Federal chief information officers may have one of government’s hardest jobs: protecting our country’s largest networks against rapidly evolving cyber threats, while being stuck with technology that’s often decades old. Add to the mix a set of bureaucratic rules dictating how they buy IT, and it’s nearly impossible for them to upgrade to the modern, best-in-class technology they need.
President Donald Trump recognized this problem in his budget blueprint, stating the government’s current “acquisition approaches … are too cumbersome, and IT … is outdated by the time it is deployed.” On March 27, he put forth a solution: the Office of American Innovation, a new team focused on making government run more like a business.
If the federal government were run more like a business, agencies would have the flexibility to rapidly adopt today’s best technologies, and to do so at a lower cost. It may even be the catalyst to modernizing our government’s entire digital infrastructure.
CIOs across the federal government have long bemoaned the challenges procurement forces upon them. In the January State of Federal IT report, they said, “The federal procurement process is lengthy and complex, and does not provide … the flexibility needed to respond quickly to cybersecurity threats.”
Three dominant factors are responsible:
The unjustified demand for custom-built solutions;
The use of massive, multiple-year contracts;
Vendors’ addition of hundreds of unnecessary consulting hours into those contracts.
These factors lead to technology staying in place for decades, to the point where most civilian agencies are forced to spend their IT budgets merely trying to keep the lights on.
In short, our system is broken, and the security industry played a role in breaking it.
Now, the administration must lead the charge in fixing it.
As it looks to update IT procurement rules, it should consider three guiding principles.
First, government technology should be best-in-class technology. This means adopting existing, off-the-shelf commercial platforms — ones proven at private-sector companies of similar scale and complexity to government agencies. It does not mean custom-built solutions. It does not mean solutions requiring hundreds of hours for “consulting” or “services.” Today’s best-in-class tech can automate most of those tasks. Look at the largest banks, for instance: they are not all that different in size from certain civilian agencies and face a similar scale of attacks, yet they are using flexible platforms that give them accurate and complete data across their endpoints in seconds.
While the government still has more work to do on defining “best-in-class” and the metrics that such technology should meet, such as the speed of vulnerability assessments, initial signs are positive. In a memo issued in May, the Office of Management and Budget advised agencies to use best-in-class contracting mechanisms. This is a starting point, and the government should not be buying anything that fails to meet these standards.
Second, the procurement process must become faster and more agile than it is today. It ought to take weeks or months, not years, for agencies to stand up and make fully operational the technology they purchase. The current procurement process does not keep up with the speed at which our adversaries move. By the time technology is typically deployed, threats have changed and original requirements are obsolete.
The Air Force has emerged as a leader in addressing this issue, reworking its procurement processes to focus less on specific, custom requirements, and more on solving the problem. In the process, it’s cut its acquisition schedule to eight months from the initial request for bids to having fully deployed and operational technology — unprecedented for a government agency that large.
Third, IT contracts must be flexible, not locking in status quo technologies for years on end. Following a model common in the private sector, agencies need to be able to try a tool for a month, evaluate it, and, if it meets their needs, buy it as a subscription service. These contracts must be for a limited timeframe — a year, not many years — and require vendors to uninstall the technology quickly if the contract ends. Too often, agencies find themselves stuck with technology that doesn’t work, and no way to get rid of it before going through a long and complicated process.
Parts of government are moving in the right direction. The Defense Department — the world’s largest employer, with its most complex network — is setting the standard for many of these procurement methods. Initiatives include its Defense Innovation Unit Experimental (DIUx), which focuses on rapidly acquiring and deploying commercial technologies. The General Services Administration’s efforts, such as 18F and its Highly Adaptive Cybersecurity Services program, are also on the right path.
It’s time to build on this progress, make these successes standard across the government and, in the process, bring our federal IT into the 21st century.
Orion Hindawi is the CEO and co-founder of Tanium.