If there is a reason to have hope that agencies actually are addressing outdated and potentially risky mission-critical systems, the five agencies that answered the call from Sen. Maggie Hassan (D-N.H.) provided a little optimism.
The Defense Department told the Senator that in June it finished an update to an Air Force system, which the Government Accountability Office in June 2019 deemed moderately high in risk to mission and moderate in cybersecurity risk.
The Education Department, which GAO said a year ago didn’t have a plan to modernize its systems, now does, and it includes the release of a new solicitation this fall to modernize the Federal Student Aid system that is 46 years old and considered high risk to mission and cybersecurity. Education said it plans to release an updated system by October 2022.
Along with DoD and Education, the Department of Homeland Security, the Social Security Administration and the Small Business Administration also answered the senator’s six questions.
“One of the things that is constantly misunderstood is how much we have to do to get out from under the technical debt,” said Mike Hettinger, the president of Hettinger Strategy Group and a former staff member for the House Oversight and Government Reform Committee. “We read the GAO report that says there is one system in several agencies that needs to be modernized, but this shows just how much work there really is. When we talk about $1 billion for the Technology Modernization Fund or more investments for the IRS, it’s not just throwing money at small problems, but it’s trying to address the fact that there is a lot of work to be done.”
The departments of Treasury, Interior, Health and Human Services and Transportation as well as the Office of Personnel Management hadn’t responded to Hassan’s request as of Aug. 10. The deadline to respond to the ranking member of the Homeland Security and Governmental Affairs Subcommittee on Federal Spending Oversight and Emergency Management was Aug. 3.
But those agencies which did respond shed light on plans and actions not previously made public, at least in this way.
Hettinger said that while many of the agencies’ answers may have been the same five years ago and would still be similar in five years, the letters show what is important to each chief information officer, and in some cases the chief financial officer, over the next few years.
“One of the key things that may not be called out explicitly, but was obvious from the letters, is agencies need more money for IT modernization. This nickeling and diming isn’t going to cut it. If you really want to invest long term, I would’ve liked to have seen their investment plan by fiscal year. How are they going to invest in these programs to really modernize these legacy systems? You need to know how much money they will need each year and what milestones they will achieve,” he said. “There are a lot of quarterly briefings Congress is requiring on different legacy systems across the government, and one way to look at it is to ask agencies to tell them how they are doing.”
In DHS’s letter, which included attachments for its network modernization plan under the Enterprise Infrastructure Solutions (EIS) program and its data center consolidation and migration plan, Karen Evans, the agency’s CIO, and Troy Edgar, the agency’s CFO, laid out its five top priorities and estimated completion dates:
The Social Security Administration said its IT modernization priorities will lead to cost savings.
“Our modernization plan is a program of business process improvement and IT development. We view cost-savings as our return on investment (ROI) for efficiencies gained through our IT modernization efforts. We base our ROI on efficiency estimates gained by similar entities after completion of their modernization projects, as well as on cost efficiencies achievable over time through our work with leading research firms,” SSA’s letter stated. “As we modernize our IT infrastructure, including retiring legacy systems, we assume incremental efficiency gains of 10% in the first year benefits are realized, 15% in the following two years, and 20% thereafter. Applying these gains to the portion of our annual IT cost affected by modernization efforts results in a positive ROI of about 12%.”
And then there is DoD, which hit a range of IT modernization topics.
“We expect cost to shift from legacy hosting and data center models to modern cloud-based digital infrastructure, with a target of 9% of total IT spending dedicated to cloud services by FY2025, up from 3% in 2022,” wrote DoD CIO Dana Deasy. “The department is also in the process of implementing programs such as comply-to-connect (C2C) and Automated Continuous Endpoint Monitoring (ACEM), which will work together with Enterprise Patch Management System (EPMS) to provide enterprisewide automated patching and endpoint monitoring capability. This will enable the provisioning of trusted patches in a timely manner, enhance situational awareness, and provide improved visibility tools. These three capabilities will be deployed across the enterprise over the next several years.”
Deasy said DoD will invest about $526 million into C2C and another $389 million in ACEM.
“These capabilities will automate labor-intensive patching activities, and are expected to reduce overall operating costs for the DoD. Cost saving projections will be determined once each of these capabilities is operational,” Deasy wrote. “The department anticipates ACEM to be operationalized by the end of calendar year 2020. C2C will be implemented in stages, starting in 2022 with an estimated completion by the end of 2024, on both unclassified and classified networks. The EPMS will reach initial operational capability on classified networks by third quarter of 2021.”
Another trend that emerged from the responses was a request for congressional help, most often in the form of a working capital fund authorization.
Education, DHS and DoD all mentioned the need for this authorization, while SBA, which created a WCF in 2019, asked lawmakers to reduce the burden of data calls and reports.
SSA has received more than $370 million from Congress since 2017 for IT modernization, so it made its case for a different kind of resource: people.
“In the area of human capital, we believe that the SSA may benefit from statutory hiring flexibilities that other agencies have to hire individuals in positions that require expertise of an extremely high level,” SSA’s letter stated. “For example, the IRS has a statutory authority known as ‘streamlined critical pay’ that provides a significant amount of flexibility. Such hiring flexibilities may provide us with access to key skills and talents to support our IT modernization and digital transformation efforts.”
Hettinger said Hassan can use the information from these letters in several ways.
First, she can write her own letters to appropriations committee leaders to encourage them to authorize working capital funds for IT modernization.
Second, he said, she could use the letters as a basis for hearings and other investigations.
“What comes out of all of these responses is the need to fix these outdated systems and the answers could be the starting point to build some legislation,” Hettinger said. “At the end of the day, these letters have to help drive change. That may be requiring agencies to no longer do five-year IT modernization plans or at least require some more consistency in them. That may lead to an adjustment for how Congress or OMB ask agencies to plan for IT. In the end, the goal is to drive toward the same goal of modern technology and how Congress can enable that more quickly.”