Build Back Better: Cybersecurity Edition

The COVID-19 crisis in the United States has given insight into weaknesses in emergency response and preparedness plans concerning government information systems and the services they provide. While most federal agencies already had a telework force in place, other agencies hurried to meet the requirements. We discovered the failures to plan for the capacity of a full telework force, insufficient licensing of applications available to remote users, and the loss of talent through reducing forces.

As part of the $1.9 trillion coronavirus relief proposal, one of the actionable items is to Modernize federal information technology to protect against future cyber attacks. $300 million is to be allocated to the Technology Transformation Services (TTS), that is, the digital transformation lead of the Federal Acquisition Service (FAS) organization within the General Service Administrations’ (GSA). TTS is a unique program area that brings us capabilities, such as login.gov, the Federal Risk and Authorization Management (FedRAMP), and the U.S. Web Design System (USWDS). These efforts, and more, help propel businesses and agency organizations forward into modernization. There is $690 million to be allocated to the Cybersecurity and Infrastructure Security Agency (CISA), notable for the recent efforts on election security and securing control systems for improved cybersecurity services with State, Local, Tribe, and Territorial Government.

Working Backwards

Before diving into what I believe is the best proposal for this budget, I will share an excerpt from OMB Memorandum M-17-25, Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure [OMB M-17-25] states the following:

… Effective management of cybersecurity risk requires that agencies align information security management processes with strategic, operational, and budgetary planning processes…

There is no better organization to lead by example than the GSA, and whose evolved mission includes the government’s acquisition services. The TTS program area is to be given $300 million in no-year funding, which is different from the cost-recoverable model most of the program area functions. This funding is to secure TTS’s ability to bring IT projects forward and is the basis of my proposal’s focal point.

Resilient Acquisitions By Risk-Driven Analysis of Alternatives

We must recognize the impact of expected performance acquisitions by accepting the lowest price technically acceptable, purchasing goods and services where the supplier cannot provide sufficient means of trust, and selecting solutions without including consultants to ensure proper implementations.

  • Establish baseline requirements where the only business is only with organizations that meet such baseline requirements in both their operations, products, and services delivered.
  • Prioritize Commercial-Off-The-Shelf (COTS), Government-Off-The-Shelf (GOTS), or Modified-Off-The-Shelf (MOTS) solutions with Common Criteria certifications.
  • Prioritize COTS solutions where Common Control Profile exists.

Prioritize Risk Tolerance With Supply Chain Risk Management

To measure the degree of acceptable risk or uncertainty with the supply chain is to first incorporate the organization’s risk tolerance baseline into the Supply Chain Risk Management (SCRM) processes. The processes should include the organization’s existing policies, or new policies where there are none, that determine the threats, assumptions, constraints, priorities, or trade-offs when making investment and operational decisions.

  • Identity a cross-functional team that can work across the GSA to incorporate and communicate risk tolerance throughout the organization’s decision-making activities to the Risk Executive Function (REF).
  • Collect inputs from the organization, mission/business processes, and systems to better frame, assess, respond, reduce, and monitor risk.
  • Incorporate supply chain risks, including threat agents, threat and vulnerability considerations, and agency constraints, into purchasing decisions of supplier goods and services.

Empower Cybersecurity Workforce With Education and Training

It is crucial that existing or new professionals transitioning into cybersecurity do not inherit the current age challenges and are better equipped and prepared with the knowledge and solutions necessary. Supervisors should recognize and provide the opportunity for a generalist to become a specialist.

  • Expand staffing to include more opportunities for the Internship, Recent Graduates, and Presidential Management Fellows programs to gain the knowledge, abilities, skills, and experience needed to perform duties not to exceed position grade.
  • Strengthen the workforce by cross-training functional units without existing federal employees occupying vacancies where opportunities exist for future cybersecurity professionals.
  • Prioritize training as required by each position, grade, and work roles, but not limit interagency education and training availability.

Conclusion

I have established these goals as only a few of the challenges articulated to me by federal technology executives. It is always tricky to prepare strategic planning without conflicting or contradicting existing laws, orders, or directives while best laying out a reachable set of goals that can be implemented in one year or by the third year. However, the goals that I highlighted would help us build towards secured programs, solutions, service, and trustworthy technology.