Leveraging the TMF for the secure modernization of high value assets

Prioritizing Technology Modernization Fund dollars for systems that support high-impact programs can drive major improvements in how IT supports key government missions.

 

Last week we published the first in an ongoing series of commentaries intended to highlight the Technology Modernization Fund as a funding option available to agencies to modernize critical systems while lessening reliance on costly legacy systems and reducing cyber risk. In this first post, we outlined elements of the Office of Management and Budget’s TMF/American Rescue Plan (APR) guidance that were just recently updated. The updated guidance incorporates new flexibilities in the fund’s payback requirements and also continues to focus modernization efforts on addressing High Value Assets (HVAs), improving cybersecurity, improving citizen-facing services, and leveraging scalable cross-government services.

On May 12, President Joe Biden issued a comprehensive executive order that gave direction to federal departments and agencies for strengthening the government’s cybersecurity posture. The order establishes a requirement to modernize systems and implement stronger cybersecurity standards by moving agencies and their contract partners to secure cloud services and a zero-trust architecture, and by mandating deployment of multifactor authentication and encryption.

(Note: Zero trust architecture (ZTA) assumes that no user, device or application attempting interaction with a technology environment can be trusted by default. A zero-trust architecture employs the elements of identity management including least privilege access and continuous authentication along with micro-segmentation of the network to limit lateral movement once inside the environment. ZTA is designed to lessen the risk of breaches and damage resulting from inappropriate access.)

Additionally, the EO addresses software supply chain security by establishing a public-private process to develop new and innovative approaches to secure software development, and uses the power of Federal procurement to incentivize the market. (The full text of the order can be found here.)

In this post, we will explore the opportunity to leverage the TMF to modernize HVAs while improving cybersecurity in a manner consistent with the EO’s direction.

The definition of a High Value Asset, as set forth by the Cybersecurity and Infrastructure Security Agency, is as follows:

A High Value Asset (HVA) is information or an information system that is so critical to an organization that the loss or corruption of this information or loss of access to the system would have serious impact to the organization’s ability to perform its mission or conduct business.

This HVA definition was further clarified and expanded with the issuance of OMB M-19-03, “Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program.”

Agencies have long been responsible for identifying and protecting their most critical assets as part of their continuity of operations planning programs. If missions are threatened by natural disasters, terrorist activities, or cyber attacks, agencies must be able to quickly reconstitute operations and restore those critical assets to their normal function in priority order. Also, with the establishment of the High Value Asset Program in 2015, CISA received authority to assist Federal agencies in further identifying those HVAs most vulnerable to cyber attacks, and to set remediation requirements.

These two foundational programs provide data to assist agencies in sequencing systems for modernization, in priority order based on criticality to the mission and identified cyber vulnerabilities. Agencies that have done the critical thinking and planning necessary to take an enterprise portfolio view of their technical assets, and have developed a modernization roadmap tied to the strategic plan and prioritized according to HVA status, can best leverage the expanded funding options afforded to them by the TMF and other funding streams established in the ARP.

Further, agencies can connect the dots among prioritizing HVAs that need modernization, addressing the criteria for a successful business case and the focus areas outlined in the OMB TMF/ARP guidance, and accounting for the stated goals of the Cyber EO. In making this linkage, they can take advantage of opportunities to develop TMF proposals that meet all of these imperatives. Connecting those dots would enable agencies to focus on TMF proposals that:

  • Leverage modernization solutions that move HVAs to cloud environments with zero trust architectures and upgraded authentication fine-grained permissions for access control.
  • Leverage a common and well-designed solution/platform/software to address remediation of multiple HVAs based on the analysis of integration points within and across agency enterprise portfolios, for both mission support and mission delivery processes.
  • Utilize solutions provided by and marketplaces developed by the General Services Administration designated Quality Service Management Offices in the areas of finance, human capital, cybersecurity and grants management. QSMOs serve as government-wide storefronts, offering multiple solutions for technology and services in their functional area
  • Employ a DevSecOps approach to develop modernized applications while following secure practices for software development as outlined in NIST 800-160 and related guidance. The DevSecOps approach automates the integration of security at every phase of the software development lifecycle, from initial design through integration, testing and software delivery.
  • Leverage a modernization solution that improves the customer experience and enhances the cybersecurity posture of citizen-facing systems that contain personally identifiable information.

The federal government continues to be well overdue for modernization. Past modernization efforts have often lacked the level of investment needed to accelerate progress. The TMF was designed specifically to address that issue – the increased funding and added flexibilities improve chances to accelerate progress. Investments made based on strategic significance of assets (as with HVAs) -- and with the use of modernization approaches that leverage commercially available, scalable solutions consistent with TMF criteria – will present opportunities to drive progress by optimizing return on those investments. 

Given the multiple efforts around HVA modernization and cybersecurity that the TMF guidance integrates, more foundational elements of success now exist. These elements apply both within the TMF and, as we discussed last week, can drive progress across the $100 billion federal IT portfolio. Agencies and their industry partners can and should take advantage of the moment and opportunity for significant mission and performance improvement from modernized, secure technology.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.