Inside CISA Cuts, ODNI Shifts, and Spyware Threats with Federal News Network’s Justin Doubleday
Season 2 Episode 37 •Show Notes
What happens when the federal cyber workforce shrinks just as threats are multiplying? In this episode, Federal News Network’s Justin Doubleday joins host Frank Cilluffo to unpack the turbulence facing government agencies. They examine the mass departures at CISA, the controversial firings under DHS’s Cyber Talent Management System, and the looming risks of dismantling ODNI’s cyber intelligence hub. Doubleday also shares a chilling story of how El Chapo’s cartel used spyware and hacked city cameras to compromise FBI operations in Mexico—underscoring the new reality of ubiquitous surveillance. The conversation closes with a look at the Pentagon’s long-awaited CMMC rollout, Treasury’s “Do Not Pay” database, and the broader challenge of protecting both privacy and security in a digital age.
Main Topics Covered
- Why CISA lost a third of its workforce and what that means for U.S. cyber defense
- How probationary firings under DHS’s Cyber Talent Management System shook trust in federal hiring
- The implications of ODNI shutting down its cyber intelligence integration center amid deep budget cuts
- Proposals in Congress to speed up security clearances and retain cleared talent longer
- A chilling account of how El Chapo’s cartel hacked FBI operations using spyware and city surveillance
- What the rollout of DoD’s CMMC rules will mean for defense contractors and future cyber regulations
- How Treasury’s “Do Not Pay” database ties into fraud prevention, privacy concerns, and the future of digital identity
Key Quotes
“A lot of [the departed federal cyber workforce is] on the books until October 1st and so we’re kind of waiting to see exactly how many folks left and where the dust kind of settles as we get into the fall.” – Justin Doubleday
“The probationary firings certainly cast a little bit of a negative light on the idea of joining the Cyber Talent Management System, because… you could be fired with a snap of a finger.” – Justin Doubleday
“Commercial spyware is much more easily accessible for a range of groups and individuals. And it’s almost impossible to detect when spyware has gotten onto a phone of an individual, even for a cyber expert.” – Justin Doubleday
“I think there’s concern that [with ODNI shutting down CTIIC] you’re now going to go back to a situation where you have disparate views kind of bubbling up from across the intelligence community and you don’t have that single source of truth at the top that’s helping to sort things out for leaders.” – Justin Doubleday
“As it goes with technology and cybersecurity, things are often nice to have until they’re necessary.” – Justin Doubleday
Relevant Links and Resources
Cyber pay in government is as fragmented as ever
https://federalnewsnetwork.com/federal-report/2024/09/cyber-pay-in-government-is-as-fragmented-as-ever/
CISA at a crossroads amid workforce cuts, pause, partnerships
https://federalnewsnetwork.com/cybersecurity/2025/06/cisa-at-a-crossroads-amid-workforce-cuts-pause-partnerships/
Security clearance reforms advancing in 2026 defense bill
https://federalnewsnetwork.com/inside-ic/2025/08/security-clearance-reforms-advancing-in-2026-defense-bill/
How a hacker for El Chapo illustrates existential counterintelligence threats
https://federalnewsnetwork.com/federal-report/2025/07/how-a-hacker-for-el-chapo-illustrates-existential-counterintelligence-threats/
Grand odyssey of CMMC nearing implementation
https://federalnewsnetwork.com/cybersecurity/2025/08/grand-odyssey-of-cmmc-nearing-implementation/
OMB directs agencies to address Do Not Pay data gaps
https://federalnewsnetwork.com/financial-management/2025/08/omb-directs-agencies-to-address-do-not-pay-data-gaps/
Guest Bio
Justin Doubleday is a reporter for Federal News Network covering cybersecurity, intelligence, and technology policy. He tracks how federal agencies and lawmakers address evolving digital threats, insider risks, and the intersection of policy, procurement, and national security.
Transcript
1
00:00:00,000 –> 00:00:01,000
Justin Doubleday [00:00:00]: The probationary firings certainly cast a little bit of a negative light on the idea of joining the cyber talent management system, because you have to think that perhaps your position is not as stable as you once thought it would and you could be fired with a snap of a finger.
2
00:00:01,000 –> 00:00:02,000
Frank Cilluffo [00:00:16]: Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I’m your host, Frank Cilluffo, and this week I have the privilege to sit down with Justin Doubleday. Justin is a prolific writer, reporter for Federal News Network. You see his pieces almost daily and you hear him often on Federal News Radio. Really excited to have a long chat with Justin today and really delve into the workforce issues because there are few entities that do it better than Federal News Network and few writers who do it better than Justin. So, Justin, thank you for joining us today.
3
00:00:02,000 –> 00:00:03,000
Justin Doubleday [00:00:56]: Thanks for having me. I appreciate it.
4
00:00:03,000 –> 00:00:04,000
Frank Cilluffo [00:00:58]: So I thought we’d start sort of in a broader sort of context. No, no news going on in terms of the federal workforce these days, right?
5
00:00:04,000 –> 00:00:05,000
Justin Doubleday [00:01:06]: No, it’s pretty quiet.
6
00:00:05,000 –> 00:00:06,000
Frank Cilluffo [00:01:07]: Pretty quiet. But, but let’s try to do a little bit of level setting and get a sense of where things stand, where you see some of the trends. And you’ve done a couple of really insightful pieces on this. So I thought I’d, I’d start with the softball. Where are we and where are we going?
7
00:00:06,000 –> 00:00:07,000
Justin Doubleday [00:01:22]: Well, the trends generally with the federal workforce are, you’ve seen a ton of attrition, obviously, a lot of firings over the last nine or so months across the board. And I think that while things have calmed down a little bit, you’re seeing agency by agency, you know, HHS continues to lay off workers. You’re also seeing some folks brought back at agencies like the IRS who perhaps they cut a little bit too deep in the spring. And now they’re bringing folks back. From the cybersecurity standpoint, the cyber and tech workforce, if you will, that’s certainly seen some cuts as well across the, across the board. You can certainly start with the Cybersecurity and Infrastructure Security Agency, lost about a third of its workforce, roughly a thousand people, since the spring. A lot of those are folks who either retired early or took the deferred resignation offer. Some were fired as well.
8
00:00:07,000 –> 00:00:08,000
Justin Doubleday [00:02:21]: And so that’s, that’s kind of where things stand, is that there were a lot of terminations and a lot of resignations through the spring. And we still have those folks, a lot of those folks on the books until October 1st and so we’re kind of waiting to see exactly how many folks left and where the dust kind of settles as we get into the fall.
9
00:00:08,000 –> 00:00:09,000
Frank Cilluffo [00:02:43]: And you’ve written a little bit about the Cyber Talent Management System. Anything you want to expand on here?
10
00:00:09,000 –> 00:00:10,000
Justin Doubleday [00:02:49]: Yeah. So the Cyber Talent Management System is an accepted service that was established by DHS about four years ago, and it’s intended to offer kind of this separate track for cyber talent to offer them perhaps more money, to entice them to join the government, because we know the private sector can offer a lot more money. The types of money that the Cyber Talent Management System can offer gets closer to the private sector. It’s certainly not on par, but it gets a lot closer. And so DHS set up the system about four years ago after years of development, and it slowly got off the ground under the Biden administration. By about 2024 last year, they had hired roughly 200 folks, mostly at CISA, through this new system. And what happened in the spring was that a lot of those folks, because of the design of the Cyber Talent Management System, it has an extended probationary period. And a lot of those folks who were hired over the last four years were still probationary, and they were swept up in that wave of probationary firings in the spring under the new Trump administration.
11
00:00:10,000 –> 00:00:11,000
Justin Doubleday [00:03:56]: And so a lot of folks at CISA in the Cyber Talent Management System are now on administrative leave because of court cases involving those probationary workers. But it doesn’t appear that they will necessarily come back and just slide back into the, into the, into the role.
12
00:00:11,000 –> 00:00:12,000
Frank Cilluffo [00:04:12]: You know, along those lines, you’ve also written about cyber pay and how it’s fragmented. And given some of these developments with the Cyber Talent Management System, is that because in addition to recruiting, it’s also retaining some of this talent. Do you think this is going to have a chilling effect and may deter, dissuade those that are committed to public service?
13
00:00:12,000 –> 00:00:13,000
Justin Doubleday [00:04:36]: I think in the long term, it remains to be seen, but certainly in the short term, you know, we’re under a hiring freeze right now, so it’s not as if these positions are being backfilled for, for the most part. But what’s happening, I think, with the Cyber Talent Management System and other cyber pay systems across government is they brought this promise of we can pay you a little bit more, and we can also offer, as we always could, this compelling mission to join the government and perhaps…
14
00:00:13,000 –> 00:00:14,000
Frank Cilluffo [00:05:04]: Which is a compelling mission.
15
00:00:14,000 –> 00:00:15,000
Justin Doubleday [00:05:06]: Very compelling. And I think that was always the sale. But then this extra money, you know, in some cases, 30% more money for an entry level position and certainly for an executive level position would entice more folks to join the government rather than joining the private sector. Along, and of course, the mission was always a big piece of that. I think the probationary firings certainly cast a little bit of a negative light on the idea of joining the Cyber Talent Management System, because you have to think that perhaps your position is not as stable as you once thought it would and you could be fired with a snap of a finger.
16
00:00:15,000 –> 00:00:16,000
Frank Cilluffo [00:05:43]: Absolutely. And you’ve also written about the Cyber Threat Intelligence Integration Center out of ODNI and plans to shut that down. Any more light you want to shed on that?
17
00:00:16,000 –> 00:00:17,000
Justin Doubleday [00:05:57]: Well, I think this is just one small piece of broader ODNI reforms. Massive ODNI cuts that are expected to reduce the workforce there by roughly 40%. And ODNI says it will save $700 million a year. The CTIIC was established, as you know, about a decade ago to really bring together cyber threat intelligence from across the intelligence community. And I think from folks like Michael Daniel, who helped set it up.
18
00:00:17,000 –> 00:00:18,000
Frank Cilluffo [00:06:27]: One of our senior fellas.
19
00:00:18,000 –> 00:00:19,000
Justin Doubleday [00:06:28]: Sure, yeah. I mean, in his eyes, this is not something that can be replicated by the National Intelligence Council, which is where some of those functions will be going, because they don’t have the expertise or the day to day focus on cyber threat intelligence that the CTIIC has had. And so I think there’s concern that you’re now going to go back to a situation where you have disparate views kind of bubbling up from across the intelligence community and you don’t have that single source of truth at the top that’s helping to sort things out for leaders.
20
00:00:19,000 –> 00:00:20,000
Frank Cilluffo [00:06:58]: And not from a policy, this is just to know where the snapshot is at that moment and that can have implications for response. Right? I mean, ultimately you want good intelligence to inform good decisions which can be operationally relevant as well. So hopefully it doesn’t have significant impact. But CTIIC maybe hasn’t lived up to its initial intent, but it did play a major and significant role and at least getting the USG, the Alphabet soup of the government on the same sheet of music. It’s not to suggest that some of those agencies aren’t there, but you still need that integration and hopefully that, that continues. You’ve also written about the clearance challenge, which is not a new issue, but you were looking specifically to some of the proposals put forward and legislative and otherwise by House Armed Services Committee and Senate Armed Services Committee.
21
00:00:20,000 –> 00:00:21,000
Frank Cilluffo [00:08:01]: Can you give us a sense of where that stands and what we should be thinking there?
22
00:00:21,000 –> 00:00:22,000
Justin Doubleday [00:08:05]: Yeah. This year’s NDAA could be an interesting one from a security clearance perspective because you have, you know, in the House a proposal to essentially allow businesses to submit more people for a background investigation on the front end when they’re competing for a contract or they’re trying to get folks cleared on a contract. And they can then have a bench on the back end when folks get through the investigation to try to pull them in. Because as we all know, things happen. You could have someone who you thought you were gonna bring in and they could take a different job or they could, something can come up in their background investigation and you could ultimately not go with that person. And so having that bench on the back end of a months long process could help some companies with that.
23
00:00:22,000 –> 00:00:23,000
Frank Cilluffo [00:08:49]: And could get to work faster. Right? I mean, it’s the capture team versus the team doing it. Yeah.
24
00:00:23,000 –> 00:00:24,000
Justin Doubleday [00:08:54]: Exactly, exactly. And on the Senate side you have a provision that would allow folks to keep their access to classified information, essentially keep their security clearance active for longer once they leave government. Bump that up to three years, which can help bring folks back in quicker.
25
00:00:24,000 –> 00:00:25,000
Frank Cilluffo [00:09:11]: In terms of reinvestigations and…
26
00:00:25,000 –> 00:00:26,000
Justin Doubleday [00:09:13]: Exactly.
27
00:00:26,000 –> 00:00:27,000
Frank Cilluffo [00:09:14]: And if there’s one bill that seems to pass, it is the National Defense Authorization Act, the NDAA, right?
28
00:00:27,000 –> 00:00:28,000
Justin Doubleday [00:09:20]: I think so.
29
00:00:28,000 –> 00:00:29,000
Frank Cilluffo [00:09:21]: Is that going to have to be, are these going to be integrated? These two bills from HASC and SASC.
30
00:00:29,000 –> 00:00:30,000
Justin Doubleday [00:09:26]: Typically they go into conference at some point in the fall and they hash out the differences. And it’ll be interesting to me from the security clearance side, these are two different ideas. They certainly could be complementary. Will the conferencees decide that they want them both in there? Yeah, we’ll see.
31
00:00:30,000 –> 00:00:31,000
Frank Cilluffo [00:09:43]: Horse trading never happens in D.C.
32
00:00:31,000 –> 00:00:32,000
Justin Doubleday [00:09:45]: No, never.
33
00:00:32,000 –> 00:00:33,000
Frank Cilluffo [00:09:46]: In terms of other structural or cultural hurdles you’re seeing, especially when it comes to reform efforts. What, anything come to top of mind to you?
34
00:00:33,000 –> 00:00:34,000
Justin Doubleday [00:09:56]: Well, the big and the long standing challenge is the timeliness issue with, when it comes to background investigations. This is something where it used to take, back in 2018, when there was a huge backlog. It could take years to get a top secret investigation done. It could take, you know, many months or up to a year to get a secret level investigation done. They’ve whittled that down on average to a much more reasonable state. But it still takes months in both cases to get through these investigations. And as we just talked about, that can limit companies from starting the job. That can just limit people from entering government service in the first place.
35
00:00:34,000 –> 00:00:35,000
Justin Doubleday [00:10:38]: I’ve known several people who, when they were waiting for their background investigation to be completed, they left because they took another job that didn’t require it because it was just taking too long. And so that’s the long pole in the tent, along with technology. There’s this effort at the Defense Counterintelligence and Security Agency to modernize the background investigation IT system, the back end. And this is, you know, many years over budget, over, many years overdue, many hundreds of millions of dollars over budget. And they’re trying to get that back on track so that you can have a much more modern system that facilitates people moving between different agencies, moving between agencies and industry, and they’re just not there yet.
36
00:00:35,000 –> 00:00:36,000
Frank Cilluffo [00:11:21]: And in a post DOGE environment, what trends are you looking at and looking for in terms of just the general public service workforce?
37
00:00:36,000 –> 00:00:37,000
Justin Doubleday [00:11:32]: Yeah, I think as we talked about, a lot of people were terminated or left their jobs in the spring when DOGE was kind of at its heights. And it was, especially from the cybersecurity perspective, the cyber workforce perspective, it was indiscriminate. It wasn’t well thought out in the words of a lot of folks that I talk to. And if you look at the reforms that CISO wants to make in their budget, those cuts don’t necessarily line up with the folks who left, folks left from across the board, a lot of high end talent left. How do you fill in those positions? Where does an agency like CISA go from here? And I think getting Senate confirmed leadership in there will help quite a bit. But where does CISA go from here after that spring?
38
00:00:37,000 –> 00:00:38,000
Frank Cilluffo [00:12:23]: So basically, even not questioning intent, well intended or not, at the end of the day, making sure you have the right people in the right jobs. And I’ve heard some voicing that, whether it’s Sean Planky and others, that they are committed to bringing some of those folks, if they were wrongfully or otherwise at a place, back. So hopefully, hopefully we can square that circle and hopefully we have some Senate confirmed leadership in those roles. And it’s much more than just Cybersecurity and Infrastructure Security Agency, CISA. It’s across the USG. I want to jump to another story you wrote that literally could be pulled from a James Bond kind of movie. And it’s looking at, I normally don’t put James Bond and invest, and IG reports in the same sentence, but it was a pretty eye popping story that the Department of Justice came out, an IG report on El Chapo and some of the counterintelligence concerns and considerations there.
39
00:00:38,000 –> 00:00:39,000
Frank Cilluffo [00:13:34]: Can you, can you shed a little bit of Light for our viewers and listeners on, on that particular story you wrote and more broadly, the IG investigation.
40
00:00:39,000 –> 00:00:40,000
Justin Doubleday [00:13:44]: Yeah. Well, the story I wrote focused on this idea of ubiquitous technical surveillance, which is a jargony term for essentially this world we live in, where our…
41
00:00:40,000 –> 00:00:41,000
Frank Cilluffo [00:13:52]: Always on?
42
00:00:41,000 –> 00:00:42,000
Justin Doubleday [00:13:53]: Smartphones, yeah, are tracking our every movement. We have a lot of technology around us when it comes to surveillance systems and things like that. And so the DOJ Inspector General and the government generally has this term now to describe that technology kind of world that we live in, where you can be tracked throughout your life. And the DOJ audit that you were just talking about looked at how is the FBI doing in terms of preparing their workforce for this world and ensuring that they aren’t unduly swept up by an adversary in that type of surveillance. And the story that came out, which shocked me as well in this audit was in 2018, an FBI legal attache was in Mexico City meeting with sources.
43
00:00:42,000 –> 00:00:43,000
Justin Doubleday [00:14:40]: And as it turned out, he was meeting with sources, or they were meeting with sources, we don’t know who they were, for investigating the El Chapo’s drug cartel. And while this legal attache was moving around Mexico City meeting with sources, according to the DOJ audit, a hacker who was working for the cartel had actually infiltrated their phone, had been able to track both their phone calls and their geolocation data. And it also hacked into Mexico City’s surveillance cameras and was able to watch them that way as well. And they were able to track who they were meeting with, their sources, obviously extremely sensitive. And then they were able to intimidate and in some cases even kill some of these sources. And so that just demonstrates the world that the FBI and everyone is now operating in.
44
00:00:43,000 –> 00:00:44,000
Frank Cilluffo [00:15:34]: That is, it’s chilling in many ways. And the sophistication in tradecraft necessary to do something like that, you would have thought maybe resides in a handful of three lettered agencies. But the fact that the cartels are demonstrating this capability, and shouldn’t be that surprising because there’s a lot of money in that business and they’re going to hire the best people and the best technology, and if not, they’re going to buy the companies that run the telcos and the like at some point. But, but it’s still sort of shocking when you see it. And I, what implications do you think this means more broadly from a foreign counterintelligence perspective or even a criminal environment as we’re seeing here?
45
00:00:44,000 –> 00:00:45,000
Justin Doubleday [00:16:24]: Yeah, as you point out, the bar is much lower in terms of accessing some of these capabilities. Commercial spyware is much more easily accessible for a range of groups and individuals. And it’s, it’s almost, it’s, it’s almost impossible to detect when spyware has gotten onto a phone of an individual, even for a cyber expert.
46
00:00:45,000 –> 00:00:46,000
Frank Cilluffo [00:16:50]: And you don’t even have to click the link anymore, right?
47
00:00:46,000 –> 00:00:47,000
Justin Doubleday [00:16:52]: You don’t have to click the link. You don’t have, it’s clickless. It’s, it’s, it’s scary, as you said. And so I think from the audit that we were talking about, essentially the IG said that the FBI did not have a long term vision for combating this type of threat and dealing with this world.
48
00:00:47,000 –> 00:00:48,000
Frank Cilluffo [00:17:08]: Does anyone?
49
00:00:48,000 –> 00:00:49,000
Justin Doubleday [00:17:09]: Right. Does anyone really know what exactly to do? I think one of the concrete things that came out of the audit was that folks in the FBI’s training section were trying to get more funding to help train folks to defend themselves against this type of world. And according to this audit, higher up said FBI denied that request.
50
00:00:49,000 –> 00:00:50,000
Justin Doubleday [00:17:30]: And so as it goes with technology and cybersecurity, things are often nice to have until they’re necessary.
51
00:00:50,000 –> 00:00:51,000
Frank Cilluffo [00:17:38]: Absolutely.
52
00:00:51,000 –> 00:00:52,000
Justin Doubleday [00:17:39]: It seems as if we’re always a little bit behind the eight ball.
53
00:00:52,000 –> 00:00:53,000
Frank Cilluffo [00:17:41]: That tends to be, we let the adversary shape our response in many ways and hence we’re sort of going at it backwards. But we do let big events drive and, and that’s understandable to a point, but it is unacceptable. We know what some of those concerns and considerations are. And if, if a drug cartel can do this, what can the Chinese do, what can the Russians do, what can the Iranians do, or anyone else with a SIGINT capability. So it is kind of, kind of frightening. And it has implications beyond the FBI.
54
00:00:53,000 –> 00:00:54,000
Frank Cilluffo [00:18:18]: And hopefully, hopefully smart people are asking some of these questions right now. I know we’re looking at some of those issues through our policy work, but tough one to get our arms around. And just spyware generally, it’s commercially becoming more and more, so the bar is sometimes getting lower from a tradecraft standpoint because the technology is widely available. Right? Did you look into that at all?
55
00:00:54,000 –> 00:00:55,000
Justin Doubleday [00:18:44]: Well, I think there’s been some efforts to, you know, ban spyware by governments. There’s been efforts to essentially develop some, some consensus globally around this. But I think it’s a tough thing to get your arms around. It’s tough to ban any sort of technology as we, as we all know so well.
56
00:00:55,000 –> 00:00:56,000
Frank Cilluffo [00:19:04]: Once the genie’s out.
57
00:00:56,000 –> 00:00:57,000
Justin Doubleday [00:19:05]: Yeah. And so we haven’t even talked about artificial intelligence and the way that that can kind of supercharge some of these surveillance efforts and also introduce things like deepfakes that can further kind of muddy the pool of public information and trick folks into doing things. We saw a deepfake of Secretary of State Marco Rubio go out to a lot of his employees globally. And you know, the goal with those things of course, is to convince folks that hey, this is legitimate and I need to give up some sort of sensitive information and those are only going to become more convincing and it’s just going to be that typical kind of cat and mouse game where you have to try to keep up.
58
00:00:57,000 –> 00:00:58,000
Frank Cilluffo [00:19:50]: And it’s going to be hard. And, and for scammers, I, I mean just to record someone’s voice, very easy to do, and call your grandma. Next thing you know, your grandma’s sending, sending her, her retirement to some of these scammers. That is going to be something we’ve got to get our arms around. And I’m not sure they’re easy answers to, but the fact that the IG put out a report should be eye opening.
59
00:00:58,000 –> 00:00:59,000
Justin Doubleday [00:20:13]: Unredacted with stories like that as well is pretty remarkable.
60
00:00:59,000 –> 00:01:00,000
Frank Cilluffo [00:20:17]: Absolutely. Let’s go to some of the regulatory sets of issues and what we think this framework looks like from a digital agenda. And one in particular is CMMC and the Department of Defense. And you’ve done some great reporting there, and Katie Arrington’s done work on this for quite some time. Where does that stand and what are the implications in terms of promulgation of CMMC?
61
00:01:00,000 –> 00:01:01,000
Justin Doubleday [00:20:43]: Well, after a six year saga that feels like maybe it was 60 years, it is now about to enter force as a contracting requirement. You know, this started back in 2019. The CMMC term came about in 2019. It started well before that, of course, and this idea of ensuring contractors were following these cybersecurity standards. And now folks expect that on about October 1st or a little bit after this requirement will start trickling into defense contracts. And this is of course a program that involves third party audits in many cases to ensure that contractors are following cybersecurity requirements. And so that’s pretty remarkable in and of itself because up until now it’s been a lot of self attestation, it’s been a lot of self certification and sort of, hey, hope you’re doing this, let’s, but you know, we’ve got bigger priorities.
62
00:01:01,000 –> 00:01:02,000
Justin Doubleday [00:21:39]: We’ve got cost schedule and performance that we’re more worried about than security. And, and now security is a part of that whole process. So I think it’ll be interesting to see how this phased rollout works. DoD is not immediately throwing CMMC third party audit requirements into every contract. It’s, it’s going to take some time.
63
00:01:02,000 –> 00:01:03,000
Frank Cilluffo [00:21:57]: Coming though, right?
64
00:01:03,000 –> 00:01:04,000
Justin Doubleday [00:21:58]: But it is coming now. It’s official. It’s gotten through the regulatory process.
65
00:01:04,000 –> 00:01:05,000
Frank Cilluffo [00:22:02]: And you’ve, you spoke to my, my friend Matt Travis for one of your stories on this. Any, anything that he highlighted?
66
00:01:05,000 –> 00:01:06,000
Justin Doubleday [00:22:09]: Well, Matt Travis of course leads the Cyber Accreditation Body, which is this nonprofit that is contracted with the government to run this essentially army of third party auditors that will have to go out and at the height of the CMMC program, deal with an estimated 80,000 companies that are going to require third party audits under CMMC. And so his, his focus right now is in many different directions, but it’s really on building out that capacity in the coming years. So that this big concern with the CMMC program is that it could essentially gum up the defense acquisition process because companies are waiting around for cyber certification.
67
00:01:06,000 –> 00:01:07,000
Frank Cilluffo [00:22:52]: Which we can’t do either, right?
68
00:01:07,000 –> 00:01:08,000
Justin Doubleday [00:22:53]: Exactly. That’s been kind of the tension all along. So that’s a big issue.
69
00:01:08,000 –> 00:01:09,000
Frank Cilluffo [00:22:57]: Do you think it’s going to have any other implications for future cyber regulations or?
70
00:01:09,000 –> 00:01:10,000
Justin Doubleday [00:23:02]: I think we haven’t seen any other agencies come out and say we want to use CMMC, but a lot of these companies that sell, you know, services and products to the Defense Department also sell them to Homeland Security, to many other agencies. And so the question is to what extent will the rest of the federal government adopt CMMC or something like it versus go their own route? I don’t think that is something that anyone wants to see. But as, as you know, you know, a lot of agencies have their own ideas and their own priorities about what they would like to see from their contractors.
71
00:01:10,000 –> 00:01:11,000
Frank Cilluffo [00:23:37]: Well intended. That’s why we have a bit of a patchwork right now, and I personally feel needs to be synchronized or streamlined or whatever it may be. And we recently had Senator Peters on to talk about some of his legislation along those lines. You know, along, in that vein, you also wrote about the Do Not Pay database. And why is that important and why now?
72
00:01:11,000 –> 00:01:12,000
Justin Doubleday [00:24:04]: Well, it’s, the Treasury Department’s Do Not Pay database is used by, supposed to be used by agencies across the federal government to ensure that when they’re essentially spending federal dollar, giving federal dollars to a grant recipient or benefit recipient that this person is not someone who is a fraud actor or someone who should not be paid because for various reasons. And so the Do Not Pay database is essentially supposed to help agencies verify that they’re not making an improper payment or even giving money to a fraud actor. It’s been underutilized according to not just the Trump administration, but, you know, fraud experts across the board. And so President Trump in March signed an executive order essentially directing agencies to make better use of Do Not Pay, but also to boost the data that Do Not Pay has in terms of accessing what HHS might have, what SSA might have. And so now the Treasury Department is trying to increase access to, the data access as far as Do Not Pay.
73
00:01:12,000 –> 00:01:13,000
Frank Cilluffo [00:25:08]: And that can help with getting visibility across our supply chains. Right? I mean that’s one of the most vexing and challenging set of issues. And, and dare I say AI, machine learning, and other technologies can help with that. Not silver bullets, but can help with that across, across all federal agencies. And hopefully that can go to state local at some point as well.
74
00:01:13,000 –> 00:01:14,000
Justin Doubleday [00:25:34]: They do have access to that database as well.
75
00:01:14,000 –> 00:01:15,000
Frank Cilluffo [00:25:36]: Now what about privacy? Are there any privacy implications?
76
00:01:15,000 –> 00:01:16,000
Justin Doubleday [00:25:40]: Certainly, I mean, I think the big barrier for increasing the data that Do Not Pay can access is the Privacy Act and for good reason. When you give the government information, when you give the IRS information, you expect that they’re going to use your personal data and the way that they have said they were going to and not going to share it kind of willy nilly across the federal government. That’s the whole intention behind the Privacy Act. But what’s happened in kind of this modern digital world where a fraud actor can find a real Social Security number and develop a synthetic identity using that, is that there are, they’re taking advantage of gaps when agencies don’t share certain pieces of data across the board. And so that is what this effort under the Trump administration is aimed at, is ensuring that agencies can share data within the Privacy Act’s framework for essentially proper use. And so that’s, that’s where this is going.
77
00:01:16,000 –> 00:01:17,000
Frank Cilluffo [00:26:37]: And for so long we’ve treated privacy and security as either or. Aren’t they one of the same, two, two, two sides of a coin if done right?
78
00:01:17,000 –> 00:01:18,000
Justin Doubleday [00:26:50]: I think so. I think that’s that, that last statement is key when done right. And I think it requires a great deal of intentionality and sort of digging into the issue when it comes to these digital identity technologies as well, things like mobile driver’s licenses.
79
00:01:18,000 –> 00:01:19,000
Frank Cilluffo [00:27:06]: That’s gonna have huge implications.
80
00:01:19,000 –> 00:01:20,000
Justin Doubleday [00:27:07]: Yeah, those are, those are already here and they’re certainly going to…
81
00:01:20,000 –> 00:01:21,000
Frank Cilluffo [00:27:12]: Biometrics and everything.
82
00:01:21,000 –> 00:01:22,000
Justin Doubleday [00:27:13]: Exactly, yeah.
83
00:01:22,000 –> 00:01:23,000
Frank Cilluffo [00:27:14]: Justin, we’re getting near the end of our time. What questions didn’t I ask that I should have, and or what stories keep you most excited going forward?
84
00:01:23,000 –> 00:01:24,000
Justin Doubleday [00:27:27]: That’s a great question. I mean, I think the, what we were just talking about there, some of the digital identity pieces, is one of, that’s a topic that long term really interests me. How, that’s kind of the big story, I think behind all this chatter is how does the government continue to adapt to this digital world that we now live in and deliver services, better deliver services more securely, secure itself on the back end, respect privacy and ensure that, you know, we continue to have strong privacy to the extent possible. I think that’s a fascinating story. And so this, this effort to, you know, build up the Do Not Pay database and combat fraud, I think is intertwined with stories of cyber security, stories of IT modernization, I think across the board. Seeing that some of those connections that are just below the surface is what excites me.
85
00:01:24,000 –> 00:01:25,000
Frank Cilluffo [00:28:23]: And things are moving so fast and we can’t let ethics and privacy and everything else be a footnote in whatever it is we’re building or let an incident respond and then we have a draconian approach and don’t get our arms around it. Justin, thank you for spending time with us today. Thank you for your crackerjack reporting. Keep fighting the good fight. Keep seeking the big stories. And, and thank you.
86
00:01:25,000 –> 00:01:26,000
Justin Doubleday [00:28:50]: Thank you for having me.
87
00:01:26,000 –> 00:01:27,000
Frank Cilluffo [00:28:52]: Thank you for joining us for this episode of Cyber Focus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes, or individuals you’d like for us to host. Until next time, stay safe, stay informed, and stay curious.