Whether or not Congress funds President Barack Obama’s request for a $3.1 billion IT modernization fund is secondary for the Office of Management and Budget.
Over the next five months, OMB plans to put the pieces in place across the government to be ready when and if lawmakers approve the new cross-agency money.
OMB is developing an IT modernization policy for civilian agencies that would require them to do a majority of the up-front planning to prepare for the funding should Congress approve the initiative.
According to a draft policy obtained by Federal News Radio, OMB plans to implement IT modernization in four phases:
Sources said the draft is currently going through interagency comment with agency chief information officers and other executives.
Insight by Optiv and Check Point: Federal cybersecurity experts discuss the benefits agencies would see by moving to a platform approach in this free webinar.
“I believe it’s the right directive overall,” said Tim Young, a former OMB deputy administrator for e-government and IT and now a principal with Deloitte. “I question the timing only in the sense that we are less than a year from inauguration. I think for this policy to be enduring the first couple of modernization efforts have to be positively executed so the incoming administration embraces and enforces it.”
Young and several other former federal chief information officers praised OMB for developing the draft memo, but expressed minor concerns over implementation.
Simon Szykman, a former Commerce Department CIO and now chief technology officer at Attain, said the requirements in the draft memo are “reasonable, achievable and measurable, and there wasn’t anything that left me scratching my head or was a glaring gap.”
The draft policy details each of the first three phases with proposed dates for completion.
“Throughout these phases, the General Services Administration (GSA) will collaborate with certain agencies to refine relevant criteria and templates and share best practices and other resources to aid agencies in executing this initiative,” OMB wrote in the draft policy. “The centralized, revolving nature of the fund will ensure a holistic view of the federal government’s legacy IT priorities, and will provide funding for modernization projects with the greatest risk profile, governmentwide impact, and highest probability of success. This will include identifying opportunities to migrate multiple legacy systems to a smaller number of common platforms; promoting the adoption of modern, proven technology; and deploying entirely new systems to replace older legacy systems.”
OMB plans to ask GSA by April 15 to publish a “full list of criteria to be used by agencies to identify and evaluate systems for modernization and a template for the submission of information on identified systems.”
OMB says at a minimum the criteria will include six security risk factors, such as security categorization under the Federal Information Security Management Act (FISMA), if the system has suffered previous cyber incidents and the number of documented cyber deficiencies. Agencies also should look at operational risks, such as how critical the system is to the mission, and modernization impacts, such as savings and reuse potential.
OMB says GSA will conduct a pilot with several agencies to further test out the criteria and potentially develop new factors, and “agency CIOs shall engage other senior agency officials, including program managers, and begin evaluating systems using the initial minimum criteria immediately.”
Under this phase, the draft policy would give agencies until May 31 to come up with at least three high-priority systems based on the criteria outlined in phase one. OMB encourages agencies in the draft policy to submit more than three systems, but at a minimum three that need to be modernized.
“As part of this submission, agencies shall include at least one system for which significant or full modernization and/or retirement could occur over a 12 month timeframe,” OMB stated in the draft policy. “Agencies should leverage existing system inventories required under the Federal Information Security Modernization Act (FISMA), systems associated with high-value assets (HVA) as identified through the Cybersecurity Sprint, as well as automated hardware and software continuous monitoring or other asset inventory tools (e.g., Continuous Diagnostics and Mitigation), to assist in identifying and prioritizing at-risk systems. Agencies should also utilize any pre-existing systems inventories, such as stewardship reports, maintained by private sector vendors, to help identify agency systems and their current support status.”
Szykman said he would recommend OMB take more of an IT portfolio approach instead of asking for a minimum of three systems.
“Agencies should rate all their systems so they know what the status is and what the systems’ needs are,” he said. “I understand they want to set a minimum and monitor compliance, so say set three can say X number of agencies complied But this approach has the tendency to turn into a ‘check the box’ exercise. This really should be one facet of the portfolio management process. One of things that does come across in policy may be the ability to consolidate across government, and may be the best opportunity is to consolidate 50 into one, but that may not be visible to one agency but it would be to OMB if they are looking across all government by agencies taking a portfolio approach.”
GSA would finalize and publish the criteria for choosing systems to modernize and publish a template by May 31. Then by July 31, the draft policy stated agencies will “submit to OMB a minimum of three modernization profiles (one each for an individual system included on the agency’s highest-priority list); however, submission of additional profiles is encouraged. Modernization profiles should demonstrate and explain why the selected system should be prioritized for modernization, retirement, or replacement.”
The current template includes four broad areas: system description, operations and maintenance, risk profile and modernization profile. The areas have several subcategories such as total spending on O&M and development, modernization and enhancement for 2014 to 2016, or modernization costs going forward or the implications of maintaining the status quo on the agency’s mission.
Young said the draft policy needs to be tightened up around how agencies demonstrate and explain why certain systems need to be upgraded.
“I believe a more structured and standardized, and potentially directed, approach is needed to guarantee savings,” he said. “I believe the governance needs to outline specific quantitative outcomes such as savings and reuse, and give the agencies a set of tools to figure out those metrics.”
Young and other former federal CIOs said OMB doesn’t highlight architecture quite enough.
“You should know where you want to be and this is the outcome, which is the piece that appears to be missing with the agencies,” said another former federal CIO, who requested anonymity. “OMB has the ‘vision’ of the ‘to be’ state by having initiatives such as shared services, but that is a tool. This memo is attempting to address the ‘transition’ plan, getting agencies from the ‘as is’ to the ‘to be.’ But the underlying assumption of the memo is that the agencies have the ‘to be,’ otherwise they would not be able to prioritize as requested. I would question the ‘to be’ and the outcomes.”
This phase is highly dependent on congressional approval of the $3.1 billion IT modernization fund. OMB says agencies still should plan to modernize systems within the budget process with a focus on the highest risk systems.
Should Congress allocate some or all for IT modernization, OMB says GSA would “work with selected agencies to further refine proposals in order to inform the selection of projects for funding through the fund.”
OMB is clear in the draft policy that the IT modernization fund is not the only money agencies will spend on these upgrades. The administration wants the fund to “supplement and accelerate” DME budgets, and should not “duplicate” any existing funding.
Szykman said OMB is smart to make the modernization effort part of the regular budget process.
“This is important on the chance that Congress doesn’t appropriate funding,” he said. “The need is there and agencies should be asking for modernization funds anyways. I don’t think OMB wants the success of doing the right thing to rely on congressional action for authorization and appropriations. The existence of a central fund will facilitate things, but this does put them down a positive path to do right thing even without the fund.”
As federal CIO Tony Scott said in early February during the budget roll out, when and if Congress appropriates money for the fund, OMB will establish an independent project review board to make funding decisions, and GSA will create a program management office, led by experts in multiple disciplines, to oversee each modernization initiative.
Throughout the entire process, OMB wants agencies to assign one leader and hold that person accountable.
The draft policy stated, “agencies shall designate an IT Modernization Initiative point of contact (POC) who will serve as the principal representative of the agency CIO in the execution of the IT Modernization Initiative. This leader must have sufficient capacity to implement the initiative and must be provided with the authority and responsibility to assign tasks and work elements; make business, product, and technical decisions; and be accountable for the success or failure of the overall initiative relative to their agency.”
Several experts wanted more details about the review board.
Another former federal CIO said the draft memo doesn’t address several important questions.
“How will the board and the fund operate? What does it mean that the board will be ‘independent?’ Will members be appointed from outside government (or a combination of government/non-government), or just that it will operate independently of current funding processes? Will the same officials be the decision-makers in a new government process, or an entirely new and independent body of decision-makers and processes?” the former CIO, who also requested anonymity, said. “The criteria for re-use and savings potential appear favorable for shared services — that’s good, but again — the weights and interpretations by the board will be decisive.”
Young said OMB needs to begin working with Congress immediately to get them to see the value of allocating $3.1 billion for the modernization fund.
He said the administration should send senior career officials to Capitol Hill to make the case to appropriators.
“When you look at the fund, $3.1 billion is less than 5 percent of the overall IT portfolio in the federal government, but it’s key to get approval from Congress based on the fact that it’s good for government, it’s good from the agency mission perspective,” Young said. “They have to clearly articulate what the ‘R’ of ROI will be. If Congress approves the $3.1 billion, it would likely not be a net new to the budget. It will be a carve out of existing budget authority. I would guess that very few appropriators would say this is a great idea here’s $3.1 billion of net new budget authority. They are more likely to say, ‘Let’s find $3.1 billion in offset to accommodate this funding initiative.’”