If you don’t look closely, 2021 seems eerily similar to 2020 for the federal technology community.
Topics like the pandemic, cybersecurity, cloud and the like were all big movers and shakers over the last 12 months.
But if you peel back the onion or curtain, or whatever cliché you prefer, the next 12 months will be strikingly different if — and it’s a big if — the Office of Management and Budget, the Cybersecurity and Infrastructure Security Agency and Congress can come together to further push the evolution of IT modernization and cybersecurity.
For insights about the past and future of federal IT, Federal News Network asked for feedback from former federal IT executives:
Suzette Kent: My answers are not about the “single story” but the results delivered because of what the community accomplished:
Rich Beutel: The momentum to create a modern, 21st century digital government through the embrace of customer experience, as an essential aspect of underlying IT infrastructure essential for government to modernize core service delivery. Virtually all key policy expressions, from the President’s Management Agenda to individual Office of Management and Budget policies and directives, now either expressly or implicitly acknowledge the necessity for government to reform all aspects of essential service delivery, especially to underrepresented and underserved communities, by re-examining how Americans “consume government” and by revamping the IT necessary to effectively serve this goal. In this regard, government’s failure to fully and completely implement the requirements of the two-year-old 21st Century IDEA Act stands as a massive program failure across the board.
The awareness that cybersecurity must be “baked-in” to every facet of government IT and digital government, through the adoption of zero trust principles, the botched roll out of the Cybersecurity Maturity Model Certification program and the restructuring of CISA and its implementing elements.
Eric Olson: The long-tail of the SolarWinds exploit: The sophistication, scale and stealth of this exploit will drive federal technology priorities for many years to come. Remote work works: As evidenced by the annual Federal Employee Viewpoint Survey, federal employee satisfaction is at an all-time high largely driven by remote work. Most departments and agencies report no material degradation in mission outcomes as a result of a maximum telework posture.
Dave Wennergren: TMF Fund gets $1 billion: The American Rescue Plan Act of 2021 provides $1 billion for the Technology Modernization Fund, a dramatic increase over the previous cumulative amount provided to the TMF. IT modernization is still a crucial issue, with agencies still spending the majority of their IT budgets sustaining aging legacy infrastructure and systems rather than implementing new, digital-age solutions, and IT modernization efforts need to not only address moving to the cloud, but also retiring/replacing the thousands of legacy systems and applications still in use. While $1 billion is a small percentage of the $90 billion-plus per year federal IT budget, it is still a dramatic increase, and expectations will be high that the $1 billion is spent effectively. We are at an inflection point. After years of funding the TMF in small bites, Congress has dramatically increased the funding and priority of this work. Investments must be made and measurable outcomes achieved in rapid fashion. If the fund is only drawn down by a small percentage a year from now, or if quantifiable improvements can’t be celebrated, it’s doubtful that there will be any appetite for future significant additional funding. $1 billion should make a noticeable difference, but it will take far more than $1 billion to transform the entire federal technology business.
New PMA announced. The arrival of a new President’s Management Agenda always provides a galvanizing force for agencies to move forward on key issues. It’s a good thing that the new PMA maintains momentum and interest on topics already being worked, as complex change in large organizations takes time. It’s also good to see commitment and attention being placed on technology modernization, cybersecurity, data, digital solutions, customer experience, shared services, improving the acquisition system, the “future of work” and the federal workforce. The things that we measure are the things we focus our time and attention on, and it’s encouraging that federal leaders will be focusing time and attention on these important topics.
Cybersecurity stays in the headlines. From SolarWinds to the Colonial Pipeline, cybersecurity remains a national imperative, with our intellectual capital and competitive advantage at risk. Cyber efforts must continue to adapt to reflect the virtual/mobile/cloud-based world we live in. A lot of attention is being paid to baking cybersecurity into IT solutions rather than bolting it on as an afterthought. And, it’s good news that cybersecurity and modernizing critical systems are top priorities for the Technology Modernization Fund. One area of cybersecurity that’s getting a lot of attention is the adoption of zero trust architectures. Zero trust has generated a lot of interest as a way to reduce risks while still enabling information sharing and legitimate access. As we have moved into a cloud-based, mobile access, virtual world, it became crucial to shift away from security strategies that may have made initial access hard, but once gained, allowed unfettered access to everything within a network. Zero trust uses a combination of robust identity management, access control, data-level security and strong monitoring to create an environment where positive identification and authorization allow transactions to occur. This topic will remain important in the year ahead.
Mike Hettinger: The biggest federal IT story of the year is SolarWinds. If you look at Congress’s focus since we first learned about SolarWinds, it has been all about cybersecurity and incident response. This has been a big part of congressional oversight, legislation and even funding — CIO offices have seen significant budget increases in fiscal 2022 to address cyber needs. A close second would have to be the TMF funding. Given that the TMF has been historically under-funded, securing $1 billion via the American Rescue Plan was an enormous win for the federal IT community. The key as we move into next year will be to ensure that the projects that have been funded via TMF are successful and that the fund expands to touch on areas other than just cybersecurity needs.
Rob Dapkiewicz: Enterprise Infrastructure Solutions transition, the timeline is compressing very quickly. Overall, EIS awards, orders and transitions are lagging where they should be, with some agencies just now releasing their request for proposals. Supply chain issues with network/telecom equipment: Projects and programs have faced possible delays due to the lack of availability of critical network equipment, e.g., routers. This is also exacerbating the compressed timelines for transition off of Networx, Local Service Agreements, etc., to EIS.
Eric Olson: The Colonial Pipeline Ransomware Attack: Will the federal technology enterprise undertake the massive contingency planning required to rapidly recover from such an attack? Or, will the federal technology enterprise suffer from “a lack of imagination?” The Technology Modernization Fund: Congress funded the TMF at unprecedented levels for fiscal 2021 and the Office of Management and Budget has determined that full repayment is not required. Will Congress continue to fund the TMF at these levels when repayment is not required and investment decisions of this size are delegated to non-elected federal employees?
Dave Wennergren: I’ll go with the cybersecurity story that I mentioned above. Ransomware, phishing attacks and other cyber threats will continue to be top topics in the year ahead, and we have another election coming, further increasing the level of misinformation that will be fed to the American people. The pandemic has significantly accelerated the migration to a cloud-based, mobile access, virtual world. Security practices must move away from only defending network perimeters and focus on new approaches like zero trust architecture, data-level security and enhanced identity and access management.
Suzette Kent: Progress on digital advancement of citizen services, data and automation achievements and advancing cyber posture.
Mike Hettinger: The focus on cybersecurity is definitely going to carry over into 2022. First of all, the changes to incident response and reporting that have been proposed in Congress have not yet made it across the finish line. We expect those to be front and center early next year. Secondly, between the requirements of the cyber executive order, and the persistent threats that federal systems face, I believe we will continue to see a whole of government approach to cybersecurity in 2022 and beyond.
Rich Beutel: I believe that the focus upon enhanced and expanded “cybersecurity by design” will be a huge continuing story in 2022.
Rob Dapkiewicz: Cybersecurity and keeping pace with the evolving threat landscape, i.e. zero trust. Network modernization, as in transition versus transformation.
Rich Beutel: Federal systems will continue to be hacked at an alarming rate until the pain becomes so extreme that major cybersecurity measures are forced upon virtually every agency. Government will embrace the growing awareness that streamlined and rapid acquisition techniques, such as other transaction agreements and commercial solutions openings are essential means to support the government’s access to, and deployment of, critical commercial innovation.
Rob Dapkiewicz: Secure Access Service Edge will gain a lot of traction within federal agencies once they complete their transitions to EIS and then look to modernize and fortify their network architectures, and meet the OMB mandate to implement specific zero trust security goals by the end of fiscal 2024. Remote and hybrid work forces for agencies and industry are not going away. Agency networks will need to be far reaching and flexible.
Suzette Kent: People and operational changes due to service delivery being significantly more digital, workforce in hybrid location mode and massive growth in automation and artificial intelligence. All drive the need to reexamine workforce, risk practices and operational resiliency.
Mike Hettinger: I know it just came out on Dec. 13 but I think the customer experience executive order is going to have a huge impact. This is the first time we have seen this sort of laser-like focus on CX and the changes likely to come as a result of that are certainly worth watching. Second is zero trust, as 2021 laid a lot of groundwork for zero trust in the federal government and 2022 will be the year of zero trust implementation. Watch for additional policy activity that continues to promote zero trust.
Eric Olson: Zero trust architecture is the centerpiece of the cybersecurity executive order, however, it will take too long to implement and will not be a silver bullet that many want it to be. Aggressive consolidation and harmonization of the federal IT infrastructure is required to reduce complexity and the consequent vulnerabilities. As for the technology talent gap, the federal government is not likely to solve the technology talent recruiting and retention issue any time soon and in some ways is playing a zero-sum game by competing with itself. The federal technology enterprise should more aggressively leverage services from commercial providers to close the gap.
Dave Wennergren: As we navigate the pandemic, two facts remain certain, the pace of change we’ve witnessed in the past year will only continue to accelerate, and, uncertainties will continue to emerge, reinforcing the need for both agility and resiliency. Expectations for rapid adoption of new solutions will continue to increase, placing pressure on the acquisition system and leaders to find innovative approaches. Organizations that are unwilling to embrace rapid change and the adoption of new technologies and approaches will fall further behind and risk irrelevancy.
The explanation is that I think CISA will be the most critical given the acceleration of cybersecurity threats, the emerging incident reporting obligations and the massive amount of National Defense Authorization Act clauses from the current NDAA. I ranked Congress behind the others because of the continuing political gridlock and inability to reach consensus on much of anything. In my humble opinion, the action next year will continue to migrate to industry because that is where research and development, and innovation are happening.
At scale, the civilian federal government will continue to remain reactive when it comes to leveraging technology: binding operation directives vs. adaptive risk management, and IT modernization vs digital transformation. The most ambitious technology endeavors the federal government will pursue will tend to be the result of actions taken by others such as attacks by our adversaries or applying technology that is most aggressively marketed.
I’ll finesse this answer, as my hope is that OMB, CISA and Congress are all highly impactful (in a positive way) in the year ahead, as that is what is desperately needed. I am very confident that industry will be impactful in a positive way, as long as agencies encourage companies to offer new approaches and solutions, reward innovation and alternative approaches and encourage contracting approaches that allow companies to bring their creativity and skill to bear on the challenges facing government.
CISA has been the most active federal agency for at least the past year. The continued focus on cybersecurity will keep them as the most impactful organization in 2022. OMB, with its complementary role to CISA on cyber, and focus on other key areas like customer experience and federal IT modernization, will have the second-most significant impact. Congress has the potential to be very impactful as well, with a number of key pieces of cyber and IT-focused legislation pending. I ranked industry tied for third.
How will the General Services Administration handle agencies that haven’t been able to transition off of Networx by the current deadlines? Will the pandemic and supply chain issues justify another extension beyond May 23, 2023? For OMB, [I considered] budget, EIS oversight, zero trust requirements. How will 2022 midterms change the makeup of Congress and budget priorities? Industry will follow the money and pivot as quickly as possible to meet the mission requirements of the federal government. Mergers and acquisitions, which have been numerous in the last few years, will continue to be a method for companies to fill perceived capabilities gaps and/or eliminate key competitors. CISA’s mission will continue to be one of the most critical in the federal government as cybersecurity threats escalate further.