Q&A: GAO CIO Beth Killoran Oversees Her Agency’s Cloud Migration

FEDTECH: What are GAO’s cloud priorities? What does the cloud landscape look like at the moment?

KILLORAN: We recently finished a new strategic plan for 2025-2027. We really didn’t start our cloud journey holistically in earnest until 2023. We began by migrating our email, and then we adopted Microsoft 365. We are now migrating the majority of our data and applications. In the last half of 2024, we migrated about 85% of our back-office applications, and now we are really moving into our data. We have an on-premises system that contains the bulk of our data. As you can imagine, we have a lot of data. Because we are a publishing organization, we have all of the data we’ve gathered for those publications, reports and testimony and then all of our specialized applications that support that ecosystem. We migrated about 40% of that, as of December. So far, we have migrated 38 servers from our portfolio and our data center, and we’ve decommissioned 28. Our goal for 2025 is to move 90% of our applications into the cloud, and we’re on target to do that. Once things are moved and migrated, we will talk about how we update the code. How do we better utilize capabilities that we have once we have moved? How do we stabilize the environment? How do we use common capabilities within the cloud?

FEDTECH: You mentioned Microsoft. Are you migrating to Azure? Is this part of a multicloud strategy?

KILLORAN: There is a multicloud strategy. Right now, the majority of our stuff is going into the Azure cloud, but we also have Amazon Web Services, and a lot of high-performance computing data analytics right now is on the AWS side.

We also are getting ready to pilot some of our AI capabilities on the AWS side, so we’re using AWS for those things where we need a little bit more capability to utilize for our Applied Research and Methods organization, which handles all of our analytics for our technology organization. We have a smaller AWS footprint, but we have the capacity to run data analytics. The majority of our employees are using Azure. Once we have our data migrated over, then we’re going to look at our overall portfolio to determine if we should rebalance. We will have lessons learned from being in Azure holistically for our day-to-day applications and then specializing in AWS for data analytics and our AI capabilities.

FEDTECH: What are the AI priorities at GAO? You’ve previously highlighted intelligent automation as a priority. Are there others?

KILLORAN: Within GAO, we now have a number of documented use cases that we want to explore. GAO is a ready-made organization for AI. One of the core things that AI does well right now is to gather and analyze information and then draft reports. So, we need to ask ourselves, how do AI algorithms map to our current models? Are there adjustments that we must make?

We have very highly educated employees, and so we want to bring forward their own use cases and track them in a pilot. Some of these use cases will come to fruition as AI capabilities. For example, we have a lot of interaction with various partners on the Hill. Congress will craft legislation and create a requirement for us. So, AI may help us with something as simple as tracking legislation and identifying potential work that we may have to do.

Internally, there are two things we would like to do. One, it’s pretty easy to build chatbots today. We would like to build one for self-help and provide a simulation of a person-to-person interaction even though it is a virtual assistant. Two, we have talked internally about using low-code/no-code solutions for modernization after our cloud migration. We may jump right over that to AI-generated code. AI could help us find ways to be more efficient in our code or to modernize our code quickly to support our goal of providing fast value to our customers and to Congress. The best way to do that is to get the precise information that we need from our stakeholders. We can potentially gather information more easily in audits with AI, first with publicly available sources and then with direct data inquiries. We could then assemble that data to quickly understand the best recommendations for Congress and for agencies. It also helps agencies to be effective and efficient in the use of taxpayer dollars.

FEDTECH: In your migration to cloud, have you encountered any security challenges or opportunities?

KILLORAN: When I arrived at GAO, I prioritized cloud security. In 2023, we started using secure access service edge. Our workforce is very mobile, and we wanted to ensure that they can access their information anywhere at any time and do so securely.

We gather a bunch of information from other agencies to conduct our audit work, and that makes us a prime target for bad actors. We strive to bake in our cybersecurity; it’s always our No. 1 priority. From large federal agencies all the way down to small ones, we have to maintain a chain of custody and ensure that we maintain cybersecurity at a very high level along the way. The cloud gives us very powerful cybersecurity capabilities, and we monitor everything very closely. We make sure that we understand the threats that we face, and we adjust as necessary. Just as AI is going to help us, AI also could hurt us. Hackers could target our data with AI, so we need to establish the right capabilities now. We are going to data-mine our reports with AI, and we need to understand what is rational datamining and what is adversarial. We must have monitoring in place, and we must be able to articulate what is OK.

FEDTECH: You are responsible for internal IT at GAO, but do you also have a relationship with GAO external auditors? Does your office learn from auditing the IT of other agencies? Is it a two-way street?

KILLORAN: We learn a lot from what our mission teams discover at other agencies. This federal wide lens is one of the things that interested me about GAO. We get involved in audits in two ways. We serve as subject matter experts. For cloud audits in the past year, for example, we served as subject matter experts on some of those reports. Then during the design process, our engagement teams design how they are going to audit a particular agency or frame a particular category, like cloud, and they host design sessions to talk about how they are going to conduct the audit. As subject matter experts, we weigh in and suggest tweaks or make recommendations or request insights. We establish a dialogue and gain clarification into the process. When we ask them if they have considered something, we might realize it is also applicable to us. We have playbooks and guidebooks, like our agile playbook and our AI playbook. We examine our recommendations and then see how we incorporate our own recommendations into our own guidance internally. We provide them with guidance from an operational standpoint, and then we follow recommendations in their publications and incorporate best practices into our operations.

LEARN MORE: What is OSCAL?

FEDTECH: What do you foresee when you look into the future of cloud for GAO over the next few years?

KILLORAN: We will gain a better understanding of how we use the tools available to us not only in the cloud but also in commercial off-the-shelf applications. And we will have to ask ourselves what new tools in the cloud really have applicability for us. How are we going to figure out methodically which pieces and parts to deploy sooner rather than later, and which to delay?

Cloud is going to accelerate the flexibility of our platforms so that we can provide better value to our customers at a faster rate. You must understand what that looks like for you instead of running pilots. As we build capabilities, we will have more of a menu of options instead of rushing into something that we don’t know how much it’s going to cost. You could pick five things, say, and try them instead of simply paying for consumption. I can then be charged on my utilization instead of buying a bunch of things and throwing some back.

One of the great things about the cloud is the flexibility of putting services in and taking services out, depending on what you need for your particular organization.

UP NEXT: The FITARA scorecard is progressing around cloud.