2016 Federal Government Information Technology Priorities
by Michael Biddick
Table of Contents

Author's Bio
About FusionPPT
The IT Juggernaut
Cybersecurity Gets Real
The Agile IT Environment
Big Data Getting Bigger
Cloud Computing
The Future of Federal IT

Michael Biddick
CEO, FusionPPT

Under Michael's leadership as CEO, FusionPPT has achieved triple-digit growth, becoming the premier vendor-independent systems integration and consulting partner with their clients. Michael is responsible for the strategic vision, market strategy, project quality and the company's overall performance. For nearly 20 years, Michael has worked with hundreds of government and international commercial organizations providing expertise in our Solutions. Michael has a unique blend of deep technology experience coupled with business and information management acumen that provide a balanced approach to our business. Prior to joining FusionPPT, Michael spent 10 years with a boutique consulting firm and Booz Allen Hamilton, developing enterprise management solutions for a wide variety of both government and commercial clients. He previously served on the academic staff of the University of Wisconsin Law School as the Director of Information Technology.

Michael earned a Master's of Science in Information Systems from Johns Hopkins University and dual Bachelor's degrees in Political Science and Afro-American History from the University of Wisconsin-Madison.

Michael is a contributing editor at InformationWeek and Network Computing Magazines and has published over 50 articles on Cloud Computing, Big Data and Application Performance Management. Michael is also the author of the book “Federal Cloud Computing.” Michael holds multiple vendor technical certifications, is a certified ITIL v3 Expert and a certified Barista.
About FusionPPT
We Simplify Enterprise IT.
FusionPPT is an established leader in providing IT consulting and system integration services to organizations with challenging technology initiatives. Since our inception in 2009, we have contributed to the success of hundreds of projects, and most have spanned the globe in their reach and impact. Our ability to perform and add value in complex, diverse, and distributed environments has earned us a solid growth rate and a reputation as a trusted, capable, and results-oriented service provider.

Deep Technical Knowledge, Diverse Project Experience.
Led by veteran IT professionals and thought leaders in the industry, our team has amassed a depth and breadth of technical knowledge and experience that we are passionate about sharing with our clients. We attract and hire only subject matter experts and proven performers, and our culture fosters collaboration, innovation, and a nimble, team-based approach to help our clients achieve their objectives.

Big Firm Expertise, Smaller Firm Service & Agility.
As a privately held small business, FusionPPT combines the best practices and expertise found at large consulting firms with a nimble, entrepreneurial, and client-focused service team. We reward and encourage fresh perspectives, creativity, and intellectual risk-taking, and this consistently produces more efficient and more cost-effective IT solutions for our customers.

Mission Focused.
At FusionPPT, we take a partnership approach in all of our engagements, and our team functions as an integral part of the clients' organizations. We understand complex enterprises and the importance of networks, applications, and systems in delivering reliable mission-based services to stakeholders. Our staff is focused at all times on our clients' missions and ensuring that the services we provide and technology solutions we recommend are in complete alignment.

Value Beyond IT.
The “PPT” in our company name stands for “People, Process, and Technology,” and it represents a core added value that our team offers ‒ which is a deep understanding of what it takes to make technology investments pay off. Our expertise extends beyond physical and virtual systems. We address the critical success factors of people and process, defining success at the level of organizational impact and the incorporation of new systems into daily workflows and job functions. The fusing together of people, process, and technology is core to our methodology and it is core to technology projects being able to attain their financial and operational objectives.

FusionPPT Company and Team highlights include:
- ISO 9001:2008 Certified Organization
- Privately Held Firm
- Led by IT Industry Experts and Thought Leaders
- Collaborative Subject Matter Expert (SME) Team Approach
- Agile, Entrepreneurial Staff
- Diverse, Complex Project Experience
- Proven Track Record of Successful Deployments
- Global, Enterprise-Oriented
- Multiple Contract Vehicles
- Depth & Breadth of Technology Expertise
- Commitment to Excellence
- Quality Focused
- FusionPPT Innovation Lab

Corporate Information.
DUNS: 8307-42-792
CAGE Code: 5H6B4
Primary NAICS: 541611, 541512, 518210
Ownership: Private, 100% U.S.
Size Standard: Small Business, under $14M
Certifications: ISO 9001:2008, ITIL v3, PMP
D&B Open Ratings: 95% Customer Satisfaction Rating

With the Federal Government IT budget continuing to hover below $80 billion, this February, the president requested a 1.8 percent increase over the $78.3 billion agencies estimate they'll spend this fiscal year ‒ approximately a 10 percent increase over fiscal 2014 spending. At the same time the president released his budget request, partisan groups, legislators and government watchdogs criticized the overall spending on IT and value obtained from this spending compared to private industries.

While legislation and opinions originating from the White House have always focused on more efficient, effective and secure government IT spending, the third appointed Federal CIO, Tony Scott, continued to trumpet bold visions and federal IT transformation.
Scott was appointed by President Obama in March of 2015 and explained how “driving value is also about driving efficiency” in his first speech. Some of his proposed ideas included “adoption of agile technologies” and “creating the right kinds of dashboards that will help us understand whether we're making progress or not.”

A fundamental question to answer is: Are these bold visions trickling down to agencies and rank-and-file IT leaders within the government and contracting communities? Criticism around spending and efficiency also runs parallel to high-profile security breaches of some of the most sensitive government data reported over the past year. If this security issue is not addressed, breaches will continue to occur and increase in frequency.

In this annual Federal Government IT Priorities report, we'll examine where federal IT leaders should be focusing their time, the key challenges they must address in order to meet an increasingly complex IT environment, and how they can drive innovation across programs.
Cybersecurity Gets Real

In 2013, agencies received new guidance from the executive branch in the form of Executive Order 13636: Improving Critical Infrastructure Cybersecurity. This Executive Order warned that “the cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront.” Despite the mandates, some of the most significant cybersecurity attacks against government data in our time have occurred over the past year.

In June of 2015, the Office of Personnel Management announced the breach of the personnel data of more than twenty-one million Americans. The OPM reported that tens of thousands of Standard Form 86s (SF-86) ‒ which are required for all service members and civilians seeking a security clearance ‒ were stolen. The SF-86, a 127-page document, requires information about family members, friends and past employment, as well as details on drug and alcohol use, mental illness, credit ratings, bankruptcies, arrest records and court actions. The OPM indicated that every person who underwent a government background check during the last 15 years was most likely affected.

OPM stated that hackers stole “sensitive information” that included addresses, personal health and financial records and other private details of 19.7 million people who had been subjected to a government background check, as well as 1.8 million others, including the victims' spouses and friends. This theft was separate from, but related to, a breach revealed last month that compromised the personnel data of 4.2 million federal employees, OPM reported.

Other high-profile attacks reported over the past year include the White House network, State Department network, United States Postal Service, GAO and the Healthcare.gov website. Those are only the entities that have been detected and reported. According to a report issued by MeriTalk, the number of cyber incidents reported by Federal agencies to the U.S. Computer Emergency Readiness Team rose from 48,562 in fiscal year 2012 to 67,168 in fiscal year 2014, an alarming 38% increase over two years.
In a report released in March, The Defense Science Board, a civilian committee that provides scientific and technical advice to the Pentagon, stated that the DOD is not prepared to defend against sophisticated, international cyber attacks. The report pointed to "inherently insecure architectures," inadequate intelligence, and the sheer limits of technology in defending against emerging cyber threats. It encourages the DOD's CIO to work with branches of the military to create an enterprise security architecture that includes minimum standards for ensuring a "reasonable" level of defensibility and increasing the probability that attacks are detected.

Over the last three years, cybersecurity has rocketed to the top of all priorities for Federal Government IT leaders. No other IT aspect is more important to control than the security of federal data and preventing access to critical command and control systems of critical infrastructure.

To address these significant cybersecurity concerns, the FY2016 OMB budget, released by the White House in February, focused on bolstering existing cybersecurity programs and increasing infrastructure agility, while decreasing waste. The budget request included $14 billion to support cybersecurity programs, including “Continuous Diagnostics and Monitoring of Federal systems, the EINSTEIN intrusion detection and prevention system, and Government-wide testing and incident response training to mitigate the impact of evolving cyber threats.”

While an ongoing theme in the budget recommendations was innovating “with less,” some agencies, such as the Veterans Administration, Department of Education and the Department of Homeland Security, submitted requests for significant budget increases. Evidence-based policy, promoting experimentation and evaluation was also new, but measured in terms of proposed investments. The three major focuses of the budget consisted of increasing value in IT investments, increasing security to protect federal information and resources, and conveying world-class tech services.
Last December, Congress passed four new cybersecurity bills that the president signed into law. The National Cybersecurity Protection Act of 2014, S.2519, codifies the Department of Homeland Security's existing National Cybersecurity and Communications Integration Center (NCCIC), which is a focal point for information sharing. The Federal Information Security Modernization Act of 2014, S.2521, amends the 2002 Federal Information Security Management Act to centralize Federal Government cybersecurity management within the Department of Homeland Security, and also delegates implementation authority for defense-related and intelligence-related information security to the Secretary of Defense and Director of National Intelligence. The third bill focuses on strengthening the Federal Government's cybersecurity workforce and improving hiring procedures and compensation ranges for cybersecurity positions at the Department of Homeland Security, while the last bill mandates an assessment of its cybersecurity workforce every three years, in addition to developing a strategy for enhancing the recruitment and training of cybersecurity employees.

First introduced in April, the Cybersecurity Information Sharing Act of 2015 is currently stuck in Congress and faces opposition from many privacy groups. Within the provisions, it “Permits private entities to monitor and operate defensive measures to prevent or mitigate cybersecurity threats or security vulnerabilities on their own information systems and, with authorization and written consent, the information systems of other private or government entities. Authorizes such entities to monitor information that is stored on, processed by, or transiting such monitored systems.” While legislators and privacy groups try to strike a balance between civil liberties and cybersecurity protection, hackers continue to succeed in penetrating information systems and
stealing government data. The plethora of Congressional bills, Executive Orders and management priorities makes cybersecurity not just an objective, but also a national priority. Still, this big-picture priority exists in conjunction with current cybersecurity threats that agency CIOs face on a day-to-day basis. A disconnect remains between lofty leadership cybersecurity objectives and compliance with current certification and accreditation policies and procedures, still mired in bureaucratic processes. It can take up to a year to receive authorization to operate (ATO) for a new system in the federal network. In most cases, these authorizations are still paper-based, with continuous monitoring layered on top.

To effectively address these cybersecurity threats, government IT leaders need to take several concrete steps to prevent additional security breaches. First, government leaders must rationalize their applications and data, and eliminate redundant applications. This is often exercised as a component of an application inventory process. With the right tools, application discovery and dependency mapping can be accomplished in a short amount of time. Second, Enterprise Architecture is needed to align security and application innovation, in order to ensure the appropriate security controls are in place at the
enterprise level. Third, investments are needed for continuous monitoring and security tools that test the infrastructure.

One of the most vexing areas for many organizations to tackle is choosing the mix and correctly implementing security tools. We think about three layers of the IT environment that are critical to protect: the network perimeter, enterprise applications and end-user devices. We also work to embed automation to prevent issues, in contrast to simply reporting on issues.

[Figure: the three layers (network perimeter, enterprise applications, end-user devices) and their security tools]

At the network perimeter, intrusion detection systems (IDS) detect potential threats to the network and can be deployed as network or host applications. The primary responsibility is reporting potential incidents to the security operations team. Network Access Control (NAC) products enforce security policies and handle access authentication and authorization based on their ability to recognize users, devices or their specific roles. IP blacklisting can be effective if very broad, while data loss prevention (DLP) tools can monitor and track issues from potential insider threats. Firewalls, one of our primary security tools, also possess advanced capabilities that include application-awareness features.

At the server enterprise level, security software is needed to protect against a wide range of threats. Anti-malware tools help security administrators identify, block and remove malware. Both anti-virus and anti-spyware software can be deployed to help IT departments focus their anti-malware policies to identify known and unknown malware sources. Newer identity-based security technologies manage authentication and authorization through such methods as digital certificates and public key infrastructure (PKI) solutions.
From an end-user device standpoint, mobile device management (MDM) monitors and controls security configurations, policy enforcement and patch pushes to mobile devices. MDM tools can also remotely lock lost, stolen or compromised mobile devices and wipe all stored data, if needed. For desktops and laptops, web browsing policies and anti-virus/anti-malware tools are essential.

[Figure: Mobile Device Management (MDM) for cell phones and tablets; web browsing policies, anti-virus and anti-malware for laptops and desktops]
The Agile IT Environment

One aspect that makes addressing security more challenging for federal agencies is the complexity of many application environments. The disastrous rollout of the Healthcare.gov site will live on as a lasting example of these shortcomings and complexities. As one response to the shortcomings of the Healthcare.gov project, GSA created an organization called 18F (located on 18th and F Street in Washington, D.C.). This government consulting organization focuses on “lean startup methods, open source code, and contemporary programming languages.” One of their key objectives has been to promote the transition from waterfall frameworks to agile ones.

Overall, Agile values interactions over processes, among other things, and time to delivery is quicker. Because small components are completed sooner and stakeholder feedback is received faster, changes can be made in a shorter timeframe.

At the end of July, the House Oversight and Government Reform Committee berated the lack of progress agencies have made in making government IT more efficient. Federal agencies are still over budget, behind schedule and making duplicated efforts that waste billions of dollars. Rep. Darrell Issa stated experts estimate as much as $20 billion in Federal IT funding is wasted every year. However, other studies show that waste could be as high as $40 billion compared to private sector spending. While agency IT leaders are faced with balancing this broad range of priorities, Congress is struggling to provide effective IT governance across the massive federal bureaucracy.

Earlier this year, Federal Chief Technology Officer Megan Smith highlighted the importance of building large and complex projects, one incremental piece at a time. Speaking to the ACT-IAC Igniting Innovation audience, she noted “Let's not 'spec' the whole huge thing out. Let's do the minimum thing and then get it out there and start iterating with the community.” The General Services Administration released an agile-only contracting vehicle to allow agencies to buy services based on the faster turnaround speed. In contrast to traditional proposal efforts, contractors have been asked to submit examples of code that could be evaluated during the award process.

As agencies work to move towards more agile projects, the key to the approach is using vital elements of Agile; specifically requirements, design and testing, and working collaboratively and simultaneously so that deliverables are produced in a shorter period of time. Development sprints should consist of one- or two-week increments and include a user-functionality test case document. Meetings should be held on a daily basis on all test sites. The most successful agencies will implement Agile as a pilot across a single application or project and further refine it to fit the specific needs of the organization.

Big Data Getting Bigger

One of the reasons applications need to be delivered faster is to deal with an increasing amount of data that is produced within the Federal Government. Dealing with massive amounts of data is not new. All Federal agencies are responsible for creating and maintaining documentation on their organizations' functions, policies, decisions, procedures and essential transactions. However, a large shift over the past few years has been the desire to make a portion of this data more available to the public, as well as data produced through sensors, cameras and remote monitors that did not exist a decade ago.

The Open Government Initiative (data.gov) offers up datasets to the public that are generated and held by the Federal Government. Data.gov provides descriptions of the federal datasets (metadata), information about how to access the datasets, and tools that leverage government datasets. These data catalogs will continue to grow as datasets are added. Currently, over 140,000 datasets exist online. The government also publishes usage information. For example, over 165,000 people visited data.gov in June and the site averaged 60,000 monthly downloads over the past year.

The Veterans Affairs (VA) Research and Development program launched the Million Veteran Program (MVP) to understand how genes affect health and ultimately improve health care for Veterans. MVP will establish “one of the largest databases of genetics, military exposure, lifestyle and health information.” Aside from processing capability, secure storage and tools to analyze this type of data are needed to ensure that these types of aggressive projects provide value.

At the same time, the VA struggles with basic claim services. For example, at the VA's Little Rock Regional Office, it had “over 1,000 file banks full and overflowing with files and over 102,000 paper files.” Director Lisa Breun stated “At the peak, it was taking us … over eight months to complete a veteran's claim and a lot of that was because it was paper. We've gone from over eight months to finish a claim to less than four months.” That's still a significant amount of time that could be better spent in more critical areas.

[Figure: Million Vet Program (MVP)]
Cloud Computing

The Government's current IT environment has been characterized by “low asset utilization, a fragmented demand for resources, duplicative systems, environments which are difficult to manage, and long procurement lead times.” Delivered correctly, commodity IT services hosted in a cloud computing environment have the potential to play a major role in addressing these inefficiencies and improving government IT service delivery.

Large agencies have more resources, but also a more complex and diverse IT environment. Smaller agencies have simpler IT environments, but far fewer resources. The cloud computing model can significantly help agencies grappling with the need to provide highly reliable, innovative services quickly and efficiently, despite resource constraints and highly complex environments.

Now over five years old, the Federal Data Center Consolidation Initiative's (FDCCI) goal is to “reduce the cost of data center hardware, software, and operation, increase the overall IT security posture of the government, and shift IT investments to more efficient computing platforms.” Agencies that are participating in the Federal Data Center Consolidation Initiative show an estimated 3,800 data center closings by the end of 2015. These consolidations will free up 1.7 million square feet of land, as well as save $3.3 billion. Many agencies are still struggling to migrate legacy applications that do not support virtualization, and dealing with a skill gap in terms of optimizing virtualized applications. The cost, complexity and political wrangling over who actually controls these applications have made the road to cloud computing a bumpy one.

The three key barriers that persist in greater cloud computing adoption continue to be a disconnected acquisition model that doesn't support on-demand services, legacy security accreditation and authorization procedures, and cultural resistance to change. The key mechanism for addressing this security challenge has been the Federal Risk and Authorization Management Program, or FedRAMP. This program provides “a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.” Currently only applicable to FISMA-moderate workloads, this approach uses a “do once, use many times” framework that saves an estimated 30-40% of government costs, as well as time and staff required to conduct redundant agency security assessments. Currently, the FedRAMP program is drafting standards for FISMA-High workloads to enable more sensitive workloads to exist in public cloud environments in 2016 and beyond.

[Figure: Key Barriers to cloud adoption, and FedRAMP for FISMA-moderate and FISMA-High workloads]
While individual priorities can be charted, the reality is that all of these initiatives intersect into a unified IT strategy. From the user perspective, having accessible data, secure applications and a robust infrastructure all are basic functions of government IT. With limited budgets, government IT leaders need to innovate just to survive and handle the increasing reliance on IT. Because government business can't be accomplished without it, IT is no longer a niche for application developers.

While government leaders establish priorities, agency IT organizations are still struggling to provide basic access to applications, support for laptops and commodity IT activities. While many pockets of innovation exist throughout the government, the one-size-fits-all priority list is a challenge for diverse agencies that have different missions, budgets and objectives to serve citizens and their users.

A much more aggressive stance is needed on security, especially in the use of heuristic tools. As the complexity of the security tool environment increases, CISOs need to consider how the correlation of these data elements can be combined and automated to prevent hacks. A stronger shared environment such as