June 1, 2016, marks the beginning of another Hurricane Season for the Nation. During this time, the Federal Emergency Management Agency reminds individuals and communities of the measures that they can take to prepare for hurricanes and tropical systems that can cause serious damage to both coastal and inland areas. FEMA’s Mission is to support our citizens and first responders to ensure that as a Nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.
FEMA and the entire federal government rely heavily on information technology (IT) to deliver critical capabilities and services to the people of the U.S. each and every day, and especially when they are most in need. Although these systems are functioning, many of them consist of legacy applications that run not on a “critical IT infrastructure” but on a “crumbling IT infrastructure,” one that is increasingly at risk and becoming more expensive to operate. This “crumbling IT infrastructure” may restrict the way the federal government conducts its business and undermine security, because the systems cannot easily adapt to the changing mission needs flowing from the emerging technologies flooding the marketplace, respond to the ever-increasing number of connected devices, or meet the requirements of new laws, regulations, and industry standards.
“Crumbling IT infrastructure” refers not only to a system’s age in years, but also to factors that diminish long-term sustainability and resiliency. Challenges such as the availability and interoperability of software and hardware, as well as finding the talent required to service these systems, will grow increasingly difficult over time.
On November 20, 2015, congressional investigators reported that nearly three quarters of the $80 billion spent by the federal government on information technology each year goes toward keeping so-called legacy systems running, some of them woefully out of date. According to those congressional investigations, the government currently operates nearly two dozen information systems that date back to 1980 or earlier.
Our dependence on information and telecommunications continues to grow exponentially, so it is clear to me that IT infrastructure assurance must be a high priority for government agencies. I will spend the remainder of this article describing several possible approaches for addressing this assurance challenge.
To ensure that our systems and applications are disaster ready, Federal agencies and departments must first identify and quantify the risks within their environments. They must clearly understand and articulate the links between the identified risks and their potential impact on agency mission essential and business critical operations. After identifying the threats, agencies and departments must determine the likelihood of those risks. The National Institute of Standards and Technology (NIST) Special Publication 800-34, “Contingency Planning Guide for IT Systems,” which provides instructions, recommendations, and considerations for government IT contingency planning, has become an industry best practice. As mandated by federal directives, NIST SP 800-34 also provides policies and procedures for protection of national critical infrastructure components and guidance to sustain an organization’s mission essential functions at an alternate site for up to 30 days. The Federal government must implement parallel standards for robust system and application contingency testing to accurately identify and quantify the risks that crumbling IT infrastructure presents to department and agency functions.
Next, Federal departments and agencies must strategically manage risks across their IT ecosystem. Departments and agencies must use a portfolio management approach to strike an effective and thoughtful balance between investment in operations and maintenance; development, modernization, and enhancement; and IT infrastructure. Comprehensively reviewing all IT assets (aging or otherwise) provides the opportunity to weigh investment in an emerging technology against investment in a critical infrastructure asset that is a single point of failure for delivering mission essential and business critical functions and services to the people of the U.S. The outcome must be a multi-year department or agency investment plan supported by a funding strategy. Federal Chief Information Officers must work with Chief Financial Officers and Chief Procurement Officers to identify sufficient resources and acquisition plans to implement and complete the initiatives necessary to manage the aging IT risks identified in their respective IT and contingency plans.
Finally, the public and private sectors must work in partnership to address the ever-increasing threat of a cyber-attack resulting from the exploitation of outdated or unsupported software or hardware. I would suggest a sector-by-sector (e.g., health, transportation, energy) information sharing strategy that brings together the sector-specific infrastructure providers with public sector leaders. This sector-by-sector dialog will foster long-term strategies for department and agency investment and funding to modernize the crumbling IT infrastructure. This approach will require a considerable amount of time and effort; however, some departments and agencies have simply run out of time and can only preserve what they have. To the extent practicable, these agencies should aggressively manage and restrict access to mission essential systems and applications, and adopt Homeland Security Presidential Directive 12, “Policy for a Common Identification Standard for Federal Employees and Contractors” (HSPD-12). HSPD-12 requires that all agencies issue interoperable credentials to all federal employees and contractors for logical and physical access. It ensures consistency with existing privacy and security law and policy so that employee and contractor information is protected and appropriately used, and it provides for individual credentials, which enable greater individual accountability through the aggressive monitoring of audit logs and configuration control items.
In conclusion, the renewal and modernization of a crumbling IT infrastructure does not happen overnight. The problem developed over many years and will most likely take years to resolve. The funding strategy for addressing this issue is costly and may need to span several fiscal years. However, departments and agencies must seriously invest in the crumbling IT infrastructure in order to deliver critical capabilities and services to the people of the U.S., day to day and when they are most in need. To achieve that outcome, we, as a Nation, must provide departments and agencies the resources required to modernize their critical and crumbling IT infrastructure.