
Report to the President on IT Modernization
https://itmodernization.cio.gov

Comment from email: Response to Report to the President on Federal IT Modernization #65

Open konklone opened 6 years ago

konklone commented 6 years ago

Deloitte is pleased to submit our comments on the American Technology Council’s Report to the President on Federal IT Modernization. These comments are submitted per your request as published with the draft report. Deloitte is a leading technology services partner for both the Federal government and significant commercial and Fortune 500 companies around the world. We are eager to continue to work closely with the ATC to deliver a strategy that embraces innovation as we together modernize the federal government in support of the American people.

We look forward to further conversations and opportunities to contribute. Please feel free to contact me at nishitahenry@deloitte.com or (703) 623-6823. Thank you, Nishita

Nishita Doshi Henry, Principal | Deloitte Digital

Attachment: IT Modernization Deloitte Comment_FINAL 09202017.pdf

konklone commented 6 years ago

[Inlining a best-effort version of the attached comment below. If there were links in the original, they are not maintained in the below version. Download the original attachment in the issue above to see the original comment.]


September 20, 2017

Mr. Christopher Liddell
Director, American Technology Council
The White House
Washington, DC 20500

Dear Mr. Liddell:

Thank you for the opportunity to provide our perspective on the draft report to the President. We applaud the American Technology Council’s work to accelerate federal agency cloud adoption and IT modernization and strongly believe that close cooperation between the government and industry is a critical factor in achieving the transformation sought by the administration.

The federal government has a tremendous opportunity to make substantive progress in improving mission outcomes through the more effective use of new technology and industry leading practices. The time is right to mandate bold actions and outcomes. We are encouraged by the emphasis placed on moving to a risk-based approach to security with the goal of effectively managing risks. It is also encouraging that the report recognizes the need to move to security around data and other efforts that will help accelerate, rather than impede, migration to the cloud. We believe that the incorporation of additional bold actions and more aggressive timelines for agencies will significantly accelerate modernization efforts and deliver more effective mission results for the federal government.

Question 1: What are major attributes that are missing from the targeted vision?

More aggressive implementation schedules should be included in this report

It has been almost seven years since the federal government’s “Cloud First” policy and surveys show that only 5 percent of federal technology leaders feel that their agencies have made enough progress moving to the cloud. Many of the concepts included in the report around cloud adoption and security are well understood. There is an opportunity for the report to be more aggressive in demanding near-term implementations by federal agencies and then monitoring results, in addition to proposing plans, roadmaps and additional data calls.

The administration should set expectations for far more cloud migrations in the next 1-2 years than currently proposed in the report. The report should also help address agency-unique decisions that slow down adoption of commercial cloud solutions by demanding greater reciprocity between federal agencies and the reliance on security determinations/assessments already conducted by other agencies as a means to further accelerate the adoption of proven commercial solutions.

Aging legacy core is absorbing valuable resources for innovation

Network and cloud-based hosting are important considerations worthy of the attention of agency CIOs, but they also should not lose sight of the aging core of their business: applications. There are thousands of critical business processes across the government that still rely on legacy technologies, which is problematic not only because older technology presents cybersecurity risk, but also because older technology creates innovation risk. By continuing to use legacy technology, the government is forgoing opportunities to capitalize on innovations pioneered in the private sector. The Federal government has embraced commercial approaches such as ERP, advanced analytics, and agile development. These have all significantly changed the course of IT in government, but in many cases the focus has been on a sub-set of back-office and non-mission-critical systems. The government has not been able to take advantage of more recent and rapid innovations in artificial intelligence, natural language processing and machine learning. Bringing all of these innovations to the forefront of enabling the core government mission is critical, with a focus on serving the citizens as customers to meet the mission with greater efficiency and effectiveness.

The nation’s most critical mission applications, those that issue checks to senior citizens, collect revenue from citizens and manage health care for veterans, remain stalled in embracing innovation. IT managers have considered change but see risk as immitigable, budget unattainable and desirable personnel “un-hirable” when it comes to modernizing core government functions. The report should redouble focus on High Value Asset (HVA) modernization, which will require more than rethinking network architecture and acquisition strategy. To deliver more value to citizens, the administration should mandate that agencies employ a wider variety of tactics to modernize critical applications as soon as possible. These plans should be focused on leaving behind legacy technologies as quickly as possible through methods such as application refactoring. Then there should be a focus on prioritizing other modernizations, including those to reduce technical debt, increase efficiency and improve citizen services.

Recipes for success may vary, but the menu of options is larger than currently represented in the report

Federal agencies face a wide range of IT modernization opportunities, and depending on their specific circumstances, their next priority may vary. For example, agencies may choose on an application-level basis to transition to the cloud, refactor legacy COBOL and NATURAL code to move off of a mainframe, shift to COTS, introduce robotic process automation, use micro-services to create a shared service application, move to a capability-as-a-service model, or retire the legacy application altogether. Agencies can employ a wide variety of tactics and innovations to modernize mission critical applications.

Each mission application has its own set of legacy business rules and processes that may need to be harvested in order to advance the technical core of an application. The government should ask, for example, how machine learning can offer better predictive service in citizen services or how process robotics could present efficiencies in currently non-automated processes. Indeed, not every legacy system needs to be replaced, and while accelerating cloud migration is an important goal, additional IT modernization work should also be mandated to ensure that agencies proactively decide what systems to sunset, what to stabilize leveraging current investments and what to replace. The draft report will be significantly enhanced with the incorporation of these additional IT modernization efforts. The administration can be more direct about the timeline and tactics utilized to advance the cause of modernization. From adapting legacy applications onto new platforms, or implementation of cloud based software solutions, specificity and tactics aligned with the administration vision are vital to drive rapid adoption of innovation.

Acquisition strategies need to adapt to reflect the realities of the technology market

While the report correctly notes that independent buying habits have “contributed to a fractured IT landscape,” the report could go further than just advocating for more agencies to use the EIS contract. While more usage of an existing vehicle like EIS will reduce the number of independent contracting actions, without alignment of effort, independent agency use of a single contract vehicle can still result in disparate implementations and outcomes. It will be important to demand improved acquisition outcomes and direct agencies to make better use of commercial leading practices and innovative contracting approaches, rather than just reducing the number of contracts. The report would be enhanced if it specifically addressed a number of contracting behaviors that currently stifle innovation and access to commercial best practices/solutions. Specifically, the report should advocate for:

• Greater reliance on commercial contracting, managed services and performance-based contracts
• Reduced usage of contracting approaches that stifle the adoption of new ideas (i.e. transition away from “Lowest Price Technically Acceptable” contracts)
• Increased innovation in contracting, valuing alternative approaches, streamlining and tailoring the acquisition approach and moving more aggressively towards consumption-based buying
• Agile contract methods and tools that allow the government to continuously re-evaluate solutions and offerings being delivered and available in the marketplace

Defining return on investment and making optimal use of limited resources

The current draft does not tie recommendations to measurable business objectives. The report should propose a framework for consistently measuring return on investment (ROI), which will help CIOs articulate resource needs in terms that resonate with agency CFOs, OMB and congressional appropriators.

Additionally, the importance of change management for IT professionals cannot be overstated. Even technically sound IT implementations are rarely successful without a robust focus on end users. The administration is seeking a paradigm shift in the way agencies approach their systems, both in architecture and in ownership. Adoption of new approaches will be encouraged by investing resources, budget, time and training to help propel IT managers through this change.

To achieve the outcomes the administration desires, the right environmental conditions must exist from a workforce, acquisition and budget perspective.

Consider all threat types

The attributes listed in the draft report are related to technical controls. Process and people controls should also be considered to include insider threat (as discussed in the “network modernization & consolidation” section) and third-party risk management (especially with the push to move to shared services) as threats will remain regardless of how well you secure your applications, infrastructure, etc. A full consideration and examination of all threat types will allow the government to better address security concerns and also allow for greater ownership of security across the enterprise, with a full consideration of the human and technical assets that assure security.

Question 2: What are major attributes that should not be included in the targeted vision?

Executive Summary: Resourcing Federal Network IT Modernization

We recommend that you remove or revise the sentence on Page 4 of the Executive Summary, “Agencies should consider immediately pausing or halting upcoming procurement actions that further develop or enhance legacy IT systems identified that need modernization.” It would be more helpful to demand specific legacy modernization plans with near-term actions from each agency rather than putting a broad moratorium on all legacy improvement efforts. As discussed earlier, there will be cases where agency modernization efforts are greatly accelerated by the near-term investment in legacy improvements (such as refactoring and/or micro-services), as well as cases where stabilization is required or new legislative/regulatory requirements must be addressed in the near-term.

In the section Future State & Objectives (Page 18): “The Federal Government must embrace the broader use of cloud services while working to develop cloud products that meet Federal cybersecurity standards.”

The government should evaluate CSPs’ and SaaS providers’ security implementations prior to any acquisition to prevent unknown threats from the use of commercially provided services. Advocating adoption without having the minimal Federal cybersecurity standards in place increases unforeseen risk to the government. The government should consider expanding the approved industry products / partners, similar to what has successfully been used for EaaS adoption via a GSA schedule / BPA, to allow agencies of all sizes to similarly acquire other cloud services without having the in-house expertise to solicit, evaluate and procure secure software services.

Prioritize the modernization of High-Risk High Value Assets (HVAs)

The document indicates OMB will also work with DHS to refocus these assessments to concentrate on hands-on technical engineering interventions, de-emphasizing the review of system documentation and policies. However, we recommend that the update and management of system documentation and policies should NOT be de-emphasized; rather, it should be the opposite, as hands-on technical interventions can pose a risk if the entity does not have proper background on a system. Ongoing review and updates to documentation/policies should in fact be further emphasized; however, the mechanism can be updated to move away from traditional and labor-intensive documentation to more operational and consolidated documentation. This can be done via working groups and sessions, which will also act as an opportunity to bring all stakeholders up to speed and share potential impacts.

Question 3: Are there any missing or extraneous tasks in the plan for implementing network modernization & consolidation?

Modernize the Trusted Internet Connections (TIC) and National Cybersecurity Protection System (NCPS) Program to enable secure Cloud migrations

The many benefits of cloud adoption are well documented, and because of this we advocate for even more aggressive cloud migration timelines by federal agencies. That said, ATC should consider including in its report an even greater emphasis on the importance of security in the cloud and, in particular, for the network interconnections with their CSPs. Most CSPs, including those that have successfully completed FedRAMP certification, state that they do not address many of the Federal security requirements, including those related to data at rest and in transit. Therefore, the responsibility falls to the federal community to ensure their data and interconnections with CSPs are adequately protected. This causes hesitation to migrate to the cloud because agencies are not sure how to address these gaps. New and emerging technologies like Next Generation Wide Area Network and Next Generation Software Defined (SD) WAN are just some examples of solutions that can help federal agencies bridge this gap in network security as they move to the cloud.

Consolidate and define best practices for advanced network management and operations

In an effort to modernize, streamline and secure critical federal network infrastructure, agencies should look to replace standard overlays (i.e. hardware-based firewalls with extensive routing tables, configurations, etc.) with more secure, scalable and agile end-to-end solutions. For example, virtual networking lessens operational cost, provides additional security measures, and reduces infrastructure overhead. Partnering with vendors that are implementing software-based IP/session-based network components and utilizing software-defined networks (SDN) is an area that can further enable network modernization and consolidation. These virtualized models utilize a central controller that contains the rules and information for how to route traffic from one point to another. End-point network devices (i.e. switches) communicate with the controller to determine how to route traffic, which eliminates the need for individual device configuration. This allows for end-to-end session-based control, increased operational visibility, and lower overall costs.

This approach is dramatically simpler to manage, resulting in lower costs to build and operate, increased security, and reduced overall bandwidth consumption.

Question 4: Are there any missing or extraneous tasks in the plan for implementing shared services to enable future network architectures?

Consider implementation of other shared services that may be available in the Cloud

In considering the different deployment and security models to bring Government to the cloud, one potential opportunity for improved efficiency would be the establishment of a shared-service Cloud Security Operations Center (SOC) within the government. The SOC would receive and analyze security logging feeds across agencies to provide a government-wide view into cloud application usage and threat attempts, and report back on vulnerabilities. The availability of Security Information and Event Management (SIEM) tools that read from a broad base of data sources would allow each agency to continue using the security tools, technologies, and capabilities that are appropriate for their respective missions. The government-to-government nature of the SOC may also ease any considerations about the sharing of logging data, and a government SOC would be better able to keep pace with the offerings and security requirements of new offerings from the commercial cloud service providers. Finally, it would create a shared body of knowledge about real-time threats against government entities.

The various approaches to security design and application deployment listed in Appendices B and C of the report apply to cloud-based applications that are deployed using a public deployment model with commercial cloud service providers. With respect to the challenges stated around solving the "Network Trombone" problem, the report could go further to promote research and development of cloud-based EINSTEIN sensors and push for the creation of a government reference architecture for deploying TIC capabilities in the cloud. Several federal agencies have already successfully extended their on-premises data center capabilities by integrating commercial cloud service provider infrastructure with existing enterprise IT capability and accrediting the new capability as a General Support System (GSS). The GSS approach has obvious benefits, particularly in accelerating application ATO through control inheritance and the integration with existing systems management, core services, and data. Adding cloud-based TICs to existing general support systems would help protect those agencies' investments and ease adoption of mobile application deployment.

Question 5: What is the feasibility of the proposed acquisition pilot?

The report correctly notes the advantages of enterprise licensing agreements, but the report could go further in accelerating and mandating this behavior, rather than just suggesting a pilot effort. The federal government has had many successes in past licensing efforts, including both the DoD Enterprise Software Initiative (ESI) and the GSA Smart Buy effort. Given this success, the government should fast track additional licensing efforts. Both companies and federal agencies must be equally committed to the use of these agreements. The government must also ensure that licensing agreements, once negotiated, are mandated for use so that companies can gain expected revenue from the agreement. As currently worded, the report demands more commitment from industry than from the government to undertake the pilot and then use the resulting agreement. In addition, the subject of the pilot -- enterprise email -- is well understood and already in place or in progress at a number of agencies. It should be straightforward to work through a licensing agreement for email and then rapidly move on to other capabilities/software that are good candidates for enterprise agreements.

We look forward to continued opportunities to work with the administration. Our long track record of delivering technical innovation to Fortune 500 clients as well as the Cabinet-level departments and agencies across the Federal government provides us a unique perspective we are very interested in sharing. IT modernization should live the promise of increasing capability to more effectively and efficiently meet the needs of our government and its citizens. Through a strong partnership with industry and a focus on substantive engagement, we believe the administration is well down the path of serving the American people on this topic.

Sincerely,

Dan Helfrich
Federal Practice Leader
Deloitte Consulting LLP

Nishita Henry
Federal Technology Practice Leader
Deloitte Consulting LLP