Open jkraden-gsa opened 7 years ago
[Inlining attached PDF comment.]
Adobe Comments—2017 Report to the President on Federal IT Modernization September 19, 2017
Thank you for the opportunity to provide comments in response to the draft of Report to the President on Federal IT Modernization. We appreciate the report’s focus on cybersecurity through increased data-level protection, an area that has been highlighted recently following high-profile government data breaches. We also wish to stress the importance of the Continuous Diagnostics and Mitigation (CDM) program, encouraging this administration to continue its commitment to CDM and accelerate implementation of phase 4 capabilities to protect data on federal networks. Lastly, we are pleased to see this report’s focus on IT modernization, particularly as it relates to leveraging proven commercial solutions and the cloud for greater efficiency and effectiveness of government citizen services. We look forward to working with you as the policies discussed in the report are implemented.
Accelerate Data-Level Protection Programs and Capabilities
We applaud the report’s focus on a “layered defensive strategy” and “increasing emphasis on application and data-level protections” to protect high-value assets (HVAs) and sensitive information. In today’s complex cybersecurity environment, organizations must take a multi-layered approach to information protection, evolving beyond container and transmission-based encryption down to data- or document-level encryption. By protecting the native file format, data remains encrypted wherever it travels or is stored, which is especially important where personally identifiable information (PII) and national security information are concerned.
When it comes to PII, protected health information (PHI), intellectual property (IP), national security information, or related critical government data, the threat to documents is persistent, imminent, and evolving. While no one technology is a silver bullet, certain data-centric security controls add significant value to improving the USG’s cybersecurity posture.
These foundational capabilities are backed up by a number of current and former information security recommendations and federal policies, including the most recent revision of OMB Circular No. A-130, Managing Information as a Strategic Resource [1], and the December 2013 Report and Recommendations of The President’s Review Group on Intelligence and Communications Technologies, Liberty and Security in a Changing World [2]. Recommendation 45 of the report states, “The US Government should fund the development of, procure, and widely use on classified networks improved Digital Rights Management (DRM) software to control the dissemination of classified data in a way that provides greater restrictions on access and use, as well as an audit trail of such use.” We offer the following recommendations related to data-level security:
Recommendation: In Appendix A: Data-Level Protections and Modernization of Federal IT, Foundational Capabilities of the report draft, we recommend adding the following data-level protection capabilities and controls to persistently protect HVAs:
• Digital Rights Management (DRM)—Encrypt sensitive data/documents and high-value digital assets to persistently and dynamically protect them, independent of storage or transport. DRM provides persistent data-level protection, establishes critical data permissions, and audits and authenticates user information to prevent unauthorized use or dissemination of digital assets.
• Attribute-Based Access Control (ABAC)—Enforce granular access to portions of sensitive documents dynamically, based on user and informational asset security attributes. NIST SP 1800-3a [3] defines ABAC as follows: “Attribute based access control (ABAC) is an advanced method for managing access rights for people and systems connecting to networks and assets. Its dynamic capabilities offer greater efficiency, flexibility, scalability and security than traditional access control methods, without burdening administrators or users. In fact, Gartner recently predicted that ‘by 2020, 70% of enterprises will use attribute-based access control … as the dominant mechanism to protect critical assets, up from less than 5% today.’” [4]
• Digital Signatures—Thwart fraudulent document attacks with automated integrity and authenticity checks on sensitive documents and HVAs. NIST FIPS 186-4 [5] defines digital signatures as follows: “Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. In addition, the recipient of signed data can use a digital signature as evidence in demonstrating to a third party that the signature was, in fact, generated by the claimed signatory. This is known as non-repudiation, since the signatory cannot easily repudiate the signature at a later time.”
Continuous Diagnostics & Mitigation (CDM)
We are encouraged by this report’s focus on expediting the modernization and adoption of the CDM program to identify, detect, and respond to threats throughout the federal enterprise. The CDM program is critical to ensuring enhanced cybersecurity for federal departments and agencies, while providing innovative capabilities and tools that identify cybersecurity risks on an ongoing basis, prioritize these risks based upon potential impacts, and direct cyber mitigation to the most significant problems first. While significant progress has been made with respect to the deployment of CDM phases 1-3, we are concerned by the delays to implement phase 4 for protecting data on the network. Considering the numerous data breaches experienced by the federal government in recent years, it is critical for DHS and federal agencies to begin implementing CDM phase 4 as soon as possible to ensure the protection of sensitive and high-value information.
Recommendation: We are aware that the department is focused on full implementation of CDM phases 2 & 3. But we believe it should be deploying CDM phase 4 (data-level protection) simultaneously to improve our government’s cybersecurity posture. We recommend that OMB, GSA, and DHS set a firm acquisition timeline (end of FY2018) for full implementation of phase 4 requirements (digital rights management, data masking, micro-segmentation, enhanced encryption, and mobile device management) for all 70 civilian agencies and the 23 CFO Act agencies utilizing CDM.
Data-Level Protection Shared Service Program
Security practitioners all agree that an “assume-the-breach” posture provides better security, by forcing organizations to consider not only protection, but also detection and response. According to the report draft, “The preponderance of efforts to protect Federal IT systems to date have been focused at the network level.” As you noted, this led to limited connections and access points, which negatively impacted performance while creating barriers to commercial technology. We believe a new frame of reference—assume-the-leak—is required. This subtle shift places more emphasis on the data and less on the network, which in turn provides powerful detection and response capabilities for potentially leaked data. More importantly, these capabilities can be provided by shared service programs, which do not need access to the data in question. Instead, these services provide organizations with the ability to protect, audit, and control sensitive information, regardless of where it resides. Crucially, this approach enables better performance by opening up new lines of communication and collaboration, while providing more robust security.
Recommendation: Following guidance laid out by the Office of Management & Budget’s M-16-04: Cybersecurity Strategy & Implementation Plan (CSIP) for Federal Civilian Agencies [6], we recommend that OMB, in coordination with GSA, DHS and DoD, stand up a digital rights management (DRM) shared service capability to “enable a systematic approach to data-level protection across the Federal Government and help prevent unauthorized review, redistribution, and modification of sensitive Government information.”
Leverage Commercial Solutions to Improve Citizen Services and Customer Experience
At the outset of the Report to the President on Federal IT Modernization, a bold statement is made. “It is imperative for the Federal Government to leverage innovations to provide better service for its citizens in the most cost-effective and secure manner. This Administration… has committed to help agencies better leverage American innovations through increased use of commercial technology.”
The trouble with this assertion is that the remainder of the report fails to make mention of any improvement to citizen services. On balance, the report’s recommendations include networks, security controls, and improved contracting. But these are tactics on a road toward digital modernization strategy. In contrast, a strategic focus for improving government begins with tackling the citizen and government customer experience. Ensuring a concurrent focus—or equally prioritized emphasis—on modern digital experiences achieves an even greater outcome of reduced operating costs, increased performance, and better advocacy from the electorate, as well as the hardworking personnel who execute the business of government.
One of the administration’s stated goals is to give federal customers the same [digital] experiences that they have in the private sector [7]. However, despite increased efforts by many government agencies, federal customers indicate that their online and mobile experiences with government remain overwhelmingly weak and uneven compared with the private sector [8]. This equates to 80% of federal agencies scoring lowest in two categories of the Forrester Customer Experience (CX) Index, faring worse than much-more-costly-to-operate physical channels like offices and call centers.
To remain relevant, government must rethink its digital modernization by understanding the entire citizen/audience journey—both inside and outside of government—and focusing on the positive experience government can deliver. Government also has a great responsibility to earn and protect the trust of the citizenry by protecting against compromise of content. Setting a priority on delivering a modern and secure digital experience will ultimately lead to cost savings, immensely improved operating performance, and a future-proof/compliant method of keeping pace with citizen expectations.
To make positive change in citizen/government digital experiences, begin with rethinking the business of government and focusing on the following:
• Digitize manual and/or paper-based processes from end to end. This reduces time spent on administrative tasks like data entry and offers expanded self-service options that will increase citizens’ use of services at a lower cost. Automation could save 96.7 million federal hours annually, with a potential savings of $3.3 billion [9].
• Implement data management and advanced analytics capabilities for a more precise understanding of citizens and employees across online and offline channels, as well as lines of business like Health & Human Services, the VA, Immigration, and Defense.
• Modernize and re-platform core/legacy systems to become more agile and integrated—with the ability to provide near-real-time data.
• Empower cloud computing to extend into other core functions like personnel onboarding (adding the thousands of needed agents for CBP or doctors for the VA), citizen services (like HHS, CDC, and FEMA), program enrollment, service delivery, citizen engagement, and automated processing.
• Reduce call center transactions, potentially saving taxpayers millions in operating costs. Manual call center transactions are estimated to cost roughly $17 each, whereas digital transactions cost approximately forty cents each. The potential to drastically reduce government cost is immense when the per-transaction savings are multiplied by millions of interactions. (The VA seeks to close many of its 1900 call centers. Internationally, the Australian Department of Human Services is in the process of assessing how to close all call centers and transform online transactions to reduce nationwide service costs.)
• Increase the probability of compliance with programs (by business and citizens).
• Combine/collapse outdated digital experience platforms, saving millions in unnecessary database licenses, hardware overhead, and service management hours.
• Streamline content delivery with personalization to provide relevant, dynamic content and information with speed and accuracy.
• Digitize the thousands of paper-driven forms and workflow processes that are ubiquitous in the federal government to reduce paperwork and create adaptive online forms that can be completed across devices. From filing taxes to paying parking tickets and renewing driver’s licenses, forms are an integral part of the government’s interactions with citizens. 62% of citizens would feel more positively toward government if online tools were improved [10]. At the same time, 53% of government employees stated they have trouble getting all of their work done due to excessive paperwork burdens. State governments have already started to acknowledge and implement the benefits of automating paper-based forms, saving tens of millions of dollars annually.
Recommendation: We encourage the administration to promote a 21st-century digital government by proposing and implementing guidance that would require agencies to modernize their digital experiences and how they interact with citizens through the development of modern, mobile-friendly websites, increased digitization of forms, enhanced use of electronic signatures and electronic transactions, and the leveraging of proven commercial technologies. These actions would significantly increase the efficiency and effectiveness of the federal government.
Platform as a Service (PaaS)
Recommendation: We recommend inserting a section on page 19 of the report draft under “1. Enable the Use of Commercial Cloud Services and Infrastructure” between the Software as a Service (SaaS) section and the Infrastructure as a Service (IaaS) section. The new section would be entitled “Bring Government to the Cloud: Vendor-owned and -operated servers and applications — Platform as a Service (PaaS)” and include the following text:
PaaS is the ubiquitous public cloud model used by the vast majority of private sector cloud providers and many Federal agencies. This model offers a foundation set of components that can be readily assembled and/or extended to offer mission-specific, government business applications.
Government agencies currently use Platform as a Service models for a wide variety of applications involving web content management, electronic forms, mobile applications, collaboration, and eLearning.
These services must meet NIST essential characteristics for security and are typically accessed through secure connections over the Internet.
Many agencies have already fully embraced these vendor-managed, FedRAMP authorized cloud services offerings (CSOs) and, depending on the agency, may have built dozens of business applications on top of these shared services at a platform level. It is important for the rest of government to migrate from legacy offerings and take advantage of the increased productivity and innovation that these preapproved platform services offer.
[1] Managing Information as a Strategic Resource, OMB Circular No. A-130, Appendix I: Responsibilities for Protecting and Managing Federal Information Resources, https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf
[2] Liberty and Security in a Changing World, Report and Recommendations of The President’s Review Group on Intelligence and Communications Technologies, December 12, 2013, https://obamawhitehouse.archives.gov/sites/default/files/docs/2013-12-12_rg_final_report.pdf
[3] NIST SP 1800-3a Executive Summary: https://nccoe.nist.gov/publication/draft/1800-3a/#t=ExecutiveSummary.htm
[4] Market Trends: Cloud-Based Security Services Market, Worldwide, 2014, https://www.gartner.com/doc/2607617 [accessed August 21, 2015].
[5] Digital Signature Standard (DSS), NIST Federal Information Processing Standards Publication (FIPS PUB) 186-4, July 2013, http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
[6] OMB M-16-04: Cybersecurity Strategy & Implementation Plan (CSIP) for Federal Civilian Agencies (October 30, 2015) - https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2016/m-16-04.pdf
[7] “Office Of American Innovation Targets Federal Customer Service,” Frank Konkel, Nextgov, July 12, 2017, http://www.nextgov.com/cio-briefing/2017/07/office-american-innovation-targets-federal-customerservice/139378/?oref=ng-relatedstories
[8] “The US Federal Customer Experience Index, 2017” Forrester, Sep 6, 2017, https://www.forrester.com/report/The+US+Federal+Customer+Experience+Index+2017/-/E-RES135984
[9] “AI-augmented government,” William D. Eggers, David Schatsky, Dr. Peter Viechnicki, Deloitte University Press, April 26, 2017, https://dupress.deloitte.com/dup-us-en/focus/cognitive-technologies/artificial-intelligence-government.html#four-automation-choices
[10] “Introducing Adobe’s Digital Government Survey,” Jacob Rosen, Adobe Public Sector Blog, October 21, 2015, https://blogs.adobe.com/adobeingovernment/introducing-adobes-digital-government-survey/
To Whom it May Concern,
Please see Adobe’s comments to the 2017 Report to the President on Federal IT Modernization.
Thanks for considering.
V/r,
Matt
Matt Schrader
Director, Government Relations & Public Policy
Adobe Systems
Adobe Comments to Federal IT Modernization Report to the President.FINAL.9.19.17 (1).pdf