While the IC’s research organization looks into adding security to cloud environments, in the here and now, intelligence agencies are sharing more data.
What is the future of federal IT modernization? It’s uncertain, but federal IT leaders say that critical details about a potential IT modernization fund need to be worked out in Congress, including how the fund would be repaid and what penalties would be assessed if agencies do not show a return on investment.
On a panel Thursday at MeriTalk’s 2017 Data Center Brainstorm event in Washington, D.C., the officials also delved into how they prioritize projects in technology modernization. Some of the factors they said were under consideration: the vulnerability of IT assets to cybersecurity threats; how critical the systems or applications are; and whether the people using the systems have special knowledge that needs to be imparted to other users.
As part of its broader cybersecurity proposals, the Obama administration proposed a $3.1 billion IT Modernization Fund (ITMF). Congress took up the issue, only to see momentum stall at the end of 2016. In September, the House of Representatives passed the Modernization Government Technology Act (MGT Act), which didn’t appropriate any new money, but would have authorized working capital funds at the 24 agencies governed by the Chief Financial Officers Act of 1990.
The funds would allow agencies to reprogram funding (with the approval of appropriators) to improve, retire, or replace existing IT systems. This would help boost efficiency and effectiveness, transition to the cloud and support IT capabilities that deal with evolving security threats. The bill also authorized a governmentwide revolving fund that the General Services Administration would manage, akin to the ITMF.
The MGT Act would fund IT upgrades across the government. The original co-sponsors of MGT, Reps. Will Hurd (R-Texas) and Gerry Connolly (D-Va.), plan to reintroduce the bill after it stalled late last year, The Hill recently reported.
Meanwhile, earlier this month, Thomas Bossert, assistant to the president for homeland security and counterterrorism, indicated that the White House thinks it will take a year or two for such an effort to move ahead.
At the MeriTalk event, Agriculture Department CIO Jonathan Alboum said that an IT modernization fund of some kind would have a great deal of value, and that his agency has made good use of its existing working capital fund to drive modernization.
Such a fund for all agencies would help produce IT savings in the long term by allowing agencies to make upfront investments, Alboum indicated. At USDA, the agency is looking to consolidate its 17 different networks down to one, two or three as part of the General Services Administration’s forthcoming Enterprise Infrastructure Solutions (EIS) contract. “To move from what we have now to what we want to have is not free,” Alboum said, and a working capital fund would help defray the costs as USDA modernizes its networks.
Melonie Parker-Hill, division chief of the Enterprise Operations Center at the State Department, said State has also benefited from its working capital fund. She added that critical questions need to be answered about how agencies would repay money they take from the fund — and potential penalties if they don’t. “What if you are not able to achieve that return on investment?” she asked. Agencies need to have a clear understanding of the potential penalties and incentives for upgrading IT.
Food and Drug Administration CIO Brad Wintermute, whose agency does not have a working capital fund, says a governmentwide IT modernization fund would be “really appealing.” However, he noted that paying back the fund is a concern because of potential change management issues and the length of time it could take for projects to be completed.
“I need a long runway to be able to see the savings, to be able to turn that back in,” he said. “We also have a lot of systems, so there’s a situation where you almost the need the snowball effect. I need that initial capital, but then if you’re going to take the savings, I need it for the next system. I don’t know if I get to the point where I give it back for a long time.”
How do agencies prioritize which IT systems to upgrade?
One factor is cybersecurity concerns. Alboum noted that the Department of Homeland Security told USDA to identify its “high-value” assets that need to be protected from cyberattacks. Congress directed the agency to identify its oldest systems that are the most difficult to maintain. When a system appears on both lists, Alboum said, it’s a “prime candidate.” For those assets, the security conversation “becomes a real driving factor in that prioritization process.”
Parker-Hill used an analogy of juggling different kinds of balls — iron balls, rubber balls and crystal balls. Iron balls are services that do not need to be upgraded urgently. Rubber balls are services that could be upgraded or could be put on hold. And crystal balls are critical services, such as payroll systems, that cannot go down or falter. Each agency will have different systems they put into those categories, she said. More strategically, agencies need to think through which upgrades will produce the largest return on investment.
Wintermute agreed with Alboum that anything presenting a significant security risk needs to be fixed and upgraded as soon as possible. However, he also noted that some systems may require skill sets that are hard to find and therefore expensive to fix. Identifying projects where the skill sets needed to upgrade the system are readily available could help make those upgrades more achievable.
On that issue, Alboum noted a potential quandary: Some software may have been written decades ago, and the real comprehension of that software is locked inside IT veterans’ heads, is not well documented, and needs to be imparted to colleagues before those people retire. “How do we avoid building another system with critical functionality,” Alboum asked, “that we don’t know how it works?”