This post is part of a continuing DBR on Data series on Executive Order 13800 and updates on its implementation a year after passage.
Strengthening federal information technology (IT) has been one of the priorities of the current administration, as outlined in the May 2017 Executive Order 13800. As summarized in our previous blog, the Director of the American Technology Council (ATC) was tasked, among other things, to coordinate the preparation of a report to the president regarding modernization of federal IT infrastructure. The draft report was made available for public comment in August, and finalized in December 2017. The final report’s implementation clock started on January 1, 2018.
Key recommendations of the report
The final report is structured around two major themes: “Network Modernization & Consolidation” and “Shared Services to Enable Future Network Architectures,” followed by a number of appendices detailing aspects relevant for implementation.
For the network modernization and consolidation, the report identified several objectives, such as “reduce the federal attack surface,” improve visibility and resilience against sophisticated attacks, and ensure that new technology can be used without sacrificing reliability or performance. Accordingly, the implementation plan focused on the following three areas, with certain milestones required to be reached within the 30-, 60-, 90-, 120-, 150-, 180-, and 365-day period:
- Prioritize the modernization of high-risk high value assets.
- Modernize the trusted internet connections and national cybersecurity protection system program to enable cloud migration.
- Consolidate network acquisitions and management.
With regard to shared services that would enable future network architectures, the report’s recommendations are as follows (each with a different milestones timeline):
- Enable use of commercial cloud.
- Accelerate adoption of cloud email and collaboration tools.
- Improve existing and provide additional security shared services.
Enhanced use of commercial cloud is envisioned through:
- Vendor-owned and operated servers and applications (Software as a Service, SaaS).
- Vendor-owned and operated servers and government-operated applications with networks that utilize a secure connection (Infrastructure as a Service).
- Government-owned data center buildings with vendor-owned and operated service.
- Vendor-owned and operated data centers with servers dedicated for government use.
Appendices provide guidelines for implementation
The report’s appendices provide guidelines for implementation. The following is a brief overview of each of the appendices:
“Appendix A: Data-Level Protections and Modernization of Federal IT” discusses such issues as encryption of data in transit and at rest, multi-factor authentication, the least privilege principle, application whitelisting, mobile device security, and others.
“Appendix B: Principles of Cloud-Oriented Security Protections” describes government-specific security needs, and potential ways to achieve appropriate protection.
“Appendix C: Challenges to Implementing Federal Wide Perimeter-Based Security” focuses on cloud security and situational awareness, encrypted network traffic, overreliance on static signatures, use and value of classified indicators.
“Appendix D: Acquisition Pilot: Change the Buying Strategy to Government-As-One-Purchaser” proposes creating “virtual street corners” for vendors of cloud applications and services, to encourage a robust marketplace for the government to reach into.
“Appendix E: Legal Considerations” cites key Acts and statutes supporting the actions recommended by the report, including those related to privacy, homeland security, technology modernization, and fiscal aspects.
“Appendix F: Summary of Recommendations” presents the report’s actionable recommendations in the form of a consolidated table and associated timelines for the specified milestones.
“Appendix G: Summary of Comments Received” concludes the report, summarizing in just over two pages the public input received from over 100 commenters over the three-week period following the issuance of the draft report.
One year later
A year has passed since the issuance of the Executive Order 13800, and the half-year mark has just passed for the Federal IT Modernization report’s implementation plan. Changes in IT-related processes and practices are sweeping through the government’s agencies and departments. Their full impact still remains to be seen. What is clear, however, is that much work still needs to be done, as documented, for example, in the just-released “Federal Cybersecurity Risk Determination Report and Action Plan.” The IT modernization continues to be one of the top priorities on the President’s Management Agenda.