Part 16 – Future Digital Resilience: AI, Automation, and Keeping Services Running During Funding Lapses

Aim: a practical, future-facing blueprint to minimise harm when appropriations lapse—without breaching the Antideficiency Act (ADA)—by using automation, continuity engineering, and clear legal guardrails.


16.1 First principles (what we can and cannot do)

  • The constraint: during a lapse, agencies may only perform excepted functions (protection of life/property, national security, activities with permanent authority) under OMB Circular A-11 §124. Everything else must stop or wait. (The White House)
  • The opportunity: modern continuity doctrine (FCD-1/FEMA) already requires agencies to design for survival of essential functions “under all conditions”; we can upgrade the how with automation and AI while staying within law. (GPO)

16.2 A resilience stack for shutdowns (technology + process)

  1. Automated continuity for excepted services
  • Always-on cloud baselines for emergency/public-safety systems hosted on FedRAMP-authorised services; pre-funded, pre-provisioned capacity, and autoscaling runbooks that require minimal human intervention during a lapse. (FedRAMP)
  • Network resilience via TIC 3.0 architectures and zero-trust segmentation so critical apps can operate in isolation if supporting back-office systems are paused. (CISA)
  2. Secure, low-touch operations
  • Patch & exposure control on a “break-glass” footing: keep CISA KEV (BOD 22-01) remediation pipelines live for excepted systems to reduce cyber risk while staffing is thin. (CISA)
  • Runbook robotics: scripted failover, queuing, and journalling to capture transactions for later lawful execution (no obligation of funds until appropriations resume). (Aligned to §124’s “orderly suspension” and restart.) (The White House)
  3. AI assistance—with governance
  • Triage copilots to surface the highest-risk incidents (health, safety, infrastructure) to the few on-duty staff; models evaluated under NIST AI RMF 1.0 (risk, bias, transparency). (NIST Publications)
  • Crisis chatbots for public information (what’s open/closed; where to get help), carefully scoped to inform only, not to obligate funds or take decisions outside excepted authority; governance aligned to EO 14110/successor policy and international principles (e.g., Bletchley Declaration). (Federal Register)
  4. Data continuity during “statistical blackouts”
  • Provisional data mirrors: pre-approved arrangements with states, academia, and private providers to maintain indicator proxies (clearly labelled “unofficial”) when BEA/BLS/Census are paused—so markets and policymakers are less “flying blind.” (Activation confined to informational products; official publication resumes post-lapse.) (The White House)

16.3 A three-phase playbook (before, during, after)

| Phase | Objective | Actions (examples) | Compliance notes |
|---|---|---|---|
| Pre-lapse (steady-state) | Engineer for no-touch resilience | FedRAMP baselines; TIC 3.0 network patterns; KEV auto-remediation; AI models pre-validated under NIST RMF; tabletop exercises with COOP | Budgeted in advance; tested under FCD-1 |
| During lapse | Sustain only excepted services with minimal staff | Auto-failover of critical apps; cyber patching for excepted systems; crisis chatbots with fixed scripts; queue non-excepted transactions | Operate strictly under A-11 §124 scope |
| Post-lapse | Safe, rapid restart; integrity & audit | Controlled replay of queued work; reconciliation and anti-deficiency checks; post-incident GAO/IG review; model drift checks | Report under 31 U.S.C. §1351 as required |

Citations: FedRAMP; TIC 3.0; BOD 22-01; OMB A-11 §124; FCD-1; NIST AI RMF. (FedRAMP)


16.4 Policy upgrades that would materially help

  • Statutory clarity on automated operations: Codify that specific security and safety automations (patching, monitoring, incident response for excepted systems) may continue throughout a lapse as part of “protection of life or property,” aligning §124 with current cyber realities (KEV/BOD 22-01). (CISA)
  • AI governance continuity: Reaffirm (or re-issue, if altered) federal AI governance baselines consistent with NIST AI RMF and the AI executive framework so that model risk controls persist across administrations and lapses; internationally, keep convergence with Bletchley principles and related treaties. (NIST Publications)
  • Continuity finance levers: If Congress does not adopt auto-CRs, authorise a narrowly scoped “provisional twelfths for safety” mechanism—limited, transparent spend for designated excepted programmes, mirroring EU provisional-twelfths logic. (CISA)

16.5 Risks and mitigations

  • ADA over-reach risk: Automation must never create obligations for non-excepted work. Use “record-only” modes and escrowed queues for later lawful processing; legal counsel signs off on runbooks. (The White House)
  • AI reliability & bias: Crisis chatbots and triage models can misroute cases. Mitigate with human-in-the-loop for high-harm actions; publish model cards and incident logs per NIST AI RMF. (NIST Publications)
  • Cyber exposure during thin staffing: Treat shutdowns as adversary opportunity windows; enforce KEV deadlines on excepted systems and maintain on-call rotations for SOC analysts. (CISA)
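
The "record-only" queue from 16.2 and the ADA guardrail above can be sketched as follows. This is an added example, not code from any agency system: the class, the gate names (`appropriations_restored`, `counsel_signoff`) and the SHA-256 hash chain used to make the journal tamper-evident for the post-lapse audit are all assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # anchor for the first entry's 'prev' field

def _digest(prev_hash, payload):
    # Canonical JSON so the same payload always hashes identically.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

class RecordOnlyJournal:
    """Captures non-excepted transactions during a lapse; never executes them."""

    def __init__(self):
        self.entries = []

    def record(self, payload):
        # Each entry commits to its predecessor, so edits break the chain.
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"payload": payload, "prev": prev, "hash": _digest(prev, payload)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return the index of the first bad entry, or None if the chain is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or e["hash"] != _digest(prev, e["payload"]):
                return i
            prev = e["hash"]
        return None

    def replay(self, handler, appropriations_restored, counsel_signoff):
        """Controlled post-lapse replay: every gate must pass before anything runs."""
        if not appropriations_restored:
            raise PermissionError("lapse still in effect: record-only mode")
        if not counsel_signoff:
            raise PermissionError("runbook replay lacks legal sign-off")
        bad = self.verify()
        if bad is not None:
            raise ValueError(f"journal integrity failure at entry {bad}")
        return [handler(e["payload"]) for e in self.entries]

def demo():
    # Constructed sample transactions, not real agency data.
    j = RecordOnlyJournal()
    j.record({"type": "grant_payment", "id": "TX-1", "amount": 1200})
    j.record({"type": "permit_renewal", "id": "TX-2"})
    return j
```

The chain detects edited or removed entries but not a truncated tail; keeping the latest hash somewhere the journal host cannot write closes that gap.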

16.6 A concise roadmap (12 months)

  1. Quarter 1: Inventory essential services; map to A-11 §124; migrate them to FedRAMP baselines; implement TIC 3.0 patterns for isolation. (FedRAMP)
  2. Quarter 2: Stand up KEV/BOD 22-01 automation for excepted assets; build “record-only” queues for non-excepted workflows; draft runbooks with GC/IG sign-off. (CISA)
  3. Quarter 3: Deploy crisis information chatbots with NIST-aligned evaluation; conduct COOP/FCD-1 exercises; red-team the ADA guardrails. (FEMA)
  4. Quarter 4: Live test “statistical proxy” partnerships; publish public dashboards clarifying what continues/pauses in a lapse; after-action with GAO metrics. (The White House)
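
The KEV/BOD 22-01 automation for excepted assets (16.2, 16.5 and Quarter 2 above) reduces to a join between the KEV feed and an asset inventory tagged by A-11 §124 status. The sketch below is an added example, not agency or CISA code: the inventory format, the asset names and the choice to record findings on non-excepted assets as deferred to restart are assumptions, and the CVE ids are placeholders.

```python
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (only the fields used).
# CVE ids are placeholders, not real catalog entries.
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dueDate": "2025-10-01"},
    {"cveID": "CVE-0000-0002", "dueDate": "2025-10-20"},
]}

# Hypothetical inventory format: 'excepted' mirrors the A-11 section 124 mapping.
INVENTORY = [
    {"asset": "dispatch-gw", "excepted": True,
     "open_cves": ["CVE-0000-0001", "CVE-0000-0002"]},
    {"asset": "grants-portal", "excepted": False,
     "open_cves": ["CVE-0000-0001"]},
    {"asset": "alerting-api", "excepted": True,
     "open_cves": ["CVE-0000-0009"]},  # open finding that is not in KEV
]


def kev_worklist(catalog, inventory, today):
    """Split open KEV findings into lapse-time work and work deferred to restart."""
    due_by_cve = {v["cveID"]: date.fromisoformat(v["dueDate"])
                  for v in catalog["vulnerabilities"]}
    active, deferred = [], []
    for item in inventory:
        for cve in item["open_cves"]:
            due = due_by_cve.get(cve)
            if due is None:
                continue  # not a KEV entry: outside this pipeline
            row = {"asset": item["asset"], "cve": cve, "due": due,
                   "overdue": due < today}
            # Only excepted systems stay in the live remediation queue.
            (active if item["excepted"] else deferred).append(row)
    # Overdue first, then earliest deadline, so thin staffing sees the worst first.
    active.sort(key=lambda r: (not r["overdue"], r["due"]))
    return active, deferred
```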

16.7 Bottom line

Shutdowns may persist, but service collapse is not inevitable. By pre-engineering automated continuity for excepted functions, governing AI with NIST RMF (and allied frameworks), and tightening legal guardrails under OMB A-11 §124, the federal government can sharply reduce harm to safety, security, and the public—without undermining Congress’s power of the purse. (The White House)


References

  • CISA (2023) Trusted Internet Connections (TIC) 3.0: Core Guidance. Washington, DC: CISA. (CISA)
  • CISA (2021) Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities. Washington, DC: CISA. (CISA)
  • FEMA (2017/2018) Federal Continuity Directive (FCD-1) & Implementation Scoping Guidance. Washington, DC: FEMA. (FEMA)
  • FedRAMP (n.d.) FedRAMP.gov – About and Authorisation Guidance. Washington, DC: GSA. (FedRAMP)
  • NIST (2023) AI Risk Management Framework 1.0 (NIST AI 100-1). Gaithersburg, MD: NIST. (NIST Publications)
  • OMB (2025) Circular A-11 (Aug 29, 2025), Section 124: Agency Operations in the Absence of Appropriations. Washington, DC: Executive Office of the President. (The White House)
  • The White House / Federal Register (2023) Executive Order 14110 – Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. Washington, DC. (Federal Register)
  • UK Government (2023) AI Safety Summit: The Bletchley Declaration. London: Cabinet Office. (GOV.UK)