The headlines started about a week or so ago, all variations of the same theme: Federal cybersecurity at risk because of partial government shutdown.
Then came the news about website certificates expiring and the new threat posed to federal cybersecurity.
Insight by MFGS, Inc.: In this exclusive Federal News Network survey, cybersecurity experts from the military services and intelligence community offer insights into how their agencies are transforming their approaches to cybersecurity to address the ever-changing threats.
But the fact is, the federal cyber sky is not falling. In fact, beyond some minor difficulties, like the website certificates expiring and further delays in programs like continuous diagnostics and mitigation (CDM), federal cyber workers are keeping agency data and systems as safe as ever.
“Security operations centers (SOCs) are running 24/7 and have stabilized. We still are protecting our data and monitoring our systems,” said one federal agency CIO, who requested anonymity because they didn’t get permission to talk to the press. “Websites are not being turned off. We are monitoring for critical patches, and will keep them up-to-date as necessary. All that work continues.”
This CIO’s experience is not special either. I talked with five agency CIOs and IT executives and all confirmed that cybersecurity is not being neglected, ignored or suffering from the partial shutdown — so, calm down folks.
“If security is a problem, we will call people in,” said another agency IT executive. “There was a domain-name system issue alert sent out by the Homeland Security Department and we brought some folks in to go through it. We found no issues, but we will bring people in as needed to protect our systems. We have a robust process where we vet who is working on an exempted basis, and it has to be approved by the leadership.”
Another government source who works in cybersecurity said they don’t believe agencies are at any further risk now than if all employees were working.
“SOC employees may be disgruntled and upset because they aren’t getting their pay, but they are doing their jobs,” the source said.
So let’s put this issue to rest once and for all.
But where the partial shutdown is impacting federal technology is across two main areas: Delays in programs and projects, and across the contractor community.
Steve VanRoekel, the former federal CIO during the 2013 shutdown, said those IT contracts that are not pre-paid or do not ensure property or safety will feel the impact for months to come.
“A lot of what we were dealing with was managing employees coming back. Things tend to queue up so we were dealing with backlogs in the government. How can we get that throughput to happen when you have a demoralized staff?” said VanRoekel, now the chief operating officer of the Rockefeller Foundation in New York City, referring to the challenges after the 2013 shutdown ended. “The tail of the shutdown was a work problem to get people engaged and going. But this is where the American civil service is an incredible group of people and their dedication is amazing.”
Five years ago, the Office of Management and Budget issued a memo about federal technology, telling agencies to work with their general counsel offices to evaluate all contracts that fund the IT platforms, whether government-owned and operated, contractor-owned and operated, or cloud solutions, to determine whether activities involving those platforms may, pursuant to the Anti-deficiency Act, continue, or whether they must cease during a lapse in appropriations.
Sources tell Federal News Network that OMB and Federal CIO Suzette Kent did not issue a similar letter this year, and the weekly CIO calls touched only lightly on shutdown issues or challenges
Sources say OMB generally pointed agencies to existing online resources from the Office of Personnel Management.
VanRoekel said the Trump administration is taking a looser interpretation of the Anti-Deficiency law than the Obama administration did, especially when it comes to things like technology.
“We asked a lot of questions about where does electricity costs come into play? If IT is consuming electricity then you have to make the call and that is where agencies got involved because these systems are incurring costs,” he said. “At the end of the day, it comes down to agencies making those decisions. The government is too large for OMB to manage on a program by program basis. I do remember agencies making different calls than maybe I would’ve made based on their different interpretations in different parts of an organization and depending on different reasons.”
VanRoekel said this latest shutdown is more unique than the one in 2013 only because it’s going on longer with no end in sight whereas in five years ago there was some notion of timing because there was a feeling that progress was being made.
The length and lack of progress is making agency IT executives more and more worried about the long-term impact of the funding lapse.
One agency CIO said any new technology investments or programs where there was a lot of development of systems or platforms has stopped, and when the shutdown ends, all will have to be geared back up.
“When we went through the 2013 shutdown, which was only two weeks, the impact on programs and projects was months long,” the CIO said. “I expect to see some of the same as well this time around.”
The federal IT executive said as soon as the partial shutdown ends, agencies will have to start looking at projects that were delayed and figure out which ones are more meaningful than others. The executive said OMB and other oversight bodies will have to accept the fact that some project milestones will have to move to the right.
This is especially true for projects such as CDM and the General Services Administration’s Enterprise Infrastructure Solutions (EIS) telecommunications and modernization effort. For example, GSA set a deadline for agencies to get their EIS solicitations out by March, but with the shutdown the likelihood of that happening now is small for the agencies affected by the funding lapse.
Agencies already were frustrated because of the slow roll out of services under the CDM program so the partial shutdown is exacerbating that issue for many.
Data collection activities like DHS’s cyberscope or OMB’s data center optimization efforts as well as finalizing policies such as cloud smart or identity management also will face possible delays because of the partial shutdown.
Another agency CIO said it’s not just a matter of restarting the projects, but getting employees back up to speed.
“I think that will be even harder this time around and I’m not sure any agency leadership appreciates it or understands it,” the CIO said. “Employee morale is taking a hit while people are on furlough. I had one person retire during the furlough. They had been eligible and said they had enough and gave me their papers. I knew it was going to happen in the next six or so months, but the shutdown accelerated it.”
And that leads us to the other big impact federal IT will feel: the loss of contractors, particularly small business subcontractors.
Agency CIOs and IT executives say the longer the partial shutdown continues the more likely key contract employees will be forced to find new jobs.
The federal IT executive echoed similar concerns because their agency is so dependent on contractors.
David Berteau, the president and CEO of the Professional Services Council, an industry association, said retention continues to be a major concern for their members.
“There are no databases of the number of contractors impacted by the partial shutdown, but I would estimates its tens of thousands across companies that do work for the nine agencies and others effected,” Berteau said in a call with reporters last week. “We don’t have a number of contractors who have been furloughed, but we estimate it’s in the tens of thousands, who have been put on some kind of status without pay or are no longer earning revenue for their companies.”
Berteau added it’s also not a matter of vendors putting the furloughed employees on other contracts at agencies that are not shutdown.
“To transfer an employee from one contract to another requires approval from the government and sometimes there aren’t government people to make those approvals,” he said. “Additionally, assuming the shutdown ends, contractors are expected to turn back on again. If the government somehow reopens this week, federal civilians can pick up right away, but to undo stop work orders can take days. You have to issue the return to work order, which is easy, but to start you have to ensure funds are available. You need to get the proper people to sign off and that could take days or weeks as people come back to work. This one will be amplified as well if people just don’t come back because how long can they work without a pay check? The magnitude of the restart will be even harder than previous shutdowns. I’m not sure anyone is considering that.”
It’s clear agency CIOs and IT executives are worried about the long-tail of this partial shutdown.