It has been a banner week for federal technology modernization efforts, first with the signing into law of the Modernizing Government Technology Act and then with the release of the White House’s report on IT modernization. And, according to federal IT officials, those actions will spur a wave of IT upgrades next year.
Agencies will likely accelerate their push into the cloud and adopt more “as a Service” technologies, and will also look to modernize and simplify their cybersecurity efforts, according to officials at the Department of Homeland Security and International Trade Commission.
Speaking at an Association For Federal Information Resources Management luncheon in Washington, D.C., on Dec. 14, the officials said they expect to see agencies’ IT leaders go after the “low-hanging fruit” of IT modernization next year. That includes restructuring cybersecurity architecture, the continued shuttering of data centers and shifting to virtualized, cloud-based services.
Kevin Cummins, vice president of technology at the Professional Services Council, a trade group that represents government technology professionals, said that the group’s research indicates that some IT leaders are not worried about maintaining parts of their legacy IT.
On the other hand, some agencies are still running supervisory control and data acquisition systems from the 1980s. “A lot of that could be replaced with vastly more fictional and newer and more efficient stuff,” he said. “How do you get there?”
Cybersecurity, Data Center Optimization Will Be Key in 2018
Barry West, acting deputy CIO and the senior accountable official for risk management at the Department of Homeland Security, said the Trump administration has been keen on driving innovation in federal IT.
Taken together, President Donald Trump’s executive order on cybersecurity, the Office of Management and Budget’s memorandum on implementing the order and the recent White House modernization report go “hand in hand” to demonstrate a strong emphasis on innovation, transformation, shared services and cybersecurity, West said.
The push around cybersecurity has revolved around taking a risk-based approach. West is the DHS point person in charge of implementing the cybersecurity executive order. He expects that, over the next two years, agencies will take many significant efforts to consolidate their security operations centers. SOCs are the facilities where agency websites, applications, databases, data centers and servers, networks, desktops and other endpoints are monitored, assessed and defended.
From left to right, Kevin Cummins, Barry West and Kirit Amin speak at the AFFIRM luncheon on Dec. 14.
West noted that even within agencies SOCs are not standardized. Some operate on a 24/7 basis while others do not. Some leverage DHS’ headquarters SOC and others do not. If there is a cybersecurity incident within an agency, West said, “You don’t want 22 component agencies not having situational awareness” because of different SOC implementations.
“I think you will see a lot of great things,” he said. But it’s going to take a lot of effort.”
Kirit Amin, the CIO of the International Trade Commission (who is about to retire from his post), said there is a “very potent link” between IT modernization and cybersecurity. “You don’t modernize, you can’t secure,” he said.
“When we look at cyber, it’s huge,” Amin said. “How do we get into some actionable wins here?” Amin called streamlining agency SOCs a “perfect example of low-hanging fruit” in the IT modernization arena.
“Why does everyone need a SOC? Why are they not standardized?” he asked.
As a small and independent agency, the ITC is not graded under the Federal Information Technology Acquisition Reform Act, which applies to the 24 CFO Act agencies. Nonetheless, in the three years Amin has been CIO of the ITC, he has pushed for the agency to meet federal IT mandates. He has also pushed for the scores of small and independent agencies to have a seat on the federal CIO Council and have a greater voice in federal IT.
Amin praised DHS’s Continuous Diagnostics and Mitigation program, which offers agencies commercial, off-the-shelf cybersecurity tools — hardware, software and services — that they can access via a central fund. For smaller agencies, DHS has provided CDM as a shared service, which Amin said is an excellent model that should be replicated for other IT services.
Without CDM as a Service, Amin said, smaller agencies could not achieve the cybersecurity goals of the program, which allows agencies to continuously monitor their IT systems and networks and then prioritize the risks based on how severe they might be in an effort to let cybersecurity personnel mitigate the most significant problems first.
Another potential easy win in the IT modernization push, Amin said, is data center optimization and consolidation. “I can’t afford to keep my data center. Why should I?” he said, expressing the thinking at many small agencies. OMB and the General Services Administration should “incentivize larger agencies to bring smaller and independent agencies” into their data centers to give access as a shared service. That would boost efficiency and save money he argued.
Cloud Services Will Get a Major Boost
The cybersecurity executive order and White House IT Modernization report both heavily emphasize the need for agencies to accelerate their adoption of commercial cloud services.
Amin argued that if smaller agencies “do not go cloud and ‘as a Service’ they will not be able to keep up.” Shifting to the cloud and to shared services will allow them to focus more squarely on their missions, he said.
Cummins said that IT modernization will not involve merely replacing decades-old computers with new ones, it will require a new approach to IT. “How can we do this differently now that we’re in the cloud?” he said. “It’s a target-rich environment.”
Cummins added that while the GSA’s centralized IT modernization fund in the MGT Act — $250 million per year in fiscal years 2018 and 2019 — gets a lot of attention, the working capital funds the law authorizes within each CFO Act agency are likely going to be more important. That’s in part because they will potentially be “orders of magnitude” larger than money agencies can get from the centralized fund. The working capital funds can also be used for up to three years.
Those working capital funds will likely be used to accelerate cloud adoption, Cummins said. “It should be very powerful,” he added.
Amin said IT investments need to be based on their potential return. “It has to be ROI-based,” he said. “You need to look at it from a business case.”