The National Cybersecurity Strategy tasks the Office of Management and Budget with creating a plan to eliminate all vulnerable legacy systems from federal agencies within a decade.
The White House is working to develop a 10-year modernization plan for federal civilian agencies as part of a broader effort to transition away from outdated information technology systems while bolstering the nation's cyber posture, a top official said Tuesday.
Federal Chief Information Security Officer Chris DeRusha told Nextgov/FCW that replacing costly legacy IT systems with resilient and secure technologies has become a top priority for the administration following the release of the National Cybersecurity Strategy earlier this year.
"We need a 10-year modernization plan for legacy IT,” DeRusha said at Nextgov/FCW's Identity Security Workshop. "Legacy IT modernization is the number one biggest rock that needs to get moved for us to be able to secure our systems."
The National Cybersecurity Strategy tasks the Office of Management and Budget with developing a multi-year lifecycle plan that accelerates technology modernization across the Federal Civilian Executive Branch and aims to eliminate legacy systems. The strategy further instructs OMB to accelerate the migration to cloud-based services and mitigate risks associated with older systems that cannot be replaced within a decade.
OMB also released a zero trust architecture strategy last year that requires civilian agencies to implement data encryption processes and multi-factor authentication — critical security tools that often prove challenging to integrate into legacy systems.
DeRusha, who serves in a dual-hatted role as the federal CISO and deputy national cyber director for federal cybersecurity, said legacy systems have created "modernization barriers" that make it difficult to implement guidance around encryption and multi-factor authentication.
A Government Accountability Office report published in May said federal agencies "need to continue addressing critical legacy systems" and warned that aging and outdated technologies "can be costly to maintain and vulnerable to hackers."
The report also found that the Department of Transportation and the Office of Personnel Management failed to implement prior recommendations around critical legacy IT systems.
DeRusha did not indicate when OMB is expecting to release the legacy modernization plan.
The White House recently released the National Cyber Workforce and Education Strategy, a long-awaited plan to address critical gaps in the cyber workforce and expand diversity and opportunities throughout the cybersecurity community. The administration also published an implementation plan for the National Cybersecurity Strategy that features over 65 federal initiatives designed to meet its cyber goals and objectives.