As agencies enter 2020, cybersecurity remains at the top of many agency and industry executives’ priority list.
But it’s not alone by far. Agencies received good news in December when the Homeland Security Department released more details about the Trusted Internet Connections (TIC) 3.0 implementation. This will make it much easier for agencies to securely move to the cloud.
In fact, when we look back at 2019, and really over the last two years, the Office of Management and Budget updated nearly every major IT policy and took some initial steps toward implementation. This includes Cloud Smart, expanded cybersecurity requirements for high value assets, the federal data strategy, identity management and so much more.
All of these policies set the roadmap for agencies to move more quickly toward IT modernization.
Chris Howard, the vice president of U.S. public sector at Nutanix, said the biggest change in the federal sector will come from the focus on supply chain security and the acceleration of the move toward a consumption model for cloud services.
“The requirements I’m seeing from the government are still the same. For the most part, it’s about how do they bring scale, ease of use, simplicity, the consumption model and a whole bunch of different things into their environment whether that’s on-premise or in the cloud,” Howard said in the IT Innovation Insider show. “I foresee we are still dealing with the same priorities and requirements, but there will be some slight alterations around how things are procured and a lot more inspection on where does the software and the hardware come from.”
Howard said the “pay as you grow” model is coming more to the forefront of acquisition strategies across the government. He said agencies need to get into the model of paying for what they need versus the traditional way of buying too many licenses or seats and potentially wasting money.
“Agencies should no longer go out and buy five years’ worth of stuff today. If you can do it based on funding and contractual policies, pay for it exactly when you need it,” he said. “That’s where products need to be built so they can scale easily. You have to be able to do things in real time during production hours that don’t require maintenance windows. As long as the technology allows for that pay as you grow, that is, by far, the best situation for the government to be in.”
At the same time, the focus on cybersecurity, particularly within the supply chain, will impact agencies and vendors alike.
Dan Fallon, the senior director of federal engineering at Nutanix, said agencies are doing a better job with the day-to-day security of networks and data, especially with things like patch management and the ability to react quickly to threats.
“Now it’s on to the next phase of things that are maybe a little more remote in terms of how they are attacked,” he said. “Supply chain is big and broad, and it’s probably a little less susceptible than a public facing website that has a vulnerability. But if someone compromises your supply chain, the impact can be huge. That’s the next shift.”
Fallon said the success and evolution of the Federal Risk and Authorization Management Program (FedRAMP) both offers a possible model for how the government can address supply chain threats and sets the agencies’ expectations for vendors in this cybersecurity area.
“The important thing is just because we see positive trends, now is not the time to back off of investments because the threats are continuing to grow,” he said. “Agencies now have visibility of what’s vulnerable. That was step number one. A lot of agencies are now past that point where they can start reacting and be much more proactive to threats.”
Howard added that the IT-as-a-service or consumption model doesn’t just make sense from a business standpoint, but it gives agencies more tools and help with cybersecurity. He said the vendor provider plays a bigger role in securing the infrastructure-, platform- or software-as-a-service.
One way to pay for this consumption model approach is to shift spending from only development or modernization to using operations and maintenance funding for these managed services.
“Throughout the years, there’s been this debate on which is easier and which has more funding, the capex or opex. Now it has shifted toward ‘we wanted to do this either as a managed service or we want to pay for exactly what we use.’ This is a big year to see that shift,” Howard said. “We have been talking about this for five years and it’s been a slow progression point. But this year we are already seeing a lot of requirements where we are being asked to do consumption-based models or capacity services types of contracts. What is the reason behind that? I don’t know if there is more money from an O&M perspective, or if it’s just the government feels that being a fiscal responsibility that they get better money out of the spending.”
Howard said this new model of consumption should be more economical and more valuable to the customer because there is nothing sitting idle.
Fallon said several pieces have to fall into place for the consumption model to happen, and the evolution of technology with the move to public cloud has helped open the door to change.
“The product has to match the budget and consumption model. If the product doesn’t fit, can’t be scaled easily and granularly, then it’s hard to meet that,” he said. “I would look for products that have the flexibility to run across all the environments. Software licenses that can be transferred from on-premise to the cloud.”