Report to the President on Federal IT ModernizationThis report outlines a vision and recommendations for the Federal Government to build a more modern and secure architecture for Federal IT systems. Agencies have attempted to modernize their systems but have been stymied by a variety of factors, including resource prioritization, ability to procure services quickly, and technical issues. Recommendations to address the aforementioned issues are grouped into two categories of effort: the modernization and consolidation of networks and the use of shared services to enable future network architectures. In addition to specific recommendations, this report outlines an agile process for updating policies and reference architectures to help the Government more rapidly leverage American innovation. Taken together, these recommendations will modernize the security and functionality of Federal IT, allow the Federal Government to improve service delivery, and focus effort and resources on what is most important to customers of Government services. Chief Information Officers CouncilCIOC_2f91fc52-3883-403c-8e4a-ee2c4641dfd9Agency LeadersAchieving these goals will require an active shift in the mindset of agency leadership, mission owners, IT practitioners, and oversight bodies. Mission OwnersIT PractitionersOversight BodiesMore modern and secure Federal IT systems._7aab826c-617a-11ea-8a07-ebdb2f83ea00To build a more modern and secure architecture for Federal IT systems._7aab84ba-617a-11ea-8a07-ebdb2f83ea00Shared ServicesDifficulties in agency prioritization of resources in support of IT modernization, ability to procure services quickly, and technical issues have resulted in an unwieldy and out-of-date Federal IT infrastructure incapable of operating with the agility and security that is required of a multibillion-dollar Federal IT enterprise. In order to aggressively modernize IT systems, the Federal Government will need to maximize use of shared services and commercial capabilities.IterationIn furtherance of this objective, existing policies and programs will be rapidly and iteratively updated to eliminate barriers to cloud adoption, and agencies will rapidly migrate applicable capabilities to commercial cloud services.SecurityCapabilities which will not be hosted in the commercial cloud will be modernized to leverage modern security protections, and agencies will assess risk of existing capabilities to prioritize resources on protecting the most important systems and information.CollaborationThe Federal Government will also accelerate the adoption of cloud email and collaboration tools, improve and strengthen existing shared services, and provide additional security shared services for agencies.ConsolidationFederal agencies must consolidate their IT investments and place more trust in services and infrastructure operated by others.Cost EfficiencySuch a change in outlook will allow for greater utilization of shared services, consolidated infrastructure, and cloud-based collaboration tools that can deliver improved functionality and drive cost efficiencies to improve Government operations and citizen services.NetworkModernize and consolidate the network._7aab85b4-617a-11ea-8a07-ebdb2f83ea001The future of Federal IT is one in which agencies move further toward a risk-based approach to securing their systems that places appropriate emphasis on data-level protections and that fully leverages modern virtualized technologies. This renewed focus on data-level protections for managing risk must be accepted and driven by agency leadership, mission owners, IT practitioners, and oversight bodies. Specific recommendations that will bridge to this future state are detailed in the next section, titled “Implementation Plan.” The following broad objectives will drive momentum toward the future state of IT:Attack SurfaceReduce the Federal attack surface through enhanced application and data-level protections._7aab8690-617a-11ea-8a07-ebdb2f83ea001.1Rather than treating Federal networks as trusted entities to be defended at the perimeter, agencies should shift their focus to placing protections closer to data, specifically through improved management and authentication of devices and user access, as well as through encryption of data – both at rest and in transit. This approach curtails an attacker’s likelihood of gaining access to valuable data solely by accessing the network, and it has the potential to better block and isolate malicious activity. As agencies prioritize their modernization efforts, they should implement the capabilities that underpin this model to their high value assets first.VisibilityImprove visibility beyond the network level._7aab883e-617a-11ea-8a07-ebdb2f83ea001.2Agencies will gain greater visibility and resilience against more sophisticated attacks, including insider threats that may have access to agency-owned networks by enhancing protections closer to the data. Expanding visibility beyond the network level – for instance, through collecting security logs at the application level or establishing a vulnerability disclosure policy and placing systems or applications under a bug bounty program – provides security teams with other information feeds, which they can use to better understand, process, and triage information security events and possible incidents. This information can provide insight into the gaps in security that agencies are experiencing, which informs the types of investments they should make to defend against modern threats. Maximizing the effectiveness of this approach requires updating tools and models by which staff conduct operational security to detect and prevent intrusions. It also requires risk-proportionate application of security practices and maintenance of situational awareness, particularly in scenarios in which Federal information resides in an off-premises environment, such as in commercially-provided clouds. Government-wide programs designed to deliver these tools and services must evolve, as must the operational culture by which agencies collect and analyze logs and interact with the security research community.Policy & ResourcesEnsure that policy, resource allocation, acquisition, and operational approaches to security enable use of new technology without sacrificing reliability or performance._7aab891a-617a-11ea-8a07-ebdb2f83ea001.3Information technology policy, resource allocations, acquisition processes, and operational guidance must enable the achievement of security objectives while also allowing agencies to take advantage of newer approaches to technology, such as commercial cloud-based services and mobile devices. Agencies should prioritize the IT resources and technical personnel they need to implement necessary data protections and provide situational awareness in their daily operations, whether information is stored on premises or in a commercial cloud. While some successes have occurred in the Federal Government, many real or perceived impediments remain to accelerating network consolidation and optimization on a Government-wide scale. The recommendations in this report collectively address and seek to remedy impediments to modernizing Federal IT. Addressing these barriers will enable agencies to accelerate toward a new era of modernization without sacrificing security or performance. Implementation_7aab8a0a-617a-11ea-8a07-ebdb2f83ea001.4Network Modernization and Consolidation. This report envisions a modern Federal IT architecture where agencies are able to maximize secure use of cloud computing, modernize Government-hosted applications, and securely maintain legacy systems. Specific actions in this report focus on the first two areas, where securely maintaining legacy systems is addressed in other areas of EO 13800. These actions enable agencies to move from protection of their network perimeters and managing legacy physical deployments toward protection of Federal data and cloud-optimized deployments. The report also emphasizes a risk-based approach that focuses agency resources on their highest value assets, per OMB’s authorities provided by the Federal Information Security Modernization Act of 2014 (FISMA) 4 and OMB Memorandum M17-25, Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. The report addresses current impediments or obstacles to adopting modernized cloud technologies by piloting new implementation approaches, and using these test cases to inform rapid policy updates. The report also focuses on consolidating and improving acquisition of network services so that management of security services for networks are consolidated where possible and managed to high standards. Specific actions include:HVAsPrioritize the Modernization of High-Risk High Value Assets (HVAs)._7aab8af0-617a-11ea-8a07-ebdb2f83ea001.4.1Prioritize modernization of legacy IT by focusing on enhancement of security and privacy controls for those assets that are essential for Federal agencies to serve the American people and whose security posture is most vulnerable.TIC & NCPSModernize the Trusted Internet Connections (TIC) and National Cybersecurity Protection System (NCPS) Program to Enable Cloud Migration._7aab8bd6-617a-11ea-8a07-ebdb2f83ea001.4.2Use real world implementation test cases to identify solutions to current barriers regarding agency cloud adoption. Update relevant network security policies and architectures to enable agencies to focus on both network and data-level security and privacy, while ensuring incident detection and prevention capabilities are modernized to address the latest threats.Acquisitions & ManagementConsolidate Network Acquisitions and Management._7aab8d16-617a-11ea-8a07-ebdb2f83ea001.4.3Consolidate and standardize network and security service acquisition to take full advantage of economies of scale, while minimizing duplicative investments in existing security capabilities. Shared ServicesShift toward a consolidated IT model._7aab8e06-617a-11ea-8a07-ebdb2f83ea002Shared Services to Enable Future Network Architectures. The following section of this report lays out an approach to enable, with ongoing Government-wide category management efforts, the Federal Government to shift toward a consolidated IT model by adopting centralized offerings for commodity IT. The recommendations detail steps to address current impediments in policy, resource allocation, and agency prioritization to enabling the use of cloud, collaboration tools, and other security shared services. For the purposes of this Report and its implementation, shared services is the provision of consolidated capabilities or functions (services and/or IT systems) that are common across multiple agencies. Shared Services can enable agency efficiency by reducing duplication and costs through consistent delivery of standardized capabilities or functions in ways that make the most of innovative processes and commercial solutions. Specific actions include:CloudEnable use of Commercial Cloud. Improve contract vehicles to enable agencies to acquire commercial cloud products that meet Government standards._7aab8eec-617a-11ea-8a07-ebdb2f83ea002.1E-mail & CollaborationAccelerate Adoption of Cloud Email and Collaboration Tools._7aab8fe6-617a-11ea-8a07-ebdb2f83ea002.2Provide support for migration to cloud email and collaboration suites that leverage the Government's buying power. Define the next set of agencies to migrate to commercial email and collaboration suites.SecurityImprove Existing and Provide Additional Security Shared Services._7aab90e0-617a-11ea-8a07-ebdb2f83ea002.3Provide consolidated capabilities that replace or augment existing agency-specific technology to improve both visibility and security. ResourcingRealign IT resources appropriately using business-focused, data-driven analysis and technical evaluation._7aab91d0-617a-11ea-8a07-ebdb2f83ea003Resourcing Federal Network IT Modernization. In order to implement the Federal IT modernization efforts outlined in this report, agencies will need to realign their IT resources appropriately using business-focused, data-driven analysis and technical evaluation.PrioritiesDetermine which systems will be prioritized for modernization._7aab92ca-617a-11ea-8a07-ebdb2f83ea003.1OMBOMB will inform agencies that agency Chief Information Officers (CIOs) work with their Chief Financial Officers (CFOs) and Senior Agency Officials for Privacy (SAOPs), in consultation with OMB, to determine which of their systems will be prioritized for modernization, identifying strategies to reallocate resources appropriately.CIOsCFOsSAOPsAcquisitionsEvaluate ongoing and planned acquisitions._7aab93c4-617a-11ea-8a07-ebdb2f83ea003.2In accordance with the terms of agency contracts and consistent with law, agencies should consider evaluating ongoing and planned acquisitions that further develop or enhance legacy IT systems identified that need modernization to ensure consistency with broader IT strategies outlined in this report.ReprioritizationReprioritize funds and consider "cut and invest" strategies._7aab94be-617a-11ea-8a07-ebdb2f83ea003.3Agencies should also emphasize reprioritizing funds and should consider "cut and invest" strategies that reallocate funding from obsolete legacy IT systems to modern technologies, cloud solutions, and shared services, using agile development practices and the best practices within GSA’s Unified Shared Services’ Modernization and Migration Management Framework, where appropriate.2017-12-312020-03-08https://itmodernization.cio.gov/assets/report/Report%20to%20the%20President%20on%20IT%20Modernization%20-%20Final.pdfOwenAmburOwen.Ambur@verizon.net