What the White House’s Final IT Modernization Report Could Look Like
Modernization is the hot topic in Washington tech circles these days. There are breakfasts, summits and roundtables almost weekly. Anticipation is building as the White House and its American Technology Council readies the final version of its Report to the President on IT Modernization and the next steps in the national cyber response plan near public release.
At the same time, flexible funding sources for IT modernization are also coming into view as the Modernizing Government Technology (MGT) bill, which unanimously passed the House in the spring and passed by the Senate as part of the 2018 National Defense Authorization Act (NDAA). Barring any surprises, the measure will become law later this fall when the NDAA conference is complete, providing federal agencies with a revolving fund for modernization initiatives, and a centralized mechanism for prioritizing projects across government.
The strategy and underlying policy for moving forward will flow from the final Report on IT Modernization. Released in draft form on Aug. 30, it generated 93 formal responses from industry groups, vendors and individuals. Most praised its focus on consolidated networks and common, cloud-based services, but also raised concerns about elements of the council’s approach. Among the themes to emerge from the formal responses:
- The report’s aggressive schedule of data collection and reporting deadlines drew praise, but its emphasis on reporting – while necessary for transparency and accountability – was seen by some as emphasizing bureaucratic process ahead of results. “The implementation plan should do more than generate additional plans and reports,” wrote the Arlington, Va.-based Professional Services Council (PSC) in its comments. Added the American Council for Technology–Industry Advisory Council (ACT-IAC), of Fairfax, Va.: “Action-oriented recommendations could help set the stage for meaningful change.” For example, ACT-IAC recommended requiring agencies to implement Software Asset Management within six or nine months.
- While the draft report suggests agencies “consider immediately pausing or halting upcoming procurement actions that further develop or enhance legacy IT systems,” commenters warned against that approach. “Given the difficulty in allocating resources and the length of the federal acquisition lifecycle, pausing procurements or reallocating resources to other procurements may be difficult to execute and could adversely impact agency operations,” warned PSC. “Delaying the work on such contracts could increase security exposure of the systems being modernized and negatively impact the continuity of services.”
- The initial draft names Google, Salesforce, Amazon and Microsoft as potential partners in a pilot program to test a new way of acquiring software licenses across the federal sector, as well as specifying General Services Administration’s (GSA) new Enterprise Information Services (EIS) contract as a preferred contract vehicle not just for networking, but also shared services. Commenters emphasized that the White House should be focused on setting desired objectives at this stage rather than prescribing solutions. “The report should be vendor and product agnostic,” wrote Kenneth Allen, ATC-IAC executive director. “Not being so could result in contracting issues later, as well as possibly skew pilot outcomes.”
- Responders generally praised the notion of consolidating agencies under a single IT network, but raised concerns about the risks of focusing too much on a notional perimeter rather than on end-to-end solutions for securing data, devices and identity management across that network. “Instead of beginning detection mitigation at the network perimeter a cloud security provider is able to begin mitigation closer to where threats begin” and often is better situated and equipped to respond, noted Akamai Technologies, of Cambridge, Mass. PSC added that the layered security approach recommended in the draft report should be extended to include security already built into cloud computing services.
Few would argue with the report’s assertion that “The current model of IT acquisition has contributed to a fractured IT landscape,” or with its advocacy for category management as a means to better manage the purchase and implementation of commodity IT products and services. But concerns did arise over the report’s concept to leverage the government’s EIS contract as a single, go-to source for a host of network cybersecurity products and services.
“The report does not provide guidance regarding other contract vehicles with scope similar to EIS,” says the IT Alliance for Public Sector (ITAPS), a division of the Information Technology Industry Council (ITIC) a trade group, Alliant, NITAAC CIO-CS and CIO-SP3 may offer agencies more options than EIS. PSC agreed: “While EIS provides a significant opportunity for all agencies, it is only one potential solution. The final report should encourage small agencies to evaluate resources available from not only GSA, but also other federal agencies rather than presuming that consolidation will lead to the desired outcomes, agencies should make an economic and business analysis to validate that presumption.”
The challenge is how to make modernization work effectively in an environment where different agencies have vastly different capabilities. The problem today, says Grant Schneider, acting federal chief information security officer, is that “we expect the smallest agencies to have the same capabilities as the Department of Defense or the Department of Homeland Security, and that’s not realistic.”
The American Technology Council Report attempts to address IT modernization at several levels, in terms of both architecture and acquisition. The challenge is clear, says Schneider: “We have a lot of very old stuff. So, as we’re looking at our IT modernization, we have to modernize in such a way that we don’t build the next decade’s legacy systems tomorrow. We are focused on how we change the way we deliver services, moving toward cloud as well as shared services.”
Standardizing and simplifying those services will be key, says Stan Tyliszczak, chief engineer with systems integrator General Dynamics Information Technology. “If you look at this from an enterprise perspective, it makes sense to standardize instead of continuing with a ‘to-each-his-own’ approach,” Tyliszczak says. “Standardization enables consolidation, simplification and automation, which in turn will increase security, improve performance and reduce costs. Those are the end goals everybody wants.”