Looking Ahead to Cyber Modernization / Agency Data Posturing

Published: September 19, 2019

Modernization has turned the federal contracting landscape into a digital environment, and we live in an era in which cyber warfare is at an all-time high. For the US Government to remain effective and efficient, it must constantly advance its data and cyber posture to maintain its advantage and its place on top of the modern digital world. The US Government’s commitment to modernizing its digital environment is evident in its acquisitions and procurements. While there aren’t many agencies that are under fire per se with regard to government-wide modernization efforts, there also aren’t many agencies that serve as glowing examples. The National Science Foundation (NSF) is one such agency that is leading the way. According to the FITARA COR Biannual Scorecard - June 2019, NSF scored an “A” in the cyber category, a significant change from May 2018, when its cyber grade was a “C”. Trailing in close proximity are the Department of Homeland Security (DHS), General Services Administration (GSA), Nuclear Regulatory Commission (NRC) and the United States Agency for International Development (USAID), which all received a “B” for their cyber scores. No agencies received overall “A” grades. This shows that while agencies are making substantive progress, there hasn’t been an exemplary agency to serve as a lighthouse in the modernization movement.

Below is a breakdown of the agencies listed above, showing where each stands, specifically in the cyber category.

On the other hand, some agencies have a lot of room for improvement in their cyber modernization efforts. For example, the United States Department of Agriculture (USDA), Department of Commerce (DOC) and the United States Department of Health & Human Services (HHS) all received an “F” for their cyber scores, as you can see in the graph below.

The Government Accountability Office recently stated in a report that some agencies still don’t have any documented plans to address decades-old legacy systems. Among these agencies were Education, Health and Human Services, and Transportation. The Department of Education, for example, still runs a COBOL (Common Business Oriented Language) based system, which is becoming increasingly difficult to service due to the lack of people who have experience with the programming language.

| Agency | System name | Age of system, in years | Age of oldest hardware, in years | System criticality (according to agency) | Security risk (according to agency) |
|---|---|---|---|---|---|
| Department of Defense | System 1 | 14 | 3 | Moderately high | Moderate |
| Department of Education | System 2 | 46 | 3 | High | High |
| Department of Health and Human Services | System 3 | 50 | Unknown | High | High |
| Department of Homeland Security | System 4 | 8 – 11 | 11 | High | High |
| Department of the Interior | System 5 | 18 | 18 | High | Moderately high |
| Department of the Treasury | System 6 | 51 | 4 | High | Moderately low |
| Department of Transportation | System 7 | 35 | 7 | High | Moderately high |
| Office of Personnel Management | System 8 | 34 | 14 | High | Moderately low |
| Small Business Administration | System 9 | 17 | 10 | High | Moderately high |
| Social Security Administration | System 10 | 45 | 5 | High | Moderate |

The table above provides a snapshot of the 10 most critical federal legacy systems in need of modernization, per a GAO report from June 2019.

The inclusion of a cybersecurity component pertaining to FISMA (Federal Information Security Modernization Act of 2014) and Presidential Cross Agency Priority (CAP) goal compliance in the latest FITARA Scorecard did not help this cause. Agriculture, Commerce, and Health and Human Services all received failing grades in the FISMA portion of FITARA 8.0 for various reasons, ranging from preexisting internal compliance issues to simply not understanding the FITARA measurement requirements. According to a recent GAO report released in April 2019, there are 4 overarching practices that will help agencies better implement FITARA:

  • Obtaining support from senior leadership
  • Treating FITARA implementation as a program
  • Establishing FITARA performance measures for component agencies
  • Appointing an accountable executive for FITARA at each component agency

Some agencies are already making efforts to improve their data management and cybersecurity posture. USDA, for instance, has stated that it is closing down data centers in anticipation of transitioning to a cloud-based infrastructure. NASA, while mired in legacy systems for its Trusted Internet Connections (TIC), has expressed interest in partnering with cloud providers to transform its data environment. The agency is also in a unique position in that some of its legacy systems are tethered to assets that are currently in use, such as the Voyager satellites, which makes them impossible to upgrade until those missions are completed.

According to the FY 2020 President’s Budget below, there is $17.4 billion allocated towards cybersecurity efforts. The Department of Homeland Security has approximately $1.9 billion allocated for cybersecurity projects, which is approximately 11% of the total cyber budget. DHS is still striving to improve such efforts despite its already above-average cyber score. The National Science Foundation was allocated $224 million for cyber projects, which is 1.28% of the cyber budget. In addition, the agencies that received an “F” received much more in cyber funding than did agencies with much higher scores. The USDA, DOC and HHS requested cyber funding in the amounts of $311 million, $392 million and $460 million respectively, which suggests there could be an uptick in the number of cyber modernization projects in the coming years.

We now live in an age where security breaches are more common than they should be, which might be changing the way agencies are allocating their cyber funding. According to Federal News Network, “OMB reports agencies continue to spend almost 80 percent of their IT budgets to support legacy systems, which means both goals of IT modernization and improved cybersecurity is not happening quickly enough.” Although most agencies were not allocating enough funding towards cyber modernization, some agencies might be concentrating on modernizing their cyber strategy and not focusing as much on legacy systems. Although DHS received a “B” for its cyber score, it is continuing to make internal changes to modernize and improve its cybersecurity strategy. DHS is pursuing a strategy currently used by the DOD that requires the department to assess all 16 federated security operation centers (SOC) so that all agencies under DHS would become a “Center for Excellence”, which isn’t anticipated to be operational until 2021.

Turning from federal spending on cybersecurity to Government estimates for modernization spending, the reported Information Technology (IT) Modernization investments of the U.S. Government for Fiscal Year 2020 total $69.2 billion. This amount is $3.3 billion more than the reported budget of agencies from Fiscal Year 2019. The highest requested budget comes from the Department of Defense, with $19.1 billion in IT projects. Surprisingly, this figure is only 52% of the total $36.8 billion unclassified fiscal 2020 IT budget request made by the Pentagon. Information on the remaining 48% is withheld due to national security concerns.

Most agencies requested more funding for Fiscal Year 2020 than in the previous year. The most notable increases are from the National Aeronautics and Space Administration (NASA), with a requested budget increase of 31.1%, the Department of Commerce, with a 28.3% increase in requested budget, and the National Science Foundation, with a 25.9% increase in requested budget.

The table below shows the breakdown of the $69.2 billion reported IT Modernization investments by agency for Fiscal Year 2020, as well as the percentage increase/decrease compared to last Fiscal Year’s budget as reported to the Federal IT Dashboard. (Values rounded to the nearest million.)

| Agency | Requested FY20 budget for IT Modernization (in millions) | Percentage increase/decrease from FY19 budget |
|---|---|---|
| Department of Defense | $19,068 | -2.3% |
| Department of Homeland Security | $7,071 | +3.3% |
| Department of Veterans Affairs | $6,118 | +11.5% |
| Department of Health and Human Services | $5,645 | +3.2% |
| Department of the Treasury | $4,987 | +7.9% |
| Department of Commerce | $3,860 | +28.3% |
| Department of Transportation | $3,372 | +12.6% |
| Department of Justice | $2,995 | +4.1% |
| Department of State | $2,272 | -6.5% |
| Department of Agriculture | $2,189 | +7.6% |
| NASA | $2,157 | +31.1% |
| Social Security Administration | $1,969 | +17.8% |
| Department of Energy | $1,963 | -7.1% |
| Department of the Interior | $1,283 | +7.4% |
| Department of Education | $761 | +2.7% |
| Department of Labor | $756 | +9.6% |
| General Services Administration | $648 | -2.9% |
| U.S. Army Corps of Engineers | $555 | +18.6% |
| Department of Housing and Urban Development | $383 | +13.1% |
| Environmental Protection Agency | $343 | +0.3% |
| USAID | $168 | +9.3% |
| Office of Personnel Management | $153 | +4.1% |
| National Science Foundation | $132 | +25.9% |
| Small Business Administration | $92 | +3.0% |

The top 10 IT projects for Fiscal Year 2020 are shown below. (Values rounded to the nearest million.)

| Project Name | Agency | Anticipated budget (in millions) |
|---|---|---|
| Electronic Health Record Modernization | Department of Veterans Affairs | $1,603 |
| 2020 Decennial Census | Department of Commerce | $1,577 |
| IT Operations End User | Department of Veterans Affairs | $1,486 |
| Fourth Estate Network Optimization | Department of Defense | $698 |
| Non-DISN Telecomm | Department of Defense | $672 |
| IRS Main Frames and Servers Services and Support (MSSS) | Department of Treasury | $630 |
| Department of Defense Healthcare Management System Modernization | Department of Defense | $623 |
| Joint Service Provider | Department of Defense | $560 |
| Commercial Satellite Communications | Department of Defense | $536 |
| Network Standard Investment | Social Security Administration/General Services Administration | $521 |

An example of a procurement resulting from the modernization effort is the JEDI Cloud requirement currently being solicited by the Department of Defense, Washington Headquarters Services. The Joint Enterprise Defense Infrastructure (JEDI) is a large Department of Defense cloud-computing contract with a potential 10-year period of performance and an anticipated maximum value of $10B. JEDI’s contractual goal is to put a single cloud service provider at the center of hosting and dispensing mission-critical assignments and classified military secrets to warfighters around the globe. The JEDI Cloud will allow the DOD to use technologies like artificial intelligence, placing the department into the modern digital age. JEDI Cloud will provide the ability for people, regardless of their location around the globe, to use and operate data as needed. It will also support advances in artificial intelligence.

Cyber warfare will continue to evolve and grow at exponential rates due to the increasing pace of technology growth, which has put government agencies in a more vulnerable position and requires them to focus not on legacy systems but on modernization. Agencies continue to operate on outdated systems while a new wave of employees from more recent generations lacks knowledge and experience working on these prehistoric programs. Because agencies have been allocating approximately 80% of their cyber budgets to legacy systems, we can expect some sort of change in that ratio in the coming years. However, the future looks bright based on forecasted budget requests and agencies’ roadmaps for IT transformation. The significant increase in requested budgets for IT modernization plans across almost all agencies demonstrates the Government’s awareness of the need to keep up with the times.