Appendix G: Summary of Comments Received

More than 100 companies and individuals submitted comments during the three-week public comment period for the IT Modernization Report. Overall, the comments reaffirmed the importance of modernizing Federal IT and validated that the proposed approach is on the right track. The comments offered diverse and at times conflicting suggestions, and ranged from strategic thoughts to detailed implementation guidance.

The ATC strove to keep this report at a strategic level, and will make the more detailed ‘implementation-level’ comments available to the teams who will drive specific modernization efforts across Federal IT. Several comments also noted the need to fundamentally reform or tweak current statutory provisions, and the ATC will provide these recommendations to existing activities that are already charged with these statutory reform areas.

All comments received are publicly posted, but this appendix will highlight some of the key themes that emerged during the comment review.

Need for technical diversity and efficiency

Many comments stressed the need to future-proof the Government’s systems, keep pace with innovation and future standards, maintain vendor and technology neutrality, and recognize the validity of diverse approaches to securing data, applications, networks, and services. Comments also suggested adopting modern approaches to development and operations such as DevOps and continuous delivery, and automating more of the functional/security testing, integration, deployment, and operations of applications.

Accreditation and cybersecurity

Comments emphasized the benefits of leveraging FedRAMP authorization, suggested improvements to the FedRAMP process, asserted the need to enforce reciprocity, suggested utilizing the native security capabilities (such as machine learning and big data analytics) offered by the cloud service providers, and noted the potential for automating the sharing of classified threat intelligence with cleared service providers.

Network modernization and data level security

Comments emphasized the importance of network-level security, advised that tools should focus on outcomes rather than mechanisms, that controls must be placed in closer proximity to the data, and that users, cloud APIs, and individual devices need to be considered as access control shifts away from the network perimeter. Comments also emphasized that cloud access security brokers (CASBs) should be used to provide secure access to cloud resources.

Acquisition strategy and workforce

Several comments indicated concern over halting or pausing acquisitions in progress, the need for reform of the acquisition and budgeting processes, and observations that acquisition cycles needed to become more rapid and agile. Comments also suggested that the acquisition of modern IT requires a holistic approach (technical, cybersecurity, and contracting) supported by a trained and experienced workforce.

Shared services and the acquisition pilot

Comments suggested that the discussion and policy around shared services be clarified. Several comments mentioned that contract consolidation on EIS was essential, while others mentioned that the strategy might stifle innovation and competition. The ATC is committed to the strategy of leveraging the competitively awarded EIS contract to assist with consolidation efforts. Some comments suggested that the acquisition pilot would be useful in proving out the Government’s objectives, while others suggested it was too narrowly scoped. Comments also recommended that specific vendor names be removed from the notional examples in the appendix.

Examples of key points derived from the comments are included in the section below.

Question 1 - What are major attributes that are missing from the targeted vision? (Appendix A, Appendix B)

Comments, in response to this question, suggested the report should:

(i) make clear the section only described some of the approaches to be used;

(ii) include the concept of logical vice physical separation of data;

(iii) consider including multi-factor authentication;

(iv) consider including the concept of least privilege;

(v) consider expanding the discussion regarding software lifecycle automation and security testing.

Many of the comments confirmed that the attributes were on the right track or offered additional suggestions and insights to attributes proffered within the report.

Question 2 - What are major attributes that should not be included in the targeted vision?

Comments, in response to this question, suggested the report should:

(i) remove references to specific companies;

(ii) remove or revise the suggestion that agencies halt procurement actions that are underway;

(iii) expand the description and approaches to cybersecurity assessment and authorization.

Many of the comments confirmed that the attributes were on the right track or offered additional suggestions and insights to attributes proffered within the report.

Question 3 - Are there any missing or extraneous tasks in the plan for implementing network modernization & consolidation?

Question 4 - Are there any missing or extraneous tasks in the plan for implementing shared services to enable future network architectures?

Comments and recommendations in response to questions 3 and 4 were similar and suggested or implied that the report:

(i) should clarify the definition, description, and/or purpose of employing shared services;

(ii) should identify and address obstacles to adopting shared services or network consolidation;

(iii) should, relative to item (ii), recommend that greater focus and actions be placed on addressing issues relative to the FAR;

(iv) should acknowledge the need to reuse existing accreditation packages (that is, foster reciprocity among agencies);

(v) should, relative to item (iv) above, suggest an activity to improve reciprocity and identify capabilities to automate the NIST Risk Management Framework (RMF);

(vi) should reinforce the need for training and career development for professionals involved in accomplishing the goals articulated in the report.

Many of the comments confirmed that the tasks were appropriate and/or offered additional enhancement to the identified tasks.

Question 5 - What is the feasibility of the proposed acquisition pilot? (Appendix D)

Comments, in response to this question, suggested that the report:

(i) should clarify the intent, purpose, scope, expected outcomes, and assessment criteria of and for the pilot;

(ii) should consider expanding the pilot to other shared services;

(iii) should de-identify service providers and include contracting options.

The comments generally confirmed that a pilot was a valid idea, offered additional suggestions and approaches, and identified potential pitfalls.

We want to express appreciation for the sincerity, depth of thought, and time taken by each of the commenters and encourage the community to go to the public website and read each of the submissions.