Agility Driving Federal IT Modernization

New technologies are just about obsolete by the time they actually hit federal work stations and are put to use, a disruption that could threaten the future of federal information technology investments. Acquisition at times precariously hinges on the government striking a sustainable balance between agility and innovation on one side, and security on the other, according to acting federal Chief Information Officer (CIO) Margie Graves.

Cybersecurity must envelop standardization, a well-trained work force, optimized contractual causes and a willingness to accept a certain amount of risk, Graves said during an afternoon fireside chat at AFCEA International's Defensive Cyber Operations Symposium (DCOS) in Baltimore this week.  

Modernization is the tool get to the end game-hopefully get there faster and more effectively, federal #CIO Margie Graves says #AFCEACyber

— Sandra Jontz (@jontz_signalmag) June 14, 2017

Discussions at the first two of the three-day symposium have floated around a handful of key topics that experts say will help define the future of cybersecurity initiatives. Those areas include software-defined networking, identity management, virtualization and the emerging new buzzwords “gray network.” 

“The gray network, as we think about it, is starting to become agnostic to the network itself, building this secure thread between the end user all the way to the data in whatever network you want to use, from the unclassified networks—the Internet—to any coalition network,” said Alfred Rivera, director of the Development and Business center for the Defense Information Services Agency, or DISA. “And it’s really focused on, ‘How do we start sharing information on a transport level that is agnostic?'” 

Some of Graves’ roles as acting federal CIO is to strategize federal information technology and invest in modernization, as well as drive transformational change—elements that present a number of challenges across the government, particularly with respect to modernization, she said.

At no time during her tenure with the government, which started shortly after the September 11, 2001, terrorist attacks, has she seen the elements needed to support moving forward in modernization line up so effectively, she said. She cited the Modernizing Government Technology act, which passed the House of Representatives in May and is on its way to the Senate. The bill would create a $500 million fund for federal rapid IT modernization. Additionally, the government is working to speed up acquisition processes and build a talented work force from which agencies can build capabilities.

Graves says: "I look forward to blue sky discussions we’re going to have on the art of the possible" #AFCEACyber

— Sandra Jontz (@jontz_signalmag) June 14, 2017

“Really, the end game is the effective delivery of mission in a secure manner,” Graves said. “Modernization is simply a tool that you use to get there; hopefully get there faster and more effectively,” Graves said.

Some of her priorities were set when the president signed in May a cybersecurity executive order (EO). Two important aspects of the order are the risk management plan driving agency project prioritization and ways agency leaders will use modernization techniques, she said. Some of the efforts are guided by the cybersecurity framework issued by the National Institute of Standards and Technology. Using the document, the government has emphasized the ability to accept and define risk, and to operate in an environment “where you actually are savvy enough and know enough to describe and articulate what risk you’re willing to accept,” she said. Modernization and risk management reports that will be sent to the president will outline “opportunities for modernization that will make sea changes, big changes … in the way we actually manage these types of capabilities.”

Several panel discussions during this year's symposium have touched on the sticky topic of information sharing—both between agencies and between the government and the private sector. “There are great opportunities for [agencies] to share information … but I also see the hindrance and concerns from a legal perspective,” Rivera said. “Why can’t we get analytic information or data from [system and organization controls]” that provide enhanced threat intelligence, he asked of Graves.

A short answer is a lack of optimized contractual clauses, she said. The government must get smarter about drafting jointly agreed upon clauses. “I’m talking about an open conversation with industry about what the most effective exchange would be … and jointly come to some conclusion that would center around some common clauses.” 

An additional cyber quagmire for the government centers on standardization—or the lack thereof—where communities of interest still try to do their own thing, Rivera said. “Is it OK to have multiple standards or multiple solutions?” 

If agencies can “find the common ground” they can always scale their individual needs from there, she answered.

The two experts' discussion of innovation, of course, also included suggestions for improving work force development and attracting talent for government service. Current hiring practices and vetting processes take too long to get talent into the federal government, Graves said. “They they can’t hang around that long.”

Graves: The arduous federal hiring & vetting process keeps many talented #cyber workers from wanting to serve #AFCEACyber

— Sandra Jontz (@jontz_signalmag) June 14, 2017

Graves floated the idea of drafting a blueprint based on how the National Guard and Reserves envelop members from the civilian sector for their military work. “There are ways to do that for the IT work force," she said.