When Rep. Will Hurd (R-Texas) opened the House Oversight and Government Reform Subcommittee on IT’s hearing about the State of Federal IT last Wednesday, he focused on not losing momentum that built up over the last few years.
From the Office of Management and Budget’s IT modernization strategy to the CIO Council’s State of Federal IT report to Congress passing the Modernizing Government Technology (MGT) Act as part of the Defense authorization bill , agencies have tools and data to continue to swing the pendulum away from unsecured legacy technologies.
In fact, Hurd and OMB Deputy Director for Management Margaret Weichert, who testified at the hearing, both remain optimistic that Congress will fund the Technology Modernization Fund (TMF) for fiscal 2018.
“We have had conversations [with appropriators]. It will get populated. We still are having conversations on where that going to be. I feel pretty good we will have something there,” Hurd said.
Weichert said during the hearing that the administration is hopeful that the appropriators will fund the TMF.
The Trump administration requested $228 million for the TMF in 2018 and another $210 million for 2019. OMB recently released details and a memo about how agencies can apply for those funds, should they eventually get approved by lawmakers, and the board overseeing the fund held its first meeting.
At the same time, Hurd’s concerns go beyond the actions of the appropriators. One of the biggest concerns for the chairman of the subcommittee — and one of the most active members in the House when it comes to IT and cybersecurity — is the continued high number of open recommendations from the Government Accountability Office.
And it’s that issue that will turn up the pressure on CIOs and other IT executives for 2018 and beyond.
So with that in mind, here are three reasons why CIOs will feel more IT heat in 2018:
One of the most interesting things about hearings is when the Government Accountability Office offers a preview of its ongoing work. And it looks as if David Powner, the director of IT management issues at GAO, and his staff will be extra busy this year.
Powner offered insights into at least three major efforts around IT modernization.
One of the most interesting ones is reviewing why some of the most critical and largest IT programs, such as the Federal Aviation Administration’s Next Generation Air Traffic Control System or the IRS’s CADE 2 effort, continue to struggle.
“We have a review underway where we are identifying and profiling these most critical acquisitions,” he said. “The reason these acquisitions need OMB’s attention is because these agencies left alone haven’t managed them well. The administration’s attention to Veterans Affairs’ electronic health record solution is spot on. We just need more of this.”
History has shown when OMB gets involved in a program, the chances for success are much higher — think of the post-data breach cyber sprint or the Healthcare.gov website.
OMB’s push for TechStat and then PortfolioStat under the Obama administration was in part an answer to these ongoing problematic IT projects.
It’s unclear how the Trump administration is conducting its program and project oversight efforts, but GAO’s review will, once again, make it clear the White House’s attention is required.
A second ongoing review will identify and profile the systems across government that are 30, 40, 50 years old or older.
“The nation’s most mission critical legacy systems that are costly to maintain and post significant cyber risks due to unsupported software need to be replaced with modern, secure technologies and ultimately decommissioned,” Powner said. “OMB needs to have an active role here to ensure these old systems like VA’s VISTa system and IRS’s individual master file have plans to replace and decommission. The administration’s recent modernization strategy was solid on network modernization, shared services and cyber, but light on tackling these most challenging modernization efforts.”
Additionally, GAO says CIOs with short tenures don’t always tackle these legacy systems, which is why OMB’s attention to them is so critical.
GAO did similar work in 2016 for the full committee, finding, for example, The IRS runs two systems in use that are 56-years-old — the individual master file and the business master file, as well as a 53-year-old system DoD uses to run the nuclear that runs on an IBM Series 1 computer — a 16-bit minicomputer, introduced in 1976.
Agencies need a workforce that is properly trained to support all of these modernization efforts. That is the third area where GAO is reviewing, the cybersecurity and IT workforce gaps as well as CIO authorities.
Powner said agencies still need to properly identify and tackle these shortcomings.
“Properly addressing many of these needs with contractors is a critical part of this solution here,” he said. “CIO authorities still need to be strengthened despite significant improvements from Federal IT Acquisition Reform Act. Your push to elevate these positions in departments and agencies is still needed. Currently 13 of the 24 CIOs report to the deputy secretary or higher. OMB plays a critical role here, especially with the recent focus on agency reorganizations.”
The White House floated a draft executive order on reemphasizing CIO authorities back in January, but it’s unclear whether that order still is in the works.
Hurd said the subcommittee has received responses from those 11 agencies where the CIO doesn’t report directly to the head or deputy head.
“A lot of the responses were things that, ‘oh, it’s basically already the case.’ Well, if it’s basically already the case, make it the actual case,” Hurd said in an interview after the hearing. “This is a simple fix that goes a long way in ensuring that an agency is making cybersecurity and good system hygiene a priority.”
Hurd said the subcommittee wasn’t familiar with the draft EO.
The Office of Personnel Management and the National Institute of Standards and Technology are working with agencies to identify and recode the IT and cyber roles as required under the Federal Cybersecurity Workforce Assessment Act of 2015. The deadline was December but few, if any, agencies accomplished the goal.
Hurd also reiterated his plans to introduce a bill to establish a U.S. Cyber-Reserves public-private sector rotational workforce.
Hurd plans to pressure agencies to make better use of the Homeland Security Department’s security architecture reviews and risk and vulnerability assessments, or obtain similar services from contractors to discover and mitigate cyber vulnerabilities.
“When it comes to penetration testing, a passive scan is not a penetration test, and making sure that a good best practice is to use on a regular basis a third-party security folks to come in and do a technical vulnerability or penetration test,” Hurd said after the hearing. “That level of engagement is not happening as much as I previously thought.”
So now the subcommittee plans on sending a letter to agencies asking about penetration testing and several other of what Hurd called unresolved digital hygiene questions.
One reason for Hurd’s letter is to understand more about the inconsistencies around penetration testing.
Jeanette Manfra, the DHS assistant Secretary for the Office of Cybersecurity and Communications, said there is no common definition of what people mean about penetration testing.
“Our risk and vulnerability assessments…which is actively going to identify and exploit vulnerabilities,” she said. “We haven’t previously taken statistics on which agencies are using penetration testing. In the last fiscal year, we’ve done 42, and we’ve prioritized high value assets.”
Crystal Jackson, the high value asset program manager at DHS’s Cybersecurity and Communications Office, said on Thursday at the Information Security and Privacy Advisory Board (ISPAB) meeting in Washington, D.C., that over the last two years, DHS conducted 100 assessments, and plans to do another 60 in 2018 alone.
“We are working with agencies to rescope the HVA program within their own agency and how its ties into a bigger construct of the federal enterprise,” Jackson said at the meeting. “We are taking the list of HVAs and delving deeper into the critical assets of all agencies, what they touch, and they how impact the rest of government. We are looking to identify what is the federal government’s risk profile.”
Jackson said the HVA program has shown trends among agencies around problems with network segmentation and patch management, both of which are common hygiene problems Hurd is worried about.
She said agencies need more network rigor so if one part of their system is breached, the hacker can’t jump to another section and maybe steal more valuable information.
Manfra said agencies have made a lot of progress post-cyber sprint, reducing the time to patch critical vulnerabilities to 10-to-15 days on average down from 200 days in 2014.
The whole of government approach to understanding the network connections and risks associated with them is a major reason why Hurd and DHS want agencies to do more penetration assessments.
Jackson said DHS tends to focus a lot on the high value assets at the larger CFO Act agencies, which is why it is working with the General Services Administration to create capabilities under the cybersecurity special item number.
“We are working with vendors to offer the same types of assessments using the same methodologies DHS uses,” she said. “We want to get the same kind or more detailed assessments.”
DHS also is establishing a community of interest around high value assessments to share ideas, best practices and address common challenges.
She said DHS and OMB are developing the charter for the COI over the next few months.
“We want to make sure all the agencies have a voice in this program and the ability to share ideas,” Jackson said.
Agency senior leaders should expect the committee to continue to bring up CXOs to find out on how they are implementing the Federal IT Acquisition Reform Act (FITARA).
Hurd said he was specifically frustrated with the Defense Department’s lack of transparency over its IT budget in the 2019 funding request to Congress as well as its continued low grades on the FITARA scorecard.
In the November 2017 scorecard, DoD received three “Ds” and two “Fs” across the five areas.
“As Rep. Gerry Connolly said, ‘If the boss doesn’t care, then nobody else will care.’ I’m going to continue when we do the next FITRA scorecard hearing bring in the CIO, the CFO and the deputy agency head,” Hurd said.
OMB’s Weichert added she understands the committee’s frustration over CIOs not having all the authority they need.
“We are looking closely at how we do we address CIO authorities through the President’s Management Agenda. We are laying out how all components of various authorities will work together and align their efforts while avoiding duplication while also giving maximum capabilities to CIOs. This IT modernization efforts have to include the CFO, the chief procurement officer, the chief human capital officer as all of them need to be there in lock step with the CIO.”
Hurd said he would like to penalize agencies on the scorecard if their CIO is not reporting directly to the agency head or deputy head.
Additionally, Hurd said he still plans to transition the FITARA scorecard to one that focuses on digital hygiene.
Connolly (D-Va.), who co-authored FITARA, said he is supported of the transition but not until agencies have made more progress in meeting the requirements under FITARA.