On August 30, the Trump administration unveiled an ambitious plan to upgrade the federal government’s cyberdefenses by shifting digital functions to the cloud and prioritizing security upgrades for the government’s most important systems.  In this plan, which in many ways continues the cyberefforts of the Obama administration, the White House’s American Technology Council (ATC) justified this large-scale approach due to what it characterized as the federal government’s longstanding less-than-adequate cyberefforts in the face of years of mounting digital threats.

The plan, grounded in the President’s May 2017 Executive Order (EO) 13,800,   tasked  the Director of the ATC to coordinate the preparation of a report to the President from the Secretary of the Department of Homeland Security (DHS), the Director of the Office of Management and Budget (OMB), and the Administrator of the General Services Administration (GSA), in consultation with the Secretary of Commerce (Commerce), regarding the modernization of Federal Information Technology (IT).  In accordance with EO 13,800, a draft IT Modernization report was submitted to the President last week.

The ATC and signatory agencies will seek to gather feedback from industry experts and any other relevant stakeholders on the goals and proposed implementation plan for Federal IT Modernization outlined in the draft report. The information received will be grouped into high-level themes under the key input areas listed below:

Appendix A:  Data-Level Protections and Modernization of Federal IT

This subject area will focus on “foundational capabilities” such as multi-factor authentication, least privilege principles, and timely patching practices, plus “risk-based capabilities” such as data encryption (at rest and in transit), secure application development, security testing, threat modeling, application whitelisting, and mobile device management.  In addition, this sector will address “leveraging modern deployment solutions” such as automated deployments and immutable deployments.

Appendix B:  Principles of Cloud-Oriented Security Protections

This subject area will focus on “data-centric” protection efforts for cloud-based information systems, but will still permit perimeter-based security efforts for those legacy data centers that cannot be moved to the cloud.  With this over-arching approach in mind, the plan for this sector will focus on “government-wide visibility and classified indicators” as well as “proportionate security” – both concepts aimed at maximizing government system security, but on a prioritized basis.

One of the draft report’s major recommendations is a yearlong triaged upgrade of the government’s most important IT systems.

Implementation Plan

With these goals in mind, the plan outlines immediate next steps and long-term considerations related to the modernization of federal networks. The focus areas accelerate federal efforts on three core concepts: (1) prioritizing high-value assets; (2) adopting security frameworks that better protect systems at the data level; and (3) consolidating and standardizing network acquisitions and management wherever possible.  Under this plan, high-risk high-value assets will be identified for rapid migration to modernized architecture utilizing best security practices over the next 365 days (utilizing 30-, 60-, 75-, 80-, 100-, 180- and 365-day time windows depending on specific risk assessment evaluations).  Within this same timeframe, evaluations will be conducted on gateway and system access points – with the goal being to improve protections, remove barriers and enable the migration of federal systems to the commercial cloud.

Finally, the plan contemplates the consolidation of network acquisitions and management functions at the federal level.  This will reverse the current “fractured IT landscape” and begin to maximize the buying power of the federal government and take advantage of the resulting economies of scale, reductions in inefficiencies caused by disjointed acquisition practices, and improvements in technical developments and operations.

In short, the overall vision of the plan is to consolidate the federal government’s IT acquisition, management, cybersecurity and development practices and operations to eliminate the current situation of disjointed systems, weak cybersecurity practices, wasteful purchasing protocols, and disconnected development practices.

The ATC is seeking public comments on the report by September 20.