Leadership across the federal government is aware of the need to modernize the federal government’s networks. Outdated legacy systems contribute to security risks, increased cost and inability to meet mission; much of this became more visible during the COVID pandemic. The Government Accountability Office estimates that 80% of the $90 billion spent in fiscal 2019 was on operations and sustainment of existing or legacy systems.
There are impressive individuals in the Department of Homeland Security and across the federal government who are making modernization happen and securing the networks and systems. Putting dollars behind these efforts is necessary. Real progress toward modernization requires resources. A governmentwide program authorized through the Modernizing Government Act of 2017 called the Technology Modernization Fund (TMF) is a part of that solution. The TMF received $150 million over its first three years and competitively awarded grants to agencies in the form of a loan to retire and replace legacy systems. The expected future cost savings would be used for repayment.
Customs and Border Protection, within DHS, is one of the 11 projects governmentwide that have had success with the TMF. CBP was awarded $15 million last June. As of March 2021, CBP spent $9.5 million to quickly modernize their outdated trade Collections system that collects more than $80 billion of revenue for the government.
Modernization does generate savings. Based on our experience, capturing the projected savings is not assured. In the private sector, modernization has clear objectives and incentives that business managers’ interests align to. Private sector enterprises are more agile and can more quickly invest and scale rapidly. The public sector is typified by long planning cycles, complicated procurement processes and complex organizational incentives. Capturing some or all of the projected savings from a public sector modernization project has its limitations.
The American Rescue Plan, in addition to providing an additional $1 billion in funding for TMF, recognized that there are varying levels of risk repayment associated with each project. The TMF now permits different repayment options — full, partial, and minimal — based on risk to realize savings and handling urgent cybersecurity and modernization challenges. That is a very important change. While we were in government, the risk of not realizing savings was a disincentive to apply for TMF.
The most recent revisions to TMF are much needed and will make a difference. There are further improvements that need to be made to improve cybersecurity and modernize federal government information systems.
First, we would suggest that overall agency funding for information systems be increased annually by two to three percent to expedite the move from legacy. When a project gets TMF funding, it doesn’t include outyear funding for continued modernization. IT and cybersecurity are not static. What is modern and secure today will not be three or more years from now. Future funding levels could then be ramped up further to support continuous modernization, or the agency ends up dealing with legacy again. For DHS, that would efficiently add over $200 million a year to pull in modernization plans much sooner.
Second, the annual Federal Information Security Modernization Act (FISMA) report to Congress should document agency progress on modernization and retirement of legacy. The government can’t improve what it doesn’t measure. But the right metrics need to be put in place. For example, implementing either a recapitalization rate metric that compares recapitalization funding to recapitalizable information system value or a sustainment rate metric comparing sustainment funding to information system modernization requirement can be used to measure and track modernization.
Third, the Federal IT Acquisition Reform Act (FITARA) requires all agency CIOs to report to the secretary or deputy secretary of their department or agency. Based on the latest 2020 FITARA scorecard released by the House Oversight’s Committee on Government Operations, one-third of the required agencies, including DHS, are not fully compliant. No one is better positioned to inform the secretary on risk and the impact to mission if that risk is realized. IT is complicated, especially in a large government enterprise. Getting a non-expert up to speed could lead to watered-down explanations or errors. The corollary is CIOs need to brief risk in a clear, concise fashion. By communicating probability of occurrence and impact to mission along with cascading consequences from capability disruption, the department or agency leadership can better comprehend the overall risk assessment and any mitigation efforts. In DHS, where the IT budget is over $7 billion, spread across all 22 components, clarity in direction has been critical.
The latest actions coming from the Biden administration are positive and recent initiatives point to an increased focus on cyber and modernization. Information system improvements can be a value driver for the government not just in protecting the data but in delivering improved quality of service and meeting mission. Increasing funding, measuring progress and reporting structure are areas that we do believe require some additional focus to complement the work of the Biden administration and to provide timely protection and security to federal systems.
John Zangardi is the former chief information officer at the Homeland Security Department, acting chief information officer at the Department of Defense, and chief information officer at Department of Navy. He is now the president of Redhorse Corporation and an active board member and advisor for several cybersecurity companies.
Troy Edgar is the former chief financial officer at the Homeland Security Department and associate deputy undersecretary of management at the Homeland Security Department. He is now the executive chairman of Global Conductor.