Executive Summary

This report outlines a vision and recommendations for the Federal Government to build a more modern and secure architecture for Federal IT systems.[1] Agencies have attempted to modernize their systems but have been stymied by a variety of factors, including resource prioritization, ability to procure services quickly, and technical issues. Recommendations to address the aforementioned issues are grouped into two categories of effort: the modernization and consolidation of networks and the use of shared services to enable future network architectures. In addition to specific recommendations, this report outlines an agile process for updating policies and reference architectures to help the Government more rapidly leverage American innovation.

Network Modernization and Consolidation. This report envisions a modern Federal IT architecture where agencies are able to maximize secure use of cloud computing, modernize Government-hosted applications, and securely maintain legacy systems. Specific actions in this report focus on the first two areas, while securely maintaining legacy systems is addressed in other areas of EO 13800. These actions enable agencies to move from protection of their network perimeters and managing legacy physical deployments toward protection of Federal data and cloud-optimized deployments. The report also emphasizes a risk-based approach that focuses agency resources on their highest value assets, per OMB’s authorities provided by the Federal Information Security Modernization Act of 2014 (FISMA) and OMB Memorandum M-17-25, Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. The report addresses current impediments or obstacles to adopting modernized cloud technologies by piloting new implementation approaches, and using these test cases to inform rapid policy updates. The report also focuses on consolidating and improving acquisition of network services so that management of security services for networks is consolidated where possible and managed to high standards. Specific actions include:

  1. Prioritize the Modernization of High-Risk High Value Assets (HVAs). Prioritize modernization of legacy IT by focusing on enhancement of security and privacy controls for those assets that are essential for Federal agencies to serve the American people and whose security posture is most vulnerable.

  2. Modernize the Trusted Internet Connections (TIC) and National Cybersecurity Protection System (NCPS) Program to Enable Cloud Migration. Use real world implementation test cases to identify solutions to current barriers regarding agency cloud adoption. Update relevant network security policies and architectures to enable agencies to focus on both network and data-level security and privacy, while ensuring incident detection and prevention capabilities are modernized to address the latest threats.

  3. Consolidate Network Acquisitions and Management. Consolidate and standardize network and security service acquisition to take full advantage of economies of scale, while minimizing duplicative investments in existing security capabilities.

Shared Services to Enable Future Network Architectures. The following section of this report lays out an approach to enable, with ongoing Government-wide category management efforts, the Federal Government to shift toward a consolidated IT model by adopting centralized offerings for commodity IT. The recommendations detail steps to address current impediments in policy, resource allocation, and agency prioritization to enabling the use of cloud, collaboration tools, and other security shared services. For the purposes of this Report and its implementation, shared services is the provision of consolidated capabilities or functions (services and/or IT systems) that are common across multiple agencies. Shared Services can enable agency efficiency by reducing duplication and costs through consistent delivery of standardized capabilities or functions in ways that make the most of innovative processes and commercial solutions. Specific actions include:

  1. Enable use of Commercial Cloud. Improve contract vehicles to enable agencies to acquire commercial cloud products that meet Government standards.

  2. Accelerate Adoption of Cloud Email and Collaboration Tools. Provide support for migration to cloud email and collaboration suites that leverage the Government’s buying power. Define the next set of agencies to migrate to commercial email and collaboration suites.

  3. Improve Existing and Provide Additional Security Shared Services. Provide consolidated capabilities that replace or augment existing agency-specific technology to improve both visibility and security.

Resourcing Federal Network IT Modernization. In order to implement the Federal IT modernization efforts outlined in this report, agencies will need to realign their IT resources appropriately using business-focused, data-driven analysis and technical evaluation. OMB will inform agencies that agency Chief Information Officers (CIOs) work with their Chief Financial Officers (CFOs) and Senior Agency Officials for Privacy (SAOPs), in consultation with OMB, to determine which of their systems will be prioritized for modernization, identifying strategies to reallocate resources appropriately. In accordance with the terms of agency contracts and consistent with law, agencies should consider evaluating ongoing and planned acquisitions that further develop or enhance legacy IT systems identified as needing modernization to ensure consistency with broader IT strategies outlined in this report. Agencies should also emphasize reprioritizing funds and should consider “cut and invest” strategies that reallocate funding from obsolete legacy IT systems to modern technologies, cloud solutions, and shared services, using agile development practices and the best practices within GSA’s Unified Shared Services’ Modernization and Migration Management Framework,[2] where appropriate.

Taken together, these recommendations will modernize the security and functionality of Federal IT, allow the Federal Government to improve service delivery, and focus effort and resources on what is most important to customers of Government services.

  1. Not to include national security systems as defined in Section 3552(b)(6) of Title 44, United States Code. 

  2. Introduction to Modernization and Migration Management (M3), Unified Shared Services Management.