The Current Environment
As one would imagine, the Government’s Information Technology (IT) landscape is enormous. In a report from 2018, it was determined that the “DoD infrastructure involves more than 15,000 classified and unclassified networks, connecting more than seven million computers and IT devices, 10,000+ operational systems in 770 data centers supported by a 170,000-person IT workforce” (AT&T, 2018). Many of these systems are on premises, with the Government footing the bill for each component that must be replaced at end of life. Even with new equipment being ordered, the hardware is only as modern as the day it was ordered and will not meet the needs of an ever-changing IT landscape.
In 2015, the Government Accountability Office (GAO) determined that the “federal government spent about 75 percent of the total amount budgeted for [IT] for fiscal year 2015 on operations and maintenance (O&M) investments…which has resulted in a $7.3 billion decline from fiscal years 2010 to 2017 in development, modernization, and enhancement activities” (GAO). This was due to legacy systems that are still mission critical. In some cases, the systems still running within the Government are over 30 years old. There is a fear that these legacy systems cannot be replaced due to their mission criticality; however, the larger obstacle is the lack of information on how the legacy systems can be converted into modern platforms and virtual services.
Another inefficiency comes from using multiple redundant systems that capture the same information on different hardware components. This leads to wasted man-hours in cataloging systems on the network and many cases of configuration drift and technical debt. An example is when personnel within an agency use multiple versions of the same product (e.g., v12.0.1, v12.0.1b) to support a specific product, making it challenging to consolidate to a single version due to possible incompatibilities.
A third roadblock is the users themselves. If it works, why fix it? This is especially true when many system overhauls can go into the millions while budgets are more constrained. The philosophy of “the system is doing its job, and therefore, is working just fine” is a head-in-the-sand approach to IT infrastructure. Many personnel are okay with using legacy hardware because it is familiar; however, technology constantly evolves, providing a better user experience, quicker response times, 11 nines resiliency and uptimes, and more secure environments using Machine Learning (ML) and Artificial Intelligence (AI). Unfortunately, the right people must be in leadership positions to push the system refresh initiatives.
Fortunately, over the last couple of years, the Government has taken action to catch up with modern advances in IT and created several strategies/programs for updating the aging infrastructure.
The Technology Modernization Fund (TMF)
TMF was authorized by the Modernizing Government Technology Act of 2017, passed by Congress. This act allowed Government agencies to obtain capital for the following objectives:
- Improve, retire, or replace existing information technology systems to enhance cybersecurity and improve efficiency and effectiveness.
- Transition legacy information technology systems to cloud computing and other innovative platforms and technologies.
- Assist and support efforts to provide adequate, risk-based, and cost-effective information technology capabilities that address evolving threats to information security.
- Transfer amounts from the fund to an agency to improve, retire, or replace existing federal information technology systems to enhance cybersecurity and improve efficiency and effectiveness.
- Use amounts in the fund to develop, operate, and procure information technology products and services, and acquire vehicles to improve efficiency and cybersecurity.
- Use amounts in the fund to provide services or work performed in support of such activities.
Agencies using the TMF are required to submit Initial Project Proposals (IPPs) for screening. The projects must be unique and never have been explicitly denied funding in the past. Top priority is given to projects supporting mission-critical systems and systems that will inspire the reuse/support of common systems. Once the IPP passes screening, agencies will submit their Full Project Proposal (FPP) for review. Funding for modernization projects is released incrementally based on milestones accomplished during the project. Repayment terms are flexible and can be extended for up to five years. TMF has acquired $1.225 billion in funding for agencies’ modernization projects.
Digital Modernization Strategy (DMS)
DMS was enacted in 2019 to modernize the IT enterprise within the Joint Information Environment. Some tasks for this program include a refresh for enterprise technology, implementing new cybersecurity efforts, and providing new enterprise IT services. During Fiscal Year (FY) 22, the following efforts were noted:
- Use a commercial cloud environment to support enterprise activities.
- Optimize the Enterprise Collaboration and Productivity Services (ECAPS) capabilities (e.g., Office 365 Suite).
- Use end-to-end Identity, Credential, and Access Management (ICAM) infrastructure within DoD environments.
- Implement Zero Trust Architecture (ZTA) throughout the DoD enterprise (desktop and mobile devices).
- Implement modern cybersecurity capabilities to protect the DoD Information Network (DoDIN).
- Support collaboration, international partnerships, and allied interoperability through the Mission Partner Environment (MPE).
Because many of these initiatives still need to be developed and implemented, it is hard to say how DMS will affect overhauling the aging Government IT infrastructure. The Director, Operational Test and Evaluation (DOT&E) notes in their assessment that “[t]here has been little operationally realistic testing performed on DMS programs, projects, and initiatives, precluding an evaluation of their operational effectiveness, suitability, or cyber survivability” (DOT&E, 2022). In other words, it is hard to thoroughly test modern solutions when no testing structure has been developed for the new technology, or to test commercial technology that relies on a third-party vendor. There will need to be comprehensive testing of all systems, from both an operational and a cybersecurity standpoint, before the DoD can replace legacy systems with modern technologies.
Department of Defense (DoD) Software Modernization Strategy
The Software Modernization Strategy (November 2021) focuses on the software used to complete the mission. As adversaries become more technologically advanced, so does their method of attack through software applications. The key to success with this strategy is to not only streamline resilient and capable software to the enterprise but also have talented and knowledgeable personnel to use and adapt the integrated software. The Software Modernization Strategy is based on five principles:
- A Primacy of Security, Stability, and Quality at Speed—The adoption of modern software must move at the speed of relevance and adopt modern software development processes (e.g., DevSecOps).
- Cloud Smart/Data Smart—Cloud adoption is crucial to modernizing the Government’s infrastructure. Cloud technologies will allow software modernization quickly while managing the data within the environments.
- Enterprise First—An efficient and cost-effective portfolio is needed to integrate enterprise-level systems. Another factor will be for agencies to collaborate in adopting enterprise software to meet the fiscal requirements of the portfolio.
- No One Left Behind—A significant factor in the success of software modernization is ensuring the leadership and personnel working with the system have quality training and skillsets for the modern systems.
- More Than Code—To successfully adopt modern software, policies, processes, and standards must be in place. These components should be created in a manner that helps, instead of hindering, the integration of modern software into the enterprise.
The Software Modernization Strategy is the foundational roadmap for integrating capable and resilient software into the Government enterprise. While there are hurdles to overcome during this change of thinking while meeting fiscal responsibilities, incorporating a strategy for integrating modern software with technologies (e.g., cloud) will make the enterprise more capable of supporting personnel and defending against cyber-attacks.
As mentioned in previous strategies for modernizing the Government’s IT infrastructure, ZTA is a significant factor from the cybersecurity standpoint. Authentication is performed at all system interactions, and users are given the least privilege needed to perform their tasks. According to the DoD Chief Information Officer (CIO), the ZT Portfolio Management Office (PfMO) has planned to execute appropriate ZTA levels across the DoD by FY27. Risk, duration standard deviations, and cloud employment will be considered to meet the timeline. The following methods will be used during the development and integration of ZTA:
- Define—Producing a common lexicon on capability descriptions, outcomes, impact statements, activity outcomes, and providing appropriate references.
- Understand and Contextualize—Realizing the relationships and dependencies helped to drive timeline development.
- Develop and Refine—Multiple iterations resulted in one primary course of action (COA), opportunities for acceleration with the cloud, and other considerations supporting an executable plan.
The success of ZTA integration will also rely on funding available to modernize the aging infrastructure. To do this, the accelerated timeline for ZTA will align with budget cycles from FY23 to FY27. Like the other programs for modernizing the Government’s IT infrastructure, an efficient and cost-effective portfolio will be required so that timelines do not move right and projects do not run over budget.
The Path Forward
Each of the mentioned programs/strategies touches on similar components for modernizing the Government’s IT infrastructure. While all have good ideas for how to move forward with modernization, they need to be able to collaborate across programs. If each strategy runs parallel to the others while in a silo, the result will be duplicated efforts and systems. Collaboration will allow modern technologies, software, and training practices to be amalgamated into enterprise development. Further, refreshing future hardware/software will be more efficient due to cloud technologies and capable personnel.
By no means is modernizing the Government’s IT infrastructure going to be easy, cheap, or quick. There are mission-critical systems over 30 years old still being used, personnel not adequately trained in new technologies, and budget restraints that can stop an initiative in its tracks. The key to success will be open communication and collaboration across the Government enterprise, focusing on supporting the mission more efficiently.