Nextgov/FCW - All Content

‘It would be insane’ for spy agencies to not have AI model early access, lawmaker says

David DiMolfetta — Tue, 12 May 2026 14:09:00 -0400

Rep. Jim Himes, D-Conn., the top Democrat on the House Intelligence Committee, said Tuesday it would be “insane” for U.S. intelligence agencies to not have early access to advanced artificial intelligence models that could be used for hacking and cyberdefense.

His remarks, delivered on a panel at Politico’s Security Summit, come as the Trump administration is reportedly considering a major AI executive order and debating whether the Commerce Department or intelligence community should oversee evaluations of AI models. They also come as President Donald Trump makes a planned trip to China this week, where he is expected to discuss AI matters with Chinese President Xi Jinping.

“Making sure that, in particular, where our real computational brains are, the National Security Agency, making sure they have access to the most capable hacking tools … it would be insane not to do that, right?” he said.

The NSA, the spy community’s premiere hacking, codebreaking and foreign eavesdropping giant, has been testing Mythos, a major Anthropic model that’s been held back from full public release due to its substantial cyber capabilities, multiple people familiar with the matter said.

On Monday, The Washington Post reported the Trump administration is split over whether to give spy agencies or the Commerce Department dibs at evaluating models. Commerce officials are pushing back against a White House proposal to house an AI evaluation center within the intelligence community, according to the report.

Himes said the Commerce Department should also have a role to play in AI policy.

“Across the government, we should be looking at these capabilities,” he said, adding that “we ought to be cultivating — not damaging — our relationship with the producer of this remarkable new technology,” in a nod to the ongoing legal complaints Anthropic has lodged at the Defense Department, which deemed it a supply chain risk earlier this year after the company said it wouldn’t meet certain Pentagon demands.

Himes said he doesn’t think the legal spat between the DOD and Anthropic has set back the intelligence community in the near term, though “if this drags out, if [Defense Secretary] Pete Hegseth gets a bee in his bonnet about this and just decides to target because his ego is damaged … that will be a massive liability for United States national security.”

Officials are circulating draft policy documents with language clarifying the government’s ability to use private sector tech without outside stipulations, Nextgov/FCW reported last week. It’s not clear if the contracting language is part of a coming executive order or a separate policy initiative.

The ongoing discussions highlight how the Trump administration is closely examining cyber threats brought on by advanced AI models and is looking to take a more hands-on approach toward the AI sector, despite prior laissez-faire positions.

]]>

Lawmakers propose to establish AI guardrails for VA in FY27 funding

Edward Graham — Tue, 12 May 2026 12:21:00 -0400

Proposed amendments to the fiscal year 2027 funding bill for the Department of Veterans Affairs include several measures seeking to limit the use of decisional or unapproved artificial intelligence tools by the agency.

The House Rules Committee is set to hold a hearing on the VA funding proposal and proposed amendments Tuesday afternoon. The FY27 funding package passed out of the House Appropriations Committee last month.

Separate proposals offered by Reps. Paul Gosar, R-Ariz., and James Walkinshaw, D-Va., specifically call for additional oversight of VA’s uses of AI to ensure they are being deployed appropriately. Although both proposed amendments may not make it into the final funding package voted on by the full House, they signal lingering lawmaker unease about the VA’s use of the emerging capabilities to augment department operations.

Gosar’s measure would block VA funding from being used “to make a final determination with respect to the approval or denial of a claim for disability compensation under the laws administered by the Secretary of Veterans Affairs using artificial intelligence.”

VA has used AI and automation to speed up its processing of veterans benefits claims, although some lawmakers and veteran service organizations have expressed concern about officials ceding too much of their decisionmaking authority to the technologies. The agency has stressed that humans always make the final claims decisions and that the AI tools act as more of an automated information retrieval system.

Gosar spokesman Anthony Foti said the congressman’s amendment would “establish a clear safeguard within the VA disability claims process” to ensure that human reviewers always make the final decisions, adding that Gosar “believes it is important to establish appropriate guardrails before these technologies are relied upon for consequential adjudicative decisions.”

Even though VA is already leveraging some AI tools to speed up benefits processing, the agency is looking to further expand its suite of claims-focused technologies. VA’s 2025 AI use case inventory, which was released in January, included 28 instances of the technologies being leveraged for claims processing, with the majority of these examples still listed as being in the pre-deployment phase.

“Disability determinations often involve nuanced medical evidence, individualized circumstances, and credibility assessments that require human judgment and oversight,” Foti said. “The amendment is designed to ensure that AI serves as a support tool — not as the final decision-maker — in matters directly impacting veterans’ healthcare access, financial stability, and earned benefits.”

Walkinshaw’s amendment, meanwhile, looks to address uses of the emerging capabilities that may be operating without agency oversight.

Within 180 days of the funding bill’s enactment, Walkinshaw’s proposal would require VA to submit a report to relevant congressional committees detailing “the use of unapproved artificial intelligence models or artificial intelligence-powered applications, also known as ‘’shadow AI’’, within information technology networks of the Department of Veterans Affairs, and any cybersecurity risks and data exposure vulnerabilities introduced by such use.”

These ‘shadow’ uses of AI often entail employees using technology not approved by the agency to conduct work and that operate outside of traditional restrictions.

Walkinshaw’s office was not able to immediately respond to a request for comment.

]]>

Anthropic and nonprofit partner to streamline benefits administration with AI

Kaitlyn Levinson — Mon, 11 May 2026 16:00:00 -0400

CHICAGO — The civic tech nonprofit Code for America is partnering with artificial intelligence company Anthropic to develop tools aimed at helping caseworkers enhance public benefits administration across the nation.

The organizations are working together to develop an AI-enabled solution to improve the accuracy and timeliness of benefits service delivery under the Supplemental Nutrition Assistance Program, Jana Rhyu, vice president of product at Code for America, announced Friday at a summit hosted by the organization in Chicago last week.

The SNAP Policy Navigator tool is built on federal regulations, state manual selections, official policy directives and other documents to help caseworkers “quickly and accurately get an answer to [a] very specific policy question” when they are working with clients, said Michael Lai, who leads state and local government AI at Anthropic.

The tool leverages Anthropic’s Claude chatbot and is built on a model context protocol to ensure a secure two-way connection between data sources and AI applications, Rhyu said. A caseworker can input a simple, policy-based question, such as how a client’s change in income or a new federal policy could impact their benefits, and the tool outputs an up-to-date response in plain language with cited sources and suggested next steps.

The user “gets clarity on policy, not a decision on overall eligibility. The decision stays with [them],” she said.

The announcement comes as state and local public benefit agencies scramble to comply with rule changes to the federal food assistance program made last July under President Donald Trump’s “Big, Beautiful Bill.” The law subjects participants to expanded work requirements, shifts administrative costs to states based on their SNAP payment error rates, and requires that the Thrifty Food Plan — the model used to calculate the lowest-cost nutritional meal for a family of four — be cost-neutral to changes in food prices.

Since its passage, SNAP participation has declined by more than 3 million people across 36 states as of January, and further reductions are expected once the new rules are fully implemented, according to the Center on Budget and Policy Priorities.

“Policy is constantly changing, and the complexities of policy implementation are immense, which places an even bigger burden on the caseworkers,” Rhyu said.

That’s why it’s critical for resources like the SNAP Policy Navigator tool to help reduce caseworkers’ administrative burden of sifting through and trying to apply intricate policies to individual cases, she said.

Indeed, the complex rules regarding eligibility and exemptions present common barriers to benefits access and having to explain those to residents who depend on the timely and accurate delivery of public assistance to meet their everyday needs only adds to it, Lai said.

Such challenges are exacerbated by funding uncertainty, workforce shortages and increasing caseloads that many states and localities are grappling with across the U.S.

He pointed to one former caseworker who described their job as “an email inbox that's always full, where each one requires care and attention, but you're constantly getting interrupted as you try to work through the never ending inbox of people to help.”

In addition to the SNAP Policy Navigator, Code for America and Anthropic will develop a suite of Claude-based tools to further assist benefit workers with answering policy questions, reviewing eligibility documents and drafting communications to benefit recipients, Code for America leaders said in an announcement last week.

“We know that caseworkers are really overburdened in general, but especially at this moment with HR 1 as well, and so AI shouldn't be used for AI’s sake,” Lai said. “We want it ultimately to be helping in this human way and trying to make benefits administration more efficient, more accurate and more human centered.”

]]>

Canvas breach spotlights cybercriminal appetite for student data

David DiMolfetta — Mon, 11 May 2026 12:00:00 -0400

A major cybercrime gang’s hack of Canvas is highlighting how education technology providers have become attractive targets for cybercriminals, whose access to student records, login credentials and other sensitive data can create opportunities for fraud, identity theft, extortion and future intrusions.

ShinyHunters on Thursday claimed responsibility for a hack into Instructure’s Canvas platform that facilitates course materials and class management for thousands of institutions. An extensive document posted by the hackers and obtained by Route Fifty lists some 9,000 customers apparently impacted in the breach, including Georgetown, Harvard and Cornell universities. It’s not clear whether all victims listed were accessed, or what data may have been stolen.

As Instructure worked to restore services, the hackers appeared to launch follow-on attacks, while students flooded social media during final exam season with photos and videos showing compromised Canvas pages appearing upon login. ShinyHunters claims it accessed names, email addresses, student identification and private messages.

The hacking group said Saturday it would not comment further. An extortion message posted on affected sites says that Instructure has until May 12 to reach out to the hackers. ShinyHunters has since removed Instructure from their Pay-or-Leak portal and the company says Canvas functions have been restored.

Route Fifty has asked Instructure if it is negotiating with the group or has paid a ransom to prevent data from being leaked.

The FBI is likely investigating the incident, according to two people familiar with the matter who requested anonymity to communicate their understanding of the government’s response to the breach.

An FBI spokesperson said on Friday that the bureau is aware of the compromise.

“If you are contacted directly by anyone claiming to have your data, we recommend you not send payment or respond to their demands. By receiving a message, that does not necessarily mean your personal information has been compromised,” their statement said.

Hackers often exaggerate or fabricate their access to sensitive or personal information to prompt payment from victims, the FBI spokesperson added. “We encourage individuals to be cautious of unsolicited emails, calls, or texts claiming to be from your school, the [Learning Management System] provider, or law enforcement and to verify the contact through known channels before responding.”

Universities are a “treasure trove” of data and ransomware hackers know this, said Cynthia Kaiser, a former senior FBI cyber official. “At the same time, the openness that defines higher education can make these institutions more exposed than many other organizations.”

Kaiser, now vice president of the Ransomware Research Center at Halcyon, said that criminal hacker groups frequently obtain credentials from other intrusions and use them to carry out other hacks.

“You have to remember that groups like ShinyHunters, Lapsus$ and Scattered Spider often log in rather than hack in,” she said, referring to a slew of major criminal hacker gangs that have made headlines for their intrusions over the years.

Any stolen data wouldn’t enable immediate financial theft, though it’s highly valuable for targeted phishing and social-engineering attacks, said Adam Marrè, a former FBI special agent and Chief Information Security Officer at Arctic Wolf.

“The biggest risk after incidents like this is not instant identity theft but scams that surface weeks or months later and appear legitimate. Students, parents, and educators should stay alert for unexpected or urgent messages, avoid clicking unverified links, enable multi-factor authentication on email accounts and be cautious with any request for personal information,” he said.

The House Homeland Security Committee is investigating the matter, according to a letter sent Monday to Instructure CEO Steve Daly from Rep. Andrew Garbarino, R-N.Y., the panel’s chairman. He asked company executives to brief lawmakers and staff by May 21.

Instructure said in a blog post that the unauthorized access involved information like usernames, email addresses, course names, enrollment information and messages. The company also “identified a vulnerability regarding support tickets in our Free for Teacher environment that was exploited.”

It’s not known how long it took for the hackers to craft the plan for the intrusion, but the fact that they carried it out during final exams “shows the level of planning that went into this attack,” said Damien Skeeles, a senior manager at Filigran, which sells open-source cybersecurity solutions.

“You wonder how much more planning went into it, and how many more acts there are to follow,” he said.

]]>

Agentic AI just proved it can fix federal procurement — now let’s scale it

KJ Lian and Anil Chaudhry — Mon, 11 May 2026 09:00:00 -0400

The views expressed in this article are those of the authors and do not necessarily reflect the official policy or position of their employers.

Every year, federal agencies evaluate thousands of vendor proposals worth billions of taxpayer dollars, and they do it with a process that is slow, inconsistent and an inefficient use of personnel time.

Contracting officers manually cross-reference dense submissions against hundreds of Federal Acquisition Regulation (FAR) clauses, Defense Federal Acquisition Regulation Supplement requirements and a growing web of executive orders. Critical gaps remain despite the diligent efforts of procurement teams. Timelines stretch from weeks into months. The cost is mission delay, wasted funding and eroded public trust.

This is not a theoretical problem; it is a daily operational reality. Even as the FAR overhaul aims to simplify compliance, procurement team burdens keep growing.

That’s why the ATARC Agentic AI Lab set out to answer a specific question: can a team of specialized AI agents — not a chatbot or search tool, but autonomous agents working in coordination — evaluate a federal proposal against real regulatory requirements and surface genuine compliance risks? We didn’t want a demo. We wanted proof.

We got it.

Our proof of concept deployed three specialized AI agents: a FAR compliance agent, an executive order agent and a technical evaluation agent against a real-world-modeled $8.5 million vendor proposal for a fictitious agency data modernization initiative. Each agent independently analyzed the submission from its domain, querying curated regulatory knowledge bases and generating detailed findings with precise FAR citations.

The results were striking. The agents identified gaps in small business subcontracting documentation, security framework specifics and cost justification. Where the proposal was strong, particularly its alignment with executive orders on AI policy, the agents recognized that too.

Here’s what matters most: humans never left the loop. The agents performed the analytical labor, document review, citation matching, cross-referencing across domains. Every final determination, every exception judgment, every award decision remained with the reviewer. The AI didn’t replace expertise. It multiplied it.

We also learned what doesn’t work yet. The system needs confidence scoring so reviewers know when to trust a finding. It needs context-aware interpretation for agency-specific deviations and acquisition strategy trade-offs no general model can anticipate. These are solvable engineering challenges, not fundamental limitations.

The broader lesson extends well beyond pre-award compliance review. The multi-agent architecture we validated — specialized agents with distinct knowledge domains, coordinating through a shared orchestration layer — is a reusable pattern. Grant evaluations at federal health agencies. Regulatory impact assessments at EPA. Small business compliance support that levels the playing field for new market entrants. The pattern scales because the problem scales.

Agencies should implement agentic AI tools against real procurement workloads and share findings openly. The Office of Federal Procurement Policy should issue guidance encouraging AI-assisted document review with clear human-in-the-loop standards.

We have the proof. In today’s budget-constrained environment, where every dollar must stretch further and mission delivery is harder than ever, agentic AI offers a genuine path to doing more with less. The question is no longer whether this technology can help. The question is whether we will move from pilot to production before that opportunity passes.

KJ Lian is the senior manager of the emerging tech solutions team for federal civilian at Amazon Web Services. Anil Chaudhry is a senior advisor for AI at the Department of Transportation. Both Lian and Chaudhry are co-chairs of the ATARC Agentic Al Lab.

]]>

Tech bills of the week: Limiting data harvesting; AI for financial fraud prevention; and more

Alexandra Kelley and Edward Graham — Fri, 08 May 2026 16:46:00 -0400

Securing online user data

A new House bill adds to the growing volume of legislation seeking to bolster data privacy protections by prohibiting companies from requiring online users to give access to their data as a condition of service.

The You Own the Data — or YODA — Act, introduced by Rep. Michael Cloud, R-Texas, tackles longstanding data privacy issues by limiting data collection from website hosts beyond “what is reasonably necessary to provide the requested service,” and bans tracking cookies without explicit user permission.

“The Constitution protects Americans’ right to private property and privacy from unwarranted searches and seizures. That principle doesn’t disappear the moment you open a browser,” Cloud said in the press release.

The measure enables the Federal Trade Commission and state attorneys general to enforce the YODA Act’s pillars. Notably, it creates recourse for individuals whose data has been illegally harvested to bring civil suits against companies with an annual gross revenue of $50 million or more.

Using advanced tech to combat financial fraud

Rep. Mike Flood, R-Neb., formally introduced legislation on Thursday that would direct federal banking agencies to conduct a study on the use of artificial intelligence and other advanced technologies in fraud detection and prevention, “with particular attention to community financial institutions.”

The bill — the Bank Fraud Technology Advancement Act — also includes a section calling for the agencies to establish a voluntary “community bank fraud technology pilot program” one year after completion of the required study, saying that it would help “facilitate community financial institution access to advanced fraud detection tools.”

A draft of Flood’s measure was previously discussed during a March House Financial Services Subcommittee on Financial Institutions hearing.

Counter-drone measures for the National Guard

Rep. Michael McCaul, R-Texas, introduced a bipartisan measure on Thursday that seeks to enhance counter-drone measures at large-scale events — such as the upcoming FIFA World Cup and America250 celebrations — by giving the National Guard explicit authority to mitigate potential threats posed by the unmanned aerial systems.

The proposal, the Guard the Skies Act, grants the National Guard the ability “to protect certain facilities and assets from unmanned aircraft.” The legislation is co-sponsored by Reps. Marcy Kaptur, D-Ohio, Eli Crane, R-Ariz., and Josh Gottheimer, D-N.J.

"From foreign adversaries to transnational criminal organizations, hostile actors have increasingly adopted drone technology to target critical infrastructure and innocent civilians. As the United States prepares to host millions of visitors for the FIFA World Cup, America250 celebrations, and eventually the Olympics, we must be prepared to intercept and neutralize this evolving threat,” McCaul said in a statement. “The Guard the Skies Act would leverage the National Guard — a force uniquely positioned for rapid deployment and crisis response — to protect our skies and the large-scale gatherings below.”

SBA’s AI use

A measure introduced by Rep. Hillary Scholten, D-Mich., would task the head of the Small Business Administration with implementing a recommendation from a May 4 Government Accountability Office report on uses of AI in the agency’s small business contracting and innovation research.

That watchdog called for SBA to ensure its chief information officer “establishes policies and procedures for meeting the agency’s applicable reporting requirements for AI use case inventories, including defining roles and responsibilities, and for documenting the implementation of policies and procedures and key decisions.”

Within 45 days of the bill’s passage, Scholten’s measure would require that SBA submit a report to the House and Senate Small Business committees detailing the plans it will take “to establish and implement policies and procedures to disclose artificial intelligence use.”

]]>

Unleashing AI across the US government: The data security challenge holding back decision advantage

Terry Halvorsen — Fri, 08 May 2026 14:41:00 -0400

During my years leading IT strategy at the Department of Defense and the Navy, I witnessed firsthand the frustrating paradox that continues to plague government artificial intelligence initiatives: we're sitting on mountains of valuable data that could revolutionize mission outcomes, yet we can't actually use most of it with AI systems.

The problem isn't technology adoption, since federal agencies are rapidly deploying AI and machine learning capabilities. The challenge is that our most sensitive data — the information that could provide genuine decision advantage — remains locked away because our current security architectures can't protect it at scale once AI systems begin processing it.

The promise of augmented intelligence

Let's be clear about what's at stake. When properly implemented, AI — or what I prefer to call "augmented intelligence" — represents a crucial advancement in how government operates. From predictive maintenance on weapons systems to accelerated threat detection in cybersecurity, from streamlined acquisition processes to improved resource allocation, AI has the potential to enhance every aspect of federal operations.

The Pentagon's emphasis on responsible AI — built on principles of equitable, traceable, reliable, governable and transparent usage — provides the right ethical framework. We understand that humans must remain in the loop for critical decisions, particularly those involving national security or individual rights. We've established governance structures and invested in quality, auditable data pipelines.

But here's what keeps CIOs and CISOs awake at night: all these careful preparations become meaningless if we can't secure the data during AI processing.

The decrypt-to-use vulnerability

Today's AI systems, including the increasingly popular Retrieval-Augmented Generation (RAG) models that federal agencies are deploying, have a fundamental security limitation. To analyze data, they must decrypt it first. This creates a vulnerability window where sensitive information sits exposed in memory and processing systems.

For classified defense data, this is often a complete showstopper. Legal teams won't approve AI analysis of intelligence data when the architecture requires decryption during processing. The same applies to healthcare data protected by HIPAA, financial records subject to compliance requirements or personally identifiable information covered by privacy laws.

Consider the implications: the Department of Defense collects vast amounts of operational data, but by my estimates, we use only about 5% of it on our best days. Of that small fraction, only about 25% reaches commanders in time to inform mission-critical decisions. If I told corporate executives they were throwing away 95% of their competitive advantage, they'd be terminated that day. Yet we are forced to slow down our AI usage because we lack secure methods to process sensitive data with AI.

This isn't just inefficiency; it's a national security risk. Our adversaries are aggressively deploying AI without the same ethical constraints or security concerns that rightfully slow our adoption. The country that can most effectively harness AI for intelligence analysis, operational planning and strategic decision-making will have significant advantages in future conflicts.

The RAG security challenge

Retrieval-Augmented Generation models present particularly acute security challenges. These systems combine large language models with organizational knowledge bases, allowing AI to provide contextually relevant responses based on proprietary or classified information. They're powerful tools for everything from policy analysis to technical support.

But RAG architectures require constant interaction between the AI model and data repositories. Every query triggers retrieval operations that pull sensitive information from storage, decrypt it for processing, generate results and ideally re-encrypt everything. Each step creates potential exposure points. Each handoff between systems represents a possible vulnerability.

Traditional encryption approaches — encrypt data at rest, decrypt for processing, re-encrypt for storage — simply don't work when AI systems need continuous, high-speed access to sensitive information. The decrypt-to-use model creates too many windows of vulnerability, and the performance overhead of constant encryption and decryption operations becomes prohibitive.

Federal agencies attempting to deploy RAG systems on classified or sensitive data face an impossible choice: either accept security risks that breach their compliance obligations, or forgo AI capabilities on the data where AI would provide the most value.

What's needed: processing without decryption

The solution requires a fundamentally different security architecture; one that enables AI processing on encrypted data without ever decrypting it. This isn't theoretical cryptography research; the underlying mathematics exists. What's needed is engineering that makes continuous encryption practical for real-world AI operations.

Such an architecture would allow RAG models to query encrypted databases, retrieve encrypted information, process it while encrypted and return results; all without creating those vulnerability windows that make security officers reject AI deployments. The encryption never comes off. The data is never exposed, even to the AI system itself.

This would unlock AI capabilities across government operations that are currently off-limits:

In defense and intelligence: Analysts could use AI to identify patterns across classified datasets, generate intelligence assessments and provide decision support; all while maintaining required security clearances for the data itself.

In healthcare: VA hospitals could deploy AI diagnostics and treatment recommendations using complete patient records, improving care quality without HIPAA violations.

In law enforcement: Investigators could leverage AI for case analysis and threat detection using sensitive criminal justice information that currently can't be processed by AI systems.

In financial oversight: Regulators could use AI to detect fraud patterns and compliance violations across sensitive financial data that institutions legally cannot decrypt for AI analysis.

Beyond technical solutions: cultural change

Technology alone won't solve this challenge. As I emphasized throughout my time at DOD, we need fundamental shifts in how government approaches risk management. Too often, "risk management" becomes a sophisticated way of saying "no" to innovation. We need to ban that reflex and focus instead on mission outcomes.

The right question isn't "How do we eliminate all risk?" It's "How do we enable critical capabilities while managing risks to acceptable levels?" For AI security, that means demanding encryption architectures that protect sensitive data throughout the AI processing lifecycle, not just when data sits idle in storage.

We also need acquisition reform that allows government to rapidly adopt innovative security solutions. It's absurd that a $500,000 contract costs the same to execute as a $2 billion program. Small companies developing breakthrough security technologies can't navigate our procurement bureaucracy. Meanwhile, adversaries move faster because they're unburdened by our process constraints.

The path forward

Federal agencies are making significant investments in AI infrastructure, training programs and governance frameworks. These investments will be wasted if we can't secure the sensitive data that AI needs to provide real value.

The good news is that solutions are emerging. Continuous encryption technologies that enable AI processing without decryption are moving from research labs to commercial availability. Forward-thinking agencies should be evaluating these capabilities now, running pilot programs and preparing their organizations for a security architecture that finally allows sensitive data and AI to work together.

The stakes are too high for incremental progress. Every month we wait to solve the RAG security challenge is another month where America's adversaries gain ground in the AI race. Every sensitive dataset that remains off-limits to AI is a missed opportunity for better decisions, faster response times and more effective government operations.

We built the responsible AI framework. We established governance structures. We invested in data quality. Now we need the security architecture that allows us to actually use AI on the data that matters most.

The technology to unleash AI across government operations exists. What we need now is the leadership commitment to demand it, the acquisition agility to procure it, and the cultural shift to deploy it. Our missions, and our national security, depend on it.

Terry Halvorsen served as Chief Information Officer at the U.S. Department of Defense from 2015-2017 and as CIO of the Department of the Navy. He currently serves as Vice President of Federal Client Development at IBM. He is a veteran Army intelligence officer who served during Operation Just Cause and Operation Desert Storm.

]]>

Inside the effort to connect Congress with the feds enacting its policies

Natalie Alms — Fri, 08 May 2026 08:00:00 -0400

Congress is flying blind on the effectiveness of the laws it creates.

That’s the thesis of a new project released last week by the POPVOX Foundation, a nonpartisan nonprofit, based on the input of 50 federal employees pushed out of their government jobs last year. The intent of this work was partly to gather insights on how policy implementation works in the executive branch and what barriers exist to effective government that lawmakers may not know about.

But it’s also about showing Capitol Hill what’s possible, said Anne Meeker, senior advisor for the POPVOX Foundation, which collaborated with the Niskanen Center, Civil Service Strong, the Partnership for Public Service and the Foundation for American Innovation on the work, called Departure Dialogues.

Communication between those making laws and those implementing them has been a problem for a long time, said Meeker, in part because federal employees doing the work aren’t usually authorized to go talk to Congress about what they may be dealing with as they turn statute into reality. That made last year a unique opportunity, as federal employees left the government en masse under the Trump administration's efforts to shrink the size of the federal workforce.

Typically, Congress’ current mechanisms for feedback from those closest to implementation in the government are limited. Hearings “are performative as often as they are informative,” the new report reads. Audits from the Government Accountability Office are usually retrospective, and congressionally-mandated reports are often compliance exercises.

Federal agencies have legislative affairs offices, but the information they transmit to Congress often gets filtered down to politics and top-level priorities, not the “program-level, operational oversights [of] what’s working, what’s breaking, what statutory language creates unnecessary friction,” the new report reads.

The hope is that Congress may replicate POPVOX’s process, or parts of it — including the use of AI to synthesize insights and surface patterns — so that experts have channels to communicate with lawmakers and their staff. For that reason, Departure Dialogues includes a methods report, in addition to a report on key findings and a legislative index.

One recommendation is for congressional committees to consider building structured input processes into reauthorization cycles or invite mid-level experts in for structured listening sessions.

As for what lawmakers may find if they take on the charge of hearing more from those in government agencies, one top takeaway Departure Dialogues found is that the accumulation of policies and requirements is making it difficult to get things done. Congress usually adds requirements, but it doesn’t take them away.

“One recurring challenge I encountered was the cumulative burden imposed by overlapping and sometimes conflicting legislative and reporting requirements associated with different funding streams,” Vikki Stein, who worked at the U.S. Agency for International Development for 30 years, told POPVOX.

“While each requirement was reasonable in itself, together they created inefficiencies that reduced our ability to focus on program effectiveness,” she continued. “This led to significant duplication of effort, diverting staff time and resources away from program monitoring, learning, and adaptation.”

Others told POPVOX that statutory language sometimes directly prevents them from achieving what Congress intended.

A common culprit: the Paperwork Reduction Act, a law created before the days of the internet that’s meant to reduce paperwork for Americans. Detractors say the law adds bureaucracy internally to those delivering government services who want to collect data like feedback meant to help ensure that government programs work well for people — but that it doesn’t ultimately always reduce burden on citizens the way it’s intended to.

Those writing the new report saw themes across workforce, contracting and internal communication: just as agencies and Congress are siloed, so too are agencies isolated from each other, and even teams within agencies are experiencing separation.

“The project was a little bit of an experiment to see if departing federal employees in this really politically tense moment were interested in participating,” Meeker said of the work.

“The response that we got … was really neat to see. We had so many folks really excited about this chance to say to Congress, like, ‘Look, forget the partisanship, forget the politics. This is just the one thing you need to know about how to make this program better,’” she continued. “That spirit of service was actually really kind of moving.”

]]>

US tech official calls for ‘transformational’ use of AI in scientific discovery

Edward Graham — Thu, 07 May 2026 16:50:00 -0400

The Trump administration sees greater incorporation of artificial intelligence capabilities into the scientific research space as critical for continued U.S. technology leadership, a White House official said on Thursday.

Speaking at the Special Competitive Studies Project’s AI+ Expo, U.S. Chief Technology Officer Ethan Klein said a major focus of this administration “is having better integration and tie-in across the scientific development piece, all the way through tech development, testing, prototyping and scale up.”

Klein said greater adoption of emerging capabilities like agentic AI — autonomous systems capable of executing specific tasks with minimal human oversight — will have a profound impact on scientific research. A Market Connections survey of more than 200 technology executives across government that was released on Tuesday found that 53% of respondents said their agencies were already exploring uses of agentic AI or were planning pilots of the technology.

“Across a broad swath of applications, but specifically for scientific discovery, I think agentic AI will be transformational,” said Klein, who also serves as an associate director of the White House Office of Science and Technology Policy.

Greater use of these capabilities, he said, would help to expand and enhance data collection and transform the types of experiments that can be conducted by researchers.

“I think that if we're able to actually deploy these agentic AI … agents across those workflows, they're going to see a great amount of scientific efficiency,” Klein added. "And that's incredibly important, because that underpins every one of these technologies that we're looking to develop.”

The Trump administration has already taken some steps to enhance nationwide research efforts by leveraging AI. The largest of these is the Genesis Mission, which was launched in November 2025 and seeks to further harness AI for scientific advancement.

Klein said the initiative will help bring “a bit of that muscle [when it comes to] incorporating that into the workflows that we know are going to bring forth this new era of AI-enabled scientific discovery.”

Thursday’s panel, however, was held amid ongoing concerns about how the Trump administration’s push to scale back government operations through layoffs and reductions in force is impacting research efforts.

Just last month, President Donald Trump dismissed all 22 members of the independent advisory board overseeing the National Science Foundation, which supports nationwide science and engineering research. Critics have said the purge — which comes as NSF still lacks a permanent director — will harm continued U.S. scientific leadership.

Editor’s note: Market Connections is a business division of GovExec, the parent company of Nextgov/FCW.

]]>

Pentagon will ‘never again’ rely on a single AI provider, official says

Alexandra Kelley — Thu, 07 May 2026 14:41:00 -0400

Leadership at the Pentagon reiterated the agency’s commitment to diversifying its artificial intelligence service providers, with Under Secretary of Defense for Research and Engineering Emil Michael taking the stage Thursday at an event in Washington, D.C., to stress that his department is never being “single-threaded with any one model.”

Speaking during the Special Competitive Studies Project’s AI+ Expo event, Michael said that the recent deals between eight leading AI developers and the Department of Defense are both a private sector statement of support for working with the government, as well as a step towards the Pentagon’s goal to diversify its tech stack with different providers.

“We were single-threaded on one vendor, one AI vendor at the Department of War, and to integrate into classified systems is not just putting your software on a public cloud and having it work,” Michael said, referring to his agency’s contract with Anthropic. “These are sophisticated, protective systems that take a lot of work to integrate on, so it wasn't like I could just turn on a few other models that easily. But never again we’ll be single-threaded with any one model.”

Michael continued to say that the new deals with Amazon Web Services, Google, Microsoft, NVIDIA, OpenAI, Reflection, Oracle and SpaceX are “a statement by the biggest tech companies in the world who are involved in the AI space … and have them say, ‘We support the Department of War, we support the U.S. government, and we support the… armed services for all lawful use cases.”

Michael’s comments come in the midst of an ongoing dispute between Anthropic and the Department of Defense following the company’s refusal to have its technology used in operations involving autonomous weaponry and American surveillance.

The fallout of that dispute resulted in the Pentagon designating Anthropic a supply chain risk and the White House ordering agencies to begin removing the company's products from their tech stacks. A judge put a hold on those actions in late March pending ongoing litigation over the government’s actions.

The release of Anthropic’s advanced cybersecurity-focused model, Mythos Preview, changed the discussion. Access to Mythos and its advanced capabilities for detecting cybersecurity flaws is tantalizing for the U.S. government, prompting internal drafts of policy plans that would enable some agencies to use Anthropic’s cutting-edge model.

Michael said that the advent of Mythos signals the forthcoming evolution of cyber-capable AI models.

“The Mythos moment is really a cyber moment, and it's: ‘How is the U.S. government going to deal with cyber?’” Michael said.

Major tech companies are responding to Michael’s drive to diversify the Pentagon’s vendor portfolio. Rand Waldron, the vice president of the Global Government Sector for Oracle Cloud Infrastructure, told Nextgov/FCW that Defense officials are asking cloud service providers like Oracle to prioritize interconnectedness in the effort to avoid vendor lock-in.

“From what I can see, the Department of War has some very savvy people who … don't want to go all in on one [model] because then six months later, they may need to go all in on another,” Waldron said.

He explained that there will likely be models that are more finely-tuned to particular use cases, such as code generation, data analytics, supply chain management or targeting in warfighter operations. One model from a single provider may not effectively serve each of these workflows.

“I don't believe that all those different use cases will end up being the exact same model at any given time,” Waldron said.

The Pentagon’s desire to expand the service offerings available for its workforce has precedent. Waldron said that DOD and the intelligence community have laid the foundation for a flexible approach to AI services acquisition, citing the creation of the Commercial Cloud Enterprise and Joint Warfighting Cloud Capability contracting vehicles as the blueprints for future contracting structure.

“It's not like they're trying to replace Anthropic with another model provider,” Waldron said. “They want to replace Anthropic with four model providers.”

]]>

Trump admin will push for ‘long-term’ reauthorization of key cyber data-sharing law

Edward Graham and David DiMolfetta — Thu, 07 May 2026 13:21:00 -0400

The White House is pressing Congress to extend a key cybersecurity authority that is poised to expire later this year unless renewed, a top official said Thursday.

The Cybersecurity Information Sharing Act of 2015 temporarily expired during the 43-day government shutdown that occurred late last year, but lawmakers ultimately extended it as part of the stopgap funding bill that ended that lapse. The government funding package signed into law in early February included a provision that prolonged the statute through September 2026.

Speaking at the Special Competitive Studies Project’s AI+ Expo event in Washington, D.C., National Cyber Director Sean Cairncross said the Trump administration is “pushing for a long-term reauthorization” of the law.

“I expect that, on the Hill, the right thing will be done over the course of time, and we will get there,” Cairncross said.

The measure allows private sector firms to freely transmit threat intelligence to federal partners with key legal exemptions in place. Legal carve-outs were made a core feature of the original 2015 law because cyber threat information often contains sensitive data on victims and companies. To help the U.S. trace nation-state cyber intruders and criminal hackers, those datasets often need to be shared with government cybersecurity and intelligence analysts.

The White House’s national cybersecurity strategy, which was released in March, called for enhancing communication between the public and private sectors to deter cyber threats. The same document also said the Trump administration was pursuing more offensive cyber operations against bad actors, including moving to “unleash the private sector by creating incentives to identify and disrupt adversary networks and scale our national capabilities.”

Cairncross said part of that overall effort includes “working on new ways to share information between the private sector and the [U.S. government] that’s actionable, that's fast and in both directions” — including through the Cybersecurity and Information Sharing Act of 2015.

The national cyber director has previously pushed for a clean extension of the law, but his comments show the Trump administration is vying to prevent its lapse for a significant time period.

In the early 2010s, legislative efforts to establish a cyber threat information-sharing framework faced major hurdles amid public skepticism over government privacy abuses following Edward Snowden’s 2013 global surveillance disclosures.

The view shifted after the Office of Personnel Management suffered a massive data breach in 2015, compromising the personal information of over 21 million current and former federal employees, which galvanized support for the law as it stands today.

]]>

White House taps Education’s tech lead as new deputy federal CIO

Natalie Alms — Thu, 07 May 2026 11:58:00 -0400

Federal Chief Information Officer Gregory Barbaccia has a new deputy: Thomas Flagg, currently the CIO for the Education Department, according to an internal email viewed by Nextgov/FCW.

Flagg has been at Education since fall 2024, and he worked at the Labor Department for over 11 years before that.

“He understands firsthand the operational realities, constraints, frustrations, and opportunities that agency technology leaders face every day,” Barbaccia wrote in the email announcing Flagg’s new role. “I am looking forward to working with him as he brings that ground-truth knowledge into the federal policy process, helping us better interpret agency pain points and translate them into practical, effective government-wide direction.”

OMB did not return a request for comment.

Flagg joins the OMB team as Barbaccia is split between several roles, including serving as the acting director of the Technology Transformation Services within the General Services Administration. That team helps agencies across the government with their technology, including by maintaining some central solutions. It has lost about 70% of its staff since President Donald Trump took office last year.

Barbaccia is also the federal chief AI officer — overseeing the government’s AI efforts — and serves as the federal government’s service delivery lead under the Government Service Delivery Improvement Act.

]]>

Senator warns CISA election security pullback could leave midterms vulnerable

David DiMolfetta — Wed, 06 May 2026 17:34:00 -0400

Senate Intelligence Committee Vice Chairman Mark Warner, D-Va., is demanding answers from the Department of Homeland Security over what he says is a sharp decline in federal election security support ahead of the 2026 midterms, warning that cuts to the Cybersecurity and Infrastructure Security Agency could leave states more exposed to cyber threats and foreign interference.

In a letter sent Wednesday to DHS Secretary Markwayne Mullin, Warner said state and local officials have reported that CISA is no longer providing the same level of election security training, intelligence sharing and cybersecurity assistance it offered in prior election cycles.

The letter adds to growing criticism over the Trump administration’s handling of CISA and its election security mission, which has faced deep staffing reductions enacted over the last year.

“While the states are taking valiant and expensive measures to protect their elections, it is impossible for states to independently obtain intelligence, subject-matter expertise, and real-time incident reporting, and information at the scale and speed required to protect state elections from physical and cyber threats,” Warner wrote.

After this story was published, a DHS spokesperson said that, under President Joe Biden, CISA “was focused on censorship, branding, and electioneering instead of defending America’s critical infrastructure.”

Under President Donald Trump, the spokesperson said the agency is “committed to delivering timely, actionable cyber threat intelligence, supporting federal, state, and local partners, and defending against both nation-state and criminal cyber threats.”

“CISA’s mission is ensuring state and local election officials are cognizant of and utilize the most capable and timely threat intelligence, expertise, resources they need to defend against risks, and identify critical infrastructure security needs to maintain electoral functions,” the spokesperson added.

Efforts under the Trump administration to scale back CISA and its election security resources have strained relationships with state and local officials and have raised concerns that jurisdictions may be far less prepared to counter threats in November, officials in Michigan and Georgia said late last month.

The administration’s fiscal 2027 budget proposal would eliminate the agency’s election security program funding, including information-sharing efforts and election security advisor positions.

Warner’s letter also cited testimony delivered last week by the head of U.S. Cyber Command and the National Security Agency, who said that foreign adversaries are expected to target the 2026 elections.

The senator asked DHS to explain what CISA is doing to warn state and local officials about malign influence campaigns and cyber threats targeting election infrastructure. He also requested records of election-related training, cybersecurity reviews, incident responses and outreach efforts that have been conducted by the agency since January 2025.

He also asked DHS whether any CISA personnel were involved in an FBI raid tied to election systems in Fulton County, Georgia — where Director of National Intelligence Tulsi Gabbard was publicly seen alongside federal officials — or in her office’s seizure and testing of voting machines in Puerto Rico.

The letter comes as the future of CISA’s election security role has become increasingly uncertain. Republican lawmakers and many Trump allies have long criticized the agency’s election-related activities, particularly after CISA publicly pushed back on false claims surrounding the 2020 election.

Editor's note: This article has been updated to include a statement from CISA.

]]>

US lists offensive cyberattacks in counterterrorism strategy

David DiMolfetta — Wed, 06 May 2026 17:04:00 -0400

Offensive cyber operations would be a part of a suite of counterterrorism responses aimed at groups deemed threats to U.S. interests, according to the Trump administration’s counterterrorism strategy that was released Wednesday.

Counter-terror activities against state actors “include offensive cyber operations against those planning to kill Americans or who support those plotting to do so,” the strategy reads.

The framework, more broadly, specifically lists narcoterrorists and transnational gangs, legacy Islamic terrorist groups and “violent left-wing extremists, including anarchists and anti-fascists” as the main entities threatening the nation.

Diplomatic, financial, cyber, and covert actions would be used to undermine or deter harmful state actors from assisting foreign terrorist organizations, the strategy says. Cyber operations would continue against Iran-backed proxy groups, it later adds.

The overt mention of offensive cyberattacks underscores the White House’s broader push to reshape foreign hackers’ behavior and follows several public acknowledgments of U.S. cyber warriors’ involvement in the administration’s military activities.

The specific nature of these offensive cyber operations is not described in the document.

The White House has helped shape a budding market for offensive cyber tools and capabilities, but executives and officials are grappling with legal questions over definitions of cyber offense and defense, as well as who would bear responsibility when private firms are involved in digital operations.

]]>

FDA launches updated AI and consolidated data platform

Alexandra Kelley — Wed, 06 May 2026 15:02:00 -0400

The Food and Drug Administration announced on Wednesday that it has launched an updated version of its internal artificial intelligence tool, called Elsa, that is being integrated with a consolidated data platform to enable faster search capabilities.

Elsa 4.0 now features expanded access to disparate agency information within a new consolidated data platform, called the Harmonized AI & Lifecycle Operations for Data. By merging HALO and Elsa, staff are able to query data and build workflows with less manual updating.

Elsa 4.0 runs on Google Cloud Platform and is built within a FedRAMP High secure designation. It isn’t trained on input data or data submitted by regulated industry, in order to safeguard sensitive information handled by FDA personnel.

“Elsa’s new capabilities once again position FDA as a leader in deploying AI tools that empower staff,” FDA Commissioner Marty Makary said in a press release. “Removing tedious burdens for staff enables them to focus more on science and makes their work streams more efficient and enjoyable. We have some of the best scientists in the world and we need to take good care of them.”

The upgrades to Elsa 4.0 include custom agentic AI, document generation, data analysis and visualization functions, voice-to-text diction, web search features and conversion of scanned documents into searchable text, among other capabilities.

The FDA initially deployed Elsa in June 2025 with a core goal of hastening the scientific review and evaluation process. The agency has also recently turned to AI to run a pilot for real-time clinical drug trials that will pull a direct data feed on the trial for FDA staff to expedite analyses and clearances of devices, drugs and medications.

The FDA has been on a broad IT modernization journey in recent months, consolidating duplicative systems and software licenses, using the savings it has achieved to reinvest in the scientific community, new technologies and to onboard as many as 3,000 new scientists. The agency has also worked to scale up employee use of generative AI from just 1% in early 2025 to over 80% today.

]]>

A NOAA-backed tool shows the hidden value of healthier shorelines

John Breeden II — Wed, 06 May 2026 14:51:00 -0400

A long time ago, when I was a local newspaper reporter in Calvert County, Maryland, I got a close look at marsh restoration projects after covering a visit by the EPA administrator and the governors of Maryland and Virginia to one such effort. After the officials left, I stayed in touch with some of the volunteers and wound up joining them on smaller weekend projects. We planted marsh grass, cleaned up trash and tracked turtles and other wildlife. It was easy enough to see the local impact as the marsh grass took hold and the shoreline became more stable, but much harder to understand the broader effect of that work.

That is part of what makes SHORE-BET so interesting. Developed by the Virginia Institute of Marine Science (VIMS) with support from a NOAA Fisheries Chesapeake Bay Research Program grant, the interactive calculator is designed to estimate the community benefits of marsh restoration and living shoreline projects in Virginia’s Middle Peninsula. NOAA says it can help landowners, communities and resource managers make shoreline decisions by translating ecological and economic benefits into something more concrete. VIMS describes it as an interactive web-based tool that lets users enter project details and receive both annual benefits and a 30-year total community benefit value.

It tries to answer a question that often gets lost in shoreline policy debates. Everybody understands the basic case for healthier marshes and more resilient shorelines. They can buffer storms, support habitats and improve water quality. But local officials and property owners still have to decide what kinds of projects to support, where to put them and how to weigh their value against more traditional interventions. SHORE-BET tries to give those decisions a little more context.

To get a feel for the tool, I tried a modest restoration scenario myself: 100 feet of shoreline in a somewhat remote area. That most closely resembled the kinds of projects I worked on years ago in Calvert County. After picking a location for my project on the SHORE-BET map, I entered all the relevant details.

A screenshot of the author's proposed project in the SHORE-BET model. (Photo courtesy of John Breeden II)

SHORE-BET estimated that my proposed small project would generate about $37,300 in community benefits over a 30-year period. The benefits were led mostly by reduced storm impacts, with additional gains tied to fish habitat, nutrient storage, carbon storage and recreational fishing.

That number was not enormous, and that was actually reassuring. It suggested that even a small project can produce measurable value without the tool having to exaggerate the case. The calculator also let me see some of the conditions shaping that estimate, including high storm exposure, low public access, high social vulnerability and a population density of 167 people per square mile. Moving the project to other areas produced slightly different results depending on conditions, population, habitat and public access. That makes it possible to experiment and see where small projects might have the greatest impact.

The ability to perform hands-on testing is part of what makes the tool feel useful rather than theoretical. It does not just celebrate restoration in broad terms. It breaks the potential value into categories that a planner, grant writer or local official could actually discuss. In the case of my little test project, reduced storm impacts accounted for the biggest share of the projected value, followed by smaller but still meaningful returns tied to nutrient removal, fish habitat, carbon storage and recreational fishing. That kind of breakdown helps explain why a project may be worthwhile even when the total does not look dramatic at first glance.

NOAA’s description of the new tool highlights that same idea. As VIMS associate professor Andrew Scheld put it, “Shoreline management decisions can have important impacts on communities in the region, such as supporting recreation and protecting property. By translating those benefits into dollars, it helps us better understand tradeoffs and make informed management decisions.”

That may be the best way to think about SHORE-BET. It’s not a flashy climate-tech dashboard, and it isn’t trying to settle every policy argument. It is a quieter kind of government-backed tool, one that helps make a category of environmental work easier to evaluate in practical terms. NOAA says the calculator can estimate benefits from reduced storm impacts, improved fish habitat and carbon removed or stored as part of the projected benefit mix.

The broader numbers help explain why that matters. NOAA says a recent VIMS study estimated that marshes and living shorelines provide roughly $90 million in annual benefits to local communities in Virginia’s Middle Peninsula, with reduced storm damage representing the largest share. The VIMS FAQ adds an important note of restraint: SHORE-BET likely underestimates the full value of marshes and living shorelines because it does not capture every use and non-use benefit. In other words, even this attempt to put restoration into dollars does not tell the whole story and could never track every local benefit.

That would certainly be true of my modest efforts to help out down in Calvert County. Over time, it was clear to see that our efforts were improving conditions in the local area. For one, we started to notice more little feeder fish in the area, an important part of the ecosystem and an anchor for the lower part of the food chain. Later on, two turtles moved in and appeared to make the area their new permanent home. Finally, when a huge coastal storm hit the area, I drove back down to the project area expecting to find devastation, but the plants had taken hold, and the shoreline looked relatively stable. A few hundred feet away from the project area, there were clear signs of erosion, plus none of the telltale signs of wildlife habitats.

So, I felt pretty good that our little project was making a difference, but we never had any way of knowing how it might also be improving the surrounding area or the Chesapeake Bay ecosystem in general. A shoreline project can involve lots of volunteers planting marsh grass, hauling away debris and watching for wildlife returning to an area. But from the ground, it can seem like a small and local effort. SHORE-BET does not change that. What it does is widen the lens, giving communities a way to see how those small projects can translate into stronger habitats, better water quality and a degree of protection that adds up over time.

John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology. He is the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys

]]>

How Broadcom’s VMware buy meant a ‘fundamental shift’ for county tech

Chris Teale — Wed, 06 May 2026 14:17:00 -0400

A major technology infrastructure provider is creating huge headaches for county governments, leaders have said, and they are blaming a recent acquisition for those issues.

Broadcom bought VMware in November 2023. Multiple county technology leaders, as well as experts and observers in the private sector, told Route Fifty that, in the years since, it has set off a scramble as the company has changed licensing requirements, reduced support and raised prices. Route Fifty is owned by Nextgov/FCW's parent company, GovExec.

The changes have made for difficult decisions for cash-strapped local governments, who must choose to absorb the price hikes, take on additional products under new licenses that they may not need or otherwise shift to a new technology provider altogether. And it shows no signs of slowing down.

“The challenge goes far beyond a slight increase in renewal costs; it’s a fundamental shift in how Broadcom is managing the product roadmap and the client relationship,” one county tech leader told Route Fifty in an email on condition of anonymity to not jeopardize vendor relationships.

“Across the market, public and private alike, the Broadcom acquisition of VMware created a real shockwave,” Olivier Lambert, CEO and co-founder of open-source software company Vates, said in an email.

An Acquisition of Governments’ "Plumbing"

Broadcom began life as a division of Hewlett-Packard, known as HP Associates, in 1961. It focused mostly on semiconductor products then, and has since expanded to a wide variety of products and solutions that includes networking and wireless device connectivity, servers and storage systems and infrastructure software, as well as data centers, mainframes and the cloud.

While the company does not disclose its customers publicly, it is a strong partner of the federal government and earlier this year signed an agreement with the General Services Administration under its OneGov strategy to provide agencies with discounted access to various software products.

The company is similarly embedded in state and local governments’ technology infrastructure. A high-level official at a technology reseller, integrator and deployer, who spoke on condition of anonymity to avoid jeopardizing existing business relationships, said its involvement is as important and longstanding as “plumbing” for many governments.

Similarly, VMware’s products have become heavily embedded in government agencies’ tech stacks, especially at the state and local level. The company offers various cloud computing and virtualization services, and it plays a crucial role for government agencies still reliant on a data center. VMware also offers services like application modernization, cloud management and a zero-trust cybersecurity framework.

At one stage, the technology reseller official estimated, VMware was in use by up to 90% of state and local governments in some form.

Naveen Chhabra, principal analyst for infrastructure, private cloud and infrastructure automation at research and advisory firm Forrester, said in an interview the company’s market penetration was, “in the best of its times” over 80% across all sectors, private and public.

“Over the past two decades, VMware became the default layer running critical workloads, everything from permitting systems to public safety applications and education services,” Lambert said. “Because of that, it’s rarely just a matter of swapping one piece of software for another. Virtualization platforms are connected to backup systems, monitoring tools, automation pipelines, identity services, and disaster recovery processes. Many agencies also built internal expertise and operational procedures around VMware’s ecosystem.”

Broadcom bought VMware in a cash and stock transaction valued at $69 billion, and closed on the deal in November 2023. At the time, Broadcom President and CEO Hock Tan said in a statement the acquisition represented “another important step forward in building the world's leading infrastructure technology company.” County leaders already were curious about the impact of the acquisition on the services they received.

“The questions are always going to arise about, what is that impact going to be?” a second county tech leader said on condition of anonymity to not jeopardize vendor relationships. “Many times, when we see some of these acquisitions, typically there's an integration of personnel, and then some staff get laid off, and customer service sometimes can become a question as well. It's our due diligence as chief information officers to raise those to the forefront and get in front of that to the extent possible.”

Licensing Changes

One major impact on state and local customers was seen almost immediately, and had wide-reaching ramifications as they considered their licensing agreements with VMware and its new parent company.

A month after the deal closed, Broadcom and VMware announced what they described at the time as an effort to “simplify its portfolio and transition from a perpetual to a subscription model.” That simplification, as the companies put it, meant that the VMware Cloud Foundation division portfolio would feature two primary options: VMware Cloud Foundation — or VCF — its flagship offering of hybrid cloud to allow customers to run their applications, and the new VMware vSphere Foundation — or VVF — a simpler offering for smaller and mid-sized customers.

At the time, VMware said its VCF offering’s subscription price would be reduced by half and include higher support levels. Broadcom spokespeople did not respond to repeated inquiries and a detailed list of questions for this article.

But based on conversations with government and industry leaders, the reality on the ground has not been so positive. The first county tech leader said their government relied on the VVF license, which they said, “fully meets our operational needs.” However, that tech official said it took three months just to get a quote on renewing the VVF license, and even then, the government was only granted a one-year renewal.

“This approach has led many of us local governments to speculate that Broadcom’s goal is to eventually kill off the VVF tier and force everyone into VCF, regardless of whether they need that level of complexity,” they said.

That tech leader noted that the VCF offering, in addition to being pricier, has many more features that their local government does not need, meaning that a forced transition would have them paying for superfluous services.

Analysts have previously noted that the trend of Broadcom and VMware focusing on their higher-spending VCF clients goes beyond local governments. In a blog post last year, Chhabra and several other Forrester analysts called it a “seemingly harsh but clearly stated strategy.”

“VMware, before acquisition, had 12 different product lines, each catering to different personas in the IT organization, from infrastructure, to operations, to security, to networking, to applications,” Chhabra said in the interview. “After Broadcom acquired VMware, Broadcom made two different schemes… One is a smaller bundle. The second is the bigger bundle. And Broadcom is trying to push everyone to the bigger bundle, because that costs more. Broadcom is very reluctant in selling a smaller bundle to customers.”

Prices Jump in “Ruthless” Strategy

Despite Broadcom and VMware’s promises, leaders inside and outside of government say prices have jumped dramatically in recent years, creating difficulties for localities that have limited budgets.

Lambert said the disappearance of various programs under the previous a la carte way of buying services has had a dramatic impact.

“Historically, many public institutions benefited from discounted pricing programs,” he said. “In several cases we’ve seen, those programs disappeared, leaving agencies facing renewal costs that were several times higher, sometimes approaching 10 times their previous spend.”

Chhabra said price increases were part of the post-acquisition strategy, in a bid to dramatically increase operating margins and net margins. It’s a strategy that has proven popular with investors as earnings have stayed strong, although Chhabra estimates that even now, the company is only hitting 40% to 50% profit margins, indicating there is more to come.

“I suspect they will be even more ruthless going forward,” he said.

That makes life extremely difficult for governments as they navigate uncertain financial times. Groups like the National Association of State Chief Information Officers have consistently warned of the pressures of managing budgets while trying to modernize or even just maintain their technology offerings.

“Public-sector organizations typically operate with fixed, pre-approved budgets,” Lambert said. “When an infrastructure platform suddenly becomes dramatically more expensive, agencies cannot simply absorb the increase. That forces them into rapid evaluation of alternatives, often under tight timelines and without having planned a migration strategy in advance.”

Given those price hikes, it may be tempting for governments to terminate contracts and licenses quickly in a bid to recoup some of their money. But the tech reseller official warned that is a “nuclear approach” that ends a government’s relationship with Broadcom broadly, not just with its VMware products. Leaders “don’t realize the implications” of severing the relationship, they said.

“It's specifically designed as a lock-in mechanism for large enterprises, which most state and local [governments] are not,” the tech reseller said. “But if you're talking about a consolidated state agency, they don't have a choice. They can't cancel that contract because they still have a mainframe, they still have this other piece of security software, they still have other Broadcom relationships in place. They don't realize the termination is complete separation between their company and Broadcom, not just canceling a line item on a quote.”

Customer Support Drop Off

Multiple government leaders also said they have seen a drop-off in the level of customer support they receive from Broadcom and VMware, especially as the companies have looked to outsource their support systems.

The first county leader said they have seen a “significant decline in the quality of support and general responsiveness from their team.”

Andy Turner, manager for infrastructure and cloud engineering at Chesterfield County, Virginia, said it is a far cry from when VMware was owned by Dell, which meant there was “one throat to choke” in dealing with vendors, support and other issues. Things got much worse after Broadcom bought VMware, he said.

“We weren't getting a response,” Turner said. “Now, we don't need a ton of support from them. But when we do, it's usually something critical, and we just weren't getting any response from them whatsoever. It was days before we would get responses from support.”

The technology reseller official accused Broadcom of discriminating against smaller customers by continuing to maintain good support for their larger enterprise customers.

Making it even more complex from a support standpoint is that much of VMware’s customer support is now outsourced, Chhabra said. That could mean talking to an outsourced employee who is unfamiliar with governments’ specific rules and regulations, which could make those public-sector customers wary.

“People want some security and privacy involved, so they would have less comfort talking to an outsourced agent, outsourced supplier, than talking to the vendor directly,” Chhabra said. “That's an implication for security-focused, security minded government agencies, not as much for the regular enterprises. But it certainly brings the question of support quality into the conversation.”

Migrating Not Just "Flipping a Switch"

The combination of all those issues has many governments looking to transition their tech infrastructure away from Broadcom and VMware, but in many instances, that isn’t an easy transition to make. The second county tech leader said governments “can't just flip a switch and move away from the infrastructure.”

Staff also need reskilling, in many instances, as they are certified and trained in VMware products but may be unfamiliar with competing vendors. The second county tech leader said moving away from VMware requires a “completely different skill set.” While a lot of the knowledge is the same, “it's a completely different learning curve, different certifications.”

“I'm confident in our team's ability to adapt and implement an alternative solution,” Turner said. “The problem is, we've been using it for so long. The average tenure of my staff is probably around 10 years, probably more than that, and it’s years and years of institutional knowledge of VMware. The majority of the staff are certified for VMware; some of them have been using it for 15 years."

Migrating away from VMware can be challenging, especially for large IT organizations. And smaller organizations may have signed long-term contracts already with VMware in the hope of putting off any renewal issues for a few years.

“It requires a year or two, getting ahead of this,” the tech reseller official said. “My customers fall all along a range of proactivity. Some of them are 30-year government folks, where this is very challenging for them to take that step back and get aggressively proactive. Others are very progressive… It comes down to the customers getting ahead of it and getting proactive, because it's a significant change.”

The process of migration can be challenging, although Lambert said it’s “often less complex than many organizations initially assume,” especially for small enterprises that only have a few dozen virtual machines on VMware. Phased migrations are typically the best way to go, as agencies start with non-critical workloads to validate the new platform they are migrating to, then move their core systems once they are confident in what they are moving to.

Agencies still must consider a number of other factors, he said, including making sure that hardware is compatible to avoid replacing servers. Migration plans also should maintain operational continuity, to ensure that backup, disaster recovery and monitoring tools remain functional throughout the transition.

There is hope that migration is possible. The first county tech leader said their government is “actively executing plans” to move entirely away from Broadcom and VMware products. That effort is expected to be more or less completed this summer, and the leader said it will “ensure our long-term stability and cost-predictability.”

Overall, though, the uncertainty has created an environment, experts said, where governments are trying to break free of their current situations, but need to plan further ahead than they are used to if they are to be successful.

“People are fleeing where they can,” the tech reseller official said. “But they can only flee if they get ahead of it by a year or two.”

]]>

VA still on pace with EHR deployment after rollouts earlier this year, officials say

Natalie Alms — Tue, 05 May 2026 17:50:00 -0400

Almost a month after the Department of Veterans Affairs restarted deployments of its new electronic health record system at four Michigan-based medical facilities, ending a yearslong pause on the rollouts of updated software, the VA says the new EHR is working well.

“The deployments in Michigan went remarkably well, and it is in part because we are learning and growing and building upon the success of our partners in the federal space,” said Dr. Neil Evans, the acting program executive officer at the VA’s EHRM Integration Office, during a Tuesday event.

The VA rollout is part of a bigger deployment of an interoperable Oracle Health system across different agencies, including the Pentagon and U.S. Coast Guard.

Lance Scott, the chief technology officer for that federal EHRM effort, characterized the recent VA rollouts as “absolutely phenomenal” during the event, which was hosted by the federal EHR office.

The resumption of deployments at the VA last month followed a pause of the program in 2023 due to technical, safety and usability concerns with the software, although the VA did later help with a joint rollout of the system with the Pentagon in March 2024 at a site in Chicago.

The Michigan rollouts this year are significant, as they mark the first time the VA has deployed the new EHR on its own after the rollout pause.

The VA used the time during the “program reset” to make improvements, said Evans.

“One of the focus areas that we focused on is, ‘Let's do the work that we need to do to optimize the federal EHR to meet VA’s needs based on listening to our end users — at that time, we had five live sites — and understanding the lessons learned,’” he said. “We revisited a lot of our original design decisions for how the EHR was configured.”

“We came into closer alignment with our [Defense Department], [National Oceanic and Atmospheric Administration] and Coast Guard colleagues on those design decisions, and frankly, some of the work we did directly benefited our partners,” he said. “And we got really, really, really serious about standardizing at the national level the workflows and connected systems that work with the federal EHR.”

Now, the VA is at an “inflection point,” Evans said, staring down an accelerated schedule of deployments. The plan is for nine more sites to go live this year, 26 in 2027 and the rest by early 2031.

“Deployment, deployment, deployment — that is clearly our top priority,” he said.

Successful EHR deployments on an accelerated timeline are of high importance for VA Secretary Doug Collins, even as watchdogs and lawmakers flagged potential pitfalls — especially the cost of the project — leading up to the restart last month.

Before the next deployments in August, the VA will be making improvements to the system based on a recent “deep dive” on the Michigan rollouts, said Evans, although he didn’t offer specifics on those improvements.

“The federal EHR is not a static entity. This is not a set of technologies that we deploy and forget about,” he said. “This is a set of technologies that we need to continue to optimize in perpetuity.”

Among the things the department is looking at next for the system is the addition of ambient dictation, which helps provide clinical information by capturing patient-clinician interactions and using artificial intelligence to make sense of them.

James Perkins — acting program executive officer in the Program Executive Office, Defense Healthcare Management Systems — echoed the importance of iterative improvement, saying that although the Pentagon completed the baseline deployment of the federal EHR two years ago, “that means that we finished the beginning.”

“We’re constantly optimizing it and we’re modernizing it,” he said, also pointing to the potential of ambient dictation. “We’re bringing in new capabilities.”

At NOAA, which went live with the federal EHR system in June 2023, bringing the system “out to sea” is the next frontier, said Cmdr. Scott Miller, the director of the office of health services at NOAA.

Medical officers on the agency’s marine fleet currently use physical records and then upload them online once they’re back on land, but new connectivity on ships is set to change that, said Miller.

“It really has taken us from essentially the Dark Ages, so to speak, of the manual paper charts to the digitized EHR that we have today,” he said.

]]>

Commerce AI center will evaluate Google Deepmind, Microsoft and xAI models

Alexandra Kelley — Tue, 05 May 2026 17:37:00 -0400

The Center for Artificial Intelligence Standards and Innovation will be conducting testing on leading AI models from Google Deepmind, Microsoft and xAI to evaluate their security prior to deployment, the Commerce Department announced Tuesday.

CAISI, housed within the National Institute of Standards and Technology, will oversee the testing as well as best practices development related to commercial AI systems. The models will be tested in classified environments.

The agreements between Google Deepmind, Microsoft and xAI and Commerce build off of earlier voluntary agreements, and were renegotiated to support the Trump administration’s AI Action plan.

“Independent, rigorous measurement science is essential to understanding frontier AI and its national security implications,” said CAISI Director Chris Fall. “These expanded industry collaborations help us scale our work in the public interest at a critical moment.”

CAISI’s evaluations will look at the national security-related risks and capabilities of each model. This effort hinges on information sharing between CAISI and model developers, and CAISI will study models that have reduced or removed safeguards to better understand their unmitigated capabilities.

Prior to evaluating U.S.-based AI models, CAISI recently examined Chinese model DeepSeek, concluding it underperformed in several areas like accuracy, security and cost efficiency.

The announcement follows recent reports that the administration is considering an executive order that would create government protocols to test AI models prior to market deployment. The news was first reported by The New York Times on Monday and confirmed to Nextgov/FCW on Tuesday.

Among industry groups, initial reactions to the agreements have been supportive. Business Software Alliance Senior Vice President of Global Policy Aaron Cooper said that CAISI brings the necessary expertise to work with private sector partners to evaluate frontier models for safety and national security risks.

“Today’s announcement reinforces CAISI’s role as the right institutional home within government for advancing evaluation and measurement science and convening AI companies and stakeholders on a voluntary basis around responsible practices,” Cooper said in a statement. “BSA has highlighted why frontier model evaluation should be led at the federal level, reflecting the national security implications at stake; a strong role for CAISI can also help further global collaboration and alignment on safety and security.”

]]>

Agency leader says AI is helping resource-strained workforce identify more fraud

Sean Michael Newhouse — Tue, 05 May 2026 16:00:00 -0400

An anti-fraud official from the Centers for Medicare and Medicaid Services said that artificial intelligence is enhancing her workforce’s capability to spot scams.

“There's a lot of fraud in the healthcare sector. The estimates on the conservative side are about $100 billion and, depending on who else you talk to, you can easily double or triple that with different calculations,” said Jeneen Iwugo — the acting director for the CMS Center for Program Integrity — at the UiPath Public Sector Summit on Tuesday. “I have a modest budget of $1 billion, so the size of the problem is much bigger than the budget I'm given to find it.”

Specifically, Iwugo explained that AI tools are helping CPI’s roughly 500 employees better identify fraud across the four to five million claims they review every day.

“My team uses AI to comb through those claims and that data and figure out where the risk is the greatest,” she said. “I cannot investigate everything that looks weird, so I have to restratify my work to make sure that I am auditing and reviewing those instances where we have the biggest risk for something fraudulent happening.”

Iwugo emphasized that the Trump administration’s prioritization of combating fraud has given her office more flexibility.

“The longer leash I get, the more I'm able to push the needle with using AI, getting into the agentic AI space, the more of that $100 billion I'll be able to recapture,” she said.

Going forward, Iwugo stated that CMS is piloting programs in which AI doesn’t just review potentially fraudulent claims but also recommends to employees what the possible penalties could be.

“Once I get there, I will be able to take off and capture a lot more of the fraud that I know exists, that I'm able to detect, but that I'm just watching because I can't move fast enough,” she said.

Iwugo also touted that CPI in fiscal 2024 saved Medicare an estimated $26.3 billion, which is a return on investment of $14.6 for every $1 invested and an improvement from fiscal 2023 when the agency projected that it recovered $14.9 billion.

Agencies reported there were 3,611 individual AI use cases in 2025, which is more than double from 2024. The Veterans Affairs Department, as one example, is using the technology to speed up processing of veterans’ benefits claims, but congressional Democrats argued that it is worsening error rates.

]]>

10 years after OPM data breach, identity protection benefits for affected feds start to expire

Eric Katz and David DiMolfetta — Tue, 05 May 2026 14:14:00 -0400

A decade after the 2015 breach of the Office of Personnel Management exposed roughly 22 million records, identity theft protection services for affected federal workers and their families are beginning to expire, marking the end of a long-running federal response to one of the government’s most damaging cyber intrusions.

Those who signed up for the MyIDCare program OPM established 10 years ago are receiving emails on a rolling basis informing them their services will expire 10 years to the day of their enrollment. The notices began going out to enrollees late last year and will continue through September, the end of the current fiscal year.

“This is to notify you that the credit monitoring and identity theft insurance coverage you were provided by the Federal government has a 10-year term, which ends on [10 years after enrollment date],” reads an April email viewed by Government Executive from MyIDCare, the OPM-backed service that offered credit monitoring, dark web scanning, insurance and recovery services to those impacted in the breach. The emails are now being sent to breach victims who enrolled in the services.

“This service was provided following the 2015 OPM cybersecurity incidents and has helped safeguard your identity. OPM provided identity and credit monitoring through MylDCare, powered by IDX, in accordance with the Consolidated Appropriations Act of 2017 for a period of 10 years from 2015 - 2025,” it adds. The email gives users the ability to continue coverage, and links to a URL where they can explore options.

The hack was discovered in 2015, but the intrusions, which were overwhelmingly assessed to have been linked to China, began at least a year prior. OPM disclosed two data breaches in 2015: one that exposed the personnel files of all current and former federal employees and another that released the personally identifiable information of all applicants for security clearances, as well as their families. More than 22.1 million people were impacted by the breaches.

Shortly after the hack was discovered, OPM offered three years and up to $1 million worth of protection services. Congress subsequently required the agency to expand the program to cover 10 years and up to $5 million.

OPM signed two contracts with ID Experts — now IDX — to provide the services, the first worth $340 million and the second worth up to $416 million.

Funding for services officially ended at the end of September, when the federal fiscal year calendar resets.

An OPM spokesperson said the agency looked into extending the program but decided it was too expensive.

“OPM evaluated extending the contract and determined it would not be a responsible use of taxpayer resources, given the high cost of the program and the very low level of claims in recent years,” an agency spokesperson said. “OPM remains committed to protecting sensitive data through robust cybersecurity, privacy, and risk management programs, with continuous monitoring to safeguard personnel information.”

The Government Accountability Office has criticized OPM for overpaying for the services, saying the level of coverage is “likely unnecessary” and may be distorting the identity theft insurance market.

Plaintiffs in a class action lawsuit reached a settlement in 2022 with the government that made $63 million available for those who could demonstrate financial hardship as a result of the breach. A federal judge closed out the case in 2024 after OPM and the Treasury Department doled out just $4.8 million to just more than 5,000 individuals. The remaining $58.2 million was returned to the U.S. Treasury.

One former federal contractor affected in the breach, who requested anonymity to speak candidly, reflected that personally identifying information exposed in the hack used to be viewed as the “most detrimental thing to all of us.”

Today, that’s no longer the case. “Our information continues to be pilfered time and time again,” the former contractor added. “It’s just fascinating how far we’ve come from caring about security and wanting to take the right measures to treating it like an afterthought.”

The end-of-services notifications caught some recipients by surprise. IDX has since peppered recipients with marketing emails imploring them to re-enroll in the service at their own expense, offering 50% off discounts and warning “you’re unprotected” in subject lines.

“It’s disturbing given that the government’s negligence caused people’s personal information to be stolen, and China still has that information,” said one former federal employee who received the termination notice.

One current senior federal agency official affected in the breach told Government Executive that 10 years is sufficient for coverage. “I can understand why they cut it off. It costs money to do that,” the senior official said.

The official added: “I think it’s incumbent on people themselves to protect their credit in their reporting and make sure they keep tabs on it. You can’t expect the government to continue to do that.” They said they would consider enrolling in the plan offered by IDX to continue coverage.

Some lawmakers have continued to push for lifetime coverage for those impacted by the breach, though legislative efforts have failed to advance. Sen. Mark Warner, D-Va. in a letter to OPM last year highlighted the ongoing threats that breach victims still face.

“The federal workforce was dangerously exposed by the 2015 OPM breach, and millions of impacted individuals will continue to be at risk because of the breach, likely for the remainder of their lives,” Warner said. “Current and former public servants should not be abandoned to bear the risks of the federal government’s failure to protect their sensitive information.”

]]>

Trump admin floats policy language limiting contractor say on agency uses of technology

Alexandra Kelley and David DiMolfetta — Tue, 05 May 2026 14:12:00 -0400

The federal government is circulating draft policy documents that contain language clarifying the government’s ability to use private sector technology without outside stipulations for how they do so, two sources familiar with their development told Nextgov/FCW.

While it remains unclear if the language being passed between various government agencies — namely the Department of Defense and components of the Trump administration — will manifest into an executive order or finalized policy, that language centers on ensuring the government has control over how its acquired technology products are used.

One source familiar with the ongoing development told Nextgov/FCW that the goal of the language is to clarify that “it is for that democratically elected government to determine what is a lawful and appropriate use of a particular technology, not solely a company.”

The White House is mulling an executive order that would create a working group for AI models before they are deployed, according to a person familiar with the matter. The New York Times first reported the administration’s consideration of the order. It’s not clear if the contracting language is a separate initiative or would be a provision embedded into a forthcoming directive.

Other language featured in the draft documents examines how the government can manage emerging cybersecurity threats posed by AI models like Anthropic’s Mythos Preview and OpenAI’s GPT 5.5, according to the same source and another person familiar with the matter.

The discussions and draft documents highlight how the Trump administration is looking to take a more hands-on approach on the AI sector, despite prior policy positions that signaled a more permissive environment for the evolving technology.

“There is likely going to be another wave of AI government statements,” the first source said.

When asked to confirm the existence of these documents, a White House official told Nextgov/FCW that “any policy announcement will come directly from the President. Discussion about potential executive orders or policy directives are pure speculation.” The Department of Defense referred questions to the White House.

The Trump administration’s efforts to refine the government’s rights when licensing private sector AI models and systems follow a dispute between Anthropic and the Department of Defense over using the company’s AI products in autonomous weaponry and domestic surveillance.

The Pentagon designated Anthropic a supply chain risk, and federal agencies were subsequently required to offload the company’s products from federal workloads. Some lawmakers took issue with the perceived retaliation on behalf of the administration, and Rep. Sam Liccardo, D-Calif., attempted to amend the Defense Production Act to prevent government blacklisting in March.

The administration has telegraphed some of its wants for the relationship between vendors and industries since that debacle, with Emil Michael, the undersecretary of defense for research and engineering, saying on a March episode of the All-In podcast that “all lawful use seems like a good thing” to benchmark against.

Anthropic model capabilities piqued government officials' interest, however, when the company announced the release of its new high-powered Mythos Preview model and associated Project Glasswing for select companies to test in their digital networks.

Leadership at the Pentagon has not been wholly opposed to guardrails on tech use in defense and warfighter operations. Michael told CNBC on May 1 that the Pentagon wants guardrails “in some ways,” but maintained that these guardrails have to align with the government’s needs.

“When they deploy on our networks, they’re deploying models that are tuned for national security purposes,” Michael said. “And that's why the partnership with the executive team and the management is so important, because things are evolving in the threat landscape. And whatever guardrails, whatever principles they want to develop against, has to be consistent with our values, our mandate, our restrictions, even, and that’s where the guardrails come in.”

]]>

CISA unveils CI Fortify to help secure critical infrastructure during conflicts

David DiMolfetta — Tue, 05 May 2026 12:26:00 -0400

The Cybersecurity and Infrastructure Security Agency announced the release of its CI Fortify project on Tuesday, aiming to help critical infrastructure owners and operators defend themselves against hackers and maintain continuity during a geopolitical conflict.

“For planning purposes, operators should assume that in a conflict scenario third-party connections — such as telecommunications, internet, vendors, service providers, and upstream dependencies — will be unreliable and that threat actors will have some access to the [operational technology] network,” a webpage describing the initiative says.

Per guidance, CISA wants critical infrastructure providers to focus on isolation and recovery planning objectives.

“We strongly encourage organizations to review this guidance, implement the recommended actions and collaborate with CISA to strengthen CI defenses against opportunistic threat actors,” agency acting director Nick Andersen said in a prepared statement.

Critical infrastructure — like water treatment plants, financial institutions and electric grids — are a regular target for foreign hackers. U.S. officials have assessed for years that China is burrowing into non-military critical infrastructure networks, preparing to sabotage them should the U.S. enter into a major conflict with the nation, especially involving Chinese interests in Taiwan.

Hackers linked to China, Russia, Iran, North Korea and ransomware groups will continue to pose critical threats to U.S. networks and critical infrastructure, U.S. intelligence agencies assessed this year.

Amid the U.S.-Israel war against Iran, Tehran-backed hackers exploited and disrupted operational technology control systems embedded in multiple U.S. critical infrastructure sectors, targeting equipment manufactured by Rockwell Automation, according to a government advisory issued last month.

Last year, Australia, a Five Eyes partner, launched its own CI Fortify program.

]]>

Survey: More than half of federal agencies now planning agentic AI pilots

Frank Konkel — Tue, 05 May 2026 10:00:00 -0400

Agentic AI has entered the chat for federal agencies.

According to a March survey of more than 200 technology executives across government, more than half (53%) said their agencies are exploring agentic AI or actively planning pilots of the technology. Another 15% are currently implementing agentic AI systems or have completely done so already, compared to 6% who said they were not yet considering agentic AI.

However, even as agencies race toward agentic AI, respondents identified potential barriers to adoption in the forms of inadequate oversight policies and disparity between the perceived necessity of governance frameworks and their implementation. The findings were released today by Market Connections on behalf of ServiceNow.

“This research confirms what we're hearing from agencies every day — the appetite for agentic AI is real, but oversight hasn't kept pace," said Mike Hurt, Global Vice President of U.S. Public Sector at ServiceNow. "Seventy-seven percent of federal leaders say oversight frameworks are essential, yet fewer than a third have actually implemented them. Agencies that build accountability into their AI workflows from the start, not as an afterthought, will be the ones delivering strong results for citizens.”

The findings come after a major uptick in AI use across the federal government in 2025 despite a significant decrease in the total number of federal employees.

In April, the Office of Management and Budget unveiled its 2025 Federal Agency Artificial Intelligence Use Case Inventory, which indicated AI use more than doubled across federal agencies from 2024. In total, agencies reported more than 3,000 AI use cases, with significant jumps in AI use at NASA and the departments of Health and Human Services, Veterans Affairs, Justice and Energy.

Agentic AI is generally defined as autonomous systems capable of pursuing complex goals and reasoning, with the ability to take independent actions across software systems with minimal human oversight. Those agentic capabilities to perform some tasks without human intervention have made it an attractive option, and it has been touted by some of President Donald Trump’s top tech officials as a key way to do more with less.

But per the findings, not every agency is ready for agentic AI, even as a growing number of companies offer agentic solutions. Only 20% of respondents said their agencies have defined policies for pre-deployment testing or generic agentic AI use, and only 8% have a defined framework for incident response. Even fewer (6%) have a framework for third-party or vendor governance.

"Agentic AI has definitely entered the chat. Over half of those we surveyed are currently in the planning stages or have actively launched a pilot effort,” said Aaron Heffron, president of Insights and Research at GovExec. “The main question remains, however, if the current infrastructure, both human and technical, is up to the task.”

Findings also indicated some agencies struggle moving agentic AI pilots from the sandbox to production environments. Those challenges move beyond policy and into data readiness.

“One of the very big questions that you have to ask is, ‘How am I getting my data ready for AI consumption? That governance piece becomes critical [to] making sure that your data within your organization and your AI are working together,” advised one unnamed IT director in his response.

ServiceNow Federal Chief Technology Officer Jon Alboum said one way to address the data problem is bringing data and workflows together in a single environment.

“The current environment of fragmented, siloed systems and disconnected workflows only increases complexity and hinders adoption,” Alboum said. “To move forward, AI adoption should focus on bringing everything together in an AI control tower so that policies can be applied, controls enforced, and results delivered efficiently across the organization.”

Research findings indicated that while governance frameworks tended to lack maturity, consistent oversight was a near-universal requirement. Almost 90% of respondents said they required logging and audit trails for all actions, and more than 80% requiring automated policy checks and guardrails.

The findings further point to a strong correlation between the demand for human oversight and criticality of data. For national security, critical infrastructure and emergency response data, 79% of respondents said their agencies mandated “human-in-the-loop” oversight, with approval needed for every action performed by AI. For high-risk data, like benefits claims or agency financial data, 78% of respondents said their agency requires formal human approval before high-risk actions are taken by AI, but not every action. Conversely, more than 90% of those surveyed said they favored reduced direct involvement for low and moderate risk data, requiring only periodic check-ins.

To ensure accountability for agentic AI solutions, 84% of respondents said their agencies had documented escalation policies, while 78% had structured post-incident review processes. Fewer than half (44%) said their agencies included liability or responsibility clauses for AI vendors in contracts, and fewer than one-third (29%) had documented “kill switch” procedures.

“Federal leaders say they want human control over high-risk AI — but less than a third have a kill switch to enforce it, leaving a dangerous gap between intent and capability where trust is won or lost,” the report states. “Agencies must act now to define intervention triggers, ensure data readiness, and unify oversight into a single platform — or risk losing control as systems scale. When failures happen, they cannot be crises; they must be contained, repeatable workflows. Built-in accountability is no longer optional — it is the prerequisite for any agency serious about deploying agentic AI at mission speed.”

Editor’s note: Market Connections is a business division of GovExec, the parent company of Nextgov/FCW.

]]>

The State Department looks to build on the success of online passport renewal

Natalie Alms — Mon, 04 May 2026 16:58:00 -0400

In 2024, the State Department opened its online passport renewal platform, upending the paper-based, 1970s process the department had been intending to revamp for over a decade with little success.

The department has now issued over 7.3 million passports through the online system. Compared against a general discourse about government systems being old, clunky and frustrating, the online renewal tool appears to be a bright spot, as 94% of users have rated it positively in government surveys, according to Matt Pierce, deputy assistant secretary for passport services, consular affairs.

And unlike some of the other recent stories of successful digital government rollouts that did not survive into a new administration, most notably the IRS Direct File program, State’s system is still going well into President Donald Trump’s second term, and the department is planning for more.

State wants to pilot online applications for those seeking their first passport, and it’s looking into issuing digital travel credentials, too, said Pierce, who recently spoke with Nextgov/FCW about what made the online renewal process work and what’s next.

Up until 2024, the process for renewing a passport was largely the same as it had been for decades, even as the number of people getting passports has been increasing. In 1990, only 5% of Americans had a passport. Now, that number sits at around 50% — and that figure is expected to continue to grow, said Pierce.

State debuted its first attempt at an online system in 2022, in the lead-up to record passport backlogs the following year, as Americans looked to travel again following the COVID pandemic. At the time, the department was still grappling with staffing shortages caused by a hiring freeze instituted during Trump’s first term.

That pilot worked for some people but was ultimately unsuccessful, one former State Department employee who worked on online passport renewals told Nextgov/FCW. They requested anonymity for fear of retribution.

In technical terms, the first system was made in a waterfall development style. State made a list of requirements and chucked them “over the fence” to technologists who built a tool, they said.

Passport adjudicators weren’t consulted in the design process and had a really difficult time using the system. Applications would get lost because of how work queues were set up, the former employee said.

The department paused, pivoted and eventually opened the system that’s still running now in 2024.

What changed? For one, the department switched to a human-centered, agile design process.

There are thousands of employees who handle over 24 million passports a year, Pierce said, adding “that system has to work for them.”

In the lead-up to the second launch, the team tested the system with frontline employees and worked to make sure that the understanding of those building the new system matched up with the needs of those actually handling the day-to-day passport work. That included considering not only technology alone, but also processes and policies.

And while the department attempted to replace the entire system in the first rollout, for the second, they replaced only the front end portion that Americans see. On the backend, enhancements were made, but the system is largely as it was before, meaning employees didn’t have to make changes, said Pierce, while the department continues to work on a larger overhaul.

Moving forward, Pierce is looking to use the same dialogue with employees that made the second online passport renewal effort successful to find improvements to prevent future backlogs along with a staffing baseline. It’s an organizational transformation, he said, driven by employees to change processes and procedures.

One big shift for the department, he said, has actually been a cultural one in how it responds to risk.

“In the past, we would spend a lot of time thinking about something, working on something, and then here it is. Now you’ve got to live with it for 10 years,” Pierce explained.

Now, employees are more open to taking calculated risks with the understanding that they can pilot changes and adapt as needed, he said, noting “that has been a huge change.”

More improvements ahead

Over a year out from the second, more successful launch, it takes 20 minutes to renew a passport on the new, online system, as opposed to the 40 minutes it took through the old process, said Pierce. The department estimates that it’s saved Americans over a million hours.

The online system currently handles over half of renewals. Some people aren’t able to apply online depending on their situation, although the goal is to eventually make it so that anyone renewing can do so online, said Pierce.

The team is also planning to pilot letting Americans that want to get their first passport apply online in the coming years. That’ll require the department to work through some wonky issues, like how it will digitally validate proof of citizenship documents that State itself doesn’t house, like birth certificates — something that will likely require the department to work out data-sharing agreements with states, said Pierce.

State is also in the early stages of looking into digital travel credentials.

“A lot of people call it the digital passport,” said Pierce, but it’s different from the ID that digital wallet users can create with a passport, for example, which can’t be used for international travel or border crossings.

“I mean something that can ping against the database, like the passport, to validate that it is a valid passport issued by the United States government, and this is the person’s information,” he said.

The department is also working to add Trump’s face to a limited number of commemorative passports, although that news broke after Nextgov/FCW’s interview with Pierce.

New challenges

As it pursues new changes, the department will be working with a different team than the one it used for online passport renewal.

Last year, Pierce won what’s considered the Oscar of government service, a Sammie, alongside another key leader in the passport modernization effort, Luis Coronado, the former CIO for the Bureau of Consular Affairs at State. But Coronado and others have since left the department.

The Bureau of Consular Affairs wasn’t spared from layoffs last year as the Trump administration sought to downsize the federal workforce, although some affected employees were later reinstated.

Other offices that worked on the online passport renewal project have also been shuffled around as part of a reorganization. Consular Affairs’ tech office, led by Coronado, was moved to the central IT department within State, and also was affected by layoffs, said the former employee, who has also left federal service.

“The intent of the reorg is to become a more responsive, a more relevant State Department,” said Pierce, adding that he’s seen “a lot of positives.”

Other departments, including Interior, have also been centralizing their technology operations.

The team behind the online passport renewal launch also included 18F, a digital services consultancy inside the government that the Trump administration shuttered completely last year, as well as the U.S. Digital Service, which was renamed to house the Department of Government Efficiency as the U.S. DOGE Service.

“We lost a lot of the folks that had been integral to getting that online passport renewal successfully stood up and out the door for the 2.0 version,” said the former employee.

These teams helped other agencies adopt different models of modernizing, such as the IRS with Direct File.

“The federal government has lost a lot of that,” the former employee said. “How is the government — absent those organizations — going to continue to transform how the government improves services?”

]]>