Leveraging the TMF for the secure modernization of high value assets

Last week we published the first in an ongoing series of commentaries intended to highlight the Technology Modernization Fund as a funding option available to agencies to modernize critical systems while lessening reliance on costly legacy systems and reducing cyber risk. In this first post, we outlined elements of the Office of Management and Budget’s TMF/American Rescue Plan (APR) guidance that were just recently updated. The updated guidance incorporates new flexibilities in the fund’s payback requirements and also continues to focus modernization efforts on addressing High Value Assets (HVAs), improving cybersecurity, improving citizen-facing services, and leveraging scalable cross-government services.

On May 12, President Joe Biden issued a comprehensive executive order that gave direction to federal departments and agencies for strengthening the government’s cybersecurity posture. The order establishes a requirement to modernize systems and implement stronger cybersecurity standards by moving agencies and their contract partners to secure cloud services and a zero-trust architecture, and by mandating deployment of multifactor authentication and encryption.

(Note:  Zero trust architecture (ZTA) assumes that no user, device or application attempting interaction with a technology environment can be trusted by default.  A zero-trust architecture employs the elements of identity management including least privilege access and continuous authentication along with micro-segmentation of the network to limit lateral movement once inside the environment. ZTA is designed to lessen the risk of breaches and damage resulting from inappropriate access.)

Additionally, the EO addresses software supply chain security by establishing a public-private process to develop new and innovative approaches to secure software development, and uses the power of Federal procurement to incentivize the market. (The full text of the order can be found here.)

In this post, we will explore the opportunity to leverage the TMF to modernize HVAs while improving cybersecurity in a manner consistent with the EO’s direction.

The definition of a High Value Asset, as set forth by the Cybersecurity and Infrastructure Security Agency, is as follows:

A High Value Asset (HVA) is information or an information system that is so critical to an organization that the loss or corruption of this information or loss of access to the system would have serious impact to the organization’s ability to perform its mission or conduct business.

This HVA definition was further clarified and expanded with the issuance of OMB M-19-03, “Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program.”      

Agencies have long been responsible for identifying and protecting their most critical assets as part of their continuity of operations planning programs. If missions are threatened by natural disasters, terrorist activities, or cyber attacks, agencies must be able to quickly reconstitute operations and restore those critical assets to their normal function in priority order. Also, with the establishment of the High Value Asset Program in 2015, CISA received authority to assist Federal agencies in further identifying those HVAs most vulnerable to cyber attacks, and to set remediation requirements.

These two foundational programs provide data to assist agencies in sequencing systems for modernization, in priority order based on criticality to the mission and identified cyber vulnerabilities. Agencies that have done the critical thinking and planning necessary to take an enterprise portfolio view of their technical assets, and have developed a modernization roadmap tied to the strategic plan and prioritized according to HVA status, can best leverage the expanded funding options afforded to them by the TMF and other funding streams established in the ARP.

Further, agencies can connect the dots among prioritizing HVAs that need modernization, addressing the criteria for a successful business case and the focus areas outlined in the OMB TMF/ARP guidance, and accounting for the stated goals of the Cyber EO.  In making this linkage, they can take advantage of opportunities to develop TMF proposals that meet all of these imperatives. Connecting those dots would enable agencies to focus on TMF proposals that:

• Leverage modernization solutions that move HVAs to cloud environments with zero trust architectures and upgraded authentication fine-grained permissions for access control.
• Leverage a common and well-designed solution/platform/software to address remediation of multiple HVAs based on the analysis of integration points within and across agency enterprise portfolios, for both mission support and mission delivery processes.
• Utilize solutions provided by and marketplaces developed by the General Services Administration designated Quality Service Management Offices in the areas of finance, human capital, cybersecurity and grants management. QSMOs serve as government-wide storefronts, offering multiple solutions for technology and services in their functional area
• Employ a DevSecOps approach to develop modernized applications while following secure practices for software development as outlined in NIST 800-160 and related guidance. The DevSecOps approach automates the integration of security at every phase of the software development lifecycle, from initial design through integration, testing and software delivery.
• Leverage a modernization solution that improves the customer experience and enhances the cybersecurity posture of citizen-facing systems that contain personally identifiable information.

The federal government continues to be well overdue for modernization. Past modernization efforts have often lacked the level of investment needed to accelerate progress. The TMF was designed specifically to address that issue – the increased funding and added flexibilities improve chances to accelerate progress. Investments made based on strategic significance of assets (as with HVAs) -- and with the use of modernization approaches that leverage commercially available, scalable solutions consistent with TMF criteria – will present opportunities to drive progress by optimizing return on those investments. 

Given the multiple efforts around HVA modernization and cybersecurity that the TMF guidance integrates, more foundational elements of success now exist.  These elements apply both within the TMF and, as we discussed last week, can drive progress across the $100 billion federal IT portfolio.  Agencies and their industry partners can and should take advantage of the moment and opportunity for significant mission and performance improvement from modernized, secure technology.