Congressional oversight to turn up heat on federal IT in 2023

This post first appeared on Federal News Network. Read the original article.

As the calendar flips into 2023, the federal technology community can count on a few things. Cybersecurity/zero trust, IT modernization and customer experience will remain hot topics.

Conferences, webinars and “fireside chats” will continue to abound on these and other related topics as industry follows the buzzwords.

What will be new in 2023 is the change in Congress, where Republicans won the majority in the House in November. Experts believe new committee chairmen will usher in a new and aggressive brand of oversight of the Biden administration. Of course some, maybe most, will be big “P” politically motivated, but certain areas like the Technology Modernization Fund or cybersecurity will get fresh attention from the new leadership.

On the policy side, experts say the next 12 months will provide more insights into how the Office of Management and Budget, the Cybersecurity and Infrastructure Security Agency and agencies will take on software supply chain security and implement the concept of software bill of materials (SBOM).

And as we move into 2023, there will be story lines we have not yet thought of or considered which will, as always, make it a fun and wild ride.

Here is what a group of federal technology expert panelists are watching for in 2023 and beyond:

  • Jonathan Alboum, the former chief information officer at the Agriculture Department and now federal chief technology officer for ServiceNow
  • Ann Dunkin, the chief information officer at the Energy Department
  • Julie Dunne, a former House Oversight and Reform Committee staff member for the Republicans, a former commissioner of the Federal Acquisition Service at the General Services Administration, and now a principal at Monument Advocacy
  • Kelly Fletcher, the chief information officer at the State Department
  • Mike Hettinger, former House Oversight and Reform Committee staff member and now president of Hettinger Strategy Group
  • Keith Jones, former State Department CIO and now president and CEO of the Edgewater Group
  • Janet Vogel, the former chief information officer at the Department of Health and Human Services and now president of the Vogel Group

What are two IT or acquisition programs/initiatives that you are watching closest for signs of progress and why?

AD: Software bill of materials (SBOM)/Secure software supply chain — Currently no one in either the public or private sector has the infrastructure to fully implement the capability. Our colleagues in Europe are proposing a digital standard that, if adopted could make this workable. Adopting a standard is going to be critical to success and I’ll be both watching and advocating for that going forward.

JD: Cybersecurity and federal acquisition requirements. In 2021, the cybersecurity Executive Order 14028 directed federal agencies to implement requirements related to cyber incident response, multi-factor authentication, data encryption and zero trust architecture. This EO also directed the federal acquisition regulation (FAR) council to develop contractor rules to address related cybersecurity challenges. The FAR rules are still pending. These rules are expected to address cyber threat and incident reporting and information sharing and potentially standardize certain cybersecurity requirements for contractors. I hope these proposed rules will be out in the new year so contractors can react and prepare for future requirements. We’re also watching for new cybersecurity-related developments from other agencies that could impact contractors, such as the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) rule, which we could see in March 2023.

KF: We will be keeping close watch on our Evolve acquisition over the next year. It has the potential to be a game-changing acquisition vehicle for us that we need to optimize. Having access to the best of what industry has to offer will help us to accelerate Secretary Antony Blinken’s modernization agenda.

The other is our logistics management system (ILMS) re-compete. This is a $2.5 billion contract that will be a single award indefinite delivery, indefinite quantity (IDIQ). This is important because it’s a major IT system that connects our program offices to our procurement process and facilitates global logistics and supply chain management — key areas that will intersect with cybersecurity and supply chain risk management.

JA: The federal government has a great opportunity in 2023 to accelerate its path toward a national digital strategy. A recent Gartner survey predicts that by 2023, governments without a total experience strategy will fail to successfully transform government services. Citizens increasingly expect government services to mirror the pandemic advances of the private sector in making digital services accessible, fast and easy to use.


One place I’ll be watching to see how well government is doing in this regard is around social and economic support initiatives. If agencies are asked to deploy a safety net quickly and efficiently for Americans in the scenario that we hit a rough economy, how will they do? We learned in the pandemic how important it is for agencies to have digital service offerings that make it easy for people to interact with agency programs when they need them most. We all remember the stories of how hard it was for some people to sign up for unemployment in 2020. In 2023, agencies may be forced to see if pandemic-era changes to systems hold up when Americans need them most.

Cybersecurity and Infrastructure Security Agency Binding Operational Directive (BOD) 23-01 requires agencies to perform an automated asset discovery every seven days, determine what vulnerabilities exist in their environments, and then feed this information into the continuous diagnostics and mitigation (CDM) agency dashboard. This capability needs to be in place by April 2023. Further, agencies will need to be able to initiate on-demand asset discovery and vulnerability enumeration to identify specific assets or subsets by this time. I think this will be a tall order for most agencies, so it will be enlightening to see if the April deadline remains in place.

MH: Even though I think we have made significant progress this year on CX, it’s still an area I am watching closely. Are agencies really going to put forth the types of budget requests needed to meet the challenges associated with delivering better customer experiences? And if they do, will Congress step forward and fund those?

JV: I am watching the National Institutes of Health’s program called “All of Us.” The use of genomic data should provide insight and answers on how to treat diseases and illness. The release of findings should advance our understanding of data relationships in ways that will be both affirming and surprising.

KJ: Monitoring the use of the Technology Modernization Fund (TMF) — There was great hype when the playing field was due to change to leverage funds with varying repayment options. 2021 remained more like prior years, with very little progress on awards; 2022 saw some increases, however, with no major efforts to point to. It will depend on what changes the federal CIO will continue to push for the TMF review board and what role CISA and other agency reps outside of GSA will play on the reviews going forward. The TMF has been viewed as somewhat of a self-licking ice cream cone for projects governed by GSA — where other agencies continue to wait for approval.

Monitoring the progress the Department of State’s Bureau of Information Resource Management (IRM) and the Office of the Senior Procurement Executive are able to accomplish with the Evolve solicitation. We should all have a close eye on the progress of Evolve. Evolve, if successful, will be the largest IT contracting initiative across State, ranging from $10 billion to $12 billion in total contract value over seven years. It is also a game changer for bureaus within the department, having a go-to vehicle for a broad range of IT services. Things to watch would be — is the program office hitting their milestones without major slippage, does the executive sponsor stay engaged to track progress and take corrective action when/where needed, does the program office within IRM remain committed to building out the staff required to run such a large vehicle, and can the protest potential be minimized with great diligence on behalf of the evaluation teams.

What do you expect to see from Capitol Hill around federal technology/acquisition oversight and/or legislation?

JD: Oversight. There will be more oversight. This shouldn’t be a surprise given the Republican control of the House. There will be high profile non-IT/acquisition investigations, but I think we’ll also see more oversight on IT spending and programs. Improving the management of IT acquisition and operations is still on GAO’s high-risk list. This type of oversight could include how the Technology Modernization Fund is being managed and how/when funds are repaid, or whether the TMF is actually targeting modernizing legacy IT. I think there will also be oversight looking at whether the government has controls in place to ensure we’re not buying Chinese-made drones or non-compliant Trade Agreements Act (TAA) products. I’m hopeful the Federal IT Acquisition Reform Act (FITARA) scorecard oversight will continue. Based on the last FITARA scorecard hearing, there will continue to be an emphasis on agencies’ cybersecurity posture. In the Senate, Democrats retain control, but incoming Homeland Security and Governmental Affairs Committee (HSGAC) Ranking Member Rand Paul (R-Ky.) will likely be focused on oversight (although his IT priorities are unclear) and Rep. James Lankford (R-Okla.) is expected to continue his Federal Fumbles oversight series on government waste.


Legislation. One of the things that didn’t get across the finish line in this Congress is updating the Federal Information Security Modernization Act (FISMA) of 2014. I think we’ll see activity here again, as HSGAC Chairman Gary Peters (D-Mich.) has said this is a priority, and frankly a lot has changed in IT security since 2014, and the 2021 cybersecurity EO has significantly altered expectations for federal IT security requirements. On the topic of security, Congress will continue to watch and potentially react to software supply chain security risks with new requirements. We saw this in provisions that would have required contractors to provide SBOMs in the House NDAA (sec. 6722) and Senate NDAA (sec. 1627) — but these provisions were ultimately dropped in conference. In September 2022, the Office of Management and Budget did issue a software development security memo (M-22-18) requiring agencies to have contractors attest to their software development security, which could result in contractors having to provide artifacts such as SBOMs.

MH: The new Republican-led House of Representatives will definitely bring a new approach to oversight of federal IT and cybersecurity initiatives — hopefully it will remain largely bipartisan — but I think you can expect to see increased oversight of IT initiatives at the IRS and other big agencies, as well as related to TMF investments, making sure that taxpayers are getting the best return on investment. What impact this change has on federal IT will be determined in the coming weeks and months as they get going.

Another area I am watching closely is the emergence of the Select Committee on China. While this committee will have a broad focus on all things related to competition from China, I would be surprised if it doesn’t also look at some of the critical cybersecurity issues that are at the forefront of concerns about China, including related to software supply chain security. The incoming chairman of the select committee, Rep. Mike Gallagher (R-Wis.) has a strong cyber background, so I expect cyber to be at the top of their agenda.

Lastly, I am watching carryover issues like FISMA reform, open source software security, and software licensing as they reemerge in the 118th Congress, as well as new ideas, like the chief design officer concept that Rep. Ro Khanna (D-Calif.) announced in December as one of his next congress priorities. It’ll be interesting to see what can get across the line next year.

JA: With the inclusion of Federal Risk and Authorization Management Program (FedRAMP) legislation in the defense authorization bill, I expect greater oversight of the FedRAMP joint authorization board (JAB) and the General Services Administration’s FedRAMP program management office. Congress has heard repeatedly about challenges with a lack of FedRAMP reciprocity between agencies and about how long it takes for a cloud service to become FedRAMP certified. I think the Hill is likely to study both issues and more.

Additionally, I expect that the new Congress will want greater insight into the effectiveness of the Technology Modernization Fund. The TMF received $1 billion in the American Rescue Plan and has made a number of awards over the two years. Congress wants to understand the return on these investments.

Further, as the Federal Reserve continues to signal high interest rates, and economists increasingly expect a recession in 2023, I anticipate Congress will feel increased pressure to show taxpayers they are investing in technology with a clear goal and a fast and meaningful return on value. With increased scrutiny of the Technology Modernization Fund and agency budgets in a mixed Congress, agency chief information officers must be able to demonstrate how their technology investments are driving mission outcomes, creating efficiencies, and reducing operating costs.

JV: Capitol Hill has helped to push for updating cybersecurity and IT measurements. The former measures focused on numbers and compliance. Because of the ever-evolving landscape of cybersecurity and IT risk, future measures should shift and capture positive outcomes and manage and mitigate risk.

Resiliency of IT capabilities is going to be key. Legislation to fund and support these efforts will strengthen the infrastructure that serves our citizens.

KF: Congress passed the CHIPS and Science Act in August. This legislation includes $52 billion to strengthen semiconductor manufacturing in the United States. The act has potential for significant developments in technology and acquisition for years to come in terms of enabling the purchase of U.S. manufactured technologies in the chip sector and hopes to ease supply chain issues because of worldwide disruptions.

KJ: Changes to FedRAMP legislation that speed up the evaluation of platforms and applications that are secure and really improve the landscape of options for federal agencies. I would hope to see more realistic options around the cybersecurity scorecard and FISMA.

AD: I think we’re going to see more cybersecurity legislation, specifically around quantum resistant cryptography and critical infrastructure.

I also think we’ll see legislation to help with workforce challenges. The best case would be a complete overhaul of the general schedule. I don’t think we’ll get that. But I do think that we’ll see targeted efforts to help with critical hiring and retention areas.

If 2021 and 2022 have been all about zero trust and customer experience, what do you think will emerge as the buzzword of 2023?

MH: We hear a lot these days about quantum computing but I don’t know if it has the same reach as terms like distributed cloud or datafication. Do we really need new buzzwords?

KF: Distributed cloud. Federal agencies will continue to leverage cloud-based models and performance will need to keep up with demand. Moving infrastructure closer to the customer will be an avenue to explore to meet performance expectations.

KJ: Data, modernization and delivery — As we continue to come out of the pandemic, departments and agencies will figure out the true workforce balance onsite and offsite. Programs will level out and customers will refocus their efforts back on delivery, both internally and externally. Many programs spent late 2021 and a great portion of 2022 in recovery and somewhat re-baselining efforts. Organizations can no longer point to staffing and the pandemic, with the maturation of tools that are now at the disposal of staff.


The importance of accurate data and speed to deliver cannot be underestimated. Day in and day out, leveraging quality and accurate data has served a tremendous benefit for CIOs and agency leadership.

We should also expect to see a greater push behind robotic process automation (RPA) across agencies. Industry has worked closely with many federal agencies proving out case studies with potential cost savings with the ability to re-direct staff and resources on greater agency challenges.

JD: Supply chain security. There was a provision in the NDAA this year (Sec. 5949) that got a lot of attention because it has language prohibiting the U.S. government from buying goods with semiconductors originating from three specific Chinese semiconductor manufacturers. In that same section there was language extending authority for the Federal Acquisition Security Council (FASC) and authorizing funding for the FASC. It seems Congress is renewing interest in this forum. This signals the continuing policy interest in tackling supply chain risks in federal acquisition — so stay tuned for more FASC activity. The FASC was also directed to review and analyze ways to mitigate supply risks related to certain semiconductors. The FASC was established by the Secure Technology Act of 2018 and intended to be a forum for interagency coordination and efforts to mitigate supply chain risks.

JV: Quantum computing and resiliency, or continuity of operations.

JA: Total experience (TX) — it is more than employee experience or customer experience. Government agencies are ultimately looking for ease of use, a simple and secure interface, and accessible features for all to use, irrespective of the use case. Further, CX and EX are really just different sides of the same coin. An employee is a customer of human resources. The ideas aren’t that different and shouldn’t be treated as unique endeavors. TX recognizes this and incorporates the user experience across all service channels to create great experiences for all.

AD: I think cybersecurity will continue to be a focus area for 2023, as we continue to implement zero trust and wrestle with secure supply chain. If we’re looking for a buzzword, I think it’s likely to be post-quantum cryptography. There’s well-founded nervousness that quantum computing may actually be feasible as a mainstream capability in the next decade and that many, if not all, current cryptographic algorithms may be easily cracked, exposing data that has already been collected.
