Federal Chief Information Officers (CIOs) and, more importantly, heads of Departments and Agencies (D/As) have expressed their commitment to modernizing the federal government’s aging IT systems and improving our cyber defenses. As congressional support continues to grow and current legislation is revised, there are proactive steps CIOs can take now to maintain operational stability and resiliency during their D/A IT modernization efforts. To date, the Technology Modernization Fund (TMF) has invested more than $500 million in well over 20 IT investment programs. The Fiscal Year 2023 funding bill recently passed by the House Appropriations subcommittee slated $100 million for the TMF.
Feasibility: For some D/As, refactoring an aging IT system to align with an expanded and/or evolved mission set may be cost-prohibitive and too complex to accomplish in a reasonable timeframe. A thorough feasibility study will help determine which approach best fits your system’s technology stack and mission requirements. Some aging IT systems perform limited but mission-critical functions in support of your D/A’s overall mission; consider expanding the capabilities and features of your newer existing systems to absorb those functions. Keep in mind that your best option may be retiring the aging IT system and/or building from scratch.
Executive leadership will look to the D/A CIO to identify the IT systems that are candidates for modernization. CIOs will need to know which technical and business factors to include in this decision-making process. I strongly recommend collecting and analyzing key operational performance metrics to aid in this decision. Here are some suggested metrics:
- Risks and Risk Mitigation: Document and validate all high probability/high impact system risks
- Solution Architecture: Will the current Solution Architecture support new cybersecurity and performance controls?
- Cost and Schedule: Is the system cost-justifiable?
- Customer and User Satisfaction: Conduct surveys to gauge customer and end-user satisfaction. Is the system continuing to meet stakeholders’ expectations?
- Expanding Capabilities: Will planned enhancements meet industry and federal standards?
- System Performance Metrics: Has there been any degradation in system performance? Is the system meeting speed and capacity expectations?
- Data Architecture: Does the current system data architecture support evolving business requirements and performance standards, and will it continue to?
Planning: For D/As with multiple aging IT systems, prioritization should be your first step. Here are key actions to take as you prioritize your modernization efforts and/or develop a roadmap for successfully modernizing aging IT systems:
Perform vulnerability scans of the aging IT assets. Critical vulnerabilities, especially those with known, actively exploited attack vectors, should carry a heavy weight factor in your prioritization. Improving your D/A’s cybersecurity posture should be a top priority.
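One way to turn that weighting into a repeatable ranking, as an added example rather than the author's own method: aggregate per-finding scan results into a score per system, multiply findings on a known-exploited list by a heavy factor, and then scale by mission criticality. The scan rows, system names, finding identifiers and all weights below are constructed or assumed for illustration; tune the weights to your D/A's risk appetite.

```python
"""Rank aging IT systems for modernization from vulnerability-scan output.

Added example for this article, not the author's code. The scan rows, the
system names and the weights are constructed/assumed for illustration.
"""
import csv
import io
from dataclasses import dataclass

# Constructed scan export: one row per finding. Finding ids are placeholders,
# not real CVE identifiers.
SAMPLE_SCAN = """asset,finding,cvss,known_exploited
payroll-web,F-101,9.8,yes
payroll-web,F-102,7.5,no
grants-mainframe,F-201,9.1,no
grants-mainframe,F-202,5.3,no
intranet-portal,F-301,6.1,no
"""

# Assumed weighting: CVSS band -> base weight, highest band first.
SEVERITY_BANDS = [(9.0, 10), (7.0, 5), (4.0, 2), (0.0, 1)]
# Assumed multiplier for findings on a known-exploited-vulnerabilities list:
# a known attack vector is the heaviest factor in the prioritization.
KNOWN_EXPLOITED_MULTIPLIER = 3
# Assumed mission-criticality factor per system (1 = low, 3 = mission critical).
MISSION_WEIGHT = {"payroll-web": 3, "grants-mainframe": 3, "intranet-portal": 1}


@dataclass
class AssetScore:
    asset: str
    findings: int = 0
    critical: int = 0          # findings with CVSS >= 9.0
    known_exploited: int = 0
    vuln_score: int = 0        # weighted sum of findings
    priority: int = 0          # vuln_score x mission weight


def finding_weight(cvss: float, known_exploited: bool) -> int:
    """Weight one finding by severity band, boosted if it is known exploited."""
    base = next(w for threshold, w in SEVERITY_BANDS if cvss >= threshold)
    return base * KNOWN_EXPLOITED_MULTIPLIER if known_exploited else base


def score_assets(scan_csv: str, mission_weight: dict) -> dict:
    """Aggregate per-finding weights into one AssetScore per asset."""
    scores = {}
    for row in csv.DictReader(io.StringIO(scan_csv)):
        asset = row["asset"]
        cvss = float(row["cvss"])
        kev = row["known_exploited"].strip().lower() == "yes"
        s = scores.setdefault(asset, AssetScore(asset))
        s.findings += 1
        s.critical += int(cvss >= 9.0)
        s.known_exploited += int(kev)
        s.vuln_score += finding_weight(cvss, kev)
    for s in scores.values():
        # Systems missing from the mission table default to weight 1
        # rather than silently dropping out of the ranking.
        s.priority = s.vuln_score * mission_weight.get(s.asset, 1)
    return scores


def rank_assets(scan_csv: str, mission_weight: dict) -> list:
    """Return (asset, priority) pairs, highest modernization priority first."""
    scores = score_assets(scan_csv, mission_weight)
    return sorted(((s.asset, s.priority) for s in scores.values()),
                  key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    scores = score_assets(SAMPLE_SCAN, MISSION_WEIGHT)
    for asset, priority in rank_assets(SAMPLE_SCAN, MISSION_WEIGHT):
        s = scores[asset]
        print(f"{asset:18} priority={priority:4} critical={s.critical} "
              f"known_exploited={s.known_exploited} findings={s.findings}")
```

With the constructed rows, the one known-exploited critical finding on payroll-web outweighs the mainframe's larger raw count, which is the intended effect of the multiplier; a system with many medium findings and no known attack vector should not outrank one exposed to an active exploit.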
What programming language(s) were used to develop and/or maintain the aging IT system? You will need to weigh the availability and cost of the skilled resources required to perform the work. Any code rewrite and/or refactoring should include a strong emphasis on application security: improving your software design and coding practices for securing access to critical code blocks, the data access layer, and core algorithms should be a top priority.
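The data access layer is where a rewrite most often pays off, because aging systems commonly build query text from caller input. The following added example (not code from the original article) shows that legacy pattern beside a hardened rewrite: values are bound as parameters, the one identifier that cannot be bound (the sort column) is checked against an allowlist, and the projection returns only the columns the caller needs. It runs against an in-memory SQLite database; the table, columns, rows and owner names are constructed for the demonstration.

```python
"""Data-access layer: legacy string-built SQL beside a parameterized, allowlisted rewrite.

Added example, not code from the original article. It uses an in-memory SQLite
database with constructed rows; the table, column and owner names are assumed.
"""
import sqlite3

# Columns a caller may sort on. Identifiers cannot be bound as parameters, so
# they must be allowlisted rather than interpolated. ssn_last4 is deliberately
# excluded: sorting on it would leak ordering information about sensitive data.
ORDERABLE_COLUMNS = frozenset({"id", "status"})


def build_db() -> sqlite3.Connection:
    """Create a constructed sample table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE benefit_case (
            id INTEGER PRIMARY KEY, ssn_last4 TEXT, status TEXT, owner TEXT);
        INSERT INTO benefit_case VALUES (1, '1234', 'open',   'alice');
        INSERT INTO benefit_case VALUES (2, '9876', 'closed', 'bob');
        INSERT INTO benefit_case VALUES (3, '5555', 'open',   'carol');
    """)
    return conn


def cases_for_owner_legacy(conn, owner: str, order_by: str = "id") -> list:
    """Typical aging-system pattern: query text assembled from caller input.

    Vulnerable: an owner value such as  x' OR '1'='1  rewrites the predicate,
    and order_by is pasted into the statement unchecked.
    """
    sql = (f"SELECT id, status FROM benefit_case "
           f"WHERE owner = '{owner}' ORDER BY {order_by}")
    return conn.execute(sql).fetchall()


def validate_sort_column(order_by: str) -> str:
    """Allowlist check for the one part of the query that cannot be bound."""
    if order_by not in ORDERABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {order_by!r}")
    return order_by


def cases_for_owner(conn, owner: str, order_by: str = "id") -> list:
    """Hardened rewrite: values are bound, identifiers are allowlisted, and the
    projection exposes only the columns this caller needs."""
    column = validate_sort_column(order_by)
    sql = f"SELECT id, status FROM benefit_case WHERE owner = ? ORDER BY {column}"
    return conn.execute(sql, (owner,)).fetchall()


if __name__ == "__main__":
    conn = build_db()
    payload = "x' OR '1'='1"
    print("legacy  :", cases_for_owner_legacy(conn, payload))   # every row
    print("hardened:", cases_for_owner(conn, payload))          # no rows
    print("hardened:", cases_for_owner(conn, "alice", "status"))
```

Two points the rewrite relies on: parameter binding protects values only, so identifiers and keywords still need an allowlist, and the database account the data access layer connects with should hold only the grants that layer needs (SQLite has no roles, so that part is a deployment concern on your production engine rather than something this snippet can show).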
Review your D/A’s mission-critical systems and determine how well they align with current business processes. As a D/A’s mission and business processes evolve, aging IT systems struggle to keep pace, so this may be your best opportunity to fully align them with current business processes. The goal is to improve operating efficiency while executing the mission.
Mainframe vs. tiered web applications. Consider modernizing your aging tiered web applications before beginning work on mainframe systems. Skilled resources for tiered web applications are still required on most existing or new IT contracts, whereas the skills needed to support a mainframe transformation may require new IT contracts and/or costly recruitment efforts.
The availability of funds will undoubtedly impact any decision to modernize an aging IT system. Your modernization efforts may require a full budget cycle before funds become available. Obtaining the funds required to complete your modernization efforts may require a budget reprogramming request or other federal budget actions. Keep in mind existing IT system support contracts may not include options for re-engineering the system, so specific contract modifications and/or new IT contracts may need to be awarded.
As D/As develop plans to modernize aging IT systems, one critical step will be requirements (re-)engineering. In most instances an aging IT system is aligned with modified or outdated business processes, so a healthy requirements engineering phase will be critical to success.
Execution: You have developed a roadmap and received executive leadership approval. Congratulations! To successfully execute on your vision, I recommend giving some consideration to the following:
Data Tier. Most aging IT systems include outdated data read/write design elements, so I strongly recommend taking this opportunity to optimize data access methods. Updating the relational store and database schema can improve overall system performance and bolster your D/A’s business intelligence (BI) capabilities. Review your database encryption options as well: encryption at rest, encryption in transit, and who holds the keys. Remember, do not over-normalize your databases.
Security. Robust and scalable cyber defenses will be critical to slowing potential intrusions and protecting data assets. A stringent approach to application security will help reduce your D/A’s risk of exposure. Most aging federal IT systems do not support multi-factor authentication (MFA/2FA). Now is a good time to complement a strong application security posture with MFA and single sign-on (SSO); prefer phishing-resistant methods such as PIV/CAC or FIDO2 authenticators over SMS or one-time codes.
Compliance. Don’t forget to keep compliance on the forefront. Ensure that you have identified all regulatory, policy, and compliance requirements.
Hosting. Cloud migration should be a top priority. Optimize your applications for deployment to a cloud environment, and select a FedRAMP-authorized offering at the impact level your data actually requires. Most cloud providers and their partners offer cloud access security brokers (CASBs) along with native identity, logging and policy controls to bolster your cyber defenses. Additionally, do not pay for hosting in a classified environment when an unclassified hosting environment will address your requirements. The cost difference can be substantial.
Closing: It is important that CIOs, in partnership with stakeholders, conduct a thorough feasibility study and establish a sound governance program. This will aid in developing core program objectives and ensure the right tools for program monitoring and reporting are in place.