From: InformationWeek/Government
Cybersecurity, continuity planning, and data records management top the list in our latest Federal IT Priorities Survey
By Michael Biddick
Many mandates have been heaped on federal IT executives over the past few years: cloud computing, data center consolidation, open government,shared services, and wider support for mobile devices and applications. Which of these requirements, all coming from the Office of Management and Budget, have risen to the top of agency to-do lists? Well, none of them.
InformationWeek Government’s third annual Federal Government IT Priorities Survey shows that federal IT pros are focused, first and foremost, on providing a secure, solid foundation for all of those other IT efforts. Security, continuity planning, and data records management—in that order—top the list of federal IT priorities. Our survey, conducted in July, was completed by 147 federal IT pros.
That’s not to say that those other IT initiatives aren’t important; federal IT teams have their hands full with all of them. It’s just that with a government-wide preoccupation with information security, and so many competing priorities, agency CIOs are putting most of their resources into establishing and maintaining a firm foundation. After all, it’s hard to justify an investment in mobility projects or new collaboration tools if your firewalls have holes or your databases are offline.
IT strategy decisions aren’t made in a vacuum, of course. 2012 is an election year, a period when many agency leaders shift into a more cautious wait-and-see mode. And for the fourth year in a row, federal IT budgets will be flat. When funds are tight, it’s hard to spend on new initiatives. The single greatest barrier to effective IT execution, according to our survey, is lack of funding, mentioned by 35% of respondents.
Federal CIO Steven VanRoekel has been encouraging agency IT leaders to “do more with less,” and he points to cloud computing and shared services as ways to do that. But progress tends to be slow and incremental. Only 11% of survey respondents rated the efficiency and effectiveness of their agency’s IT performance as much improved over the past 12 months.
A question mark hangs over federal IT planning in the form of the Budget Control Act. If Congress fails to adopt a package of spending cuts or push out the act’s deadline, automatic provisions will go into effect in January. The act would reduce federal spending by $1.2 trillion over 10 years, which would almost certainly have a significant impact on IT spending at the agency level.
Some people see adoption of consumer-like IT products and services as a way around these constraints, by putting new productivity and collaboration tools into the hands of federal employees at low cost. VanRoekel is a proponent of this approach, but federal IT pros are still figuring out the best way to do it. Only 5% of survey respondents consider “bring your own device” to be an extremely important IT initiative.
A major effort to reduce redundancy and increase efficiency in federal IT operations is the “shared first” strategy VanRoekel introduced in October and updated in May. It calls for agencies to share IT resources, facilities, and services. According to the OMB document outlining that strategy, a review of more than 7,000 federal IT investments found many redundancies and “billions of dollars” in potential savings. OMB wants agency CIOs to identify opportunities to consolidate redundant IT services “at all levels, in all federal sector lines of business, in all program areas, and with all IT acquisition vehicles.”
In our survey, shared services garnered a 3.2 rating (out of 5) on the federal IT priority list, putting it on par with business intelligence, PC and laptop upgrades, and IT automation; right below cloud computing; and just above telework systems.
We wanted to understand the driving forces behind agencies’ IT priorities. Agency-specific goals are the most-mentioned driver, cited by 70% of respondents (up from 57% in our 2011 survey), while half of respondents said OMB is a primary driver. That finding jibes with the key premise of this report—that federal IT teams put more of their energies into “must-haves” than into policy guidance from above.
Along these same lines, our survey revealed that agencies are following their strategic IT plans more closely than they did in 2011. Forty-four percent of respondents told us that they have a strategic plan and follow it closely, up from 36% last year. That finding points to stronger IT leadership within federal agencies and departments.
We’re surprised that cloud computing is only a midtier IT priority. The cloud scored a 3.3 (out of 5) on our priority list, failing to make it into the top 10 initiatives. More than half of survey respondents do plan to replace IT infrastructure with cloud services in the upcoming fiscal year. Even so, a sizable minority, 45%, has no such plans.
One new development that could spur cloud adoption is the Federal Risk and Authorization Management Program, or FedRAMP, which promises to expedite the process of ensuring that cloud services satisfy government security and other requirements. After two years of planning, FedRAMP is up and running.
The program employs third-party organizations to perform independent assessments of cloud services on behalf of an agency. In our survey, 16% of respondents using or planning to implement cloud services said they are already they are already using FedRAMP and 36% plan to use it within 12 months.
Priority No. 1: Security
As was the case last year and in our 2010 survey, cybersecurity and security (we put them in the same bucket) are the No. 1 priority among federal IT pros—88% of respondents rated them as very important or extremely important. The simple explanation is that federal agencies continue to be prime targets for malware, phishing attacks, information theft, and other threats.
OMB has complained about the amount of spending, estimated at 10% of federal IT budgets, needed to perform security compliance testing, exercises that critics argue do little to make systems more secure. The Federal Information Security Management Act (FISMA) requires agencies to develop and implement programs to secure their operations and assets, and central to that effort is the certification and accreditation (C&A) process defined by the National Institute of Standards and Technology in its Special Publication 800-37.
That paper-based exercise has been at the center of the criticism. In our survey, 60% of respondents rated the C&A process a “mixed bag”—sometimes helpful, sometimes not. But the process does have its fans. Twenty-seven percent said it’s “very valuable” and good for identifying real security problems.
Continuous monitoring, the use of security monitoring tools to watch the health of IT systems in near real time, is an area of focus for many federal IT teams. In April 2010, OMB released guidelines requiring agencies to provide FISMA auditors with timely information about the state of their systems and networks. This approach included the concept of continuous monitoring as defined in NIST Special Publication 800-137 (revision 1). NIST says continuous monitoring alone doesn’t make for a comprehensive, enterprise ‐wide risk management process, but it’s a key component.
We asked federal IT pros to describe their pursuit of continuous monitoring, along with nine other IT initiatives, on a scale of 1 (not doing it at all) to 5 (doing it very aggressively). With an average score of 3.4, continuous monitoring rose to the top of the list, right alongside federal efforts to improve customer service. Both ranked higher than data center consolidation, big data management, and other government-wide IT undertakings.
Agencies are making progress with their continuous monitoring implementations, but they still have a long way to go. Only a third of survey respondents (34%) said the bulk of their IT infrastructure—76% or more—is managed by such tools.
Given the critical nature of the challenge, and the work that remains to be done, security will almost certainly continue to top the fed IT priority list for years to come. New approaches such as dynamic network and application environments that limit the damage from attacks hold promise.
For more data and analysis on the state of federal IT security, including spending plans and threats, see InformationWeek Government’s 2012 Federal Cybersecurity Survey.
Priority No. 2: Continuity Planning
Disaster recovery planning is a major concern for federal agencies. After 9/11, Homeland Security Presidential Directive 12 (HSPD-12) and Federal Preparedness Circular 65 (FPC-65) put pressure on executive branch agencies to ensure that their essential operations are continually available even during severe natural or man-made disasters.
Continuity of operations is a top priority for federal IT pros. In our survey, 72% identified disaster recovery planning and continuity planning as a very impor tant or extremely impor tant initiative, even if it doesn’t get as much buzz as some other initiatives.
FPC-65 outlines specific requirements. Agencies must be able to implement disaster plans with or without warning, operate within 12 hours of a plan being activated, sustain operations for up to 30 days, and do so in alternate facilities in designated areas. Their plans must take into account telecommuting and shared facilities.
For their most critical services, agencies must develop and maintain a continuity plan Agencies must be able to implement disaster that includes a disaster recovery site and a resilient infrastructure comprising generators, physical security, and telecom and data services with multiple access points. This can be complicated, especially in environments that span both government and contractor facilities.
As part of continuity planning, IT teams should define service levels and devise restoration plans for essential services. They must commit to providing internal or external customers with information on the status of any outages. In this regard, agencies must learn to function and communicate the way telecom service providers do when network outages occur.
Ideally, continuity planning will be done under the umbrella of risk management. Threats and vulnerabilities must be identified so that controls can be put in place to prevent them or minimize their impact. That includes cyber threats such as zero-day vulnerabilities. It’s no coincidence that IT security and continuity planning are at the top of the federal IT priority list.
Standard IT best practices can be helpful in the development and implementation of business continuity planning. Widely used, according to our survey, are ISO 9001 (53%), Six Sigma (50%), CMMI (44%), and ITIL (43%).
Priority No. 3: Data Records Management
You might think that data records management would be a rote exercise for federal IT, not a top priority, but a handful of regulations leave federal IT pros with little choice. Agencies have records management responsibilities under the U.S. Code (Chapter 31, to be specific) and the Freedom of Information Act, and they must be able to provide data related to congressional inquiries, federal judicial proceedings, and lawsuits.
All of which explains why data records management received a 3.7 score in our priorities ranking, identified by 56% as very important or extremely important. Agencies must maintain documentation—much of it digital—of the work they do, decisions they make, policies they implement, and transactions they conduct. Those records take many forms: electronic documents, images, video, email and voice mail, fax, and wiki content. This kind of unstructured content represents the largest body of information assets, and the job of managing it all hasn’t gotten any easier.
One of OMB’s newest initiatives, the Digital Government Strategy, introduced in May, is sure to have implications for the future of data records management. A core principle is to transition from managing documents to managing “discrete pieces of open data” and other content that’s tagged with metadata. A related goal is to make government data available through Web APIs and to mobile devices. As agencies move in this direction, they must evaluate their existing data records processes and systems to see how well suited they are to OMB’s new digital services model.
Priority No. 4: Data Center Consolidation
There’s no escaping data center consolidation. OMB’s Federal Data Center Consolidation Initiative (FDCCI), launched in 2010, requires agencies to cram their servers and storage systems into fewer, more densely packed facilities. And even if this weren’t a federal mandate, cash-strapped CIOs with “cloud first” ringing in their ears would probably be moving in this direction anyway.
At last count, there were 3,133 federal data centers, according to OMB. Its goal is to close 1,080 of them by the end of 2015, about half that number in 2012. In our survey, 60% said data center consolidation is very important or extremely important.
But it’s not easy work. When asked about the biggest barrier they face, 29% of respondents at organizations that are consolidating data centers cited cultural resistance, and an equal number pointed to technical problems in migrating applications.
The pace of IT build-out prior to the FDCCI had become unsustainable. Agencies had implemented some 500 human resources management systems, an equal number of financial management systems, and 24,000 websites. And electricity consumption by federal data centers had doubled over five years, from 6 billion kilowatt-hours in 2006 to more than 12 billion kilowatt-hours in 2011.
FDCCI seeks to reduce the cost of data center hardware, software, and operations; improve security; and shift investment to more efficient computing platforms. Cloud computing is one way the feds are trying to do that. Hard evidence of cost savings remains scant, but agencies have begun to make that case. The Department of Agriculture says it expects to save $27 million over five years in a cloud deployment that extends to 120,000 users, and the General Services Administration anticipates $15 million in savings over five years in a smaller-scale cloud rollout.
OMB’s cloud-first policy, issued in December 2010, gave agencies 18 months to implement three cloud services per agency. After the June 2012 deadline passed, the Government Accountability Office assessed seven agencies: the U.S. Department of Agriculture, the General Services Administration, Health and Human Services, Homeland Security, the Small Business Administration, State, and Treasury. It determined that five agencies met the deadline, and that the USDA and SBA will satisfy the requirement by the end of this year.
Of 20 cloud migration plans submitted to OMB, however, only one was complete. According to the GAO, 11 plans didn’t include performance goals and seven lacked cost estimates. One of the biggest challenges for agencies seems to be how to retire legacy platforms when they move an existing application to the cloud.
Our survey revealed a shift in the type of clouds that agencies plan to use. Fewer agencies (24% in 2012 compared with 34% in 2011) are implementing or planning to implement private clouds in the upcoming fiscal year, and more agencies (10% in 2012 compared with 6% in 2011) are implementing or planning to implement public cloud services. This finding suggests a growing level of comfort with commercial cloud services. Twenty-one percent of respondents already use or are planning to use both public and private cloud services.
Priority No. 5: Data Storage
Storage infrastructure and data growth— popularly known as big data—round out the top five in our list of federal IT priorities. Just as in the business world, federal agencies and departments are hard pressed to keep up with the burgeoning data volumes generated by employees, the public, and the operations behind the services they provide.
In our survey, 57% cited storage and data growth as a very important or extremely important IT initiative. The Obama administration agrees. In March, the White House announced a big data research and development initiative that seeks to improve the government’s ability to extract knowledge and insights from “large and complex” data sets. Six agencies are behind $200 million in new commitments to develop tools and techniques to access, organize, and analyze huge volumes of data.
John Holdren, director of the White House Office of Science and Technology Policy, compared the effort to the government research that led to the creation of the Internet, saying it holds great promise for scientific discovery, education, and national security. But R&D efforts may take years to bear fruit. Alex Rossino, an analyst at research firm Deltek, doesn’t foresee much progress on Uncle Sam’s big data push until 2015 or later, as agencies focus near term on data center consolidation and cloud computing.
Federal agencies have no choice but to embrace big data management. Without the right tools and architectures, organizations won’t be able to use effectively the information they have collected. Big data management tools make it possible to standardize procedures and services, and organize data into a fabric that can be searched, browsed, navigated, analyzed, and visualized.
Moving Forward
It’s important to remember that these priorities are interrelated. For example, data center consolidation and cloud computing are both ways to centralize IT resources. And centralization makes it easier to apply consistent security and cybersecurity policies.
You can take this notion a step further. Without robust security, users and managers won’t have confidence in shared services, making that federal mandate a harder sell. Getting one initiative right often as a bearing on the success of others.
Thus, it’s more important than ever that agencies hone their skills in IT project management as a way to keep things on the right track. OMB has made this area a priority with its TechStat and PortfolioStat initiatives, which increase accountability in the areas of project performance and IT asset management, respectively. Federal IT teams understand the need to get those things right. IT project management rated 3.3 (out of 5) on the federal IT priority list, on par with cloud computing.
Over the past few years, federal IT execs have made a start in reorienting their tech strategies toward more effective, less wasteful outcomes. But we’re still in the early going with the government-wide verhaul of IT investment and operations. Ultimately, it comes down to delivering on these key priorities, and that job is ongoing.
Michael Biddick is CEO of integrator Fusion PPT. Read more stories by him at informationweek.com/michaelbiddick.
Leave a Reply