White House Wants to Give Agencies New Pot of Money to Upgrade Legacy IT

Federal Chief Information Officer Tony Scott testifies before the Senate Homeland Security and Governmental Affairs Committee on Capitol Hill in Washington, Thursday, June 25, 2015, during a hearing on Federal Cybersecurity and the OPM Data Breach. // AP Photo/Susan Walsh

The White House is seeking Congress’ help to establish a multibillion-dollar fund that federal agencies could use to upgrade aging computer networks prone to cyberattacks and system failures.

As part of a planned Cybersecurity National Action Plan announced today, the Obama administration wants permission to establish a $3.1 billion revolving fund that will help agencies transition away from so-called legacy IT toward more modern options, such as cloud computing.

“We have a broad surface area of old, outdated technology that's hard to secure, expensive to operate and, on top of all that, the skill sets needed to maintain those systems are disappearing rather rapidly,” Federal Chief Information Officer Tony Scott said in a conference call with reporters Monday evening.

About three-quarters of the $80 billion in annual federal IT spending is slated for operations and maintenance of existing systems -- some of them years out of date. A soon-to-be-released report from the Government Accountability Office on legacy systems in government has tallied up 28 systems at least 25 years old. Nearly a dozen more information systems date back to 1980 or earlier.

Scott likened the lopsided spending on older, harder-to-secure systems to “a crisis that's bigger than Y2K” at a White House meeting in November with business executives.

In a Feb. 9 Wall Street Journal op-ed on the new cybersecurity action plan, President Barack Obama wrote: “It is no secret that too often government IT is like an Atari game in an Xbox world. The Social Security Administration uses systems and code from the 1960s. No successful business could operate this way. Going forward, we will require agencies to increase protections for their most valued information and make it easier for them to update their networks.”

The modernization fund, which the White House plans to situate at the General Services Administration, requires congressional approval.

The fund would target applications that:

  • Have documented cybersecurity challenges;
  • Can easily shift to shared services, the cloud or other “more modern architectures”; and
  • Eat up a lot of costs just to maintain.

Agencies would receive funding in installments “rather than the big blob of money that is typical in the federal government” to encourage incremental development, Scott said.

Agencies that receive funding will also be required to pay back into the fund over time.

All told, the administration expects the modernization fund to support between $12 billion and $15 billion in new application development over several years.

Federal officials have long maintained that the arcane federal budgeting and appropriations process makes IT modernization difficult.

“This world where annually we decide what we're going to spend money on is not conducive to building a secure infrastructure,” Scott said at a government acquisition conference in October, adding, “We don't have a regular plan for replacement or upgrade.”

Michael Daniel, special adviser to the president for cybersecurity and the White House “cyber czar,” said officials plan to work “closely with our colleagues up on the Hill” to secure support for the IT fund.

Draft bipartisan legislation circulating on Capitol Hill -- called the Cloud IT Act -- has already floated the possibility of a working capital fund to help agencies make upfront investments in order to modernize legacy IT systems. However, that legislation, introduced by Sens. Jerry Moran, R-Kan., and Tom Udall, D-N.M., has yet to be introduced.

Also, as part of the new cyber action plan, the White House requested a 35 percent funding bump for governmentwide cybersecurity initiatives -- for a total of $19 billion -- and announced plans to hire a federal chief information security officer to oversee cybersecurity planning across the civilian federal government.
