
The federal government is (finally) taking the connection between legacy IT and cybersecurity seriously

Deputy Attorney General Jeffery Rosen speaks to the media about charges and arrests related to a computer intrusion campaign tied to the Chinese government by a group called APT 41 at the Department of Justice on Sept. 16, 2020, in Washington. A recent tranche of government IT modernization funding reflects the federal government’s growing pr...

The Technology Modernization Fund — created in 2017 to help federal agencies fund the replacement of old, outdated and unsafe IT — announced six new projects that it will fund throughout the federal government, most of which emphasize boosting cybersecurity protections for federal systems and services.

The largest project will give the General Services Administration $187 million to build new cybersecurity capabilities into Login.gov, the government’s sign-in service for members of the public who interact with federal websites or apply for federal jobs and programs. The project would include expanded identity verification and integration of the tool with additional government systems and websites.

Three of the fund’s choices reflect the growing adoption of “zero trust” security strategies and solutions in government.

GSA will get $29.8 million to build out its zero-trust architecture, including development of a single sign-on solution with multifactor authentication, micro-segmentation of systems and secure remote access, as well as machine learning and artificial intelligence tools to help with threat correlation, supply chain security and digital services.

The Department of Education will get $20 million to develop a comprehensive zero-trust strategy, incorporate secure remote access and security orchestration, automation and response (SOAR) technology, and stand up an enterprise program management office dedicated to zero trust.

The Office of Personnel Management, which was the subject of a devastating hack in 2015 that led to the pilfering of personal data for more than 22 million people, including many federal employees, will get $9.9 million to accelerate its zero-trust strategy and “fully comply with the mandates established in the Executive Order on 'Improving the Nation’s Cybersecurity.'”

Max.gov, which hosts a number of collaboration and information-sharing tools for federal agencies, will also get $14.5 million to move to a secure cloud environment that will make it easier to perform authentication and foster collaboration with other agencies. Usage of the service among federal agencies “has significantly increased in the 14 years since its deployment, and dozens of agencies rely on the system for mission critical operations,” the fund writes.

The influx of $1 billion into the TMF earlier this year represents a marked shift from the levels of funding the program received in recent years. Originally envisioned as a multi-billion dollar overhaul of federal IT systems, the program saw members of Congress eventually whittle that funding down to $500 million over two years. They even briefly zeroed out all money for the program in a 2018 minibus spending package. As of January 2021, the program had dealt out just $150 million in awards to federal agencies, awards that usually came with strict timelines requiring agencies to repay the money within five years.

For years, the fund’s boosters (and lawmakers who often love to rake federal IT and cybersecurity officials over the coals in public hearings for not doing enough to stop high-profile breaches of government systems) have insisted to reporters and the public that this piecemeal approach to funding was sufficient to meet the government’s massive legacy IT challenges. In reality, it often reflected a Congress that has historically been reluctant to spend money on IT modernization and an inability to recognize the connection between the government's decades-old technology and its cybersecurity woes.

It also reflects Congress’ penchant for maintaining the status quo. About 80% of federal IT spending goes towards maintaining legacy systems and some former cybersecurity officials have pointed out that it’s far easier to convince appropriators to dole out money to maintain older systems.

“Many people complain about the old technology you see in the federal government, but that’s not because the federal government is just bureaucratic and slow entirely. It is incredibly easier to get money from Congress to keep old systems running than it is to get money to buy new systems,” said Michael Daniel, former White House cyber coordinator during the Obama administration and now president of the Cyber Threat Alliance, at the Aspen Institute Cyber Summit this week. “So if you’re a federal manager or if you’re an expert or you know someone in the federal government responsible for running an IT system, it is eminently practical and logical to keep the old system running because you can get money for that.”

When Democrats took over the White House and Congress in the wake of the SolarWinds compromise, and topics like ransomware, state-sponsored cyber espionage and widespread cyber insecurity dominated the headlines, they shifted the conversation back toward a more robust investment, initially floating a $9 billion infusion before settling for $1 billion tucked into the American Rescue Plan Act this year.

That’s opened up a much broader range of potential funding opportunities, and with a wave of new federal cybersecurity mandates being placed on agencies this year from executive orders, OMB memos, the defense authorization bill and binding or emergency directives, some federal IT leaders are looking to the modernization fund for assistance.

At least two agencies — the Federal Energy Regulatory Commission and the National Archives and Records Administration — have said they will look to apply for TMF funding to help them respond to the Biden administration’s zero-trust plan over the next three years.

“We're putting requirements into our proposals, as many agencies are, for TMF to augment some of our appropriations that maintain our day-to-day operations,” Mittal Desai, CIO at the Federal Energy Regulatory Commission, told SC Media this month.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
