Closing the digital gap: The importance of secure development practices in government IT modernization

In today’s fast-paced digital landscape, effective government IT modernization is crucial for agencies to achieve their missions, from enhancing public service delivery to realizing cost savings and ensuring better security. Agencies need to recognize that data security, data privacy and data access all need to be prioritized in order to improve citizen experiences and trust while complying with government mandates.

While the governmentwide push for cloud adoption has accelerated some digital transformation efforts and mitigated some challenges, agencies need to be aware of their shared responsibility to manage risks. In the shared responsibility model, the cloud or platform’s security is the responsibility of the service provider. However, agencies are responsible for the data within those systems. The current “lift and shift” approach, where applications are moved directly to the cloud without re-architecting them for the cloud-native environment, may provide some initial benefits but doesn’t fully leverage the scalability, flexibility and performance that cloud technologies can offer.

To properly engage in digital modernization efforts, agencies should embrace secure development practices as the best approach to balancing security, efficiency and the delivery of services to their constituencies.

Policy drivers

The driver for digital transformation within federal agencies was the enactment of the 21st Century Integrated Digital Experience Act (IDEA) in 2018. This legislation mandated that federal agencies regularly report on their progress in modernizing websites and digital services. The Office of Management and Budget issued updated guidance in 2023 to further enhance public access and promote a digital-first experience.

Additionally, the Federal Information Security Modernization Act (FISMA) requires agency chiefs and program officials to conduct annual reviews of their information security readiness. This ongoing assessment is essential to maintain risk levels within acceptable parameters and ensure the security of sensitive information.

The cumulative effect of these mandates has been a broad push across the government to engage in IT modernization to meet the objective of delivering the digital-first experience. Agencies are at various stages of transformation due to a variety of factors, including budgetary constraints, competing priorities and expertise.

Secure development practices and closing the modernization gap

Agencies at the nascent stages of their IT transformation need to consider security as an enabler and leverage secure-by-design principles at the outset of the transformation journey. Without this foundation, the end product may not meet the necessary security requirements, which can hinder its ability to withstand evolving threats and vulnerabilities.

Beyond budgetary and resource constraints, agencies must also appreciate the importance of encryption, including data masking and anonymization, as part of their broader security strategy centered on zero trust and other IT security principles.

Here are some key secure development practices that agencies should incorporate into their modernization efforts:

  • Security integration and automation: Incorporating security measures and best practices into the DevOps pipeline — often referred to as DevSecOps — is crucial. This approach ensures that security is a foundational element of application development from the outset. By utilizing automation for monitoring, incident response and compliance checks, agencies can enhance efficiency while minimizing the risk of human error.
  • Data protection and privacy: Establishing robust frameworks for data protection is nonnegotiable. This includes ensuring that data is encrypted both in transit and at rest, as well as implementing stringent access controls and identity management systems to safeguard sensitive information. Compliance with data protection regulations, such as HIPAA, is essential to maintain trust and integrity.
  • Developing and testing with high-quality data: Utilizing high-quality, realistic data in preproduction environments is a best practice for delivering secure digital services. This process involves prioritizing data classification, implementing field-level encryption for sensitive data, and managing data access effectively. By addressing potential security issues before deployment, agencies can enhance the resilience and security of their applications.

Modernizing IT infrastructure and a shift to cloud-native architectures are a priority for government agencies seeking to deliver public services that meet or exceed the standards set by the private sector. While there is a steep learning curve for the transition to cloud-based systems and deployment of automation, adhering to Cloud Smart principles on the transformation journey allows for a thoughtful approach to security planning and implementation.

Just as private industry has embraced digital transformation and best security practices, and has increasingly turned toward automation, government agencies must leverage these secure development practices to achieve their ultimate objectives. By doing so, they will deliver that digital-first experience while ensuring compliance with IDEA and FISMA reporting requirements. With the right guidance and tools, the digital divide is not insurmountable, and ultimately federal agencies will benefit from more secure, efficient and responsive IT platforms, starting with sound security planning at the outset.

Eoghan Casey is field chief technology officer for Own Company.

Copyright © 2025 Federal News Network. All rights reserved.
