President Obama has given his last press conference and will leave office tomorrow. What will his administration’s legacy be? Well, it’s complicated.
On one hand, the administration put IT and adoption of modern technology front and center, and put in place policies that spurred cloud adoption, data center modernization, and more efficiency in IT procurement.
On the other hand, the breaches that targeted the Office of Personnel Management (OPM) — in which the personal information of 22.1 million current, former and potential federal employees was stolen — served as a black mark and highlighted cybersecurity weaknesses. The botched rollout of the HealthCare.gov website also was an embarrassment for the administration. However, those events spurred a greater emphasis on cybersecurity and IT modernization, and the creation of the U.S. Digital Service to help agencies deploy modern digital solutions.
The administration’s focus on IT was present from the start, with the appointment of Vivek Kundra in March 2009 as the first federal CIO, charged with directing the policy and strategic planning of federal IT investments and overseeing federal spending. Kundra was succeeded by Steven VanRoekel, Lisa Schlosser (on an interim basis) and Tony Scott.
Vivek Kundra, who served as the first federal CIO from 2009 to 2011. Photo credit: Salesforce APAC/YouTube
Another key element of the administration’s IT strategy was the passage in December 2014 of the Federal Information Technology Acquisition Reform Act (FITARA), seen as the most important piece of federal IT legislation since the Clinger–Cohen Act of 1996. FITARA, passed as part of the 2014 National Defense Authorization Act, gives CIOs authority on budget, acquisition and human resources as they relate to technology.
“What we tried to do there was shift from an older model to one of more risk-based assessment rather than checklist, and also one of making sure federal CIOs are focused on implementing FITARA the right way, on creating visibility and transparency and continuous upgrade as a set of core principles around how federal IT is managed,” Scott, whose last day in the administration was Jan. 17, told Federal News Radio.
The House Oversight and Government Reform Committee has developed scorecards to measure agencies’ progress on implementing FITARA, and in the third round of grades issued in December, 12 agencies improved their grades and 11 maintained them from the second scorecard, which was released last May.
Bill Rowan, vice president of federal sales at VMware, notes that no agency did very well on the first scorecard in November 2015, because it would have made the legislation “look foolish” if agencies had been doing well on the objectives set out by FITARA: data center consolidation, IT portfolio review savings, incremental development and risk assessment transparency.
“CIOs have gotten their arms around fiefdoms” in their agencies, Rowan says, and have cut down on shadow IT purchases. FITARA “got IT on the agenda of the secretaries of these agencies,” he adds, praising the law as “really positive legislation.”
Shaun Donovan, the outgoing director of the Office of Management and Budget, laid out a detailed case for continuing the Obama administration’s IT priorities in a Jan. 5 “exit memo,” and noted that in July, OMB also issued updated and revised OMB A-130 guidance for governmentwide IT management, security and privacy.
“The guidance had last been updated in 2000, prior to the advent of pervasive networked, social and mobile information technology. Under the new guidance, agencies are required to identify the expected lifespan of IT systems and to develop and implement plans to retire and upgrade IT systems with regularity. Agencies are required to ensure sufficient IT hardware and software visibility and asset management; to exercise comprehensive IT risk management; and to encrypt, by default, moderate- and high-impact data.”
In 2014, the administration launched an initiative known as “category management,” which shifts from managing government IT purchases individually across thousands of procurement units to buying as one, in order to leverage the government’s purchasing power, Donovan notes. “We advanced innovative and effective category management policies that streamline the more than $8 billion in annual spending for IT software, hardware, and mobile services and devices,” he wrote. “As a result of these efforts, we have saved more than $2 billion in Federal contracting and are on track to save an additional $3.1 billion by the end of fiscal year 2017.”
Since 2011, the government has been pursuing a formal “Cloud First” policy that requires agencies to default to using a cloud-based technology if they can find a secure, reliable and cost-effective solution. The idea was, and remains, that cloud technologies would enable agencies to pay only for the IT resources they used and would deliver services in a more efficient manner.
The General Services Administration’s Federal Risk and Authorization Management Program (FedRAMP), which was established in December 2011, and which certifies and monitors the cloud services that agencies can use, has received its fair share of criticism. However, FedRAMP worked to speed up the authorization process in 2016 and wants to double the number of cloud services that agencies can choose from, up to 150 by the end of 2017; there were 72 in late 2016.
Rowan says he thinks the “Cloud First” policy has been a good one, but acknowledges that some agency IT leaders were not “thrilled” and felt like they knew what was best for their agency’s IT environments. The problem that arises from that approach, he says, is that it creates IT “stovepipes” and makes it more difficult to manage complex IT environments. He notes that agencies are free to use private cloud, public cloud or hybrid services. “I’m not sure where that hasn’t benefited government foundationally,” he says.
In 2010, OMB launched the Federal Data Center Consolidation Initiative (FDCCI) to reduce the number of federal data centers and cut costs. Since then, Donovan says, agencies have closed more than 1,900 data centers and saved nearly $1 billion.
However, because the government still operates more than 9,000 data centers, OMB in August 2016 unveiled the Data Center Optimization Initiative, which is aimed at consolidating inefficient data center infrastructure, optimizing existing facilities, improving security, achieving cost savings, and pushing toward more energy-efficient infrastructure, cloud services and interagency shared services. The rules are designed to reduce costs by $2.7 billion by the end of fiscal year 2018.
The Utah Data Center, which is primarily used by the National Security Agency. Photo credit: ParkerHiggins/Wikimedia Commons
Although outgoing Defense Department CIO Terry Halvorsen has said he is disappointed by the lack of progress DOD has made on data center consolidation, the agency is moving to speed up closures and other agencies are proceeding apace to fulfill the new rules.
Despite a heavy emphasis on cybersecurity, threats to government agencies have morphed and multiplied, and the administration has suffered numerous breaches, most notably the OPM breach, which started in March 2014 but wasn’t disclosed until June 2015. It was reportedly conducted by hackers connected to the Chinese government.
In addition, as Nextgov reports, “there were breaches of email systems at the White House, State Department and Joint Chiefs of Staff, reportedly committed by Russian government-linked hackers.”
Yet the administration also took numerous steps to beef up cybersecurity. Nextgov notes:
“DHS built and continually upgraded its Einstein cyber threat detection and prevention system, which now protects more than 90 percent of federal agencies. The White House issued directives establishing internal government cybersecurity policies and procedures for responding to cyber incidents and attacks. The National Institute of Standards and Technology established a cybersecurity best practices framework widely adopted by the private sector. The Defense Department stood up an independent U.S. Cyber Command, with offensive and defensive capabilities, which reached its initial operating stage in October, staffed with more than 6,000 cyber warriors. The State Department worked with dozens of other nations to establish peacetime norms in cyberspace and to work out how international law applies there. And the Treasury Department developed a set of cyber-specific sanctions the White House used to punish Russian hackers in December.”
A presidential commission in December recommended that the incoming Trump administration launch a program to train 100,000 cybersecurity practitioners and initiate a national cybersecurity apprenticeship program to train 50,000 more by 2020. The report includes 53 specific “action items” for the incoming administration to follow up on. The administration also established the role of federal chief information security officer to coordinate federal cybersecurity policy.
Despite these efforts, the government still uses a great deal of outdated IT, though the administration also made IT modernization a key policy in its final year and sees it as a crucial element of cybersecurity.