The Obama administration is seeking substantial budget increases to shore up cybersecurity protections at federal agencies and proposing a new funding scheme to help pay for badly needed upgrades for some of the ancient IT systems gathering cobwebs in government.
Those are some of the big-ticket items in the fiscal 2017 budget released by the White House Feb. 9, the last of Barack Obama’s presidency. In recent years, the annual budget release has come to be seen as a “dead-on-arrival” presidential wish list and not the starting point for serious budget negotiations.
Still, the annual budget blueprint contains the Obama administration’s priorities for the coming year and the price tag for achieving them. We’ve compiled eight takeaways from the 2017 budget related to the administration’s IT and cybersecurity agenda.
IT Budget Set to Rise
All told, the budget blueprint envisions total IT spending of $89.9 billion -- up 1.8 percent from current estimated spending levels and about $3.5 billion more than last year’s request. Of that, about $51.3 billion is slated for civilian agencies.
The growth in spending is well below the average annual 7.1 percent growth in IT spending during the Bush administration. Since 2009, IT spending has inched up only about 1.8 percent annually, according to budget documents, “due in part to the administration’s achievements in improving the efficiency of how funds are spent on IT.”
New Fund for Modernizing Federal IT Fossils
Of the $51 billion in planned civilian IT spending, about 71 percent is dedicated to maintaining so-called legacy IT investments, leaving little room for developing new systems or modernization. As part of the newly announced National Cybersecurity Action Plan, the Obama administration is proposing a new source of funding to help push agencies off outdated technology.
The proposed $3.1 billion IT modernization revolving fund would operate outside the traditional appropriations process to provide upfront funding to agencies in incremental installments to help transition to more modern, secure systems.
A project review board, made up of experts in IT acquisition, cybersecurity and agile development, will select the projects most in need of an upgrade.
Agencies that receive funding will have to repay the investment over time based on efficiencies they gain from upgraded systems.
The topic of outdated government tech is getting some high-level attention. In remarks at the White House yesterday, Obama referred to “ancient software” and “archaic” systems. In a Feb. 9 op-ed for The Wall Street Journal, Obama even referred to government IT as “an Atari game in an Xbox world.”
Setting up the fund requires congressional approval.
Big Boost to the Cyber Budget
As part of the national cybersecurity plan, the administration proposed a 35 percent increase in the federal information security budget -- from $14 billion to $19 billion.
The White House, by this spring, expects to publish a policy for national cyberincident coordination across the public and private sectors. The administration is also proposing $62 million to bolster the federal cybersecurity workforce through new grants and scholarship programs.
In addition, officials announced plans to hire the first-ever federal chief information security officer to oversee governmentwide cybersecurity policy.
OPM, Most Agencies to Get Cyber Boost
The Office of Personnel Management -- which famously fell victim to a massive hacking campaign last year that netted background-investigation records on 21.5 million federal employees -- is requesting $37 million for IT security upgrades. That’s a 75 percent increase from the $21 million lawmakers allotted for cyber upgrades in last year’s omnibus spending bill.
Overall, 19 of the 24 largest civilian agencies are planning budget increases for cybersecurity, “which is significant and important,” federal CIO Tony Scott told reporters on a conference call Tuesday. “Each of the agencies have a very specific need that's based on its mission and its posture. However, generally, across all of the agencies we see significant efforts to upgrade and enhance their cybersecurity posture.”
More Spending on EINSTEIN
The budget proposes spending an additional $275 million to accelerate the implementation of the Department of Homeland Security’s Continuous Diagnostics and Mitigation program, a $6 billion contract through which agencies can purchase tools and services to continuously monitor their networks for cyberthreats. The program is now available to 97 percent of federal agencies.
Also due for an upgrade is the National Cybersecurity Protection System, which is more commonly known as EINSTEIN. The White House wants $471 million in new funding to continue deployment across the federal government.
EINSTEIN acts as an intrusion-detection tool and, in more recent iterations, as an intrusion-prevention tool to block suspicious Internet traffic before it shows up on government networks. However, the $5.7 billion program was the subject of a recent unflattering Government Accountability Office report, which said the system ignored common security vulnerabilities and couldn’t spot all nation-state-directed advanced persistent threats.
“People can be critical, but anybody who thinks any one thing is the absolute defense is probably mistaken,” Scott said during a conference call with reporters Monday. “We think EINSTEIN is a good piece but not the only piece. It continues to get enhanced... If you only look at EINSTEIN, I think you're missing a whole, big piece of the rest of the puzzle.”
More Cloud Spending?
Despite the overwhelming amount of spending on legacy systems, agencies are slowly but surely moving the needle toward new development. All told, about 8.2 percent of the federal IT budget -- about $7.3 billion -- is slated for provisioned services, such as cloud computing, “on par with leading private sector companies,” according to the budget release.
The government, to date, has closed more than 3,000 data centers. That’s more than the total number of data centers the government estimated it even had when the shutdown effort began in 2010. But the consolidations haven’t saved as much as planners had originally hoped.
That’s because agencies have consistently run into problems accounting for savings and, thanks to increased visibility into IT spending, have kept turning up new data centers. The latest tally of government data centers stands at about 9,700.
Scott told reporters the administration is planning to issue new policy guidance to agencies dealing with data center optimization.
Agencies Going Agile
Agencies are making increased use of agile development practices, which entail chunking up big projects into smaller pieces and prioritizing functioning products over exhaustive documentation.
Thanks to agile, agencies are delivering functionality 12 percent faster since May 2013, according to budget docs. Projects that followed the agile development process were nearly twice as likely to deliver on time as those that used the traditional “waterfall” development technique and 33 percent more likely to deliver within budget, per the administration.
Agencies are also trying to attract companies schooled in the agile methods of Silicon Valley to government business.
“The federal government must work with private-sector innovators to ensure the best use of proven and emerging technologies and practices, which requires rethinking procurement rules, processes and practices to reduce barriers to entry,” the budget proposal states.
In 2015, nearly 200 small businesses won federal contracts for IT software development, per budget documents.
A big part of that likely stems from 18F’s agile blanket purchase agreement, a deal that would allow agencies access to agile software development services from a pre-vetted group of vendors.
18F, the General Services Administration’s internal startup, announced in August that 16 companies had won spots on the BPA. However, work on the contract has been halted by a series of protests from the companies not selected.
U.S. Digital Services ‘Growing Consistently’
The fiscal 2017 budget largely continues initiatives first introduced in last year’s budget. That includes implanting digital service teams based on the elite White House tech unit at each of the 24 largest federal agencies.
“The digital services teams have been growing consistently” since they launched last year, Scott said in the conference call with reporters Tuesday. “And they've engaged in key projects in any number of different agencies.”
The digital unit will also play a role in selecting projects to be funded through the newly proposed IT modernization fund.
“As we go through a review of our high-value assets and as we look at projects that we think should be eligible for this IT modernization fund, the digital services teams will play an important role in helping us evaluate what the potential for both savings but also better security and more use of shared services across the federal government,” Scott said.
The administration even spun off a new “rapid response” unit to work on pressing projects. When hardware failure struck a database used to process visas for the State Department, USDS swept in to help rebuild the system. The rapid response team is now working with the Internal Revenue Service on more secure sign-on procedures. Hackers last year exploited the agency’s weak electronic authentication system to file fraudulent returns.
The goal, according to the budget, is to hire 500 digital staffers by January 2017 to staff the new agency teams -- the same goal espoused in last year’s budget proposal. So far, according to the latest Performance.gov update, just five agencies have actually created digital service teams, and it’s unclear how many total digital experts have been hired.
Last year, OPM approved a special authority to speed up the hiring of digital experts.