Part I of this column described it as an opportune time for the Biden administration to make bold changes that can hasten agencies’ maturity in managing and leveraging IT. Six recommendations can help the Biden administration make those changes. I described the first three recommendations—Developing comprehensive, yet realistic, agency IT modernization plans; Improving agencies’ ability to manage IT programs and projects; and Addressing procurement timeliness and the use of strategic sourcing and category management—in Part I of this column. Here are the remaining three recommendations.
The last process step of implementing the CSF is implementing an action plan, which is a prioritized list of steps an agency should take to protect its most critical assets and address its significant cybersecurity risks. Given the current environment, particularly in light of the SolarWinds attack, OMB should insist all agencies use the CSF process to develop an updated action plan. Further, OMB should direct agencies to immediately take the steps addressing their top five risks, even if that means diverting funds from other modernization or system development efforts. Protecting these most critical agency assets and addressing crucial risks cannot be delayed any further.
As agencies work on their cybersecurity action plans as well as their IT modernization plans, they should be driving to use modern security architectures. Now is the time for federal agencies to work to implement a zero-trust security strategy. The legacy perimeter-based security strategy has been overcome by the advent of mobility and cloud computing. A zero-trust security strategy is a proven 21st-century approach that, when implemented properly, provides better protection at a lower cost. The good news is that many government agencies already have some elements of zero trust deployed in their infrastructure, including identity, credential, and access management (ICAM) solutions and continuous monitoring. The use of zero-trust architecture should be an integral part of an agency’s IT modernization plan.
One tangible example that can make government more attractive to young professionals is to accelerate the excellent work in creating learning and career paths for cybersecurity professionals, based on the cybersecurity roles defined by the National Initiative for Cybersecurity Education (NICE), which is part of NIST. Agencies could increase their ability to recruit and retain cybersecurity professionals if they had well-defined learning and career paths and backed them up with commitments to develop such individuals into experts in differing cybersecurity specialties.
The administration should also work with Congress to evolve the FITARA scorecard, so that the IT reporting agencies already provide to the administration aligns with the reporting required to determine an agency’s grade on the FITARA scorecard. Aligning the administration’s IT priorities with how Congress grades agencies would accelerate the adoption of IT management best practices across the federal government.
Unified, committed leadership is the key to improving agencies’ ability to manage and leverage IT to improve operational performance. Certainly, we need capable agency CIOs, but just as important is the commitment from the Biden administration, at the most senior levels of OMB and across agency leadership, to champion these recommendations. If you want IT to be a true strategic asset to help agencies improve their performance, there are no shortcuts. The new administration has to take on the hard work of maturing IT management at the agency level, with the support of agency leadership.
Richard A. Spires is currently an independent consultant. Previously, he served as the CIO of the IRS and as the CIO of the Department of Homeland Security (DHS). While at DHS, he served as the vice-chairman of the Federal CIO Council.