Part I of this column described it as an opportune time for the Biden administration to make bold changes that can hasten agencies’ maturity in managing and leveraging IT. Six recommendations can help the Biden administration make those changes. I described the first three recommendations—Developing comprehensive, yet realistic, agency IT modernization plans; Improving agencies’ ability to manage IT programs and projects; and Addressing procurement timeliness and the use of strategic sourcing and category management—in Part I of this column. Here are the remaining three recommendations.
- Improving agencies’ cybersecurity posture – Cybersecurity breaches have become the most significant risk for many organizations, government agencies included, and across the federal government there remain significant areas of vulnerability. The Biden administration should ensure agencies use an enterprise cybersecurity risk management framework, so that protection effort is concentrated on their most sensitive data and critical systems rather than spread evenly across every system. The good news is that the National Institute of Standards and Technology (NIST) has already developed such a framework, the NIST Cybersecurity Framework (CSF), and President Donald Trump mandated its use by agencies in his 2017 executive order on cybersecurity. Agencies now need to adopt the CSF fully, throughout their enterprises.
The last of the CSF’s implementation steps is to carry out an action plan: a prioritized list of the steps an agency will take to protect its most critical assets and close its most significant cybersecurity gaps. Given the current environment, and particularly in light of the SolarWinds supply-chain compromise, the Office of Management and Budget (OMB) should insist that every agency use the CSF process to produce an updated action plan. Further, OMB should direct agencies to act immediately on their top five risks, even if that means diverting funds from other modernization or system development efforts. Protecting these most critical agency assets and addressing the crucial risks to them cannot be delayed any further.
As agencies work on their cybersecurity action plans and their IT modernization plans, they should be driving toward modern security architectures. Now is the time for federal agencies to implement a zero-trust security strategy. The legacy perimeter-based strategy has been overtaken by mobility and cloud computing: the users, devices and data it was meant to wall in now sit largely outside the wall. The core principle of zero trust is that network location no longer confers trust; every request is authenticated and authorized individually, based on the identity of the requester, the posture of the device and the sensitivity of the resource. Implemented properly, it is a proven 21st-century approach that provides better protection, and it can do so at lower cost than maintaining an ever-growing perimeter. The good news is that many agencies already have elements of zero trust deployed, including identity, credential, and access management (ICAM) solutions and continuous monitoring. Zero-trust architecture should be an integral part of every agency’s IT modernization plan.
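To make the architectural difference concrete, the following is an added, deliberately simplified illustration and not code from the column or from any agency program. It puts the two decision rules side by side: the perimeter model grants access on source address alone, while the zero-trust rule ignores address and judges each request on verified identity (assumed to come from an ICAM service), device posture (assumed to come from continuous monitoring) and the sensitivity of the asset requested. The network range, request fields and sample requests are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example: the address range the legacy model treats as "inside".
CORP_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Request:
    """One access request as seen by the policy decision point (assumed fields)."""
    user: str
    source_ip: str
    authenticated: bool      # identity verified by the ICAM service for this request
    mfa: bool                # phishing-resistant second factor presented
    device_compliant: bool   # endpoint passed the continuous-monitoring posture check
    resource: str
    sensitivity: str         # "low" or "high", from the agency's asset inventory


def perimeter_decision(req: Request) -> bool:
    """Legacy model: trust is granted by network location alone."""
    return ip_address(req.source_ip) in CORP_NET


def zero_trust_decision(req: Request) -> bool:
    """Zero-trust model: location carries no weight; each request is judged on
    identity, device posture and the sensitivity of what it asks for."""
    if not req.authenticated:
        return False                 # unknown principal, whatever its address
    if not req.device_compliant:
        return False                 # a non-compliant endpoint never reaches data
    if req.sensitivity == "high" and not req.mfa:
        return False                 # critical assets require the stronger factor
    return True


# Constructed sample requests.
REMOTE_WORKER = Request("alice", "203.0.113.7", True, True, True, "hr-records", "high")
INSIDE_ATTACKER = Request("", "10.20.30.40", False, False, False, "hr-records", "high")
INSIDE_NO_MFA = Request("bob", "10.1.2.3", True, False, True, "hr-records", "high")
INSIDE_LOW_VALUE = Request("bob", "10.1.2.3", True, False, True, "cafeteria-menu", "low")

SAMPLES = {
    "remote worker, MFA, compliant laptop": REMOTE_WORKER,
    "foothold on an internal host, no identity": INSIDE_ATTACKER,
    "on-site user, no MFA, sensitive record": INSIDE_NO_MFA,
    "on-site user, no MFA, public resource": INSIDE_LOW_VALUE,
}


def compare(req: Request) -> tuple:
    """Return (perimeter_allows, zero_trust_allows) for one request."""
    return perimeter_decision(req), zero_trust_decision(req)


if __name__ == "__main__":
    for label, req in SAMPLES.items():
        perim, zt = compare(req)
        print(f"{label:45} perimeter={'allow' if perim else 'deny':5} "
              f"zero-trust={'allow' if zt else 'deny'}")
```

The two cases worth noticing are the first two: the perimeter rule locks out the legitimate remote worker and waves through whoever has gained a foothold on an internal host, which is exactly the failure mode that mobility, cloud and an intrusion like SolarWinds expose. The zero-trust rule reverses both outcomes, and the sensitivity check ties the access decision back to the asset prioritization the CSF action plan produces.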
- Addressing the IT talent gap – Across the federal government, the number of workers over 60 years old is almost double the number under 30. We are not attracting enough younger talent to government, and the problem is particularly acute in technology disciplines. As a result, many agencies struggle even to oversee their technology contractors effectively, because they lack enough technical talent of their own. We need to make the federal government a more attractive place to start a career, or to enter mid-career. The Federal CIO, along with agency CIOs, should partner with the Office of Personnel Management and the federal Chief Human Capital Officers (CHCO) Council to find additional ways to attract and retain technologists in government. I entered government mid-career and was taken with the mission and scale of what I could do as a technical leader. Agencies must improve the marketing of these opportunities. Attracting the right talent is imperative to improving agencies’ ability to manage IT and drive modernization.
One tangible step that would make government more attractive to young professionals is to accelerate the excellent work already under way on learning and career paths for cybersecurity professionals, based on the work roles defined by the National Initiative for Cybersecurity Education (NICE), which is led by NIST. Agencies would be far better able to recruit and retain cybersecurity professionals if they offered well-defined learning and career paths and backed them up with a commitment to develop those individuals into experts in the various cybersecurity specialties.
- Improving alignment across the administration and with Congress – Agencies carry significant, and in some cases duplicative, reporting burdens, particularly from OMB. The new administration should lower that burden and focus agency reporting on the aspects that matter most to improving IT management and modernization capabilities. In cybersecurity, for example, FISMA reporting remains burdensome, and many of those responsible for completing the system authorization (authority to operate, or ATO) paperwork that FISMA compliance drives question its value. FISMA reporting should not be eliminated, but it should be integrated with the NIST CSF process and significantly streamlined, so that the risk assessment an agency performs for its action plan and the evidence it submits to OMB are one body of work rather than two.
The administration should also work with Congress to evolve the FITARA scorecard, so that what agencies report to OMB is the same information Congress uses to determine an agency’s grade. Aligning the administration’s IT priorities with how Congress grades agencies would accelerate the adoption of IT management best practices across the federal government.
Unified, committed leadership is the key to improving agencies’ ability to manage and leverage IT to improve operational performance. Certainly we need capable agency CIOs, but just as important is the commitment of the Biden administration, at the most senior levels of OMB and across agency leadership, to champion these recommendations. If IT is to be a true strategic asset that helps agencies improve their performance, there are no shortcuts. The new administration has to take on the hard work of maturing IT management at the agency level, with the support of agency leadership.
Richard A. Spires is currently an independent consultant. Previously, he served as the CIO of the IRS and as the CIO of the Department of Homeland Security (DHS). While at DHS, he served as the vice-chairman of the Federal CIO Council.