Turning Damage Control into Digital Modernization

Jeff Neal is a senior vice president for ICF International and founder of the blog, ChiefHRO.com. Before coming to ICF, Neal was the chief human capital officer at the Homeland Security Department and the chief human resources officer at the Defense Logistics Agency.

Peter Wilson has more than 20 years of consulting experience within the U.S. federal government and in the areas of healthcare, Fortune 500, and nonprofits. He provides public- and private-sector thought leadership in technology, program and project management for ICF International. Pete was named a 2014 "rising star" by Federal Computer Week magazine.

Each year, the federal government spends approximately $37 billion to maintain the existing IT portfolio, and each year, costs to maintain and defend them against cyberthreats continue to increase.

President Obama’s recently published 2017 budget puts forward a $3.1 billion IT Modernization Fund to help “retire, replace, or modernize the federal government’s most at-risk legacy IT systems.”

The purpose of the fund is to help stimulate modernization of systems that are both high priority and high risk… and federal IT systems are at risk. Federal News Radio’s Jason Miller reported the draft policy was circulating among civilian agencies to get the ball rolling before Congress approves the fund. Here is how the Office of Management and Budget described the proposal in the 2017 budget Analytical Perspectives:

"A project review board, comprised of experts in IT acquisition, cybersecurity and agile development, will review agency business cases and select projects for funding to ensure prioritization of projects with the highest risk pro le, governmentwide impact, and probability of success. The board will identify opportunities to replace multiple legacy systems with a smaller number of common platforms – something that is difficult for agencies to do when acting on their own with limited insight into other agencies’ operations. As a result, the central fund will achieve a far greater and more rapid impact than if the funds were allocated directly to agencies. In addition, a team of systems architects and developers will provide additional oversight and development capabilities to make these major changes. The revolving fund will be self-sustaining by requiring agencies to repay the initial investments through efficiencies gained from modernization, ensuring the fund can continue to support projects well beyond the initial infusion of capital. Seed funding of $3.1 billion would address an estimated $12 billion worth of modernization projects over 10 years."

Given the amount of money spent (and sometimes wasted) on government IT, the IT Modernization Fund makes a lot of sense.

Not every initiative is confined to a single agency. Not every agency has the budget to modernize critical systems (OPM, for example).

Congress has ample reason to push for IT modernization.

OMB's March 2016 annual Federal Information Security Modernization Act report stated that in 2015, “Federal agencies reported 77,183 cybersecurity incidents, a 10 percent increase over the 69,851 incidents reported in FY 2014.”

These increases justify the need to focus upon protecting the confidentiality, integrity and availability of high-value assets. OMB’s cyber sprint was an essential first step that focused on strengthening access controls to federal systems.

The result of the initiative was a significant improvement of PIV-enabled authentication within a single year. Now that we have moved from cyber sprint to cyber marathon, we see a broader focus taken by OMB where a range of IT vulnerabilities are to be addressed through legacy modernization.

Legacy systems can suffer from a variety of technical and management issues that put information and operations at risk.

For instance, infrastructure and operating systems that have been available for many years have afforded hackers ample time to find their weak spots. Hackers engineer attacks that exploit these weak spots to gain access to and control of federal information and systems.

When systems suffer from inconsistent management, such as failures to patch known vulnerabilities, hackers not only steal information, but also, launch attacks and perform surveillance from compromised systems.

Funding constraints aggravate this situation.

When chief information officers need to make decisions about how to spend limited IT funds, they must balance the costs of securing and maintaining systems (often seen as IT overhead) with delivery of new or enhanced program capability.

The perceived costs of modernizing (i.e., re-platforming) a legacy system often appears a bad choice for technology managers. As a result, they stay in place and serve as rich targets for hackers and cyber criminals.

Legacy IT modernization seems to be the right medicine, but one big question looms over the idea: Will that $3.1 billion be well spent?

Federal agencies do not have the greatest IT modernization record. Currently, the Federal IT Dashboard indicates that 175 investments (27.3 percent) within the federal government’s $80 billion investment portfolio are medium or high risk.

In June of 2015, the Government Accountability Office's testimony before Congress highlighted several urgently needed improvements to federal IT acquisitions and operations that underpin government’s track record with IT modernization.

Weaknesses addressed in the testimony included failure to meet cost and schedule expectations, lack of disciplined and effective management, inconsistently applied best practices, transparency, failure to consistently perform TechStats, limited commitment to incremental delivery, and inconsistent performance of operational analysis for steady-state systems.

Will the IT Modernization Fund Work?

The fund can provide much needed stimulus to the increasingly important IT modernization issue. The draft IT modernization policy maintains a strong cyber focus and offers a basic approach for identification and selection of candidates for legacy modernization.

To secure congressional and agency support, the final policy will need to account for modernization risks cited by GAO and others and incorporate following focus areas:

Workforce Readiness. The administration has had some successes in IT workforce initiatives. The IT Solutions Challenge, term authority for digital services professionals, National Science Foundation educational programs, and the Digital Service Contracting Professional Training and Development Program Challenge are great examples, but here is much more to be done.

Cybersecurity and digital services and other IT challenges are permanent problems that require permanent solutions. Term hiring is not enough. OPM must work with the CIO and chief human capital officers councils to develop lasting solutions, including proposing new legislation if they cannot get it done under existing law.

Governance. There are inherent risks in the selection of modernization candidates without extensive engagement from agency stakeholders. An outside panel that selects funding awardees must make clear the criteria for selection, expectations surrounding initial and downstream funding activities, and the value to the participating agencies, their programs and customers.

A Common Vision/Blueprint. Agencies can benefit greatly from an IT modernization vision or blueprint. The candidate criteria proposed in the draft policy does not do enough to help agencies understand what or how to modernize.

GAO states, “Experience has shown that attempting to modernize and maintain information technology environments without an architecture to guide and constrain investments results in mission operations and supporting systems that are duplicative, not well-integrated, and costly to maintain, and thus are inefficient and ineffective in achieving institutional goals and performance measures.” OMB should produce resources that offer modernization patterns, principles and architectures for use by affected agencies.

FITARA Maturity. Many of the pain points highlighted in the GAO report are addressed in some way within the Federal Information Technology Acquisition Reform Act. FITARA provides the best opportunity in many years for agencies to improve their management of IT, strengthen the role of the CIO and ensure taxpayers get a real return on their IT investments.

Recognizing the IT management practices FITARA requires are not institutionalized across government, it is important to recognize the demonstrated management discipline each agency possesses. ACT-IAC's IT Management Maturity Model can serve as a valuable tool to evaluate the management risk associated with agencies proposals to modernize their legacy systems.

OMB issued FITARA guidance that has real teeth and is intended to make certain FITARA is far more effective than the Clinger-Cohen Act.

FITARA's co-author, Virginia Rep. Gerry Connolly, also intends to stay engaged, saying: “Previous efforts to reform federal IT management and acquisition fell short of achieving their goals due to poor implementation and lack of congressional oversight. That will not be the case this time around. I intend for us to hold a recurring series of hearings to work with agencies on getting this right.”

Everyone involved – from the White House to the Congress to individual departments and agencies – must not take their eyes off this one.

Twenty years ago, most folks thought Clinger-Cohen would do the trick. The power of bureaucratic inertia worked its voodoo and it did not happen. We cannot let that same force kill the reforms FITARA promises.