FTC's Tech and Cyber Modernization Sees Success and Ongoing Challenges

The Federal Trade Commission met some of its technology-related goals and struggled with others, according to a report the agency released Friday.

As part of the FTC’s annual performance report for fiscal year 2021 and performance plan for FY 2022-2023, the agency evaluated its progress for technology optimization and information management. 

Specifically, during FY 2021, the FTC started its initiative to move the agency toward zero trust network architecture, which includes “the migration to a new managed communications service, software-defined wide-area network (SD-WAN), and cloud-based secure gateway for remote employees.” The report stated that these technologies will help improve performance and user experience, as well as boost the FTC’s information security and reduce IT costs and complexities. 

FTC has also reduced its reliance on legacy infrastructure by upgrading, replacing or decommissioning “aging, end-of-support infrastructure components and applications” to improve functionality, reduce downtime and the risk of system failures and vulnerabilities. In particular, the FTC replaced legacy hardware for its wireless local-area-network, upgraded its enterprise management system and replaced its aging fleet of laptops to help the agency “consistently meet or exceed [its] cybersecurity targets.” 

Additionally, the FTC migrated and re-engineered legacy applications and manual processes to cloud-hosted platforms and shared services. The impacted applications and processes include those in IT service management, litigation support and employment onboarding. 

The FTC noted that though its IT systems are modernized and it increasingly uses cloud or shared services, its policies and procedures may not match best practices. Furthermore, a lack of resources, such as funding and personnel, could delay its modernization efforts. The FTC added that traditional IT service contracting may impede its ability to utilize agile development methods and innovative solutions. 

The agency evaluated its performance of 11 critical information technology services: email, FTC-based applications and systems, wireless services, internet, intranet, phone and voicemail, wide area network, website, litigation support applications, economic supporting systems and remote employee access. 

For FY 2021, the FTC exceeded its goal for major FTC systems’ availability at 99.94%; these are cloud-hosted systems that have a high level of availability. Meanwhile, for moving IT services to the cloud, it exceeded its goal of 40% for spending on provisioned services, coming in at 42.7%. For example, this includes deploying the ServiceNow Change Management application and reengineering its change management process, as well as automation of litigation support service requests and the personnel security intake and tracking. 

The FTC met its target for its cybersecurity goals. However, the FTC had difficulties with managing government-furnished equipment remotely while a large percentage of the FTC worked from home. The agency was able to meet its goals for scanning, patching, servers, network equipment and GFE workstations and multifactor authentication. 

The FTC also released its FY 2022 to 2026 strategic plan. For the agency’s third goal of advancing the FTC’s effectiveness and performance, it includes a new metric measuring the percentage of FTC IT systems hosted outside of the FTC’s data center; for FY 2023, the FTC has a goal of 90%. Other tech-related metrics under goal three include: the availability of information technology systems and the annual score on the FTC Cybersecurity Index. 

The FTC will implement the information resource management strategic plan to modernize its IT capabilities, remove outdated systems and use cloud solutions, while it strengthens its electronic information management. Additionally, the FTC stated its must address cybersecurity challenges.

Next steps for the FTC include: continuing to move toward zero trust architecture, finishing migrating legacy services and applications, implementing an electronic filing system for the Hart-Scott-Rodino pre merger filing process, optimizing its identity management platform, deploying a centralized security operations center, automating onboarding and offboarding and increasing migration to the cloud, among other things.