Government technology is in the middle of a historic shift. The Department of Veterans Affairs (VA) stands at the center of this transformation, moving from a check‑the‑box cybersecurity culture to a model of “cyber dominance” that fuses artificial intelligence (AI), zero trust architecture (a security model that assumes no user or device is trusted by default, even inside the network), and continuous risk management. 🔐

For lawyers who touch government work in any way—inside agencies, representing contractors, handling whistleblowers, litigating Freedom of Information Act (FOIA) or privacy issues, or advising regulated entities—this is not just an IT story. It is a law license story. Under the American Bar Association (ABA) Model Rules, failing to grasp core cyber and AI governance concepts can now translate into ethical risk and potential disciplinary exposure. ⚠️

Resources such as The Tech-Savvy Lawyer.Page blog and podcast are no longer “nice to have.” They are becoming essential continuing education for lawyers who want to stay competent in practice, protect their clients, and safeguard their own professional standing. 🧠🎧

Where Government Agency Technology Has Been: The Compliance Era 🗂️

For decades, many federal agencies lived in a world dominated by static compliance frameworks. Security often meant passing audits and meeting minimum requirements, including:

• Annual or periodic Authority to Operate (ATO, the formal approval for a system to run in a production environment based on security review) exercises

• A focus on the Federal Information Security Modernization Act (FISMA) and National Institute of Standards and Technology (NIST) security control checklists

• Point‑in‑time penetration tests

• Voluminous documentation, thin on real‑time risk

The VA was no exception. Like many agencies, it grappled with large legacy systems, fragmented data, and a culture in which “security” was a paperwork event, not an operational discipline. 🧾

In that world, lawyers often saw cybersecurity as a box to tick in contracts, privacy impact assessments, and procurement documentation. The legal lens focused on:

• Whether the required clauses were in place

• Whether a particular system had its ATO

• Whether mandatory training was completed

The result: the law frequently chased the technology instead of shaping it.

Where Government Technology Is Going: Cyber Dominance at the VA 🚀

The VA is now in the midst of what its leadership calls a “cybersecurity awakening” and a shift toward “cyber dominance”. The message is clear: compliance is not enough, and in many ways, it can be dangerously misleading if it creates a false sense of security.

Key elements of this new direction include:

• Continuous monitoring instead of purely static certification

• Zero trust architecture (a security model that assumes no user, device, or system is trusted by default, and that every access request must be verified) as a design requirement, not an afterthought

• AI‑driven threat detection and anomaly spotting at scale

• Integrated cybersecurity into mission operations, not a separate silo

• Real‑time incident response and resilience, rather than after‑the‑fact blame

“Cyber dominance” reframes cybersecurity as a dynamic contest with adversaries. Agencies must assume compromise, hunt threats proactively, and adapt in near real time. That shift depends heavily on data engineering, automation, and AI models that can process signals far beyond human capacity. 🤖

For both government and nongovernment lawyers, this means that the facts on the ground—what systems actually do, how they are monitored, and how decisions are made—are changing fast. Advocacy and counseling that rely on outdated assumptions about “IT systems” will be incomplete at best and unethical at worst.

The Future: Cybersecurity Compliance, Cybersecurity, and Cybergovernance with AI 🔐🌐

The future of government technology involves an intricate blend of compliance, operational security, and AI governance. Each element increasingly intersects with legal obligations and the ABA Model Rules.

1. Cybersecurity Compliance: From Static to Dynamic ⚙️

Traditional compliance is not disappearing. The FISMA, NIST standards, the Federal Risk and Authorization Management Program (FedRAMP), the Health Insurance Portability and Accountability Act (HIPAA), and other frameworks still govern federal systems and contractor environments.

But the definition of compliance is evolving:

• Continuous compliance: Automated tools generate near real‑time evidence of security posture instead of relying only on annual snapshots.

• Risk‑based prioritization: Not every control is equal; agencies must show how they prioritize high‑impact cyber risks.

• Outcome‑focused oversight: Auditors and inspectors general care less about checklists and more about measurable risk reduction and resilience.

Lawyers must understand that “we’re compliant” will no longer end the conversation. Decision‑makers will ask:

• What does real‑time monitoring show about actual risk?

• How quickly can the VA or a contractor detect and contain an intrusion?

• How are AI tools verifying, logging, and explaining security‑related decisions?

2. Cybersecurity as an Operational Discipline 🛡️

The VA’s push toward cyber dominance relies on building security into daily operations, not layering it on top. That includes:

• Secure‑by‑design procurement and contract terms, which require modern controls and realistic reporting duties

• DevSecOps (development, security, and operations) pipelines that embed automated security testing and code scanning into everyday software development

• Data segmentation and least‑privilege access across systems, so users and services only see what they truly need

• Routine red‑teaming (simulated attacks by ethical hackers to test defenses) and table‑top exercises (structured discussion‑based simulations of incidents to test response plans)

For government and nongovernment lawyers, this raises important questions:

• Are contracts, regulations, and interagency agreements aligned with zero trust principles (treating every access request as untrusted until verified)?

• Do incident response plans meet regulatory and contractual notification timelines, including state and federal breach laws?

• Are representations to courts, oversight bodies, and counterparties accurate in light of actual cyber capabilities and known limitations?

3. Cybergovernance with AI: The New Frontier 🌐🤖

AI will increasingly shape how agencies, including the VA, manage cyber risk:

• Machine learning models will flag suspicious behavior or anomalous network traffic faster than humans alone.

• Generative AI tools will help triage incidents, search legal and policy documents, and assist with internal investigations.

• Decision‑support systems may influence resource allocation, benefit determinations, or enforcement priorities.

These systems raise clear legal and ethical issues:

• Transparency and explainability: Can lawyers understand and, if necessary, challenge the logic behind AI‑assisted or AI‑driven decisions?

• Bias and fairness: Do algorithms create discriminatory impacts on veterans, contractors, or employees, even if unintentional?

• Data governance: Is sensitive, confidential, or privileged information being exposed to third‑party AI providers or trained into their models?

Blogs and podcasts like Tech-Savvy Lawyer.Page blog and podcast often highlight practical workflows for lawyers using AI tools safely, along with concrete questions to ask vendors and IT teams. Those insights are particularly valuable as agencies and law practices both experiment with AI for document review, legal research, and compliance tracking. 💡📲

What Lawyers in Government and Nongovernment Need to Know 🏛️⚖️

Lawyers inside agencies such as the VA now sit at the intersection of mission, technology, and ethics. Under ABA Model Rule 1.1 (Competence) and its comment on technological competence, agency counsel must acquire and maintain a basic understanding of relevant technology that affects client representation.

For government lawyers and nongovernment lawyers who advise, contract with, or litigate against agencies such as the VA, technological competence now has a common core. It requires enough understanding of system architecture, cybersecurity practices, and AI‑driven tools to ask the right questions, spot red flags, and give legally sound, ethics‑compliant advice on how those systems affect veterans, agencies, contractors, and the public. ⚖️💻

For government lawyers and nongovernment lawyers who interact with agencies such as the VA, this includes:

• Understanding the basic architecture and risk profile of key systems (for example, benefits, health data, identity, and claims platforms), so you can evaluate how failures affect legal rights and obligations. 🧠

• Being able to ask informed questions about zero trust architecture, encryption, system logging, and AI tools used by the agency or contractor.

• Knowing the relevant incident response plans, data breach notification obligations, and coordination pathways with regulators and law enforcement, whether you are inside the agency or across the table. 🚨

• Ensuring that policies, regulations, contracts, and public statements about cybersecurity and AI reflect current technical realities, rather than outdated assumptions that could mislead courts, oversight bodies, or the public.

Model Rules 1.6 (Confidentiality of Information) and 1.13 (Organization as Client) are especially important. Government lawyers must:

• Guard sensitive data, including classified, personal, and privileged information, against unauthorized disclosure or misuse.

• Advise the “client” (the agency) when cyber or AI practices present significant legal risk, even if those practices are popular or politically convenient.

If a lawyer signs off on policies or representations about cybersecurity that they know—or should know—are materially misleading, that can implicate Rule 3.3 (Candor Toward the Tribunal) and Rule 8.4 (Misconduct). The shift to cyber dominance means that “we passed the audit” will no longer excuse ignoring operational defects that put veterans or the public at risk. 🚨

What Lawyers Outside Government Need to Know 🏢⚖️

Lawyers representing contractors, vendors, whistleblowers, advocacy groups, or regulated entities cannot ignore these changes at the VA and other agencies. Their clients operate in the same new environment of continuous oversight and AI‑informed risk management.

Key responsibilities for nongovernmental lawyers include:

• Contract counseling: Understanding cybersecurity clauses, incident response requirements, AI‑related representations, and flow‑down obligations in government contracts.

• Regulatory compliance: Navigating overlapping regimes (for example, federal supply chain rules, state data breach statutes, HIPAA in health contexts, and sector‑specific regulations).

• Litigation strategy: Incorporating real‑time cyber telemetry and AI logs into discovery, privilege analyses, and evidentiary strategies.

• Advising on AI tools: Ensuring that client use of generative AI in government‑related work does not compromise confidential information or violate procurement, export control, or data localization rules.

Under Model Rule 1.1 (Competence), outside counsel must be sufficiently tech‑savvy to spot issues and know when to bring in specialized expertise. Ignoring cyber and AI governance concerns can:

• Lead to inadequate or misleading advice.

• Misstate risk in negotiations, disclosures, or regulatory filings.

• Expose clients to enforcement actions, civil liability, or debarment.

• Expose lawyers to malpractice claims and disciplinary complaints.

ABA Model Rules: How Cyber and AI Now Touch Your License 🧾⚖️

Several American Bar Association (ABA) Model Rules are directly implicated by the VA’s evolution from compliance to cyber dominance and by the broader adoption of artificial intelligence (AI) in government operations:

• Rule 1.1 – Competence

• Comment 8 recognizes a duty of technological competence.

• Lawyers must understand enough about cyber risk and AI systems to represent clients prudently.

• Rule 1.6 – Confidentiality of Information

• Lawyers must take reasonable measures to safeguard client information, including in cloud environments and AI‑enabled workflows.

• Uploading sensitive or privileged content into consumer‑grade AI tools without safeguards can violate this duty.

• Rule 1.4 – Communication

• Clients should be informed—in clear, non‑technical terms—about significant cyber and AI risks that may affect their matters.

• Rules 5.1 and 5.3 – Responsibilities of Partners, Managers, and Supervisory Lawyers; Responsibilities Regarding Nonlawyer Assistance

• Law firm leaders must ensure that policies, training, vendor selection, and supervision support secure, ethical use of technology and AI by lawyers and staff.

• Rule 1.13 – Organization as Client

• Government and corporate counsel must advise leadership when cyber or AI governance failures pose substantial legal or regulatory risk.

• Rules 3.3, 3.4, and 8.4 – Candor, Fairness, and Misconduct

• Misrepresenting cyber posture, ignoring known vulnerabilities, or manipulating AI‑generated evidence can rise to ethical violations and professional misconduct.

In the age of cyber dominance, “I did not understand the technology” is increasingly unlikely to serve as a safe harbor. Judges, regulators, and disciplinary authorities expect lawyers to engage these issues competently.

Practical Next Steps for Lawyers: Moving from Passive to Proactive 🧭💼

To meet this moment, lawyers—both in government and outside—should:

• Learn the language of modern cybersecurity:

• Zero trust (a model that treats every access request as untrusted until verified)

• Endpoint detection and response (EDR, tools that continuously monitor and respond to threats on endpoints such as laptops, servers, and mobile devices)

• Security Information and Event Management (SIEM, systems that collect and analyze security logs from across the network)

• Security Orchestration, Automation, and Response (SOAR, tools that automate and coordinate security workflows and responses)

• Encryption at rest and in transit (protecting data when it is stored and when it moves across networks)

• Multi‑factor authentication (MFA, requiring more than one factor—such as password plus a code—to log in)

• Understand AI’s role in the client’s environment: what tools are used, where data goes, how outputs are checked, and how decisions are logged.

• Review incident response plans and breach notification workflows with an eye on legal timelines, cross‑jurisdictional obligations, and contractual requirements.

• Update engagement letters, privacy notices, and internal policies to reflect real‑world use of cloud services and AI tools.

• Invest in continuous learning through technology‑forward legal resources, including The Tech-Savvy Lawyer.Page blog and podcast, which translate evolving tech into practical law practice strategies. 💡

Final Thoughts: The VA’s journey from compliance to cyber dominance is more than an agency story. It is a case study in how technology, law, and ethics converge. Lawyers who embrace this reality will better protect their clients, their institutions, and their licenses. Those who do not will risk being left behind—by adversaries, by regulators, and by their own professional standards. 🚀🔐⚖️

Editor’s Note: I used the VA as my “example” because Veterans mean a lot to me. I have been a Veterans Disability Benefits Advocate for nearly two decades. Their health and welfare should not be harmed by faulty tech compliance. 🇺🇸⚖️

MTC