8

Try the full-featured and FREE edition of Kasten K10 today with this super-quick installation in less than 10 minutes: https://www.kasten.io/free-kubernetes

Don’t miss this opportunity to take your Kubernetes data protection to the next level with Kasten K10 by Veeam and Carahsoft. We look forward to hearing from you soon! Download our full Gorilla Guide to Securing Cloud Native Applications on Kubernetes.

Transforming Digital Services and Modernizing Risk Posture in Colorado

Throughout Colorado State and Local departments, utilizing emerging technology is imperative to combating cyber threats and improving efficiency. At the Carahsoft Digital Transformation Roadshow in Denver, Colorado, Government IT and industry leaders engaged in dynamic discussions around transforming Colorado through technology.

Transforming Technology in Government

Reducing technical debt is a pivotal step in transforming the way Colorado responds to citizens and facilitates digital services. Modernization contributes to building a streamlined constituent experience, enabling data integration for better decision-making and lowering the cost of ownership. That further requires top technology talent to redesign aging technology systems and deliver better outcomes for the state.

The Digital Government strategic plan gathered over 2,000 Coloradans to understand their experience with Digital Government. The group heard from citizens requesting easier forms and more accessible Government services. From that survey, the administration learned that State and Local departments can make an impact through three initiatives: expanding broadband access, making Government accessible by reducing the burden of access for constituents and reducing poverty.

Change and increased needs seem to be the only constants in today’s world. Workloads are ever increasing and requirements from new and unexpected sources are creating backlogs that are becoming critical. This can put an incredible burden on plans, resources and personnel. The next step is looking at how technology and innovation can improve these new processes and address new demands through live chats, Artificial Intelligence (AI) modeling, etc. There is immense opportunity for Local agencies in Colorado to use this technology to make workflows more efficient, learn about their citizens and offer that instant gratification that customers have come to expect.

One of the biggest challenges Local Government faces is the interoperability across departments to share resources and capabilities. By focusing on utilizing new technologies to encourage that interoperability and optimize through data, user experience improves. There also must be a balance when handling sensitive data within these departments, as well as an effort to avoid technology sprawl and cost complexity. Automation and AI are foundational when it comes to daily operations and best practices as innovative technical solutions continue to make access from the edge easier, more transparent and secure.

The Role of Emerging Technologies in Digital Government

By eliminating legacy systems and investing in emerging enterprise technologies, agencies are generating cost savings, increasing security and accessibility and providing a more holistic, human-centered Government experience for Colorado.

Understanding how Colorado is securing the remote workforce in light of the telework and deployment explosion is important to connect where those emerging technologies can improve communication and networking issues. It is important that the state gets broadband access to its most rural and underserved communities to expand high-speed internet and 5G to increase citizen engagement with Government services. By utilizing endpoint detection, multi-factor authentication and mobile device management, Colorado protects citizens’ data and gains an understanding of user behavior to protect the data from any cyber threats.

The emerging technology approach is also about an innovative mindset to use tools in a better way that improves citizens’ digital experience. Colorado has been modernizing its approach to citizen-facing services by consolidating into simple, quick and more digital interactions to ease how citizens access essential services and programs with the state.

Technology acceleration takes center stage as part of Colorado’s Digital Government Strategic Plan. For the City and County of Denver, collaboration is imperative for coordinating technology deployment across the State and Local Government and within communities, at speeds capable of meeting the plan’s timelines. With these modernization efforts and changes across the state, agencies must invest in change management by preparing citizens for more digitized services. This includes walking residents through new processes and applications as incremental changes occur.

Combating Cyber Threats in Government

As their communities increasingly become targets of hackers and other cyber criminals, State and Local agencies must stand united to prevent and recover from cyberattacks. Cybersecurity risks range from data exploitation, insider threats, third-party practices as outsourcing increases, ransomware, identity theft and fraudulent access to State Government services.

Risk tolerance and risk posture must factor in human risk, application risk, physical security risk, datacenter risk and cloud risk to comprehensively assess cyber threats. As a result of the COVID-19 pandemic, workforce access changed overnight, creating an even greater need for multi-factor authentication, password management, cloud security and Zero Trust compliance.

Data integrity attacks include unauthorized insertion, deletion or modification of data to Government information such as emails, employee records, financial records and citizen data. Public facing identity is a big aspect going forward for Colorado agencies.

The safeguards in use today ensure data is secure, protected and effectively backed up, yet readily available when needed. Lifecycle management is critical to making sure users have the right level of access to the right applications. Today, most agencies are in a position where if someone logs in, they make an identity claim with a username and password and a one-time code. The agency should then know what application that user accessed, and the process stops there; however, with the diversity in endpoints, more information needs to be acquired. Agencies can then make better risk-based decisions on who is allowed to log in, thereby protecting their environment, detecting and remediating threats while continuing to modernize their risk posture.

Emerging technologies and new digital services provide State and Local agencies more opportunities to easily connect with their citizens and make sure the user experience is as smooth as possible. As increased access to applications and Government data continues, agencies must continuously improve their risk posture to protect citizens’ sensitive information by upholding Zero Trust best practices.

 

Visit our roadshow resource hub to learn more about the State and Local Roadshow Series: Digital Transformation.

Diversity, Equity and Inclusion as a Pillar of CX Service Delivery

Integrating DEIA Into the Larger CX Picture

The White House Executive Order on Diversity, Equity, Inclusion and Accessibility (DEIA) in the Federal Workforce promotes standards that can be applied to improving Government customer experience (CX). These include strengthening the ability to recruit, hire, develop, promote and retain the nation’s talent, removing barriers to equal opportunity and creating a space where all employees and customers are treated with dignity and respect. The standards offer Federal and State and Local Government agencies the opportunity to move toward equitable service delivery.

Developing a DEIA strategy involves a multitude of moving pieces like analyzing data, enforcing requirements, measuring effectiveness and ensuring progress. All of these areas culminate in sustainable cultural intelligence for organizations. Starting the conversation around DEIA in the context of CX begins with the ongoing theme of communication rooted in trust—especially employee and customer trust in the Government. During Carahsoft’s 2023 Customer Experience and Engagement Summit, panelists examined how their organizations are creating more trusting, inclusive and resilient workplace environments, which translates to improved services for customers.

A Focus on Human-Centered Design

In the realm of CX, trust is one of the most important aspects of customer, employee and leadership interactions. One panelist, coming from a background in the user experience (UX) transformation space, had previously found that all human-centered design existed exclusively within UX. In furthering their understanding of the broader CX spectrum, they discovered that UX is only a small part of the CX journey. While UX refers to the way users interact with an organization’s specific products, CX is how users view an organization’s brand and experiences with the business. The critical missing component to elevate CX is communication and transparency to build trust. Much of the progress made through DEIA initiatives aims to rebuild trust with undervalued communities so they feel secure receiving assistance both personally and virtually.

To truly develop more equitable service delivery models, organizations must be able to manage workplace tension by building both internal and external progress. For example, the National Science Foundation (NSF) has worked to provide tools for success in both areas through various touchpoints. Externally, NSF teams launched a redesign of the agency’s website that allowed them to collect information from several demographic communities. In doing so, the NSF was able to redesign language inputs and outputs to better serve their website visitors. Internally, the NSF has implemented a call-listening program that analyzes empathy, psychological safety and compassion to protect not only customers, but employees as well. The NSF has also designed a DEIA maturity model, which helps to measure the efficacy of DEIA capabilities, identify critical barriers and benefits to employee advancement and operationalize a sense of inclusion and belonging across the foundation.

Moderating Workforce Development for the Future

Recruiting, hiring and retaining employees is successful when an organization considers a wide range of talent representation. Also, being data-informed is critical for an agency’s mission. Collecting data via methods like staff surveys to identify members’ interests and strengths as well as understand where that talent can best serve the agency is imperative for progress. Baking this into daily processes by working with human resources counterparts ensures the DNA of the organization is varied. Ultimately, diversity within CX talent can positively set one organization and the way its employees interact with customers apart from another.

 

Read the previous blog and check back soon to read the rest of Carahsoft’s insights from CX industry thought leaders at the summit.

 

To learn more about the latest in the CX landscape and how Carahsoft’s industry-leading partners can support your Customer Experience initiatives, please visit our resource hub to access all on demand recordings and information from the 2023 Government Customer Experience and Engagement Summit.

Following the Funding of Innovation in Customer Experience

In the world of business, methodology is always changing along with users. While this innovation can be expensive, it is vital that agencies move alongside the private sector with technology implementation and customer service standards. At Carahsoft’s 2023 Government Customer Experience and Engagement Summit, panelists discussed ways to cut costs and foster innovation.

Innovating to Maintain Pace with Customer Needs

When a business works with clients, most of its focus will naturally be on the customer experience (CX). What was a revolutionary addition in the past may be an expected feature in the present. As a result, agencies need to continually adapt and grow. Technology can be used to spearhead that innovation. Many people who interface with Government systems are also Government employees, so quality software is vital both internally and externally.

Agencies should design interfaces with CX at the forefront. Professionals, such as designers, whose job is to understand how users adapt to natural patterns in software, should have a seat at the table to help integrate new features. This way, new technology is as easy to understand as possible, by as many people as possible. Allowing users to get involved in iterative cycles as updates are added will allow agencies to evolve their solutions as they go. By following previous successes, the overall user experience will improve.

The speed and agility of technology and service systems is one vital component. Both customers and employees will grow frustrated with slow, out of date technology and appreciate Government initiative for agile development. By rolling out iterative cycles during changes, users have the opportunity to evolve with solutions.

Cost Effective Service

Public agencies have been advocating for more funding to keep pace with the financial challenge of customer service. The current presidential administration has issued several executive orders that promote enhancing customer service and experience in the public sphere, including additional funding for agencies to implement those upgrades. However, acquiring these funds requires having modern and secure technology and technical strategy already executed in an agency. Although implementing modern technology and the most secure cybersecurity strategies can be expensive, it will help agencies save costs down the road.

If agencies do not qualify for Government funding, there are additional initiatives they can implement in the meantime. Agencies can partner with technology vendors to develop solutions that will improve CX. By leveraging existing data, such as data from performance.gov or analytics.usa.gov, agencies can figure out ways to improve customer service. Paying attention to internal service metrics such as the number of closed cases, time to close cases, success rate and satisfaction level can illustrate how well a company is performing with CX before reviews come in. Agencies can decrease helpdesk wait times and lower costs by focusing on self-remediation. Through championing these efforts alongside quality partners and vendors, agencies can view CX problems through different lenses, leading to the best possible process. Agencies can also utilize pilot programs to test situations out before implementing them and affecting both employees and users. Technology should be used to positively influence user behavior. By guiding a wide variety of customers through services with simple, easy to understand instructions, agencies can help both customers and employees which will keep wait times down and save money.

 


IRS Uses Digital Signatures for Improved Public Experiences

At the start of March 2022, the IRS launched the Taxpayer Experience Office (TEO) to improve taxpayers’ experience with digital tools, such as fully transparent accounts, expanded e-File and payment options, digital signatures, and secure two-way messaging. TEO is working with their IT, digitalization, and policy shops to identify projects that will produce the most modernization, according to agency officials. The four offices are meant to coordinate the expedition of either internal or external processes, depending on the ROI, with TEO handling the former and the Enterprise Digitalization and Case Management Office (EDCMO) the latter. “For its part, EDCMO focuses on taking paper processes digital where the cost savings are highest and the processing hours and employees in seats lowest”.[1] The main goal is to optimize business processes and technology, which normally begins with small digital transformations, but EDCMO already achieved a 178% ROI in its first year, which indicates a promising future for their endeavors.[1]

Opportunities in the Field of Digital Modernization

The IRS issued the first wave of job postings for more than 200 technologists back in March of 2022, as it plans to hire to continue modernizing IT. Positions range from entry-level to supervisory across system development, architecture, engineering, cybersecurity, IT operations, network services and customer support.

Desired skillsets are cloud, zero-trust security, low- and no-code enterprise platforms, machine learning and artificial intelligence, and NoSQL databases. The IRS faces a daunting, largely paper-based backlog of tax returns every year, so shifting to digital will help streamline to make these yearly processes run smoother and faster. As was the case with COVID-19 recovery, the IRS is also called upon to administer relief, like Economic Impact Payments and advance payments of the Child Tax Credit. They are also instances of processes that could be made more efficient by implementing digital solutions because of the quicker turnaround that those platforms provide in comparison to manual, paper-based ones.[1]

Digital Signature Service Authorization and Adoption within Government Agencies

The IRS is a notable example, but agencies within the Department of Defense are leaning into the trend of digital signature use as well. This initiative requires an effort in tandem from the industry side and the government side to achieve the necessary compliances for ensuring proper security across platforms. One of the main authorizations that these government entities and digital services must adhere to is the Federal Risk and Authorization Management Program (FedRAMP), which provides a standardized approach to security authorizations for Cloud Service Offerings. According to the FedRAMP Program Management Office, there are two ways to authorize a Cloud Service Offering (CSO) through FedRAMP—via an individual agency or the Joint Authorization Board (JAB). The authorization process involves selecting an authorization process, preparation, authorization, and then continuous monitoring as part of the main steps. There are currently 20 Cloud Service Providers (CSPs) under the status of “ready,” 96 “in process,” and 309 classified as “authorized” through the program. Digital signature solutions, being cloud-based services, must adhere to this type of authorization to be considered for use within many government agencies. As more agencies vouch for these services and work together with CSPs to secure certifications, more agencies, in turn, are also able to adopt them to achieve maximum efficiency.[2]

What Can Digital Signatures Help Accomplish?

Digital signatures greatly reduce the time spent during transactions. As noted across articles and input from the most successful signature providers featured on LinkedIn, they can greatly improve the day-to-day for businesses operating in a post-pandemic hybrid world, and the same benefits apply to government agencies.

Most notably, trusted digital signatures can help in the following:

Security: A digital signature confirms that all signers are who they claim to be, and it prevents retroactive alterations to the signed document or tampering in general.

Time: Signing a document with ink does not take any longer than signing with a digital signature, but the time it takes to move a wet signature document along to each recipient can take days or even weeks. In comparison, a digitally signed document can be delivered in minutes via email.

Collaboration: Working remotely or employing physical distancing interferes with the ability to come together for document transactions. Even with the re-appearance of in-person operations, digital signatures allow quicker turnaround and provide the additional convenience of eliminating the need to convene in person.

The Environment: From the number of trees that go into printed sheets of paper to the amount of carbon emissions that can be saved, digital signatures are the green alternative to paper-based wet signatures.

Legality: Digital signatures hold up legally across the US and globally, specifically by adhering to the E-Sign Act of 2000 and the Uniform Electronic Transactions Act (UETA).

 

Check out this on-demand webinar for more information on this series and how Adobe can support your organization’s digital transformation initiatives.

 

Resources:

[1] Nyczepir, Dave. “IRS Teams Old and New Working in Tandem on IT Modernization.” FedScoop, March 21, 2022. https://fedscoop.com/irs-teams-it-modernization-2022/.

[2] How to Become FedRAMP Authorized. Accessed July 5, 2023. https://www.fedramp.gov/.

Accelerating Mission Success with Technology

The pandemic triggered disruptions to supply chains, workforce management and other daily government operations. Rather than abating, those challenges have continued to evolve. The war in Ukraine has brought new security concerns, and financial uncertainties have made it even more imperative for government agencies to be able to pivot quickly. Digital transformation is essential to meet such ever-changing, unpredictable demands. Flexible, cost-effective technology solutions enable government agencies to analyze data for better decision-making in areas as diverse as cybersecurity, public health and military operations. Investments in modern technologies have the added benefit of making government work more attractive to talented professionals with innovative ideas and a willingness to try new approaches. Such people are a crucial element of any digital transformation. Learn how you can rethink every aspect of operations in ways that spur innovation and advance the ability to respond to new challenges and opportunities as quickly as they arise in Carahsoft’s Innovation in Government® report.

 

How Connected Data Heals the Post-COVID Supply Chain

“Public-sector leaders need to think big, start small and scale fast. The best approach is to pick a chunk of the business that is consequential and show everyone incremental results. Executive buy-in is also important but sometimes comes later, after several bottom-up iterations that are so successful they are impossible to overlook. The National Telecommunications and Information Administration’s new grants portal is an excellent example. The end-to-end, FedRAMP-authorized system gives NTIA and its customers the digital tools they need to apply for broadband grant programs and support the government’s management of the projects funded with the grants.”

Read more insights from Maj. Gen. (Ret.) Allan Day, Ph.D., Vice President of Logistics/Sustainment of Global Public Sector at Salesforce.

 

Technology Expands Access and Reduces Public Health Service Challenges

“Digitization helps health workforce challenges as well as addressing the service backlog and supporting expanded access. Digital service delivery is far more efficient, freeing up clinician time to deliver health care in-person for patients who are unable or unwilling to access services digitally or when virtual encounters are not the most appropriate channel. And digitization done well provides rich, real-time data to better understand gaps and inequities and thus improve digital services and inform timely program and policy development.”

Read more insights from Karen Hay, Digital Transformation Leader of Global Public Health at Salesforce.

 

What the Talent Shortage in Aerospace and Defense Companies is Really Telling Us

“Quick wins are essential. Quick wins are the battles in the bigger war of transforming your organization. These are the smaller localized wins within business units outside of large enterprise changes. They become easy-to-understand success stories that give teams a taste of how a transformed organization can thrive. They are powerful social proof that leaders can use to educate and inspire.”

Read more insights from Mike Mulcahy, Digital Transformation and Strategy Development Leader for Global Public-Sector Aerospace and Government System Integrators at Salesforce.

 

How Digitizing Infrastructure Protects Against a New Generation of Cyberattacks

“Chicago’s 311 call center is an excellent example of transformation in action. It is the point of entry for residents, business owners and visitors to access information about city programs, services and events. Chicago 311 allows citizens to access that information without long hold times and with minimal impact on staff. Since its launch, Chicago 311 has become an essential resource for activities as varied as simple informational inquiries and requests for tree trimming and pothole repairs. More broadly, the service has shown how the right cloud platform can transform the traditional call center into a modern contact center that unlocks everything from back-office information to self-service capabilities across a single, secure and connected experience.”

Read more insights from Paul Baltzell, Vice President of Strategy and Business Development for State and Local at Salesforce.

 

Empowering Citizens Through Platform Investments

“CIOs are facing the challenge of how to modernize by using platform technology. Most have moved into the cloud, but modernizing with a platform is a new way of thinking. It means deciding which platforms to adopt and which use cases to build onto these platforms. Modernization means reducing the technology stack. When agencies choose the right platform, they benefit from the use cases that are already on it so they don’t have to start from scratch.”

Read more insights from Scott Brock, Vice President of Strategy and Business Development for State and Local at Salesforce.

 

How Technology Investments Can Help Close the Talent Gap

“A November 2022 memo from the Office of the Secretary of Defense confirmed the seriousness of the situation with respect to retention after return-to-work policies went into effect. Focusing on our nation’s cybersecurity priorities, the statement called for expanding the workforce through apprenticeship programs and other nontraditional means of closing the talent gap. There is a solution: with the right investment in technology and talent, leaders can manage through the current challenges and achieve a posture where positive change is a constant, iterative and accepted part of the landscape.”

Read more insights from Dr. Michael Parker, Vice President of Business Development at Salesforce.

 

Download the full Innovation in Government® report for more insights from IT modernization thought leaders and additional industry research from FCW.