It’s no great secret that technology today evolves faster than policy. That’s the reality that has the current administration taking directed steps toward renovating IT infrastructure to a level of sophistication the future requires.
It’s not that the federal government isn’t spending money on IT. In fact, of the approximately $82 billion in federal IT spending planned for 2017, 78 percent is dedicated to maintaining legacy investments. But according to the director of the newly formed American Technology Council (ATC), not enough attention has been paid to the future.
On May 1, President Donald Trump created the ATC with an explicit goal to craft a plan to modernize the security and efficiency of IT across the federal government. Soon after, he signed an executive order instructing council Director Chris Liddell to get back to him within 90 days on how best to proceed.
The result, a lengthy report published Aug. 30, includes coordination with a handful of government agencies, such as the Homeland Security Department (DHS), the Office of Management and Budget (OMB) and the General Services Administration (GSA). It outlines both current and hopeful future states of IT across the federal government.
The report doesn’t say how these recommendations would be funded. But in a recent statement of administration policy, the White House noted that funding wouldn’t be included in a new House appropriations bill that it’s backing. Earlier this year, President Trump’s budget proposal included $228 million in IT modernization funding.
Put simply, there’s a lot of information to consume. Fortunately for you, we’ve assembled a list of the seven most important takeaways from the report, which you can find below. We focused specifically on the recommended immediate actions that agencies should take over the next months.
Prioritize the modernization of high-risk, high-value assets (HVAs), which include agencies’ most sensitive systems and data.
1. The National Institute of Standards and Technology should develop a plan to promote a risk management culture in government. The goal is for agencies to make security decisions based on the threats they face, rather than solely focusing on meeting a checklist of requirements. Where appropriate, agencies should use the NIST Framework to help them. (Timeline: 30 days).
2. Agencies should submit a list of high-value systems to DHS for review. From there, six will be chosen for centralized interventions in staffing and technical support. (Timeline: 100 days).
Modernize the government’s Trusted Internet Connections (TIC) and National Cybersecurity Protection System (NCPS) and enable commercial cloud migration.
3. OMB should submit a data call to agencies to request information on both current and pending projects for cloud migration. The report instructs agencies to focus on projects that have been delayed due to policy constraints and implementation. Ideally, this would help OMB to understand the needed changes for faster migration. (Timeline: 30 Days).
4. Along with GSA’s FedRAMP office, the Technology Transformation Service (TTS) and other relevant agencies, the ATC will place the above submissions into three categories. There will be low-risk systems that are able to move to the cloud immediately, high-priority systems that pose some risk in migration and systems that present too great a risk to move at all without additional policies or capabilities. (Timeline: 60 Days).
Consolidate Network Acquisitions and Management.
5. The GSA and DHS would be tasked with assessing if a centralized acquisition support arm within GSA would be viable. If it is, it should be capable of completing cybersecurity-related contracts for small agencies. (Timeline: 90 Days).
Enable the use of commercial cloud services and infrastructure.
6. OMB will update the Federal Cloud Computing Strategy (“Cloud-First”), in conjunction with DHS, GSA and federal partners. This should shine a brighter light on where cloud migration can be most impactful, as well as how best to run security in cloud environments. The plan is to also reduce the amount of time it takes to approve cloud solutions to operate in government agencies. (Timeline: 120 Days).
Improve existing and provide additional security shared services.
7. OMB and DHS will select agencies to provide Security Operations Center as a Service (SOCaaS) across the federal government. Additionally, GSA will work with those two on contracting efforts for commercially provided SOCaaS. (Timeline: 60 Days).