Federal agencies already under the gun to modernize their information technology capabilities have a new set of standards to meet as a result of an executive order President Donald Trump issued this spring. The directive not only will affect agency managers in their IT operations and acquisition activities, but also will have a significant effect on IT vendors.
The Trump initiative “adds another important piece to the U.S. federal IT modernization puzzle,” said Katell Thielemann, research vice president at Gartner.
“Various parts of the executive order will have a direct impact on the U.S. federal market,” she wrote in an 18-page briefing on the program.
A key element of the order is that responsibility for cyberprotection has been elevated to the level of cabinet officers and the heads of various agencies rather than residing with their IT or cybersecurity officers.
“The President will hold heads of executive departments and agencies accountable for managing cybersecurity risk to their enterprises,” reads the executive order, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” issued on May 11.
Agency heads will be held accountable to the president “for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data,” it states.
Call for Swift Action
The order requires agencies to comply “immediately” with several specific mandates:
- Each agency shall use the “Framework for Improving Critical Infrastructure Cybersecurity” developed by the National Institute of Standards and Technology, or any successor document, to manage the agency’s cybersecurity risk. NIST developed the framework primarily for critical infrastructure owners and operators, most of them in the private sector, and it has since been adopted widely not only by critical infrastructure companies but also by a broad range of other businesses.
- Agency heads shall show preference in their procurement for shared IT services, to the extent permitted by law, including email, cloud and cybersecurity services.
Agencies must deliver a report by early August on their cyber-risk mitigation and acceptance choices, as well as their plans to implement the NIST framework. After reviewing the reports, the Department of Homeland Security and the Office of Management and Budget must submit a joint plan for the cyberprotection of the executive branch enterprise by early October.
The emphasis on the “executive branch enterprise” is a clear statement of policy that cybersecurity is now treated as a government-wide goal rather than a collection of isolated agency efforts.
The executive order also links cyberprotection to the goal of moving faster to modernize federal IT operations in general.
“Effective immediately, it is the policy of the executive branch to build and maintain a modern, secure, and more resilient executive branch IT architecture,” says the executive order.
To advance IT performance, the order requires the director of the American Technology Council to provide a report to the president, also by early August, “regarding modernization of federal IT.”
The White House established the ATC prior to issuance of the executive order to “coordinate the vision, strategy, and direction for the federal government’s use of information technology and the delivery of services through information technology.”
As a follow-up to creating the ATC, President Trump met with 18 tech industry leaders last month.
While the order embodies many new and upgraded standards, the overall goal represents significant continuity with prior efforts, and builds upon Obama administration policies “rather than deviating sharply,” DLA Piper attorneys Sydney M. White and Jim Halpert note in an online post.
Still, the Trump initiative will require IT providers to significantly adjust their marketing efforts.
For example, vendors should “clearly articulate … risk management positioning and governance enabling solutions,” along with “targeting the main groups of federal stakeholders,” Gartner’s Thielemann advised, including “influencers, procurers, enterprise agency end users and mission agency end users.”
IT providers who support the federal enterprise IT environment should “lead an assessment of … offerings through a cloud-based digital platforms lens,” she suggested.
Vendors should evaluate “the implications of emerging enterprise shared services moving to centralized digital platforms,” Thielemann recommended.
Vendors may have to make more investments to enhance their offerings to meet the upgraded goals, although “IT vendors already have to make investments they would not normally have to make elsewhere” in order to pursue the federal market, Thielemann noted.
“These investments are not for the faint of heart, so IT vendors are making continual strategic trade-offs with regard to the level of investments they are willing to make,” she told the E-Commerce Times.
Such investing is a continuous process among contractors already in the market, noted John Slye, research analyst at Deltek.
“Most experienced vendors and service providers are aware and have been addressing these concerns out of necessity, and anything that adds rigor and review to services or products adds effort and cost,” he told the E-Commerce Times.
However, companies new to the federal market may need to put more into product development efforts for government customers.
The reports required by the directive, “coupled with additional action from NIST, could lead to additional requirements on government contractors,” suggests an analysis by Eric Crusius and Norma Krayem at law firm Holland and Knight.
“Certainly, the emphasis on shared services could further direct changes to how the government obtains IT services from contractors and a focus on federal IT modernization provides a series of opportunities for contractors as well,” they wrote.
Providers that specialize exclusively in cyberprotection products and services are in a good position to benefit from the Trump policies, and many already have, Thielemann reported.
The Trump initiatives on cybersecurity and associated IT modernization are in line with recent federal agency moves that recognize that standard government practices actually may hinder timely acquisition of cybersecurity offerings, she noted.
“Several federal organizations have also realized that the unique federal rules of engagement when it comes to market positioning and procurement approaches can be a deterrent for cybersecurity vendors with commercial pedigrees. They are responding by looking for ways to attract them to the market faster,” Thielemann said.
Special Programs and Cloud IT
The Defense Innovation Unit Experimental program (DIUx) has been created to serve as a bridge between Defense Department components confronting major security challenges and private sector companies at the cutting edge of technology.
DIUx offices have been established in California’s Silicon Valley, Boston and Austin, Texas, to promote dialogue with the private sector. In addition, the General Services Administration has set up Special Item Numbers, or SINs, for cybersecurity products on its schedules to accelerate acquisition, Thielemann noted.
The Trump cybersecurity initiative likely will spark a much greater degree of interest in shared services, for which cloud technology is the most visible vehicle.
“The linking of shared services with modernization is opening the route to cloud-based government digital platforms,” Thielemann said, noting the commitments of major players such as Amazon Web Services and Microsoft in the federal market.
“This cybersecurity aspect has been a theme that has evolved in parallel with agency efforts to achieve efficiencies and increase the effectiveness of their IT infrastructure and applications through cloud, and so forth. A few years ago, one question with the feasibility of the cloud was whether it could be secure,” said Deltek’s Slye.
“Now we are hearing how cloud is an avenue to vastly improve security,” he continued. “It comes down to the implementation and how cloud services have matured. The cost, complexity, and time it takes to modernize many legacy systems makes placing those systems in a cloud environment with a security layer in front of it an appealing option. So security has become a ‘selling point’ for many cloud advocates.”