The proposed guidance asks agencies to develop and implement targeted modernization plans for specific high-risk, high-priority systems, and to do so in four phases.
With greater opportunity comes greater risk, U.S. CIO Tony Scott wrote in an Oct. 27 blog post releasing proposed guidance "that establishes a series of actions for federal agencies to identify and prioritize IT systems in need of upgrades."
In the post, Scott acknowledged that many federal departments and agencies rely on aging computer systems and networks that are running on outdated hardware and infrastructure, and are therefore expensive to operate and difficult to defend against modern cyberthreats.
"Of the $82 billion in federal IT spending planned for 2017, approximately 78 percent ($63 billion) is dedicated to maintaining legacy IT investments," Scott wrote. "As more and more data is stored online, the need to protect against the adverse consequences of malicious cyber activity becomes more pressing each year."
Evidence of this is the 2015 Office of Personnel Management breach, which exposed the personal information of at least 22.1 million people.
The federal government, Scott wrote, is obligated to protect the information entrusted to it by the American people. Many tools and policies are already at work, such as the Department of Homeland Security’s EINSTEIN, which detects and blocks cyberthreats. "We’ve dramatically accelerated the use of multi-factor authentication to reduce the risk of adversaries penetrating networks and systems," Scott wrote. "And as part of [President Obama's] Cybersecurity National Action Plan and supported by the FY 2017 Budget, earlier this year the President proposed a $3.1 billion IT Modernization Fund (ITMF) to kick-start an overhaul of the Federal Government’s antiquated IT systems and transition to new, more secure, efficient, modern IT systems."
Add to this the proposed guidance, open for public comment for the next 30 days, that asks agencies to develop and implement targeted modernization plans for specific high-risk, high-priority systems, and to do so in four phases:
Phase one: Each year, agencies are required to submit strategic plans, otherwise known as "Enterprise Roadmaps," to the U.S. Office of Management and Budget (OMB) on the current and future state of their business and technology portfolios, according to Scott.
"As part of this year’s submission, agencies were asked to apply a particular focus that targets opportunities (including through shared services or cloud services) to modernize investments within their IT portfolios and reduce legacy IT spending," he wrote.
Phase two: Agencies also will be required to identify and prioritize their information systems for modernization using OMB-established criteria, developed with the assistance of the General Services Administration.
"Using the established criteria will provide uniformity across the government," Scott wrote. "The criteria are based on security risks, operational risks, business suitability, modernization impact and ability to execute."
Phase three: Based on the evaluation conducted in phase two, according to Scott, agencies will be required to submit to the OMB modernization profiles of the systems prioritized for modernization, retirement or replacement.
Phase four: The profiles created in phase three will inform agencies’ regular budget planning processes, Scott wrote, adding that, contingent upon congressional approval, funding provided could be used to supplement and accelerate the modernization efforts proposed in agency budget submissions.
"Moving the federal government to modern infrastructure, such as cloud-based solutions," he wrote, "is a fundamental necessity to building a digital government that is responsive to citizen needs and secure by design."