May 17 2017

Trump’s Cyber Order Links Security with IT Modernization, Graves Says

Updating technology systems must be dictated by assessments of the risks they pose.

President Donald Trump’s executive order on cybersecurity, which he signed last week, intertwines security of federal IT systems and networks with technology modernization, according to acting federal CIO Margie Graves. The order has the potential to speed up the adoption of shared cloud and cybersecurity services, she added.

Speaking Wednesday at the FedScoop Public Sector Innovation Summit in Arlington, Va., Graves said that the executive order takes a risk management approach to cybersecurity and will force agencies to better understand their IT assets and data.

Graves also indicated that the executive order could be tied back to budgeting for IT modernization, since agencies will need to decrease their risk by investing in new technologies.

Implementing the Cybersecurity Executive Order

Graves noted that it’s getting easier for malicious actors to attack networks around the world, as this past week’s WannaCry ransomware attack demonstrated. The Office of Management and Budget is responsible for cybersecurity in two ways, she noted: implementing the Federal Information Security Modernization Act of 2014, and helping agencies get unsupported hardware and software out of their IT environments.

The new executive order puts cybersecurity “front and center” for OMB, Graves said, and leverages many of the constructs for cybersecurity that are already in place. Under the order, each agency head is required to use the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (NIST), or any successor document, to manage his or her agency’s cybersecurity risk. 

Each agency director is required to provide a risk management report to the Department of Homeland Security and OMB within 90 days. Those reports must document the risk mitigation and acceptance choices made by each agency head, including the strategic, operational, and budgetary considerations that informed those choices, and any accepted risk, including from unmitigated vulnerabilities. They will also need to describe the agency’s action plan to implement the NIST Framework.

Agencies need to understand their IT assets, Graves said, because those assets are the foundation for making “those risk-based decisions and those tradeoffs you do in an operational environment on a daily basis.”

Those assessments will help OMB determine how to gauge the magnitude of the risks and how much needs to be spent to mitigate them. She noted that legacy IT is risky for several reasons.

The Government Accountability Office has noted that legacy IT systems “may become increasingly more expensive” as agencies pay higher prices to “hire staff or contractors with the knowledge to maintain outdated systems.” If every IT dollar is spent on maintaining old systems (and currently around 80 percent of federal IT spending is), then reduced funding or unforeseen costs can threaten agencies’ ability to carry out their missions, Graves noted. Importantly, legacy IT systems often cannot be patched and may not support encryption or multifactor authentication, Graves added.

The Future of Federal IT Modernization

Under the order, within 90 days, the director of the American Technology Council, Chris Liddell, will coordinate and produce a report to President Trump from the secretary of Homeland Security, the director of OMB, and the administrator of the General Services Administration, in consultation with the Secretary of Commerce, as appropriate, regarding the modernization of federal IT. 

The report will “describe the legal, policy, and budgetary considerations relevant to — as well as the technical feasibility and cost effectiveness, including timelines and milestones, of — transitioning all agencies, or a subset of agencies” to one or more consolidated network architectures, as well as shared IT services, including email, cloud and cybersecurity services.

The government faces challenges to achieving IT modernization, Graves said, because decentralized acquisition and difficult processes encourage duplication and inefficiencies. The federal IT workforce is not adequately enabled to take advantage of modern technology approaches. Authority over and management of IT portfolios are still not concentrated in single points of accountability, despite the Federal Information Technology Acquisition Reform Act (FITARA).

Most important, Graves said, the traditional federal budgeting process creates disincentives to long-term planning and IT investment. The recently reintroduced Modernizing Government Technology (MGT) Act aims to change that approach.

As FedScoop reports:

The re-introduced bill is the same as its predecessor in that it proposes allowing agencies to put money they have saved with IT into working capital funds, which can be accessed for up to three years, to fund future efforts to modernize their technology. It also calls again for the creation of a centralized fund agencies can tap into for modernization.

The new bill caps the amount that can go in the centralized fund for year one and year two at $250 million per year, FedScoop reported.

The Congressional Budget Office gave the bill a price tag of $500 million over five years, compared to $9 billion for the original bill, which may make it more politically palatable in Congress. Rep. Will Hurd (R-Texas), one of the key sponsors, brought it to the floor of the House of Representatives today for a vote, where it passed. The bill now goes to the Senate, where it is thought to be more likely to pass than the original version, which died in the Senate late last year.

Graves said that the government could move toward a model in which agencies are required to budget for the modernization of specific, high-risk legacy IT systems. She praised the MGT Act’s approach to using working capital funds.

Agencies can also enhance IT modernization by requiring technical hires to demonstrate hands-on technical abilities, getting direct hiring flexibility for IT positions, and accelerating the deployment of digital services teams, Graves said. She also said agencies can continue to leverage federal buying power through category management approaches and centralized acquisition vehicles.

Additionally, Graves said the government can improve agency leadership’s attention to IT issues through mechanisms such as the President’s Management Council, and that OMB can focus its oversight of FITARA implementation on modernization.

The goals of the cybersecurity order are clear, Graves said, and the push for IT modernization is strong. Now, agencies and OMB need to execute on those fronts.

Phil Goldstein
