Fed IT plan heads to Capitol Hill


A plan to make the federal government's use of information technology more efficient is headed for a Senate hearing on April 12.

The "25 Point Implementation Plan to Reform Federal Information Technology Management," introduced last December by U.S. Chief Information Officer Vivek Kundra, is scheduled for discussion at a hearing hosted by Sen. Thomas Carper (D-Del.), chair of the Senate Subcommittee on Federal Financial Management, Government Information, Federal Services, and International Security.

The 25-point plan drew on federal IT managers and a wide range of academics and security experts from the public and private sectors over the past two years to propose productivity improvements in government systems. Kundra acknowledges that, despite $600 billion spent on federal information technology over the past decade, the government lags behind the private sector in operating efficiency. But, he says, the roadmap offers ways the Office of Management and Budget (OMB), working with the President's Management Council, can "leverage information technology to create more efficient and effective government."

The strategy's top priorities are the turnaround or termination of at least one-third of the underperforming projects in the government's IT portfolio within the next 18 months, a shift to "cloud first" policies, and a reduction in the number of federal data centers by at least 800 by 2015 (the count grew from 432 in 1998 to 2,094 in 2010). The plan also pledges to work with Congress to consolidate IT funding under agency CIOs, develop flexible budget models, and launch an interactive platform for pre-request-for-proposal (RFP) collaboration between agencies and industry.

Industry observers have been weighing in on the security aspects of the plan. Teri Takai, CIO at the Department of Defense, raised questions about security when Kundra unveiled it, according to Steve O'Keeffe, founder of MeriTalk, a government IT network. Kundra responded that security is "baked in" to the blueprint.

"Challenges with programs such as FedRAMP – cloud FISMA certification – are making people question the attainability of the cloud vision, or perhaps the security tradeoffs it may force," O'Keeffe said. "The first incarnation of GSA's cloud services contract ran into security question marks. We are sure that the second coming will amp up the security capabilities."

The OMB 25 Point Plan is driving vigorous debate, both pro and con, O'Keeffe said. Some responses point out weaknesses in the proposal's language, and others argue that it focuses mainly on better management of old technology. But comments being tallied in a MeriTalk survey, to be unveiled at the Senate hearing, show broad support for Kundra's initiative, alongside a good deal of skepticism about whether the stated timelines can be met, O'Keeffe said.

The OMB is requesting $25 million to roll out the plan. As to whether Congress will approve it and fund it, O'Keeffe said that without funding it will fail. "We certainly need to move the ball forward in federal IT – nobody can argue with that," he said.

In its call for a shift to "light technology," or cloud services, the plan says the National Institute of Standards and Technology (NIST) will lead development of standards for security, interoperability and portability. NIST is teaming with various agencies to develop cloud computing standards where gaps exist.

Even so, the proposal to move services to the cloud has raised security concerns for some, despite the plan's stipulation that such shifts be made only where appropriate or feasible, and despite the safeguards described in "Proposed Security Assessment and Authorization for U.S. Government Cloud Computing," a 90-page document released last November that outlines a proposed government-wide cloud computing risk and authorization management program.

"Once you put your resources in someone else's hands, there's reason for concern," Jeff Kushner, a 25-year veteran of the security industry, said on Friday. There are advantages, in that it is cheaper and faster, but now you have to worry about whether you are able to manage it, he said. "Sometimes there are privileges you don't know about, and suddenly vendors become part of your extended team."

A distributed environment adds hidden dangers of its own, he said: with data housed outside the perimeter, administrators also have to be concerned with the physical security of the cloud servers. "What if the network goes down between you and the cloud," he said. And if data is housed with a third party, "it sets up a conflict of interest with the provider as they would not be motivated to tell you if there was a breach," he said.

Streamlining operations and implementing patches are other concerns the 25-point blueprint seeks to remedy, and a new audit of the Securities and Exchange Commission's (SEC) own IT by its Office of Inspector General suggests these areas deserve priority. The 2010 Annual FISMA Executive Summary Report found, for example, that the SEC failed to patch its systems in a timely manner. The report also notes that the SEC is weak in documenting its patch deployments and, while crediting the agency with incorporating NIST patch requirements, faults it for not always following that guidance.

In one instance, Microsoft patches issued in May 2008 were found not to have been deployed to the SEC's systems until 2010. While NIST guidance does not specify a timeframe within which patches and upgrades must be implemented, it does require prompt installation of "security-relevant software updates."

To remedy failures such as these, the 25 Point Implementation Plan promises that, if approved, it will enable the federal government to provision services in the manner of "nimble start-up companies," adopting cloud solutions rather than building systems from scratch. Costs could be reduced as well.

Asked how the 25-point strategy differs from another cybersecurity bill making its way through Congress, the Executive Cyberspace Coordination Act (ECC), sponsored by Rep. James Langevin (D-R.I.), O'Keeffe explained that the two proposals play in different areas. The ECC Act focuses on federal cybersecurity, and OMB's 25 Point Plan and ECC are not mutually exclusive, he said. "That said, ECC would reform FISMA and move responsibility for federal cybersecurity to the White House."

The question with the 25 Point Implementation Plan, he added, is whether OMB's hands will be too full with other priorities to oversee FISMA and federal cybersecurity. "There is no right answer – only the one which optimally serves our nation's cybersecurity interests."
