The leadership throughout the federal government is aware of the need to modernize the federal government’s networks. Outdated legacy systems contribute to security risks, increased costs and inability to complete the mission, much of which became more visible during the COVID pandemic. The Office of Accountability of the Government Estimates That 80% of the $ 90 billion spent in fiscal year 2019 was used to operate and maintain existing or outdated systems
There are impressive personalities in the Department of Homeland Security and throughout the federal government who are doing the modernization and securing the networks and systems. It is necessary to invest money in these efforts. Real progress in modernization requires resources. A government-wide program called the Technology Modernization Fund (TMF), approved by the Modernizing Government Act of 2017, is part of that solution. The TMF received $ 150 million in the first three years and made competitive grants in the form of a loan to the agencies to shut down and replace legacy systems. The expected future cost savings would be used for the repayment.
Customs and border protection within the DHS is one of the 11 government-wide projects that have been successful with the TMF. CBP received $ 15 million last June. In March 2021, CBP spent $ 9.5 million to quickly modernize its outdated trade collection system, which collects more than $ 80 billion in revenue for the government.
Modernization brings savings. In our experience, the forecast savings cannot be guaranteed. In the private sector, modernization has clear goals and incentives that align the interests of company managers. Private sector companies are more agile and can invest and scale faster. The public sector is characterized by long planning cycles, complicated procurement processes and complex organizational incentives. Capturing some or all of the projected savings from a public sector modernization project has its limits.
In addition to providing an additional $ 1 billion in funding for TMF, the American Rescue Plan recognized that there are different risk repayments associated with each project. The TMF now allows different repayment options – full, partial, and minimal – based on risk to generate savings and address urgent cybersecurity and modernization challenges. This is a very important change. While we were in government, the risk of not realizing any savings was an obstacle to applying for TMF.
The recent revisions to the TMF are urgently needed and will make a difference. Further improvements need to be made to improve cybersecurity and modernize the federal government’s information systems.
Firstly, we propose increasing the total funding of information systems agencies by two to three percent annually in order to accelerate the transition of contaminated sites. When a project receives TMF funding, it does not include any year-end funding for further modernization. IT and cybersecurity are not static. What is modern and safe today will not be in three or more years. Future funding could then continue to ramp up to support continued modernization, or the agency may have to deal with the legacy again. For DHS, that would efficiently cost more than $ 200 million a year to get modernization plans implemented much sooner.
Second, the Federal Information Security Modernization Act (FISMA) annual report to Congress should document the agencies’ progress in modernizing and decommissioning contaminated sites. The government cannot improve what it does not measure. But the right metrics need to be put in place. For example, the implementation of either a recapitalization rate metric that compares the recapitalization funding to the recapitalizable information system value or a maintenance rate metric that compares the maintenance funding to the modernization needs of the information system can be used to measure and track the modernization.
Third, the Federal IT Acquisition Reform Act (FITARA) requires all CIOs in an agency to report to the secretary or assistant secretary of their department or agency. Based on the latest FITARA scorecard 2020 Published by the House of Representatives Government Operations Committee, a third of the required agencies, including the DHS, are not fully compliant. No one is in a better position to inform the secretary of risks and the implications for the mission when that risk is recognized. IT is particularly complicated in a large government company. Bringing a non-expert up to date can lead to watered-down explanations or errors. The corollary of this is that CIOs need to describe risks clearly and concisely. By communicating the probability of occurrence and the effects to the mission together with the cascading consequences of malfunctions, the department or agency management can better understand the overall risk assessment and all risk reduction measures. In DHS, with an IT budget of over 7 billion US dollars, spread across all 22 components, the clear direction was decisive.
The recent actions of the Biden government are positive and recent initiatives indicate an increased focus on cyber and modernization. Improvements to the information system can be a value driver for the government, not only in protecting data, but also in providing improved quality of service and the fulfillment of the mission. Increasing funding, measuring progress and reporting structure are areas that we believe require additional focus to complement the work of the Biden administration and provide timely protection and security to the federal systems.
John Zangardi is the former Chief Information Officer with the Homeland Security Department, Acting Chief Information Officer with the Department of Defense, and Chief Information Officer with the Department of Navy. Today he is President of Redhorse Corporation and an active board member and advisor to several cybersecurity companies.
Troy Edgar is the former Department of Homeland Security Chief Financial Officer and Assistant Undersecretary of State for the Department of Homeland Security. Today he is Executive Chairman of Global Conductor.