FEDTECH: In your migration to cloud, have you encountered any security challenges or opportunities?
KILLORAN: When I arrived at GAO, I prioritized cloud security. In 2023, we started using secure access service edge. Our workforce is very mobile, and we wanted to ensure that they can access their information anywhere at any time and do so securely.
We gather a bunch of information from other agencies to conduct our audit work, and that makes us a prime target for bad actors. We strive to bake in our cybersecurity; it’s always our No. 1 priority. From large federal agencies all the way down to small ones, we have to maintain a chain of custody and ensure that we maintain cybersecurity at a very high level along the way. The cloud gives us very powerful cybersecurity capabilities, and we monitor everything very closely. We make sure that we understand the threats that we face, and we adjust as necessary. Just as AI is going to help us, AI also could hurt us. Hackers could target our data with AI, so we need to establish the right capabilities now. We are going to data-mine our reports with AI, and we need to understand what is rational data mining and what is adversarial. We must have monitoring in place, and we must be able to articulate what is OK.
FEDTECH: You are responsible for internal IT at GAO, but do you also have a relationship with GAO external auditors? Does your office learn from auditing the IT of other agencies? Is it a two-way street?
KILLORAN: We learn a lot from what our mission teams discover at other agencies. This federal-wide lens is one of the things that interested me about GAO. We get involved in audits in two ways. We serve as subject matter experts. For cloud audits in the past year, for example, we served as subject matter experts on some of those reports. Then during the design process, our engagement teams design how they are going to audit a particular agency or frame a particular category, like cloud, and they host design sessions to talk about how they are going to conduct the audit. As subject matter experts, we weigh in and suggest tweaks or make recommendations or request insights. We establish a dialogue and gain clarification into the process. When we ask them if they have considered something, we might realize it is also applicable to us. We have playbooks and guidebooks, like our agile playbook and our AI playbook. We examine our recommendations and then see how we incorporate our own recommendations into our own guidance internally. We provide them with guidance from an operational standpoint, and then we follow recommendations in their publications and incorporate best practices into our operations.
FEDTECH: What do you foresee when you look into the future of cloud for GAO over the next few years?
KILLORAN: We will gain a better understanding of how we use the tools available to us not only in the cloud but also in commercial off-the-shelf applications. And we will have to ask ourselves what new tools in the cloud really have applicability for us. How are we going to figure out methodically which pieces and parts to deploy sooner rather than later, and which to delay?
Cloud is going to accelerate the flexibility of our platforms so that we can provide better value to our customers at a faster rate. You must understand what that looks like for you instead of running pilots. As we build capabilities, we will have more of a menu of options instead of rushing into something that we don’t know how much it’s going to cost. You could pick five things, say, and try them instead of simply paying for consumption. I can then be charged on my utilization instead of buying a bunch of things and throwing some back.
One of the great things about the cloud is the flexibility of putting services in and taking services out, depending on what you need for your particular organization.