IT modernization has been top of mind for many federal CIOs since the Modernizing Government Technology Act was signed into law in 2017. Add to that the new Federal strategy to adopt zero trust cybersecurity architecture, and there’s a lot to plan and budget for. However, zero trust may actually help accelerate your modernization efforts.
Let’s quickly recap both:
Modernizing Government Technology Act (MGTA)
This bill authorized agency CFOs to establish an IT system modernization and working capital fund to improve, retire, or replace existing systems—including migrating to the cloud—to improve efficiency and security. It also created a Technology Modernization Fund to help provide the money to make those improvements happen. (1)
Federal zero trust strategy
The zero trust strategy issued by the Office of Management and Budget (OMB) in January 2022 started with Executive Order 14028 issued by President Biden in May 2021 to improve the nation’s cybersecurity. Zero trust was just one of many topics in the Executive Order, which also included improving threat information sharing, software supply chain security, and incident detection and remediation. (2)
The OMB’s zero trust architecture strategy includes several objectives that must be met by the end of fiscal year 2024, along with strategic goals around identity, devices, networks, applications and workloads, and data that align with the zero trust model developed by CISA. It also emphasizes stronger enterprise identity and access controls and moving away from traditional trusted networks. (3)
Challenges to implementation
While initial plans have already been submitted to comply with the zero trust architecture strategy, you know that implementation will have challenges along the way. One issue is that IT modernization is still ongoing, and many legacy tools currently in use were designed for legacy security. Thus modernization will need to continue alongside the shift to zero trust. Funding to make these changes may prove tricky, as will securing experienced IT and cybersecurity staff to complete the work.
Budget is the first hurdle
Gartner identified the acceleration of legacy modernization as one of the top ten government technology trends for 2022. (4) However, budget is still a big hurdle for many agencies. The Technology Modernization Fund established by MGTA requires repayment by the borrowing agency in most cases, meaning some agencies have been hesitant to request funds without a repayment plan. The American Rescue Plan provided an additional $1B in TMF funds to assist agencies with urgent modernization needs and allowed partial repayment to provide more options for agencies. (5)
The other source of IT modernization budget, IT working capital funds, has not yet been widely adopted. As of April 2022, only two agencies have set up IT working capital funds under MGTA, three more have requested authority to create them, and two have existing working capital funds to use. Yet the technical debt is estimated at $7B. (6)
Zero trust programs also need funding. Some agencies have already applied for and received TMF funds to begin the shift to zero trust architecture. (7) In addition, the White House has requested $10.9B in cybersecurity-related funding for federal civilian agencies for FY23, an 11% increase over last year, some of which will go towards implementing zero trust. (8)
Budgetary issues will require careful planning, but combining IT modernization and the move to a zero-trust architecture may offer economies of scale. Transitioning legacy systems to the cloud with zero trust in mind from the start can minimize the number of changes, thereby minimizing cost. Those legacy systems will need to be included in zero trust one way or another, so evaluate if modernizing them now will prove the most cost-effective option.
Skill and resource gaps may also hinder progress
With agencies varying widely in size and the types of technologies they support, there is no one-size-fits-all approach to modernization or cybersecurity. Collaboration between agencies can help provide new solution ideas and fill skill or knowledge gaps. The OMB zero trust strategy explicitly encourages collaboration, stating, “agencies that are further along in their zero trust process should partner with those still beginning by exchanging information, playbooks, and even staff.”
And collaboration shouldn’t be limited to agency CISOs. Increased cooperation between functions within agencies is also essential. The OMB strategy advises that agency leadership must be “aligned and committed to overhauling an agency’s security architecture and operations.” These changes will impact all parts of the agency in some way, and getting their feedback and buy-in is critical to success.
However, collaboration alone isn’t enough for implementation, and many agencies are trying to hire more skilled IT and cybersecurity resources. Hiring in cybersecurity has been especially challenging for years, so some agencies may look to private sector organizations to take on tasks. The OMB strategy even advises increasing reliance on external third parties for some cybersecurity activities, such as security testing.
Find common ground between zero trust and modernization
As zero trust requires moving away from the trusted network philosophy, it makes sense to use this transition to take users and workloads off the network as well. Connecting users directly to applications in the cloud enables user identity authentication and authorization for each application, as required by the zero trust strategy.
DevSecOps will also be a vital component of IT modernization and zero trust. Automated, immutable cloud workloads restrict manual modification and prevent configuration drift. This can result in a consistent, homogenous environment that reduces the chance of a breach due to misconfiguration. Gartner predicts that through 2025, more than 99% of cloud breaches will be traced back to preventable misconfigurations or mistakes by end users. (9) To accomplish this at scale, agencies will need end-to-end automation of DevSecOps.
If your agency finds IT modernization and zero trust a daunting task, there is help. Taos, an IBM Company, helps U.S. federal agencies automate processes and modernize legacy applications by capitalizing on scalability, enhanced security, and cloud economics. Through our Advisory Services, Professional Services, Managed IT, and Security Services, Taos works with you to develop a unique, secure solution that best fits your agency’s needs and optimizes your ROI.
Learn more at https://www.taos.com/industries/federal-government/
1 – H.R.2227 – MGT Act, U.S. House of Representatives, December 2017
2 – FACT SHEET: President Signs Executive Order Charting New Course to Improve the Nation’s Cybersecurity and Protect Federal Government Networks, The White House, May 2021
3 – Moving the U.S. Government Toward Zero Trust Cybersecurity Principles, The White House, January 2022
4 – Gartner Unveils the Top 10 Government Technology Trends for 2022, Gartner, February 2022
5 – Guidelines on the American Rescue Plan Funding, The Technology Modernization Fund, March 2021
6 – Treasury wants to join the growing ranks of agencies with IT working capital funds, Federal News Network, April 2022
7 – OPM speeding up zero-trust security implementation with TMF funds, FedScoop, March 2022
8 – White House reviewing agency zero trust cybersecurity plans, Federal News Network, April 2022
9 – Hype Cycle for Cloud Security, 2021, Gartner, July 2021