The White House IT report sounds good, but funding is still needed

As the White House presses forward with its IT modernization efforts for the federal government, success for these initiatives will depend on the funding being there to make them a reality.

The director of President Donald Trump's American Technology Council recently released a draft report on federal IT modernization, which was developed pursuant to a directive in the president's wide-ranging executive order on cybersecurity. The report states that it is intended to "create a vision for the future of Federal IT that maximizes secure use of the best commercial technology available, and…define a plan to jumpstart the government's transition to that vision."

The content and recommendations within the report sound good, and the document contains a solid description of the security and budgetary challenges posed by outdated federal IT systems. Similarly, it outlines a roadmap for agencies to modernize and consolidate networks, improve IT acquisition, and better utilize the cloud and shared services in order to enhance their cyber posture.

Unfortunately, it still doesn't commit sustained, long-term funding to provide the resources that will be needed to fix the vulnerabilities posed by legacy IT systems.

For anyone who deals with information security and federal IT contracting, the entire 51-page report is worth reading. Below are some of the highlights of the report along with my observations on what also should have been included.

The benefits of moving to shared services

The government spends too much taxpayer money maintaining legacy systems, and this report lays the foundation to move the focus of government acquisition efforts to the cloud and other more secure and cost-effective solutions. Specifically, it wisely encourages agencies to "maximize secure use of cloud computing" and to consider abandoning pending and future contracts that would continue legacy IT systems identified as at-risk and in need of modernization. 

Maximizing security cost-effectiveness with risk management

The plan also endorses a risk-based approach to prioritize information security resources. It recommends, with specific deadlines for action, the identification and prioritization of "high-risk, high value assets." This will entail shifting resources from lower-risk, low-value assets and involve greater use of automated compliance processes, including automated continuous monitoring.

The report notes that the Federal Risk and Authorization Management Program currently provides "a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services." It sees FedRAMP, with additional baseline updates, as continuing to be a valuable component of this risk-based process. By shifting further to automation, agencies can reduce costs and enable security officials to better focus their efforts on the highest priority vulnerabilities and threat vectors. 

Taking the commercial approach to IT solutions

For too long, government agencies have acquired IT solutions and services via a fragmented IT acquisition structure with incredible redundancies. The report notes that standardizing and consolidating IT acquisition will achieve economies of scale, freeing up resources to pursue additional IT modernization needs.

To their credit, the report's authors recognize and place great value in the outstanding commercial technology capabilities that already exist and are available to the federal government. Utilizing commercial-off-the-shelf products wherever possible is something the private sector has urged the government to do for years, but the bureaucratic inertia and subtle favoritism for government-off-the-shelf solutions has been difficult to overcome. It is my hope that this report can help knock down such resistance to utilizing innovative private sector solutions.

Agility and innovation calls for new ways of thinking

The authors admit much of the report is based on industry best practices and innovative approaches. In doing so, they conclude that achieving these goals "will require a shift in the mindset of agency leaders, mission owners, IT practitioners and oversight bodies," and I totally agree with that.

One immediate change modeled on private sector practices would be to empower the federal CIO to hold the CIOs of the various agencies personally accountable. If they aren't doing everything they can to implement the president's goals with respect to IT modernization, migration to the cloud and cybersecurity, the CIO should be able to impose penalties and even be prepared to overrule them to give stronger top-down direction to agencies for this important effort. That might shake up a few people, but it will send a clear message that the White House won't tolerate bureaucratic inertia.

Spending priorities must shift to support IT modernization

Despite all of the positive direction in the report, I must return to my one big concern -- the report references reallocating resources to modernize federal IT networks, but does not acknowledge that additional new resources will also surely be needed. 

Modernization of federal IT is not a one-shot deal that can be quickly "finished -- it will be a long-term, continuous process, as federal systems will require regular and repeated modernization to meet new threats and incorporate new technologies. 

Hopefully, the Modernizing Government Technology Act approved by the House and Senate will permit much greater reallocation of resources via reinvested savings. But regardless of the MGT Act's future, the report should have included an acknowledgement that current and future budgets must provide the resources needed to adequately modernize and secure federal IT systems. 

When it finalizes appropriations legislation for Fiscal Year 2018, Congress should fully fund the president's budget request for IT modernization this year. In fact, Congress should consider providing even more than the President sought to jump-start the modernization effort.

In addition to urging that funding for FY 2018, the report should have also committed the Trump Administration to supporting the funding that will be needed in future years to constantly assess, update and secure government systems.

The federal government appears to have finally reached the moment where true IT modernization will happen. But it can only happen if Congress and the White House agree to fund the initiatives needed.