Patching in Federal Government Networks

Ivanti is committed to customers who uphold the Nation’s highest commitments. To this end, Ivanti believes the mission our customers fulfill should not be impeded or constrained by the security stance they take. In these security-conscious settings, it is both mandatory and best practice for nodes within these networks to be either disconnected or entirely air-gapped.

(Context: nodes on a disconnected network can reach each other over the internal network or intranet but have no path to the broader internet. An air-gapped environment is isolated still further: it is entirely independent, with no connectivity to either a larger intranet or the internet.)

Disconnecting nodes or placing them in an air-gapped state does not, by itself, remove the risk of exploitation. Network isolation of these servers and endpoints is only one control within the zero-trust security model that these system administrators have to maintain.

Technical administrators of these environments remain responsible for maintaining their systems against ongoing vulnerabilities. Patching these systems also acts as a countermeasure against insider threats, since an insider does not need internet connectivity to exploit an unpatched host. These vulnerabilities go well beyond the standard Patch Tuesday Windows OS vulnerabilities: a significant majority exist in the third-party application ecosystem. According to the U.S. National Vulnerability Database, Microsoft vulnerabilities account for only 15% of total vulnerabilities today.


Patching these systems is tedious, time-consuming and manually intensive. That time could be better spent on strategic security measures, or not spent at all, and while the lengthy process runs, critical systems remain exposed. A GAO report (page 46 of GAO Report 16-501, Agencies Need to Improve Controls over Selected High-Impact Systems) shows that this has historically left even critical vulnerabilities unpatched for significant periods (several years, in the report). To address these issues, Ivanti helps customers automate the remediation of vulnerabilities found within their systems, while also providing a record of truth and reporting for these workflows.

Ivanti’s Disconnected Patching Capability

Ivanti’s product portfolio includes not only its flagship cloud-based product suite but also a strong array of on-premises products. Two products worth highlighting here are Ivanti Security Controls (ISEC) and Ivanti Endpoint Manager (EPM). Both have on-premises deployment options that extend into disconnected and air-gapped use cases.

At a high level, Ivanti services disconnected and air-gapped environments through servers placed within those environments. Those servers act as a repository for OS patches (including Windows, Linux and Mac) along with third-party application patches. Reference the example diagram of a disconnected instance of Ivanti ISEC. In this example, a central environment is used to download and prepare patches. One or many disconnected environments can then be stood up, with patches and management provided via a ‘File Transfer Service’. This service can take two forms: approved media devices that carry transfers when no connectivity can exist, or a staged approach in which a centralized console alternates its connectivity between the internet and a disconnected environment. Where approved, either form avoids a direct link between the internet and the disconnected environment.

One additional note on this diagram: both the Central Rollup Console and the connected environment can also be connected temporarily, even if only to update definitions in support of the disconnected portions of the deployment.

Ivanti Endpoint Manager (EPM)

On the flip side, the disconnected/connected approach described for ISEC also applies to our EPM product. As with ISEC, an admin can create multiple EPM consoles, or cores, without any additional charges. Those cores can be deployed as disconnected or ‘dark’ cores. Vulnerability definitions and patches can then be copied from a connected environment into the disconnected one via the preferred ‘File Transfer Client’ of choice. This methodology has been proven among our customer base, who have effectively deployed it in disconnected and air-gapped instances of both ISEC and EPM.
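The transfer step above, whichever ‘File Transfer Service’ or client carries the content, is where a practitioner wants an integrity check before a disconnected core or console ingests anything. The following Python example is added here to illustrate that check and is not Ivanti code. It assumes a patch bundle laid out as a plain directory, a manifest file named manifest.json inside it, and that the manifest’s own SHA-256 digest is carried out of band (for example, written on the transfer record), so the receiving side can detect a swapped or modified bundle, a missing file, or a stray file that was not part of the prepared bundle.

```python
"""Build and verify a SHA-256 manifest for a patch bundle carried across an
air gap on approved media. Added illustration only; not Ivanti code.
Assumed layout: a bundle directory containing patch files plus manifest.json."""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # assumed file name, not an Ivanti convention


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large patch payloads are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(bundle_dir: Path) -> dict:
    """Connected side: record the digest and size of every file except the manifest."""
    entries = {}
    for path in sorted(bundle_dir.rglob("*")):
        if path.is_file() and path.name != MANIFEST_NAME:
            rel = path.relative_to(bundle_dir).as_posix()
            entries[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    manifest = {"files": entries}
    (bundle_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_bundle(bundle_dir: Path, expected_manifest_hash: str) -> dict:
    """Disconnected side: trust nothing until the manifest digest (carried out of
    band) matches, then compare every listed file and flag anything unlisted."""
    report = {"ok": False, "manifest_ok": False, "mismatched": [], "missing": [], "unexpected": []}
    manifest_path = bundle_dir / MANIFEST_NAME
    if not manifest_path.is_file() or sha256_file(manifest_path) != expected_manifest_hash:
        return report  # a manifest we cannot trust says nothing useful about the files it lists
    report["manifest_ok"] = True
    expected = json.loads(manifest_path.read_text())["files"]
    present = {p.relative_to(bundle_dir).as_posix() for p in bundle_dir.rglob("*")
               if p.is_file() and p.name != MANIFEST_NAME}
    for rel, meta in expected.items():
        path = bundle_dir / rel
        if rel not in present:
            report["missing"].append(rel)
        elif path.stat().st_size != meta["size"] or sha256_file(path) != meta["sha256"]:
            report["mismatched"].append(rel)
    report["unexpected"] = sorted(present - set(expected))
    report["ok"] = not (report["mismatched"] or report["missing"] or report["unexpected"])
    return report


def demo() -> tuple:
    """Constructed walk-through: build a bundle, keep its manifest digest, then
    modify one patch file and drop a stray file onto the 'media' before verifying."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "patch-bundle"
        (bundle / "windows").mkdir(parents=True)
        (bundle / "windows" / "kb-example.msu").write_bytes(b"constructed patch payload")
        (bundle / "definitions.xml").write_text("<definitions constructed='true'/>")
        build_manifest(bundle)
        manifest_hash = sha256_file(bundle / MANIFEST_NAME)  # carried out of band
        clean = verify_bundle(bundle, manifest_hash)
        (bundle / "windows" / "kb-example.msu").write_bytes(b"constructed patch payload, modified")
        (bundle / "stray-file.bin").write_text("constructed file that was never in the bundle")
        tampered = verify_bundle(bundle, manifest_hash)
        wrong_manifest = verify_bundle(bundle, "0" * 64)  # digest that does not match
    return clean, tampered, wrong_manifest


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "wrong manifest digest"), demo()):
        print(f"{label}: {json.dumps(result)}")
```

Refusing the entire bundle on a manifest mismatch, rather than verifying file by file, is deliberate: if the manifest itself has been altered in transit, per-file comparisons against it prove nothing. The out-of-band digest is the one value that has to travel by a path the media itself cannot alter.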

Modernized & Automated Patching Workflows

Modernizing the patching process means reducing the mean time to patch and securing strategically against vulnerabilities. To that end, Ivanti provides Neurons for Risk Based Vulnerability Management (RBVM), a vulnerability management system that contextualizes threats (for example, ‘trending’ vulnerabilities, or vulnerabilities that can be exploited without physical access to the target).

RBVM also provides the necessary patches and remediation for those vulnerabilities. By integrating our patching and RBVM products, patching becomes a strategic and automated process: files listing the vulnerabilities deemed most risky can be loaded into solutions like EPM, which determine and provide the patches. This workflow still applies in disconnected and air-gapped use cases; RBVM can connect to the Rollup Core while patches are disseminated via the process described above.

How Ivanti can Help

Between Ivanti’s EPM and ISEC products, a system administrator can patch the Windows, macOS and Linux servers and workstations within their environments. Patching also extends to third-party applications, where a significant portion of vulnerabilities originate. Ivanti also has a team of QA testers who validate the patches in its third-party patch catalog to ensure no patch causes a system crash. This patching applies to both connected and disconnected environments, without any additional charges for scaling your console server deployments.

ISEC can discover and patch endpoints both with an agent and agentlessly. It can also integrate with on-premises VMware ESXi environments and patch ESXi hosts, as well as images and offline VMs, further centralizing and reducing time to patch across the environment. EPM, by contrast, provides a full suite of endpoint management capabilities in addition to patching, including discovery and data normalization, OS provisioning, software distribution, user profile management, remote control, and integrated patching and endpoint security.

Additional Resources

For further reading, please consider Ivanti’s product documentation on this subject. These references provide additional documentation on how to establish:

About Ivanti

Ivanti was created in 2017 with the merger of Landesk and HEAT software. We are a powerhouse IT solution with over 30 years of combined experience. Ivanti finds, heals and protects every device, everywhere – automatically. Whether your team is down the hall or spread around the globe, Ivanti makes it easy and secure for them to do what they do best.

Ivanti is committed to supporting customers with either cloud or on-premises deployment requirements. For both deployment paths, Ivanti’s portfolio contains accredited solutions with the following certifications: DoD ATO, Army CoN, Common Criteria, DoDIN APL, DISA STIG, DoD IL2 & IL5 Private Cloud, NIAP MDM PP v4, NIAP Common Criteria, NSA CSFC, FIPS 140-2, FedRAMP Moderate, and SOC 2 compliance.

Connect with an Ivanti representative today and learn more about how Ivanti can support your MultiCloud initiatives.

Ransomware Security Strategies

One of the first challenges in combating ransomware is recognizing the imminence of an attack and the impact it could have on one’s own organization. Of the companies surveyed by ActualTech Media and Ransomware.org, 60% reported spending zero to four hours per month on ransomware preparedness.[1] Getting collective buy-in from administrators can be difficult, since the cybersecurity measures put in place cannot show their full value until a ransomware attack hits; however, given the number and scale of attacks occurring, greater attention to cybersecurity is imperative. The NIST Cybersecurity Framework (CSF) provides a guiding set of principles that inform strategies for mitigating ransomware risk. Addressing ransomware starts with identification of a security program, followed by protection, prevention, detection, recovery and then security improvements. Ideally companies would follow this CSF outline, but in reality the path looks different for most organizations. Because of feasibility and critical priority, many companies first establish detection and recovery methods, followed by protection, prevention and security improvement.

RANSOMWARE DETECTION AND RECOVERY

When ransomware hits an organization, the biggest immediate concern is finding the problem and returning to business as usual. Many resources assist with this, including asset management tools that automatically inventory all devices on the network and monitor for potential ways malware can get in. Edge detection alerts companies early if the network has been compromised and identifies which accounts and devices require isolation and additional measures to prevent further spread to other servers, accounts and storage units. Anti-virus programs also help by monitoring endpoints for indicators of compromise or malware. Early detection lets companies contain the malware and reduce data loss.[2] It also helps prevent extended downtime, which is very costly for operations and business reputation. Apart from the actual ransom, the downtime alone caused by cyberattacks in 2020 cost American businesses $20.9 billion.[1]

Once malware has been detected, a company’s recovery plan and preparation are put to the test. IT specialists and company administrators need an emergency plan in place so there are straightforward steps to recovery. Backups not only need to be created and stored off-site, but also updated regularly and tested to ensure they are a solid base for a system restoration. With most traditional backup systems, data cannot be recovered fast enough to neutralize the ransomware’s impact on operations. Instead, a new strategy must be adopted that shifts from 200,000 files taking eight-plus hours to restore from traditional backups to millions of files being recovered in minutes. Granular, immutable, verifiable snapshots are required to successfully recover all of an organization’s data.[2]


The Sophos “State of Ransomware” report indicated that 77% of healthcare organizations that did not experience a ransomware attack in 2021 attributed this to efforts such as backups and cyber insurance, which help with remediation but not prevention. This exposed an ongoing misunderstanding within the industry about cybersecurity methods.[3] Obtaining cyber insurance does not prevent future attacks; instituting proper security strategies does decrease susceptibility to ransomware. Recovery tools and insurance support post-breach response, but organizations should also strive to prevent the attack in the first place, which requires implementing protection and prevention. According to the Government Accountability Office (GAO), cyber insurance is a valuable resource, but it is increasingly hard to acquire because of the massive volume of cyberattacks, a higher bar of entry and more requirements to gain coverage and receive payouts. This leaves organizations without sufficient security or insurance to face the recovery process and expensive remediation costs alone.[4]

RANSOMWARE PROTECTION AND PREVENTION

While most organizations invest in attack detection and recovery strategies, the protection aspect of the NIST CSF is equally important and essential to reducing the amount of recovery needed. Protection and prevention of ransomware attacks begin with establishing system routines and measures that make it more difficult for attackers to infiltrate. By implementing Zero Trust user principles such as Multi-Factor Authentication (MFA), institutions and agencies can protect themselves by verifying the identity of employees. Poor password hygiene is one of the leading gateways to malware infiltration, making thorough employee training and password management software a baseline for reducing risk. The average user has access to over 20 million corporate files, making each employee a critical part of keeping the network safe and a huge liability if they are not vigilant and following best practices.[2] Segmenting the network to provide user-specific access to data and system resources also creates safety barriers, so that in the event of an attack the entire network is not automatically compromised. Around 80% of critical infrastructure companies without Zero Trust policies experience a $1.17 million increase in breach costs, bringing the average to $5.4 million per attack in 2022.[5]

Comprehensive Zero Trust authentication and data access control, limiting any one user’s access to the entire company’s files, is a first step in this process. File indexing, which classifies the sensitivity of the information a file contains, lets companies allocate resources to prioritize protection of the most important or confidential files.[2] Automating these processes eases IT teams’ responsibilities and reduces the chance of error. Incorporating artificial intelligence (AI) and machine learning (ML) also speeds the identification of confidential information through metadata tags, along with advanced detection of suspicious network and user activity, and thereby minimizes inefficiencies.[6]

Organizations must rigorously search for security gaps and proactively work to close them. Some other measures to incorporate include:

  • Filtering for phishing emails and providing awareness training to minimize the possibility of a user accidentally clicking a malicious link
  • Utilizing firewalls to block unusual network traffic and segment the network to impede malware system communications
  • Monitoring software licenses to ensure they are updated and systems are adequately patched
  • Removing expired and extraneous user credentials and unused legacy technology
  • Tracking vulnerabilities on IoT and OT devices and on employees’ personal devices used for work (BYOD) throughout the entire connection lifecycle
  • Implementing Zero Trust cloud security with container scanning and proxies like a Cloud Access Security Broker (CASB) and Zero Trust Network Access (ZTNA)

RANSOMWARE SECURITY IMPROVEMENT

Following an attack, companies have the opportunity to grow and improve from the situation as well as share resources with other public and private sector companies to strengthen defenses. Incident reporting is a key strategy to prevent future ransomware incidents and a top priority for the Cybersecurity and Infrastructure Security Agency (CISA). Agencies and organizations must support each other to defend against these cyber threats that affect every industry.[7]

To support this greater focus on information sharing, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 took effect in March, requiring a more stringent timeline for disclosing cybersecurity attacks and ransomware payments to the government. CISA also now has the authority to subpoena critical infrastructure organizations that do not report cybersecurity incidents within 72 hours of a cyberattack or ransom payments within 24 hours.[8]

This threat information sharing requirement, along with other recent rules on reporting attack incidents, strengthens organizations’ security posture and reduces the success rates of cyberattacks. Through these joint efforts and public-private partnerships, companies can recover faster, resume normal operations and support other businesses in the defense of their industry and the nation.[9]

To assist with incorporating these cybersecurity best practices, Congress passed the Infrastructure Investment and Jobs Act Public Law 117–58 which offers $2 billion to “modernize and secure federal, state, and local IT and networks; protect critical infrastructure and utilities; and support public or private entities as they respond to and recover from significant cyberattacks and breaches.”[10]

RANSOMWARE RISK MITIGATION

Tech modernization, while crucial to agencies’ and organizations’ survival and growth, also presents unique challenges in protecting those technologies.[11] In securing their legacy and updated systems, companies must take the time to honestly evaluate their cybersecurity standing across the ransomware cycle and ensure their readiness to handle an attack. NIST CSF security strategies and other resources help organizations mitigate risk and empower other companies to learn and protect their systems. By implementing best practices and technologies to address cyber hacks and data breaches, companies value both their customers and their own bottom line. Proactive cybersecurity measures are key for all companies to stem the tide of ransomware attacks and protect the continued growth of their organizations.


Learn about the current state of ransomware and its impact across sectors in our Ransomware Series. Visit our website to learn how Carahsoft and its partners are providing solutions to assist in the fight against ransomware.


Resources:

[1] “Everything You Need to Know About Ransomware,” Ransomware.org, https://ransomware.org/

[2] “Protect, Detect & Recover: The Three Prongs of a Ransomware Defense Strategy for Your Enterprise Files,” Nasuni, https://media.erepublic.com/document/Whitepaper-_A_Three_Prong_Ransomware_Strategy_-_Nasuni.pdf

[3] “The State of Ransomware in Healthcare 2022,” Sophos, https://news.sophos.com/en-us/2022/06/01/the-state-of-ransomware-in-healthcare-2022/

[4] “Healthcare data breach costs reach record high at $10M per attack: IBM report,” Fierce Healthcare, https://www.fiercehealthcare.com/health-tech/healthcare-data-breach-costs-reach-record-high-10m-attack-ibm-report

[5] “Cyber Attacks Against Critical Infrastructure Quietly Increase,” Government Technology, https://www.govtech.com/blogs/lohrmann-on-cybersecurity/cyber-attacks-against-critical-infrastructure-quietly-increase

[6] “Four Best Practices for Protecting Data Wherever it Exists,” Dell Technologies and Carahsoft, https://www.carahsoft.com/2nd-page/dell-4-best-practices-federal-data-security-protection-report-2022#page=4

[7] “Ransomware Hackers Will Still Target Smaller Critical Infrastructure, CISA Director Warns,” Nextgov, https://www.nextgov.com/cybersecurity/2022/07/ransomware-hackers-will-still-target-smaller-critical-infrastructure-cisa-director-warns/374953/

[8] “DHS Convenes Regulators, Law Enforcement Agencies on Cyber Incident Reporting,” Nextgov, https://www.nextgov.com/cybersecurity/2022/07/dhs-convenes-regulators-law-enforcement-agencies-cyber-incident-reporting/374968/

[9] “Ransomware Attacks on Hospitals Have Changed,” AHA Center for Health Innovation, https://www.aha.org/center/cybersecurity-and-risk-advisory-services/ransomware-attacks-hospitals-have-changed

[10] “FACT SHEET: Top 10 Programs in the Bipartisan Infrastructure Investment and Jobs Act That You May Not Have Heard About,” The White House, https://www.whitehouse.gov/briefing-room/statements-releases/2021/08/03/fact-sheet-top-10-programs-in-the-bipartisan-infrastructure-investment-and-jobs-act-that-you-may-not-have-heard-about/

[11] “Global Data Protection Index 2021,” Dell Technologies, https://www.dell.com/en-us/dt/data-protection/gdpi/index.htm#pdf-overlay=//www.delltechnologies.com/asset/en-us/products/data-protection/industry-market/global-data-protection-index-key-findings.pdf

Infographic Resources:

“Ransomware and Energy and Utilities,” AT&T Cybersecurity, https://cybersecurity.att.com/blogs/security-essentials/ransomware-and-energy-and-utilities

The GAO Report’s Insight on the Expansion of Facial Recognition Tech

Facial recognition technology capabilities and usage are expanding at an unprecedented rate. Clearview AI, a third-party facial recognition contractor for the government, claims that nearly everyone in the world will be identifiable upon achieving the collection of 100 billion photos for their facial recognition system by the beginning of 2023.[1] Statements like this and other reports have generated increased concern and investigations to determine the extent of facial recognition technology and what role it should play within the government.

The GAO Report and Defining FRT

The most recent Government Accountability Office (GAO) report published in August 2021 followed heightened public concern regarding the use of facial recognition technology (FRT) by federal government agencies. At the request of Congress, the report surveyed 24 agencies listed in the Chief Financial Officers Act of 1990 over the 2020 fiscal year.[2]

Facial recognition, one of several types of biometric identifiers alongside DNA and fingerprints, maps an individual’s face into a mathematical representation. This faceprint or facial signature provides a unique way to verify identity. An FRT system’s algorithm then compares that information to find matches within its database. Experts attribute some of the controversy surrounding FRT to a misunderstanding of its definition and of the distinctions between its functions. Facial verification seeks to confirm identity by comparing two photos to ensure they show the same person. Facial identification pulls the closest matches to a photo from a database. Facial analysis classifies a face’s personal characteristics and determines expressions.[2] The report distinguishes between these facets of the technology, but for the purpose of the study the GAO includes all of the above under the umbrella of FRT.

Federal Usage of FRT

In the GAO survey, researchers evaluated current usage and discovered that of the 24 agencies surveyed, 18 used facial recognition technology during 2020 for one or more purposes.[3]

Agencies that applied FRT include:

  • Department of Agriculture
  • Department of Commerce
  • Department of Defense
  • Department of Energy
  • Department of Health and Human Services
  • Department of Homeland Security
  • Department of the Interior
  • Department of Justice
  • Department of State
  • Department of the Treasury
  • Department of Veterans Affairs
  • U.S. Agency for International Development
  • Environmental Protection Agency
  • General Services Administration
  • National Aeronautics and Space Administration
  • National Science Foundation
  • Office of Personnel Management
  • Social Security Administration

The top three uses include digital access or cybersecurity, domestic law enforcement, and physical security. Sixteen agencies attested to incorporating FRT for digital access or cybersecurity, which mostly comprised employees unlocking agency phones. Six agencies used FRT to generate leads in criminal investigations by identifying victims or criminals and creating possible person-of-interest lists. Five agencies employed FRT for additional physical security such as building access. Other uses included border and transportation security, national security and defense, research and development, and medical assessment.[3]

To run these recognition searches, the government continues to build internal databases, purchase external commercial software, and collaborate with other internal agencies to cross-check and obtain additional records. The Defense, Justice, and Homeland Security departments own two-thirds of federal FRT systems.[4]

The most prominent third-party system government agencies use, Clearview AI, is wrapped in lawsuits and controversy over their collection of photos pulled from social media to build their database without users’ knowledge or consent. Some statements claim up to 3,100 or 17% of federal, state, county, and municipal agencies employed Clearview’s technology.[5] More government agencies hope to use Clearview’s system to draw from their exponentially expanding 2022 repository of over 10.5 billion faces.[6]

Government Expansion of FRT

According to the GAO report, the Agriculture, Commerce, Defense, Homeland Security, Health and Human Services, Interior, Justice, State, Treasury and Veterans Affairs departments intend to continue expanding facial recognition usage. By 2023, these government agencies plan to have developed or purchased 17 additional FRT systems, accessed two more local systems, and begun two more Clearview AI contracts.[2]

Over the 20 years that government agencies and police have utilized FRT, they were generally restricted to scanning only government-provided images like mug shots and driver’s license photos.[7] Now, access to systems like Clearview has changed that. Most of the expansion plans fall under three categories: system updates, problem solving, and new features.

The State Department wants to implement a new FRT-based program using the Personal Identification Secure Comparison and Evaluation System (PISCES) border management system to screen travelers for suspected terrorists. DHS plans to pilot a similar program with TSA and forecasts that by 2023 facial recognition will be used on 97% of travelers.[8] Other additions include the U.S. Marshals Service’s plan to construct a touchless prisoner identification system for the jail and prison networks. Pending funding approval, the Department of Agriculture hopes to use FRT to scan live surveillance video for people on watchlists.

Ten agencies working on research and development seek to improve systems’ accuracy, reduce false match rates by enlarging the algorithms’ training databases, and teach FRT to recognize individuals wearing masks.[5] Through its research, the State Department hopes to eliminate the challenge of aging faces confusing recognition systems. The Department of Transportation’s research would allow FRT to evaluate the eyes of commercial truck drivers, train drivers, and air traffic controllers for signs of distraction, drowsiness or fatigue.[9] While government agencies have extensive plans for FRT, they must navigate several unclear, nuanced areas.

Challenges Facing the Future Use of FRT

The major concerns with government FRT and protests to its expansion stem from issues with racial bias, inaccuracy, loss of privacy, and a lack of oversight. Initial reviews into FRT systems in the late 2010s returned some troubling data regarding the technology’s accuracy and bias. Recent studies reveal significant system improvement; however, other challenges remain at the forefront.

Results of the GAO survey showed that 13 agencies were unaware of their employees’ usage of non-federal facial recognition systems. This discovery prompted the GAO’s recommendation that agencies initiate a tracking mechanism to close this oversight gap and address the risks involved in employing non-federal systems like Clearview.[10] In early 2021, before the GAO report was released, over 35 civil rights groups had already petitioned for legislation that would halt government usage of FRT and finalize legal standards of usage.[10] Currently, no federal regulations are in place to provide accountability on these issues, and the local bans that many cities and states have resorted to do not inhibit federal usage. In the absence of congressional laws, Amazon and Microsoft enforced moratoriums and temporary bans on selling their facial recognition technology to the government.[11]

Until official regulations fall into place, government agencies are pursuing the latest system updates and upgrades. The GAO report offers a better frame of reference on current usage and insight into government agencies’ plans for growth.


Visit our website to learn how Carahsoft is helping government agencies connect technology and industry partners with best-of-breed artificial intelligence, machine learning, and high performance computing capabilities to meet mission needs.


[1] “Clearview AI plans to put almost every human face in its database,” Silicon Republic, https://www.siliconrepublic.com/enterprise/clearview-ai-100-billion-photos-facial-recognition-database

[2] “FACIAL RECOGNITION TECHNOLOGY: Current and Planned Uses by Federal Agencies,” United States Government Accountability Office, https://www.gao.gov/assets/gao-21-526.pdf

[3] “Facial Recognition Technology: Current and Planned Uses by Federal Agencies,” United States Government Accountability Office, https://www.gao.gov/products/gao-21-526

[4] “Summary of the GAO Report on Federal Use of Facial Recognition Technology,” Lawfare, https://www.lawfareblog.com/summary-gao-report-federal-use-facial-recognition-technology

[5] “US government agencies plan to increase their use of facial recognition technology,” Technology Review, https://www.technologyreview.com/2021/08/24/1032967/us-government-agencies-plan-to-increase-their-use-of-facial-recognition-technology/

[6] “Clearview AI aims to put almost every human in facial recognition database,” Ars Technica, https://arstechnica.com/tech-policy/2022/02/clearview-ai-aims-to-put-almost-every-human-in-facial-recognition-database/

[7] “The Secretive Company That Might End Privacy as We Know It,” The New York Times, https://www.nytimes.com/2020/01/18/technology/clearview-privacy-facial-recognition.html

[8] “What is Facial Recognition – Definition and Explanation,” Kaspersky, https://www.kaspersky.com/resource-center/definitions/what-is-facial-recognition

[9] “Federal government to expand use of facial recognition despite growing concerns,” The Washington Post, https://www.washingtonpost.com/technology/2021/08/25/federal-facial-recognition-expansion/

[10] “Calls for Biden to ban facial recognition grow after GAO report’s findings,” Daily Dot, https://www.dailydot.com/debug/facial-recognition-gao-biden/

[11] “Rules around facial recognition and policing remain blurry,” CNBC, https://www.cnbc.com/2021/06/12/a-year-later-tech-companies-calls-to-regulate-facial-recognition-met-with-little-progress.html

Conversations With CXOs: Crash Course on the Future of Government

For government employees looking to build successful and satisfying careers in public service, the curriculum is changing. It’s not enough to develop mastery of agency processes and policies or to stockpile continuing education credits on traditional core competencies. Instead, public servants need to develop a working knowledge of current trends in IT and management that are reshaping how government operates. IT and management: That’s the operative phrase. Technology is continually improving the efficiency of work processes and the productivity of employees. But efficiency and productivity only go so far. It’s at the intersection of technology and management that real change is happening. Agencies are gaining new insights into their operations and services, and using those insights to fuel innovations across their organizations. Government employees at all levels have the opportunity to be part of this transformation, but they need to get up to speed on the key trends. Where are they to begin? Download the guide to read more about four competencies that could be critical to the careers of public servants.

 

Edge Computing Raises Ransomware Risk

“The problem is that edge computing – in which data is being aggregated, accessed or processed outside the network perimeter – is leaving data exposed to cyber criminals who see an opportunity to make money through ransomware schemes. According to Gartner, a research and consulting firm, edge computing will grow 75% by 2025. In government, the surge is being fueled both by a growth in end-user devices in mobile and remote computing and in non-traditional devices associated with the Internet of Things (IoT) and operational technology (OT), such as sensors and cameras. In many cases, agencies support edge computing by moving data into the cloud, rather than requiring end-users or devices to go through the data center. This hybrid cloud environment mitigates performance and latency problems but also makes the network perimeter even more porous.”

Read more insights from HPE’s Distinguished Technologist for Cyber Security, James M.T. Morrison.

 

Agencies Need to Maintain a Sense of Cyber Urgency

“Security isn’t just the responsibility of individuals. Agencies also must ensure they treat security as a top priority. SolarWinds recommends two areas of focus: Prioritize the development of cyber experts. Given the high demand for cyber experts, agencies should focus more energy on developing talent in house. Shopp said one approach is to convert IT professionals, who are already tech savvy, into cyber professionals. Prioritize collaboration between tech pros and leaders. Policies and strategies aimed at reducing risk should reflect both technical and organizational expertise and requirements. Shopp said agencies also should collaborate more with trusted industry partners. SolarWinds, for example, isn’t just a technology vendor; it also has a large development shop, as many government agencies do, and can exchange ideas about cyber strategies, tools, and best practices.”

Read more insights from SolarWinds’ Group Vice President of Product Management, Brandon Shopp.

How to Move DevOps from Disarray to Unity

“An agency’s initial forays into integrating their development and operations teams can bear fruit quickly, leading to better quality software produced at a faster clip. The risk is that an organization will treat its initial forays as the endgame, not realizing that a more mature approach, with greater payoffs, is possible. In short, the DevOps initiatives never grow up. GitLab, which has years of experience helping organizations with DevOps adoption, has identified four stages in a DevOps journey, culminating in an approach that delivers even greater benefits than envisioned at the outset.”

Read more insights from GitLab’s Federal Solutions Architect, Sameer Kamani, and Senior Public Sector Solutions Architect, Daniel Marquard.

 

Why Stronger Security Hinges on Identity Data

“To understand the need for an Intelligent Identity Data Platform, consider two scenarios. In the first case, a user logs into an application from her office at 2 p.m. each day. In this case, she will be considered a low risk, based on three factors: Her credentials, her usage patterns and location data. In the second scenario, this same user logs into the application from her office but at 2 a.m. The aberration in her routine (i.e., usage pattern) raises a red flag, as would a change in her location. Even this simple use case requires an agency to have a holistic picture of an end-user, which is not possible without a central platform.”

Read more insights from Radiant Logic’s Vice President of Solutions Architects and Senior Technical Evangelist, Wade Ellery.
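The two scenarios above (the same user, same office, 2 p.m. versus 2 a.m.), worked as an added example that is not Radiant Logic's code or product logic: a per-user baseline is built from a constructed login history, and a new login is scored on the three factors the passage names (credentials, usage pattern as hour of day, location). The history records, the weights and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of past successful logins: (user, ISO timestamp, location).
# Made-up records for the example, not data from the page.
HISTORY = [
    ("alice", "2021-03-01T14:02:00", "HQ-office"),
    ("alice", "2021-03-02T13:55:00", "HQ-office"),
    ("alice", "2021-03-03T14:10:00", "HQ-office"),
    ("alice", "2021-03-04T14:05:00", "HQ-office"),
    ("alice", "2021-03-05T13:58:00", "HQ-office"),
]

# Assumed weights and thresholds (illustrative, not from the page).
WEIGHT_UNUSUAL_HOUR = 40
WEIGHT_NEW_LOCATION = 40
DENY_AT = 80
STEP_UP_AT = 40


def build_baseline(history):
    """Per-user profile: the hours of day and the locations seen in past logins."""
    baseline = defaultdict(lambda: {"hours": set(), "locations": set()})
    for user, ts, location in history:
        hour = datetime.fromisoformat(ts).hour
        baseline[user]["hours"].add(hour)
        baseline[user]["locations"].add(location)
    return dict(baseline)


def _hour_distance(a, b):
    """Circular distance between two hours of day (so 23 and 0 are 1 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_login(baseline, user, ts, location, credentials_ok):
    """Return (score, reasons) for a login attempt; 0 means nothing unusual.

    Factors: credentials, usage pattern (hour of day against the baseline)
    and location, as in the passage.
    """
    if not credentials_ok:
        # A bad credential is a hard failure regardless of the other signals.
        return 100, ["invalid credentials"]
    profile = baseline.get(user)
    if profile is None:
        # No history at all: medium risk rather than a silent allow.
        return STEP_UP_AT, ["no baseline for user"]
    score, reasons = 0, []
    hour = datetime.fromisoformat(ts).hour
    # Usage pattern: anomalous if no baseline hour is within one hour of this one.
    if all(_hour_distance(hour, h) > 1 for h in profile["hours"]):
        score += WEIGHT_UNUSUAL_HOUR
        reasons.append(f"hour {hour:02d} outside usual pattern")
    if location not in profile["locations"]:
        score += WEIGHT_NEW_LOCATION
        reasons.append(f"new location {location}")
    return score, reasons


def decide(score):
    """Map a risk score to an access decision."""
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT:
        return "step-up MFA"
    return "allow"


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for ts, loc in [("2021-03-08T14:00:00", "HQ-office"),
                    ("2021-03-08T02:00:00", "HQ-office"),
                    ("2021-03-08T02:00:00", "hotel-wifi")]:
        score, why = score_login(baseline, "alice", ts, loc, True)
        print(ts, loc, score, decide(score), why)
```

The 2 p.m. office login scores 0 and is allowed; the 2 a.m. login from the same office trips only the usage-pattern factor and is sent to step-up MFA; the 2 a.m. login from a new location trips both and is denied. The point the passage makes is that these factors come from different sources (directory, application logs, network or device data), and the scoring only works once they are joined on one identity record.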

 

The Case for Data Literacy

“Someone who works in national defense requires different data skills from those in environmental or financial management auditing. ‘We firmly believe it’s not a one-size-fits-all approach,’ Ariga said. Training must be catered to tradecraft. It’s the reason GAO is creating its own data literacy curriculum specific to the oversight community, instead of relying on third-party training that focuses on generic, often commercial aims. Additionally, the best time for people to learn data skills is when they actually need them. On-demand tools such as microlearning videos and a walk-in Genius Bar ensure staff can access data solutions and build literacy when they need, instead of waiting months to register for a class.”

Read more insights from the Government Accountability Office’s Chief Data Scientist and Director of the Innovation Lab, Taka Ariga.

 

The Future of AI Hangs on Ethics, Trust

“Over the next five years or so, we could see a revolution in the use of AI, Sivagnanam said. Think about the self-driving car industry. At this point, human drivers are still a necessary part of the equation. But AI pioneers are hard at work trying to change that, and quickly. Similar advances are likely in other applications of AI. Over the next three to five years, Sivagnanam hopes to see the AI industry mature. As part of that, he expects to see the development of regulations and guidelines around AI and ethics, both from the federal government and from industry organizations. That work is already getting underway, and NSF is playing a role. Through a grants program called Fairness in Artificial Intelligence (FAI), NSF supports researchers working on ethical challenges in AI.”

Read more insights from the U.S. National Science Foundation’s Chief Architect, Chezian Sivagnanam.

 

Q&A: Getting Schooled on Zero Trust Security

“Zero trust means zero trust. We’re monitoring your internal systems. To an extent, we are monitoring what individuals are doing. That’s not to say we’re Big Brother. We’re not monitoring the keystrokes of every user in the state or anything like that. For the agencies, multi-factor [authentication] is a huge one. We’ve seen time and time again accounts get compromised because they had a bad username and password. If that’s the only thing protecting a system, that’s not enough. The bottom line is we know people create bad passwords. That’s a given. You can increase awareness about how to create good passwords, and you certainly want to try that. In many cases, people will just figure out ways around complexity requirements to get an easy-to-remember password versus a secure and strong password. You want to encourage people to have unique passwords for every single site. At some point, you need to give them a secure method of being able to remember all these passwords.”

Read more insights from Connecticut’s CISO, Jeff Brown.

 

3 Tenets for Advancing Equity in Your Everyday Work

“If there were one thing you could do to eliminate health disparities or advance health equity, what would it be? This is a question that Dr. Leandris Liburd gets asked often, but it’s not one she’s fond of. The answer isn’t a simple one, and the COVID-19 pandemic has magnified that truth. There isn’t a magic pill to ensure that no one is denied the possibility of being healthy because they belong to a group that has been economically or socially disadvantaged. And measuring success is about more than data points. Choosing one thing to advance health equity ‘is not possible when you’re dealing with these kinds of complexities,’ Liburd said in an interview with GovLoop. ‘So we have to do a lot of things at the same time.’”

Read more insights from the CDC’s Director of the Office of Minority Health and Health Equity, Dr. Leandris Liburd.

 

Download the full GovLoop Guide for more insights from chief information officers, a chief data scientist and other senior leaders in federal, state and local government.

 

Technology’s Role in Hire-to-Retire in Government

Human capital is the most important resource for any enterprise. However, the Government Accountability Office reported in 2020 that 60% of newly hired government employees remained for only two years. Such a talent drain forces government agencies to spend resources constantly recruiting and training new personnel.

Agencies are routinely looking for ways to retain talented individuals and provide meaningful career paths, while cutting operational waste and redundancy. Employee lifecycle tools in end-to-end, hire-to-retire (H2R) integrated human resources processes are designed to streamline human resources employment and improve the retention of skilled employees. This provides enormous benefits to both agency management and employees.

Digital Transformation

Government agencies do not always make effective use of their employee data and need more efficient ways to access, query, and visualize it. Across government, agency leaders and HR teams are using digital transformation to improve the H2R lifecycle.

Innovative programs use automation, analytics, artificial intelligence, omnichannel engagement, and other capabilities to create a 360-degree view of every employee. This allows HR leaders to provide systems that deliver an improved customer experience, offering tailored, personalized options from the start of an individual’s career, through training, development, and career progression, to the time they retire. The personalized employee experience includes intuitive single sign-on from anywhere, and processes can be streamlined with mobile self-service capabilities.

The HR team can build solutions with helpful apps, from help desks to time and attendance, that enable employees to be more engaged. The right blend of people and technology can be a huge boon to employee effectiveness, productivity, and retention. Using a digital transformation plan to digitize form completion and other manual processes, agencies save money and free employees for higher-priority work.

Talent Recruitment

Technology can be invaluable when recruiting new employees. AI solutions provide a more collaborative and effective recruiting experience by automating processes; with real-time tracking, HR offices can deliver the right content to a candidate at the right stage of the hiring process. Information can be sent automatically to specific candidates at a cadence that makes them feel wanted. With AI managing applications and qualifications, hiring is easier for everyone.

Onboarding

The right technologies help agencies streamline mandated in-processing forms, individual benefit programs, and personnel record management. Less manual labor and faster processing means employees can start working sooner. Technology gives new hires a smoother experience—from offer acceptance through the training and mission orientation activities in the first year of employment. New employee training and orientation can be integrated into one standardized platform, so managers can track each employee’s progress in real-time. This makes the employee’s onboarding experience more positive and increases agency efficiency.

Workforce Planning

Leaders can use platforms to visualize data, equipping them to make data-driven decisions and draw insights from trends. Greater visibility into the available talent pool allows supervisors to use personnel resources effectively. They can evaluate mission needs, discover workforce talent gaps, and formulate appropriate recruiting efforts.

Employee Development

Providing timely and effective training and education helps improve employee retention. By the time an employee is completely onboarded, agencies have a lot of information about them, including training needs, special skills, and preliminary career development goals. With that data, the right digital transformation solution can help employees identify where they want to go next and which skills they will need.

With these tools, education and training can be tailored for each individual’s career goals. Automated systems can alert people to relevant opportunities and give access to training without requiring employees to fill out forms or talk to HR staff. With information at their fingertips for both employees and managers, the agency community remains connected.

Personalization

Many legacy HR systems are impersonal and one-size-fits-all. Systems that allow for personalization increase engagement by doing something very simple: making employees feel valued, noticed, and cared for. AI and machine learning capabilities allow computers to be more interactive with employees so they can pinpoint relevant data and offer very specific opportunities.

Setting Goals

Managers often struggle to set mission goals and then translate them into workforce tasks. With a comprehensive digital transformation solution, management can set specific mission goals and measurements and link them to performance objectives for individual employees. Because all the information is managed on a single, holistic platform, managers can link mission goals to an individual’s desire for a specific kind of assignment or training. With a 360-degree view of an employee, supervisors can also set performance goals with employees and then check progress and provide feedback quarterly or semiannually, helping both the employees and the agencies realize their long-term goals.

 

View our webinar to learn more about how government and industry thought leaders are using Hire to Retire.