Call it a 36-point plan or a modernized IT modernization strategy, but no matter what moniker you use, the American Technology Council in the White House is trying to put its stamp on federal efforts to move off of legacy technology systems.
The council, led by Chris Liddell, President Donald Trump’s director of strategic initiatives in the White House and director of the ATC, set out 36 deadlines for agencies over the next year, including 24 in the next 90 days.
The draft plan cuts across two broad cybersecurity focused areas: Network modernization and consolidation and shared services to enable the network of the future.
“We are pleased they are moving forward in this space. We’ve argued that IT modernization needs attention for some time now, and we messaged to Congress last year and to White House during the transition that this should be a primary activity. You can’t achieve cybersecurity without going after IT modernization,” said Trey Hodgkins, the senior vice president for the public sector for the IT Alliance for Public Sector (ITAPS), in an interview with Federal News Radio. “There is a lot here to digest and to understand. We are still trying to put the pieces together and understand how the proposals would work in context they laid out. But we are pleased they are moving in this direction.”
Generally speaking, vendors and former federal experts alike praised the draft modernization strategy for both building on previous efforts from the last two administrations, and for expanding some areas such as shared services.
The ATC is accepting public comments on the draft strategy through Sept. 20.
Tony Scott, the former Federal CIO under the Obama administration, said the fact the Trump administration is opening up the draft to public comment is a great sign that they want to hear from and understand broad viewpoints of how modernization could work.
“The bottom line here is all the stuff in there is good, and either supports or extends a lot of stuff we were working on,” Scott said in an interview with Federal News Radio. “I think as it is there is a set of good stuff here. But I think there are some other dimensions that need to be part of plan.”
Scott said while cybersecurity definitely gets the attention of lawmakers, federal executives and vendors, there are a lot of other reasons to modernize federal IT.
“In world where funding will be an issue, modernization can also bring cost savings over time in a significant way,” he said. “The concern is you don’t just want to replace old systems with modern technology and preserve all information flows you had before. This will require some architecture changes and it’s mentioned in there through shared services section. I would’ve included it more on other dimensions too.”
Simon Szykman, the former Commerce Department CIO and now managing director and chief technology officer of the federal services division at Attain, expanded on Scott’s call for a broader focus on architecture.
“There is a very strong emphasis on modernizing network architectures. But for many systems that are difficult to secure and expensive to maintain, the root of the problem is often not simply one of network architecture, it’s one of system architecture,” he said. “There is no question that networks are important, but in many cases the shortcomings can’t be addressed simply by re-architecting networks. The applications themselves need to be re-architected, migrated to modern technology stacks, transitioned to run on modern infrastructure. Indeed, in many cases with legacy IT systems you can’t bring the government to the cloud without doing this. The system-level focus is very much absent from this report.”
Where are the citizen services?
The big criticisms that came from observers is the lack of any mention of how these efforts will improve citizen services or any discussion of the IT modernization fund or the Modernizing Government Technology (MGT) Act.
“This is a framework, but not really a detailed implementation plan,” said Alan Chvotkin, the senior vice president at the Professional Services Council, in an interview with Federal News Radio. “We are going to find other areas they need to address, like procurement policy was identified as a weakness and how the draft pilot program for commodity IT and cloud email would work. We will look at that pilot and what it provides in more detail and may have recommendations on how to expand or conduct initial ones around procurement policy limitations.”
The cloud email pilot is one of several detailed in the draft. ATC says in 240 days after the strategy is finalized, the Office of Management and Budget and the General Services Administration “will pilot new acquisition tactics for cloud email and collaboration licenses.”
“By creating virtual ‘street corners’ for cloud email providers the federal government can use competing market forces to drive governmentwide volume pricing as a lever to speed migration,” the draft document stated. “This will apply Hotelling’s Law of spatial competition, wherein government’s potential purchasing power will be used to negotiate tiered pricing agreements directly with the providers and result in publicly displayed price points, total number of licenses purchased, and the remaining number of mailboxes that need to be migrated. This volume pricing would serve as the base rate for any license purchased by the government.”
There is one huge red flag in this draft strategy that ATC and OMB will have to address. In this section describing the cloud email and collaboration pilot, the draft document calls out four vendors as “suggested industry partners.”
As one procurement expert who’s been in the federal market for more than 25 years, never in their time have they seen the White House actually suggest using specific companies, in this case Google, Salesforce, Amazon, and Microsoft, in a policy document.
There may be some Competition in Contracting issues here that the ATC will have to address before the final version is out.
ATC plans to hold a follow-up summit with interested cloud providers to see if they are “willing to participate in a pilot of the Manufacturer’s Agreements.”
Scott added the specific focus on cloud email stood out to him as being a little strange.
He said between 60 percent and 70 percent of all agencies already had moved to the cloud for email—whether Google or Microsoft.
“The gap in that space at least as I was viewing it was we got there on the legs of couple of thousand different contracts and negotiations and tons of different implementations with different rules and design settings, which makes it hard for interagency collaboration to take place to degree you’d want it too. So I thought the things needed in the cloud email space was for those agencies which hadn’t migrated yet to make it really easy for them to migrate, maybe some sort of GSA offering or other approach with different levels of services, high, medium and low The second big opportunity in that space is better interoperability between Gmail and O365. It’s true today because of all the different implementations, sending a calendar invite from Google to Outlook or vice versa is pretty ugly. I implored both companies to fix that, but they haven’t done anything about it yet.”
Hodgkins added ITAPS will be looking closely at the metrics for the email and collaboration pilot to better understand the current price many agencies already are paying, and if it’s already a low price.
Challenges remain in cyber policy
Scott said another key piece to the modernization strategy is addressing the challenges around the Trusted Internet Connections (TIC) program. He said nearly every CIO told him over his two-year tenure what a problem the TIC is as it relates to the cloud.
The draft strategy stated that within 30 days of it being final, “OMB will submit a data call to agencies requesting submission of both in-progress and pending projects for cloud migration. Agencies should focus submissions on projects that have experienced delays due to constraints in current TIC policy and National Cybersecurity Protection System (NCPS) program implementation, and should propose a migration plan that, highlights needed changes to requisite policies and capabilities to facilitate faster migration.”
Additionally, OMB will provide a preliminary update to the TIC policy that introduces a 90 day sprint during which projects approved by OMB will pilot proposed changes in TIC requirements and formalizes the approach.
The longer-term goals, 180 days, OMB, GSA and the Homeland Security Department will update TIC and other cyber policies, such as the EINSTEIN program, to figure out how they could be incorporated into the commercial cloud.
There is a lot more to the draft strategy, all of which is well worth reading and commenting on.
But as Szykman and others pointed out, there are a lot of developing and revising plans, reports, strategies and policies as well as a lot of data calls and collecting of metrics, but little discussion on how to get things done—see earlier discussion about IT modernization fund and the MGT Act.
“Those things may all be important, but given how slow things have historically been to evolve in the government IT world, I think that issuing strategies/policies, sending out data calls, and collecting data is a very indirect path to real, meaningful change,” Szykman said. “It may at some point become necessary to take a heavier hand and provide stronger direction to achieve the desired results.”
And naming a permanent Federal CIO and replacing many of the department CIOs who have left over the last few months would also make a huge difference.