Has the Time for Federal IT Modernization Finally Come?

Published: January 11, 2018


The cybersecurity risk associated with federal legacy IT may provide the impetus to actually tackle its modernization.

By most accounts, the majority of federal spending on Information Technology (IT) goes toward legacy systems and applications, which are both costly to maintain and difficult to secure. With a growing list of major cybersecurity breaches being attributed to weaknesses in legacy IT, the Trump Administration has drawn a direct link between IT modernization and increased security.

Near the end of 2017 the American Technology Council released its final Report to the President on Federal IT Modernization, focusing on the modernization of federal IT systems to improve the government’s security posture and improve the economies and efficiencies of federal IT asset acquisition and management. The report was initiated by the White House under its Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure issued last May.

Under the plan, modernization priorities would fall into a few key areas.

Network modernization and consolidation to maximize secure use of cloud computing, modernize agency-hosted applications, and securely maintain legacy systems. Specific actions would include:

  1. Prioritize the modernization of High-Risk High Value Assets (HVAs) among legacy IT assets that are essential for agencies to serve the citizenry and whose security posture is most vulnerable.
  2. Modernize the Trusted Internet Connections (TIC) and National Cybersecurity Protection System (NCPS) Program (i.e. EINSTEIN) to enable cloud migration by updating network security policies and architectures to enable agencies to focus on both network and data-level security and privacy, while ensuring incident detection and prevention capabilities are modernized to address the latest threats.
  3. Consolidate and standardize network and security service acquisitions and management to achieve economies of scale and minimize duplicative investments. GSA’s Enterprise Infrastructure Service (EIS) contract is the vehicle that will be used to achieve these goals.

Use of shared services to enable future network architectures to shift agencies toward a consolidated IT model by adopting centralized offerings for commodity IT. Specific actions would include:

  1. Enable use of commercial cloud services by improving contract vehicles to enable agencies to acquire commercial cloud products that meet FedRAMP requirements.
  2. Accelerate adoption of cloud email and collaboration tools by leveraging federal buying power and identifying the next agencies to migrate to commercial email and collaboration suites.
  3. Improve existing and expand available security shared services through consolidated capabilities that replace or augment existing agency-specific technology to improve both visibility and security.

Resourcing federal network IT modernization through collaboration among agency CIOs, CFOs and Senior Agency Officials for Privacy (SAOPs) to determine which of their systems will be prioritized for modernization, identifying strategies to reallocate resources appropriately. Agencies will be encouraged to reprioritize and reallocate funds away from obsolete legacy IT systems to modern technologies, cloud solutions, and shared services, using agile development practices and industry best practices.

Modernization Gaining Momentum

The ATC modernization plan comes out just as Congress passed provisions of the Modernizing Government Technology (MGT) Act that were included in the FY 2018 National Defense Authorization Act (NDAA). The MGT Act provisions allow agencies to establish working capital funds for modernizing technology, and agencies can reprogram or transfer funds for up to three years to modernize or retire legacy systems.

While it will take time for the full implications of both modernization initiatives to play out – the ATC plan has several immediate and short-term action items for federal agencies to address – the sense is that there is significant and growing will and momentum to start tackling the huge issue of legacy IT and its security vulnerabilities.

The prospect of essentially re-architecting the entire federal government’s IT infrastructure is daunting, to say the least, and some skepticism may be understandable. One test of whether or not there is the collective will to see the task through is to watch agency IT budget proposals for FY 2019, due out in just a few weeks, to see what priorities get funded and by how much and which legacy programs actually begin to change.