The federal government needs to rethink how it purchases and deploys technology, making those decisions irrespective of agencies’ organizational structures, according to federal CIO Tony Scott. The top federal IT official also said that the government, not to mention society at large, needs to change the conversation around cybersecurity: The focus, Scott urges, must be on quality and best practices.
Speaking at FedScoop’s FedTalks 2016 conference in Washington, D.C., Scott praised the House of Representatives’ passage last month of the Modernizing Government Technology Act of 2016, which is designed to spur the replacement of legacy federal IT. The bill, which still awaits action in the Senate, is an evolution of the White House’s proposed $3.1 billion IT Modernization Fund.
While the MGT Act does not appropriate new money, it does authorize working capital funds at the 24 agencies governed by the Chief Financial Officers Act of 1990. As FCW reported, these funds “drive IT modernization and bank the savings achieved from retiring expensive legacy IT and shifting to managed services.” The bill also authorizes a governmentwide revolving fund that the General Services Administration would manage.
“The construct and the framework of it is something that I think is quite workable, and in some ways a nice improvement on our original proposals,” Scott said during a keynote presentation at the conference.
Scott asserted that the broad federal IT community understands that “what we’ve been doing hasn’t worked so well, and that we need a new model and a new paradigm for” IT funding. As Scott and many others have noted, the federal government spends roughly 80 percent of its $80 billion annual IT budget on maintaining legacy systems.
The MGT Act and associated changes, Scott told the audience, represent “a new mental model” for thinking about IT governance, architecture and funding for technology investments.
Scott advised those in federal IT leadership positions to look at the information systems architecture of their organization, what its boundaries are, the scope of the infrastructure, and the applications they are responsible for.
“And if it exactly matches the org chart of your agency, you know you are in trouble,” he said. “If there’s a 1-to-1 match of the information systems capability you have and the way your org chart is organized, you are in deep doo-doo.”
What that inherently means, Scott said, is that the agency has not taken a customer-centric approach, and has not organized either its infrastructure or applications to serve the customers.
In that world, Scott said, agencies are using business processes that merely produce services and interact with customers based on how the agencies are organized. And that, Scott said, is all wrong. “There is nobody who’s a customer of anything that wants to have to decode that institution’s org chart to do what it is they want to do,” he said. “You shouldn’t have to know how an enterprise is organized in order to find information, or to get served, or do whatever it is you’re trying to do in terms of your interaction with that organization.”
Thanks to legacy IT systems that have automated manual processes and created information systems architectures around how agencies are organized, agencies are unable to break free of old ways of operating, Scott contended. “It wasn’t wrong to do that at the time; it’s just that we need to move on from that,” he said.
Scott relayed an old bit of advice that elicited a number of laughs: “If you’re riding a dead horse, best dismount.”
“This is a paradigm for IT that’s dead,” he added. “Let’s dismount. Let’s move on to a different model.”
Federal agencies should focus on adopting broad, shared IT services and cloud infrastructure, Scott said. That will allow agencies to use the “precious resources” they do have on “the mission-specific, mission-critical things that only those agencies can do. But they should be able to ride on a broad set of common capabilities.”
The MGT Act, Scott predicted, will usher in a new model, one that will allow agencies to collaborate and deploy a set of shared IT infrastructure and shared services, upon which applications and citizen surveys capabilities can be built.
That will help agencies cut costs but also speed up how they deploy apps and services, Scott suggested, and that speed will be more important in the years ahead.
“Five years from now, we’re probably not talking about what the cost of things are,” he said. “I think we’re going to be talking about how fast we are, how flexible we are, how adaptable we are to meet the needs of our citizens and our country.”
In the federal government’s IT funding model today, Scott said, there is the expectation that the smallest agencies are going to do as well on cybersecurity as the Defense Department.
“You know that the chances of that happening are slim to none,” he said. “Small agencies or groups of small agencies just don’t have the resources, can’t get the kind of talent, can’t put together the critical mass of capabilities that you need to do an adequate job. And yet some of those small agencies have some of the most important information and represent some of the most important assets that our country has.”
Scott noted that in the 1980s and early 1990s there was a “national crisis” in the American manufacturing and auto industries, as businesses and consumers flocked to buy products from Japanese companies and other foreign competitors. The quality of those products, many Americans felt, was superior.
In response, American companies like GE focused on quality and the “Six Sigma” data-driven methodology for eliminating defects. That spread to many other companies, Scott noted, and should now be applied to cybersecurity.
Every time there is a breach or a hack, one could think of that as a defect, he said. “We ought to be able to measure these things, and we ought to be able to apply some of the same processes and methods that we used to solve some of our manufacturing quality issues,” Scott said.
Scott noted that last month the Commerce Department’s National Institute of Standards and Technology (NIST) unveiled a draft of the Baldrige Cybersecurity Excellence Builder, a self-assessment tool to help organizations better understand the effectiveness of their cybersecurity risk management efforts. NIST is accepting public comments on the draft until Dec. 15.
Scott said he hopes the program will move the cybersecurity conversation away from pointing out flaws and toward applying best practices.
“I think what we need is a broad national conversation, creating awareness, sharing information, but most importantly, deeply embedding good practices in all of our institutions, across all our aspects of government, and all aspects of our economy,” he said. “And I think it’s only by having this broader conversation and making a commitment as a country, as a government, as a part of our private sector that we’re going to do something meaningful about this and that we’re going to make progress.”