How the FCC could be the model for IT modernization

Subscribe to Ask the CIO’s weekly audio interviews on PodcastOne or iTunes.

During his four years as the Federal Communications Commission’s chief information officer, David Bray set lofty goals and accomplished many of them. One of those could serve as the model for the implementation of the Modernizing Government Technology Act.

Bray, who left the FCC in October and now is the executive director of the People-Centered Internet Coalition, reduced the FCC’s spending on legacy technology systems and reinvested those savings into modern technologies.

“When I first arrived and I assessed the case, I made the presentation to both the chairman and the other commissioners too that we were in a hole of legacy IT that was only going to get worse. The proposal was if we figure out a way to reduce our spend on legacy IT, they would permit us to then reuse those funds to modernize the FCC. That was the only way we would do it on a flat budget,” Bray said on Ask the CIO. “That did require buy-in from all the commissioners, the managing director and, at the time, the CFO saw me as a cost center, and I saw him as not recognizing that we were actually doing the business of the FCC. We also briefed the Hill staff members so they could understand what was going on. And that’s what we are doing.”

David Bray left the FCC after four years as its CIO.

The MGT Act is heading to President Donald Trump for his signature as part of the 2018 Defense Authorization bill. The act would establish working capital funds that agency CIOs could use to accumulate savings and then use them to modernize legacy systems.

Bray said the new managing director is the former CFO who came back to him about six months later and said he understood what the CIO’s office was doing.

The FCC, he said, had a clear mandate for change, given it had more than 200 legacy IT systems with an average age of more than 10 years old.

“I recommend that CIOs be bold enough to have those conversations because they are needed,” he said. “We had built a unified front up and down the chain from the commissioners and the managing director so it was hard for someone to do that. The other thing is, let’s face it, pretty much everything the FCC, and really any organization, wants to do has an IT component. So if someone might try to make a grab for the savings, they’d quickly find if they didn’t have IT support to make it happen, they are back to square one.”

Bray said the FCC reduced its spend on legacy systems to about 50 percent of its IT budget, down from about 85 percent in 2013.

With the “newfound” money, the FCC addressed its core infrastructure and computer needs. This included shifting more than 200 servers and transferring more than 400 applications associated with those servers to a commercial cloud in 2015.

“We ended up more than 100 servers in that move and that was a major gain as well,” he said. “That gave us the fuel to do additional things. We’ve now moved to a cloud platform, ServiceNow, as one of the ones we use to build instead of different systems, different processes on their platforms, which makes it a lot easier for the chief information security officer. He accredits the platform as opposed to 70 or 80 different systems each needing their own authority to operate. It also lets us reuse parts of different processes we build on that platform.”

Bray said the move to the cloud let the FCC get out from under its “legacy” IT debt as well as be more resilient in scale, faster to deliver solutions to its stakeholders.

The FCC is continuing its modernization effort on several fronts, including implementing identity management in the cloud to allow simplified sign-on across platforms.

The commission also rolled out Windows 10 and Office 2016 on virtual desktops. Bray said the FCC would like to move to software-as-a-service for its virtual desktops where the agency pays a set amount of money per user, per desktop based on specifications and the vendor is responsible for keeping the software updated.

“We should not be in the business of maintaining desktops,” he said. “That would be a very big thing across the government as a whole. Let’s face it, the workforce is 1-to-2 million people and if you provided whatever NIST guidance for what that image should look like, then it could be consistently rolled out across government, and free us to focus more on mission.”

Bray said the FCC is moving toward zero client or thin clients and if employees need a laptop or tablet when traveling, the agency will provide it.

“The idea is [laptops are] not something that we can provide for everybody. With scarce resources, we have to say if you have the ability to do virtual desktop anywhere, whether from home or at work, then maybe we shouldn’t be in the business of providing a laptop unless it’s absolutely essential you have one,” he said. “There is a two-factor piece to the virtual desktop. It’s not a virtual private network. It containerizes what’s going on in that environment so there is not a way to move data from the virtual desktop space to whatever machine you are on and vice versa. That helps us rest a little more on the security side.”

Bray said the FCC has made a lot of progress around cybersecurity, but it’s a never-ending challenge.

“We are being very intentional as we move to the cloud, also moving our IT security solutions to the cloud as well, that includes our security operations center,” he said. “We also want to look at some of our security tools to be the next generation necessary to actually deal with the fact that increasingly threats are polymorphic in nature. There are several statistics that show there has been a tripling of cybersecurity threats, which was a tripling of the year before that. We want to make sure before someone clicks on a link in an email, it’s tested in a containerized space to see if it has any malware, and if it does, it doesn’t allow the link to go through. That’s only possible in the cloud. If I tried to do that on-premise, it would not be possible.”

Bray said if the agency’s network and apps are in the cloud, then why not the security too?

In the White House’s draft IT modernization strategy released in September, one goal was to develop a SOC-as-a-service approach for the entire government.

“We made a very big jump over the last few years, and whoever is the CIO going forward, it’s now about refinement of those things we made in the big jump,” Bray said. “I’m a big believer that organizations can’t make big jumps every year. They get tired after a while. This is about refinement and capitalization of the transformation we made.”