by James Scott, Sr. Fellow, ICIT
Nearly three-quarters of the $80 billion annually spent on federal IT systems is allocated towards the upkeep and maintenance of outdated and vulnerable legacy systems. The majority of these systems predate the Internet, many were “Frankensteined “together ad hoc from technologies that are now older than those tasked with their maintenance, and some have even outlived their manufacturers. Rather than waste $60 billion annually on categorically vulnerable systems that are actively exploited by sophisticated and unsophisticated remote adversaries, Congress passed the Modernizing Government Technology Act to reduce the waste of billions of tax dollars and to enable agencies to increase efficiencies and ensure the protection of systems vital to national security . Former Federal CIO Tony Scott has expressed that investment should be dedicated to replacing outdated infrastructure and applications that are costly to operate and that pose a significant cybersecurity risk. He also suggests focusing on projects that have a cross-agency impact, where a shared solution can be opportunistically deployed .
The Modernizing Government Technology Act was included in the 2018 National Defense Authorization Act and signed into law on December 12, 2017 . The Act builds on the Federal IT Acquisition Reform Act (FITARA) to provide agency CIOs access to modernization funding and guidance. In operation, funded modernized projects should be more efficient, transparent, and secure . The MGT Act allocates capital working funds for agencies covered under the CFO Act, which do not have resources sufficient to transition from antiquated legacy systems to modern technology that can be defended with cutting-edge layered defenses . Essentially, the MGT Act positions agencies to expeditiously update and upgrade federal IT infrastructure according to the built-in Congressional oversight to reduce unnecessary expenditures and to increase federal system resiliency against cyber-attacks .
The passage of the NDAA with the MGT Act followed the release of the fifth FITARA scorecard (November 2107) which measures agency progress adhering to the Federal Information Technology Acquisition Reform Act. The scores for the past five evaluations are depicted in the table below.
The recent regressions in scores were due to the inclusion of a new metric – software licensing under the MEGABYTE Act – which evaluates agencies’ software libraries. According to Rep. Will Hurd (R-Texas), “The goal of all of this is are you implementing FITARA to strengthen the CIO’s roles so that you have one person responsible for defending your digital infrastructure as well as having the flexibility to look at and improve citizen-facing services.” Of the 24 agencies scored, 18 had permanent CIOs, and 6 had acting CIOs . Ultimately the responsibility of modernizing and securing agency systems and networks belongs to the entire executive C-suite, and the CIO must coordinate with others such as the CFO and the COO.
On December 13, 2017, OMB released the final Report to the President on Federal IT Modernization, highlighting priorities such as network modernization and consolidation, cybersecurity, shared services, and the adoption of commercial cloud solutions . The funds made available from the MGA Act can be used to improve, retire or replace existing IT systems to enhance cybersecurity and to improve efficiency and effectiveness; transition legacy IT systems to cloud or shared services; adopt risk-based cybersecurity solutions; or to reimburse a central modernization fund the law sets up. No later than Dec 12, 2018, and every six months thereafter, the head of each agency must submit to the director of the Office of Management and Budget a list of each IT investment that has been funded, including the estimated cost and completion date for each investment. They also must submit a publically available summary by fiscal year of obligations, expenditures and unused balances. The OMB director will, at least quarterly, make public a list that includes a description of the projects funded, the project status (including any schedule delay and cost overruns), financial expenditure data related to the project and the extent to which the project is using commercial products and services (including if applicable, a justification of why commercial products and services were not used and the associated development and integration costs of custom development) .
As made clear from the FITARA scores, the majority of federal agencies are failing to secure and maintain their network, systems, and applications. The MGT Act offers resources and guidance to modernize systems with current technology, to introduce security-by-design at each stage of development and architecture, and to implement layered security solutions. The General Services Administration houses the central modernization fund. The Office of Management and Budget leads the board to review and approve which projects receive funding under the MGT Act and to offer guidance for submissions. The seven-member Technology Modernization Fund Board includes the federal CIO, a senior GSA official “with technical expertise in information technology development,” a member of the Department of Homeland Security’s National Protection and Programs Directorate and four at-large members appointed by OMB Director Mick Mulvaney was established March 12, 2018. All proposals are subject to the board’s evaluation and approval. After approval, the board has the authority to conduct regular project reviews and to vote whether to recommend to the GSA administration to withhold future funding. Funding requests should not be disproportionately back-loaded and should include between two and six incremental funding transfers throughout the lifecycle of the project. Agencies cannot “incrementally fund non-severable services contracts using transferred TMF funding.” Agencies can request to become shared-services providers using the GSA-housed central fund. These so-called “managing partners” would receive money from the central fund to host a “common solution for which the managing partner charges a fee-for-service to participating agencies.” Agencies report to OMB every quarter all planned uses of the working capital funds, all transfers and reprogramming actions with a brief justification, any updates to the IT dashboard, as well as a summary of actual obligations, expenditures, and unused balances each fiscal year. Agencies are to describe the project, what it plans to address, the impact of completion and how the impact will be measured, the amount being requested, plus all costs and benefits — pre-modernization, during modernization and post-modernization — associated with the project. If an agency fails to reimburse the central fund, the OMB chief will act as mediator. Meanwhile, the TMF Board charter includes project oversight guidance “to identify where corrective action or revocation of committed funds is warranted” .
Project submissions are evaluated based on their alignment with the priorities of the modernization report and the agency’s record of successful modernization projects. Agencies without a strong reputation for efficient modernization can convene working groups, develop business cases for simple, short-term projects, and then apply for MGT funds to boost the chances of success. The MGT Act creates a $500 million central modernization fund over two years, which federal agencies can borrow against to update, upgrade, and secure aging and outdated IT infrastructure. The law also creates working IT capital funds where agencies can place savings from other modernization projects and use for future needs. Experts predict that approved projects will cost $10 million or less. More expensive projects may be challenging for agencies to pay back within the three-year window. As a result, the MGT funds are more likely to be used for incremental small and moderate modernization efforts rather than massive overhauls of complex infrastructure such as financial management or human resource systems .
Despite the availability of MGT funding, some agency CIOs may not submit proposals or initiate modernization efforts because the responsibility of sustained modernization daunts them and because many may not be able to develop efficient projects that enable savings sufficient to pay back the MGT fund within three years . It is imperative that these executives consider the guidance offered by OMB and other thought leaders, contact other agencies for cooperative initiatives, or consult trusted private sector vendors for efficient and cost-effective modernization solutions that include security at each development stage, that are adaptable to the evolving threat landscape, that incorporate layered defenses, and that are resilient against unsophisticated and sophisticated threat actors ranging from script kiddies to cyber-mercenaries to digital terrorists to nation-state sponsored advanced persistent threat (APT) actors.
 Miller, J. (2017). Agency progress to modernize IT systems languishes as new MGT Act headed to White House. [online] FederalNewsRadio.com. Available at: https://federalnewsradio.com/hearings-oversight/2017/11/agency-progress-to-modernize-it-systems-languishes-as-new-mgt-act-headed-to-white-house/ [Accessed 19 Mar. 2018].
 Gunter, C. (2017). The MGT Act is law. Now what? — FCW. [online] FCW. Available at: https://fcw.com/articles/2017/12/13/modernization-whats-next-gunter.aspx [Accessed 19 Mar. 2018].
 Konkel, F. (2017). Agency Scores Fall in Latest FITARA Scorecard. [online] Nextgov.com. Available at: http://www.nextgov.com/cio-briefing/2017/11/agency-scores-fall-latest-fitara-scorecard/142534/ [Accessed 19 Mar. 2018].
 Gunter, C. (2018). OMB’s user guide to the MGT Act — FCW. [online] FCW. Available at: https://fcw.com/articles/2018/02/06/mgt-guidance-omb-memo.aspx [Accessed 19 Mar. 2018].