Federal agencies face a complex balancing act. They must simultaneously modernize legacy systems, embed zero-trust security, and harness the power of artificial intelligence (AI), all while talent pipelines shrink and budgets tighten. A recent MeriTalk webinar, “Secure Cloud Modernization: Empowering Federal Teams for an AI-Enabled Future,” convened government and industry leaders who have tackled these challenges head on. Drawing on their insights, this playbook helps practitioners modernize securely, meet the latest executive mandates, and unlock AI at mission speed.
Step One: Align Modernization With Federal Guidance
New Federal guidance has accelerated the pace of change by removing barriers to AI innovation and directing agencies to drive cost-efficiency across government operations. This guidance includes:
- “Winning the Race: America’s AI Action Plan,” which outlines policy actions designed to accelerate innovation, build American AI infrastructure, and leadg in international diplomacy and security
- EO 14179, “Removing Barriers to American Leadership in AI,” which tasks every agency with adopting responsible AI while removing legacy policy hurdles
- EO 14222, “Implementing the President’s Department of Government Efficiency Initiative,” which requires measurable cost-efficiency gains across the Federal enterprise
“Agencies are managing their way through technology debt and the efficiency mandate,” noted Don Tweedie, deputy chief information officer for the Federal Communications Commission (FCC). “They’re taking a multi-pronged approach that addresses both structural and cultural gaps. Some of the biggest gaps are with talent.”
Step Two: Treat Modernization as a Team Sport
“Modernization is a team sport. It’s not just a technologist problem, a data scientist problem, or a security problem,” said Taka Ariga, former chief artificial intelligence officer (CAIO) and chief data officer for the Office of Personnel Management. “You need to make sure that your lawyers, contract specialists, procurement specialists, and privacy professionals are also embedded in the process. The chief AI officer position was created to help carry out those conversations across agency functions.”
Ariga’s point resonates with every organization that has struggled to move pilots into production: Modernization succeeds when governance, acquisition, privacy, and workforce policies evolve together. Standing, cross-functional “tiger teams,” supported by a CAIO or similar leader, replace serial handoffs with parallel sprints and shorten lead times.
Step Three: Modernize With Purpose
The FCC’s cloud journey has been widely recognized as a model for modernization. “We had outdated, legacy infrastructure that was operationally inefficient. It constrained us from supporting rapid innovation. We overcame that by prioritizing strategically and modernizing with purpose,” Tweedie said.
The FCC’s 360-degree approach to modernization addressed business, technology, and security. The agency:
- Inventoried and assessed every legacy system for functionality, dependencies, and mission value
- Established strong governance and risk management to control costs and drive efficiency across the agency
- Embedded zero trust architecture with least-privilege access and network segmentation by role and adopted tools that streamlined routine security functions
- Shifted from a CapEx to OpEx spending model, auto-scaling resources and shutting down idle instances to eliminate waste
The result: improved cost efficiency plus a cloud platform resilient enough for emerging AI workloads.
Step Four: Converge Skills to Close the Mission Gap
The importance of the human side of modernization cannot be overlooked. In one public sector study, just half of respondents said their DevOps/DevSecOps practices are mature, and 67 percent said the security team has a difficult time getting the development team to prioritize remediation of vulnerabilities. A recent survey of Federal CAIOs, the Tech Tonic 2025 Federal CAIO Outlook, found that 85 percent believe AI will transform agency operations by 2030, but 66 percent say their agency lacks the talent, infrastructure, and funding to meet AI goals.
Traditional upskilling programs treat cloud, security, and data as discrete tracks; tomorrow’s AI missions demand talent who can speak all three languages, said Drew Firment, chief cloud strategist for Pluralsight, an online tech skills training provider.
“If you have a security engineer who understands AI frameworks or DevOps leads who grasp compliance, that’s going to reduce friction between those conversations,” Firment said. “This isn’t about everybody becoming an expert on everything. It’s about building shared understanding so you can pivot quickly to adapt to mission changes securely and at speed.”
The FCC took “a mission-line training focus,” Tweedie noted. “The workforce wasn’t just learning new cloud skills. They were learning how to apply them in the context of mission delivery.”
Practitioner takeaway: Map the workforce against four converging skill pillars: cloud-native architecture, secure software development, data engineering, and AI/ML foundations, and then build cross-skilling paths that deliver mission-aligned outcomes, not just certificates.
Step Five: Shift From Vertical to Horizontal Security
Legacy organizational structures often force each team to buy and run its own scanners and dashboards, creating telemetry silos, duplicated work, and alert fatigue.
“We have to move away from the vertical security that we typically have today, where everyone’s doing security in silos, to horizontal security, where everyone has the same telemetry, the same view of risk, so we can all make the right decisions,” said Chris Saunders, director of public sector solutions engineering at Wiz, a cloud security platform provider.
Collapsing siloed scanners into a single inside-out platform feeds the same evidence to developers, security operations center analysts, and auditors, Saunders noted. That shared security data, coupled with policy-as-code guardrails, aligns everyone – from developers and operators to compliance professionals – around a single, prioritized risk picture.
Progressive agencies use a three-pronged security model:
- Proactive security – visualize attack paths and misconfigurations
- Preventive security (shift left) – convert findings into guardrails and compliance-as-code
- Reactive security – high-fidelity runtime alerts during live incidents
Step Six: Validate Learning Through Resident Experts
Upskilling requires verification, the experts advised.
“Resident experts who have specific knowledge in the technologies that are being deployed can train agency staff and make sure that the training is successful,” said Bob Venero, CEO and president of Future Tech Enterprise, an IT solutions provider. “Many times, training programs offer a certificate at the end, but there’s no real validation that real understanding was gained. That validation is critical.”
Embedding vendor “residents” or integrator fellows inside agency teams creates a virtuous cycle: hands-on mentoring, immediate skills assessment, and knowledge transfer that outlives the contract.
Step Seven: Ensure That Governance Is Agile
When models drift and threat vectors multiply daily, governance must be iterative, not quarterly.
“Government entities don’t get to say ‘oops’ about breaches or privacy violations,” Ariga warned. “So governance is an important part of this conversation – but speed and agility matter, especially as AI technology evolves.”
To move at the speed of innovation, multi-stakeholder teams must be empowered to make micro-decisions about configuration, deployment, and user experience issues as they arise, while still escalating systemic issues to the C-suite, Ariga advised.
Step Eight: Evaluate, Adapt, Repeat
Secure cloud modernization is a continuous loop of evaluating operations, refactoring, cross-skilling, and reassessing emerging tech, from post-quantum cryptography to AI-generated code. Agencies that institutionalize the idea that continuous modernization equals continuous learning stay ahead of both regulators and adversaries, the experts advised.
This special report captures some of the insights shared in the Secure Cloud Modernization webinar. Watch the on-demand session to explore more real-world strategies and toolsets.