Federal CIOs and others have observed that rapid changes in technology, especially in mobile computing, constitute an inflection point for federal IT. At the Bureau of Alcohol, Tobacco, Firearms and Explosives, and in other agencies, we are rapidly moving beyond what has become, in essence, an IT monoculture — an environment that since the late 1990s has largely relied on Microsoft Windows for desktops and RIM BlackBerrys for mobile devices. Those products continue to be a major part of federal IT, and, over time, that environment has become predictable, manageable and comfortable.
But the recent trend in “consumerization” has brought an exploding diversity of powerful and user-friendly mobile devices, along with rapidly changing associated software (operating systems and applications), and has fundamentally disrupted the predictable IT environment. Now, we need to think carefully about how we adapt to an environment that is more diverse and open, more unpredictable, and — today, at least — less manageable and less comfortable than that to which we have become accustomed.
To that end, the National Institute of Standards and Technology has been working to incorporate mobility and its challenges into its publications, focusing on establishing in the mobile environment “roots of trust” for security similar to what exists today in the traditional federal IT environment. In the future, those roots will likely need to be predicated upon the adoption of broader and more open standards rather than on particular products and vendors. For example, NIST has validated (under FIPS 140-2) the cryptographic module provided by the open-source OpenSSL toolkit, meaning that the validated module can be reused and engineered into new products or platforms. The practical caveat is that the validation covers that specific module, built and operated as its security policy describes, not every build of OpenSSL; a product that wants to inherit the validation must incorporate the validated module unchanged.
Similarly, in striving to be device-agnostic, we need to focus on securing data rather than devices. This shift requires us to think differently about how we design, tag and expose our data, and in many cases will require us to re-engineer legacy systems that were not built on those principles. Generally, it also assumes a greater reliance on continuous, pervasive network connectivity, so data does not need to be stored locally on devices.
Digital Strategy: Read the federal Digital Government Strategy at cio.gov/building-a-21st-century-government/digital-strategy.
We also need to work across federal agencies to develop a finite range of discrete security controls, tailored to well-understood use cases and risk postures, instead of what seems today to be an almost infinite number of security regimes based on organization-specific interpretations and implementations. We must also focus on real, implemented security controls rather than the “aspirational” controls that we desire but never actually put into practice. Through this approach, we can concentrate on developing and implementing meaningful controls, instead of producing perishable device- or software-specific configurations. Moreover, we will move to a greater commonality within our security frameworks, allowing us to better understand and trust each other’s security authorizations and share solutions and services more easily and interoperably.
Last, the device-independent delivery of more complex content such as documents, presentations, analytics and visualizations remains a challenge. Our ability to reproduce faithfully and interact with such content across platforms and devices will be critical. We already see support for this, from solutions such as Google Docs and Maps and Microsoft Office, to name a few. We expect even more moving forward.
Change that is this fundamental can be extremely daunting. However, through thoughtful planning and engineering with the end in mind, such transformative change can be accomplished incrementally. We must incorporate these “new defaults” of open standards and device independence as we modernize old systems, build new services, and arrive at the other side of the inflection point in a new era for federal IT.