Federal IT experts are calling for agencies to integrate Agile and DevSecOps strategies into their plans to rapidly decommission legacy IT infrastructure.
Ten federal agencies, including the departments of Defense and Homeland Security, have IT modernization plans in various stages of progress, according to a 2021 Government Accountability Office report that studied agencies' legacy systems in 2019. The Defense Department, for example, had a plan that detailed actionable milestones, but similar plans at other agencies were still nascent.
Part of the reason is that IT modernization is a colossal task and many agencies lack the resources or direction to fully accomplish it. Another part is the lack of data that would show which systems need to be scrapped or updated.
“Identifying costs associated with legacy systems is more difficult than one might think,” said Kevin Walsh, director for IT and cybersecurity at GAO, during a hearing with the Senate Committee on Homeland Security & Governmental Affairs’ Subcommittee on Emerging Threats & Spending Oversight. “We just finished getting a complete inventory of our software licenses for major agencies just this past year. We need to focus on getting better inventory of what IT we have out there before we can fully capture the cost. There is a nascent effort underway called TBM, which would closely tie accounting systems to our IT oversight and management systems, which would help allow us to better track where the money is going. But there is no good way right now to identify all the legacy IT in government.”
During the hearing, Walsh and former federal CIOs urged lawmakers to help federal agencies control bloated IT costs and modernize more quickly.
Walsh said there is no “silver bullet” or “easy fix,” but former federal CIOs think some strategic changes could give federal agencies a strong start.
Casey Coleman, former CIO of the General Services Administration, said long budgetary lifecycles tied to technological transformation are the death knell of federal IT modernization.
“[There needs to be] greater use of Agile, DevOps tactics to deliver short and quick results so there can be fine tuning and transparency and oversight throughout the process,” she said during the hearing. “Any project intended to deliver results in two to three years is going to be out of date by the time it delivers. We need short rapid cycles to deliver results.”
Max Everett, former CIO for the Department of Energy, said legacy IT systems pose critical cybersecurity risks. As threats and defensive practices evolve, federal IT and cybersecurity professionals won’t be able to keep up on legacy infrastructure that can’t support new security technologies and practices.
“You can't put modern protection (on legacy systems) like multi-factor authentication,” he said during the hearing. “Security is also about resilience. They fail all the time because they're old and fall apart and no one knows how to fix them. That in itself is a security risk because everyone has to adapt around that and you make security compromises just to keep it going.”
While FedRAMP is a “valuable service” for authorizing and verifying IT infrastructure, it’s “far too slow” and costly given the pace of innovation, he added.
“I don't know of any vendor that doesn’t complain about the timeline for FedRAMP,” Everett said. “For most of these small startups coming up with innovative new things to do, that's not sustainable.”
Renee Wynn, former CIO of NASA, said the unique nature of federal appropriation cycles also hamstrings IT modernization.
“Every time you cross a fiscal year with a project, you add more risk to your plan, and each year, you face a potential loss of funding or people and extend when that project will get done,” she said during the hearing. “You're potentially using software that will no longer be considered modern or available.”
For federal agencies facing this problem, Wynn recommended creating budget reserves specifically for IT modernization.
“I take my total budget and create a reserve to make sure the most critical, high-risk projects would get funding going into the secondary years of their project,” she said.
Everett also recommended budgetary reserves, as well as Agile and DevOps strategies.
“Breaking things up in an Agile method is appropriate,” he said. “There are very few systems we should be building in government anyway. We should mostly be using commercial [systems]. When we do build [in house], they should be done in an Agile way so you don't have to plunge hundreds of millions of capital expense into something only to come to the end of the road and the money's all gone. I think that's happened all too often.”
Federal agencies just getting started should prioritize documenting all their legacy IT systems before developing an actionable plan to modernize.
“Agencies that don't have a documented plan: we don't know what kind of resources they're going to be able to throw out or what needs to be done,” Walsh said. “In our 2019 report, it was very disheartening to see three agencies didn't have a plan, five had some aspects of a plan, and only two had a firm idea of what needed to be done. It's critical because modernizing legacy systems is critical to the government's security and privacy and how well we serve our citizens. Getting our agencies to be thinking about modernization is the first step.”