Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.
Building a house takes two things: Money and a solid plan. The same is true for IT modernization. Now, thanks for a ballooning technology modernization fund, agencies will have the money they’ve said they need. Their plans, though, need a little work. That’s according to the director of the information technology and cybersecurity team at the Government Accountability Office, Kevin Walsh, who spoke to Federal Drive with Tom Temin.
Tom Temin: And you have looked at this issue before, but now there’s a billion dollars in the TMF. That wasn’t there before. So what do we need to know here about what agencies have to do?
Kevin Walsh: Thanks again, thanks for having me, Tom. So we’ve looked at this, as you noted, a couple times over the years. In this instance, we asked agencies what their most critical modernization programs in need of attention and basically modernization were. They flagged 65 different systems over the 24 CFO Act agencies. And we looked at those 65 ourselves and flagged the 10 that we thought were the most critical in need of modernization. And basically, we found that agencies had, in some cases, rudimentary plans or more developed plans, but not nearly to the degree that we want. And we’re not looking for anything over the moon in terms of requirements, we wanted them to have some idea of timeframes on when these things would get going and finish an idea of the work necessary to modernize the system. And finally, and critically, a plan to turn the legacy system off because all too often we see those legacy systems are running in parallel with the newly modernized system. So that’s really what we want, we want agencies to be thinking about their modernizations, and have a plan for them to go forward, which, if they’re applying for the TMF is very similar to the requirements that the TMF oversight board would need to review and approve applications.
Tom Temin: And it looks like the Defense Department of all places was the most ahead in all of this, they had included milestones. They had described the works they need to do. And they had a plan to disposition for the legacy systems, the shut off date. So it looks like DoD is ahead of the pack here.
Kevin Walsh: Correct. The two systems that we flagged as most critical that actually had the work done were the systems at the Department of Defense and Interior. Since then, one additional agency, the Small Business Administration, did tick their final remaining box on the legacy plan that we were looking for. So there are three that kind of have done this really preliminary work. But again, up to 10 only having three done that means, there are seven out there that don’t.
Tom Temin: And the Office of Personnel Management looks pretty bad here. They have a partial partial and a no for respect to turning off the old systems, partial uncompleted milestones partial on completed the work. And yet they’re the often cited, even though they’re not a huge agency, but an influential one, and one that’s been twisted and reorganized so much lately, you would think they would be ready to roll with everything they’ve got so they can get that money.
Kevin Walsh: Yeah, especially in light of their past security incidents and their persistent concerns, all of the sensitive information they have there, it’s really, really concerning that they haven’t done more to modernize. And this system in particular, basically was on the infrastructure side of things, hardware-software service components that supported a lot of their IT. So again, it’s stuff that we really, really would like them to modernize.
Tom Temin: And Treasury, I guess you’re speaking, well I’m guessing mostly about the IRS. And they do have a statement of work that they need to do to modernize. But interestingly, no shut off date for the legacy system, is that a reference to their master file system, which has resisted modernization efforts for 30-40 years?
Kevin Walsh: So we were very, very careful in this report, not to name specific systems, we didn’t want to create a target list for any bad actors. So I won’t be able to speak to whether that is associated with that system. However, that seems like a reasonable conclusion. Now, interestingly, that system at Treasury and the IRS is an interesting use case, because they only spend about $15-16 million per year on operations and on the labor to keep that system going. But the Treasury Department estimated that it would cost $1.6 billion to modernize. So there’s this really, really fascinating push pull here on this system, as well as many other systems where we’re not replacing like for like, we’re not taking in really old green screen system and replacing it with a new green screen system in the cloud. As agencies are modernizing, we want to see them get better functionality, better performance, perhaps very importantly in this day and age, better security, ease of updating, perhaps even having some of these systems supported by the vendor, whether that be hardware or software, which many of them are not. So it’s not going to be cheap to do. And in some cases, it may not save money. Now, that’s not to say that agencies shouldn’t be focusing on the ones that save money because as you know, the Technology Modernization Fund requires repayment. So getting that payback is going to be very, very important to the TMF. But there’s going to be some systems out there that cost a lot of money and aren’t gonna save money to do it, but they are critical to serving our citizens and the taxpayers better.
Tom Temin: We’re speaking with Kevin Walsh, he’s a director on the information technology and cybersecurity team at the Government Accountability Office. And the implication of this report is that this is an interest keenly to Congress, isn’t it?
Kevin Walsh: Absolutely. The 65 systems that agencies think are the oldest and most in need of modernization. And then we’ve winnowed that down to just 10 across the government. And these are systems that manage dams and power plants, that have student loan data, that manage basically critical functions in our government. So absolutely, Congress should be paying attention to this end, we are working with him. And they are, so it’s very heartening to see.
Tom Temin: Department of Health and Human Services got the gray bar along with education, they just don’t have a documented monetization plan. Are they nevertheless among the 65 systems that are identified as needing modernizing?
Kevin Walsh: Absolutely, and the system at the Health and Human Services is actually a very distributed system. It works with the Indian Health Service, which has little nodes all across the nation. And each of those nodes has slightly different or tweaked versions of the system to operate in its local parameters. And they may also have different hardware. So that’s going to be a really challenging one to modernize. So we really would like to see them have that rudimentary modernization plan, some idea of the timeframes and the work needed and a plan to get the old stuff out of there.
Tom Temin: And with respect to the costs, and the possible savings or the efficiencies, isn’t this a good example of where you as an agency, one, as an agency should be very FITARA like, and maybe this is led by the CIO. But you’ve got to have the agency, at least deputy head of the agency and the CFO kind of signing on to the modernization plan?
Kevin Walsh: Absolutely. At its heart FITARA is all about getting our C-suite to work together. It had many, many stipulations. For example, there was one in there that required CIOs to review and approve IT contracts. So previously, IT contracts would kind of go through the acquisition shop and the CFO shop without really involving the CIO, which is critically important in this day and age. Your CIO should have some say in that, they want to make sure that the hardware that you’re buying is compatible with the existing network and not going to require excessive tweaks or that the software isn’t already covered under a software license. So absolutely correct. We want the CIO to be involved with the entire C-suite all the way up to the Deputy Secretary and the Secretary in making these decisions on these modernizations.
Tom Temin: noteworthy for not being on your top 10 List of agencies that yes or no here is Veterans Affairs. They’re not there. And the other one that’s not there is Agriculture. And Agriculture, I guess, it did some pretty heavy lifting on modernization in the funds that have been available for the last few years during the Trump administration. So what about Agriculture, what about VA?
Kevin Walsh: So those agencies are included in the 65 that we tagged. And there is a anonymized list in the in the back of our statement. Agriculture only flagged one, we’re not sure why they flagged one we asked them, hey, what are your most critical modernizations, most agencies flagged two to three, Agriculture flagged one. And VA is also in that list in the back, VA flagged three. Both of the agencies, Agriculture flagged their system as critical, according to them, and VA flagged their three as all critical as well, but varying degrees of security, right. So that’s not to say that they don’t have these systems that are in need of modernization, it’s just when we looked at them, we didn’t think they rose up to the top 10 in the government.
Tom Temin: Alright, so then, in order to apply for those funds, these are the things that the board that decides the allocation of the funds are going to be looking at. So basically, it’s fair to say agencies should get all three columns set to go. What do they need to do? Identify the systems carefully and have a timeline for getting rid of the old — fair enough?
Kevin Walsh: That is fair, I don’t think that’s entirely what the TMF looks for. And they work very carefully with agencies on their application process to get a more in depth idea of what the work is going to be doing, as well as cost estimates associated with what they’re going to do and how they’re going to save money because they want to make sure that they can get paid back. But yes, this is very, very related to what they need to do to apply for the TMF ones.
Tom Temin: Kevin Walsh is the director on the information technology and cybersecurity team at the Government Accountability Office. As always, thanks so much.