Over the last 18 months, the Office of Management and Budget painstakingly went over nearly every federal technology policy that came out in the last 20 years with an eye toward modernization.
Every new policy, whether for cloud or identity management or data center consolidation and optimization, that came from that effort included a list of rescinded regulations which had grown old and held no value any more.
The most recent update to the Trusted Internet Connections (TIC) initiative rescinded four policies, some dating back 12 years.
The identity management policy from May terminated five policies, of which some went back to 2004.
As you can see, OMB did more than a little spring cleaning.
This exercise over the last two years or more has led to a new way of thinking about policymaking. OMB and other agencies are taking a page out of the agile software development playbook and applying this methodology to policymaking.
“Because our environment is changing so quickly many of the things we’ve done was create methods, whether it was as simple as a timer to reevaluate every six months or every year and evaluate if this is still effective, or approaches and partnerships like the one with [the Department of Homeland Security’s] Cybersecurity and Infrastructure Security Agency (CISA) on TIC. If there is a better way or a better idea, we are not changing any of our security expectations and we continue to raise the bar, but we are creating a pathway to ask the question, ‘Is there a better way?’ And make that happen very quickly versus a decade or a long study,” said Suzette Kent, the federal chief information officer, at the CISA Cybersecurity Summit in September. “That is the kind of agility and nimbleness we have to have in this space because cybersecurity is a perpetual state of hyper vigilance. We have to constantly be evaluating what are we seeing, how do we act and what’s the next step?”
For the TIC policy, OMB worked with CISA, the Defense Department and several other agencies who tested out potential new approaches to securing internet gateways between the public and agency networks.
Jeanette Manfra, the assistant secretary for cybersecurity at CISA, said her office worked with OMB in coming up with both the key policy priorities and implementation guidance.
“The concept is to continue to be able to move fast as technology or the threat changes,” Manfra said in an interview. “We are just now in the last six or seven months realizing the benefits of that.”
OMB and DHS recognized that policies can’t be so broad that they can’t measure what successful implementation looks like, and at the same time implementation guidance can’t be so prescriptive that the policy is not effective.
“The concept is you can potentially renew the implementation guidance on a faster basis than the policies. We are still developing this,” Manfra said. “It also means getting everybody on the same page of what we are going to focus on and it provides a more enduring framework as well.”
A senior administration official, who provided answers to Federal News Network questions, said the feedback loop is critical to achieving the right balance in agile policymaking.
At the same time, DoD is mirroring federal civilian efforts on its networks.
Jack Wilmer, the deputy CIO for cybersecurity and chief information security officer for DoD, said at the CISA event this agile approach to policymaking and implementation is a key piece to the defend forward notion around cybersecurity.
“How do I say ‘here is an interesting approach that one of the agencies wants to do in terms of how to connect to cloud or something else’ so let’s get the right set of people together to assess the risk of what that is, to look at the results, to look at how it works, and if it seems like it worked well and it’s a good approach, let’s go ahead and modify the policy to say any other federal agency can use that model,” he said. “The intent is as the threat evolves if we find out that we were letting people do this but now we understand it’s not a good idea, we should be able to rapidly evolve our policy so no new connections use that model that we know now is not the right approach. I am absolutely trying to figure out how do I bring that into the DoD so the policies that I write and we update are things we can evolve in a more agile manner.”
Wilmer said the goal is to increase the cost to hackers for trying to attack federal systems.
The concept of agile policymaking for IT actually started several years ago when OMB began releasing draft policies for industry and other expert comments.
Dan Chenok, a former OMB branch chief and now executive director for the IBM Center for the Business of Government, said putting out draft policies is one step toward the move to agile because it’s a good way to get customer or stakeholder feedback.
“GitHub lets OMB or any agency see the comments, and comments on other people’s comments, and then iterate, instead of having to receive 30,000 comments and figure out what everyone is saying,” he said. “It’s not just policy making, but policy execution as well. If through this iterative process OMB or the government get more buy in, you have a far less cost of compliance because there are fewer people you have to chase and can move to the next policy faster.”
In fact, IBM and the National Academy of Public Administration want to expand the concept of agile beyond technology policy to all parts of government.
In a blog post from July, Ed DeSeve, a visiting fellow for both IBM’s center and for NAPA, wrote that government reform must adopt the concept of agile software development.
“It is critical that we develop a reform agenda to make governments at all levels more agile. For example, we should work to identify key agile government principles; identify instances of agile government around the country and around the world in order to develop ‘best practices’ that can be available to governments and researchers; and collaborate with governments that wish to use agile principles in their projects, programs, and overall organizational design to assist with strategy and implementation,” DeSeve wrote. “Success will require a new mindset in government and new organizational models.”
Terry Gerton, the president and CEO of NAPA, said the change the government has to make is toward a more proactive rather than reactive policy process.
“It is more response to the environment we are in now. We know some of the regulations are outdated, and there can be volumes and volumes of them. We have a sense that these regulations are very controlling and they may not advance government,” Gerton said. “There are new ways to do government so we are citizen or customer responsive, more timely and using a more cross-functional approach. Virtually no problem we have can be solved by one branch or one agency any more so how do we help users of the regulations be more successful so we have better government.”
The senior administration official said there are several changes needed to move to an agile policy mindset.
“Agencies are well on their way to embracing this cultural mindset and OMB is best positioned to act as an enabler by removing barriers that have long plagued the modernization journey,” the official said. “As we continue our journey, we are looking across the board at opportunities to take a more agile approach to policy development and service delivery. As evidenced through our work with the Technology Modernization Fund and shared services, iterative approaches will enable the federal government to more rapidly improve the digital service experience provided to the American public.”