Modernizing applications in light of the cyber executive order

The long-awaited Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure was released on May 11 and laid to rest many of the questions federal and industry stakeholders had concerning the Trump administration’s security plans.  The order clearly places cybersecurity in the context of IT modernization. 

The cyber EO states that it is the policy of the executive branch to build and maintain a modern, secure and more resilient IT architecture, and that agency heads should show preference for shared IT services, including cloud services. 

The cyber EO is very clear on “what” needs to happen, but does not have much to say about “how” modernization should occur so that it is coordinated and stays on track.  It leaves that up to the American Technology Council. 

Unfortunately, when it comes to implementation of the cyber EO, it would be very easy to go down the completely wrong path.   

Roughly 77 percent of agency IT budgets for FY 2017 are being spent on operations and maintenance, much of which is going to legacy IT applications.  That’s an estimated $69 billion spent this year doing the same applications with largely outdated technologies.  It would be very tempting to simply “lift and shift” legacy systems into the cloud, check the box and call it a win. 

Yet while we clearly want more secure and less expensive systems, we also care about improving mission performance, providing better citizen services and making government work better for its customers.  That means we must modernize these systems, leveraging cloud-based, platform-as-a-service technologies in a smart way that optimizes performance.   

Although modernizing agency IT applications may seem a bit daunting, IT managers can update and transform their application portfolio by following these steps.

Place modernization in the context of larger agency strategies

To successfully kick-start the digital transformation process, the first critical step is to develop a modernization vision and goals that are consistent with the broader policy objectives and strategies of the agency.  IT managers should view this as an overall transformation program and build in change management and communications capabilities right at the outset.

Inventory applications and conduct opportunities analysis

Most agencies already have some sense of their security deficiencies or the savings they could reap through application modernization. Agencies should consider conducting initial screening of these known-impact opportunities and then follow up with deeper dives that assess the biggest performance impacts, security vulnerabilities, costs, contracts, culture, business process complexity, technologies and dependencies/integration issues in greater detail. 

One tool we use to support modernization opportunities analysis is a modernization prioritization matrix, which maps applications across business complexity and technological obsolescence matrixes, taking into account how much is spent on the application (by the size of the bubble in the figure).  

Cost and technological obsolescence taken together can be a proxy for security risk, as agencies are typically paying more for patches and upgrades from outdated technologies.

Take a look at this sample matrix, for example. Applications in quadrant three are usually considered good starting points for modernization because there is a clear need from a technological perspective and the business complexity is manageable. 

On the other hand, applications in quadrant two are typically large, difficult undertakings.  They need to be tackled because of the significant risk and the potential payoff, but they require greater organizational commitment and expertise.

When prioritizing modernization efforts, IT managers should select projects that have the highest cost savings but relatively low business complexity, such as Application C in the matrix example above. This will allow an agency to modernize the application at a relatively quick pace and give it savings it can  reinvest into other modernization efforts, thereby pursuing a budget-neutral approach to modernization.  This approach is consistent with the objectives of the Modernizing Government Technology Act, which is now making its way through Congress.

Develop a modernization portfolio and manage the effort through a digital service center

To complete the initial stage of modernization, match opportunities to investment priorities, select candidates for modernization and also conduct alternatives analysis as well as development business cases.  Once that is done, develop the application modernization roadmap, tie it to enterprise architecture transition plans and manage the effort as a portfolio. 

Any major transformational effort requires the management and governance discipline to make it successful.  Agencies should invest in a centralized capability to support stakeholder engagement and promote platform-based solutions in the context of business process improvement and IT modernization. They must also  provide technical and solution architecture support, risk mitigation services and consistent project management.    

This is no small undertaking.  For each application, it requires deep understanding of both policy objectives and business processes combined with the knowledge of what can be possible with newer technologies.   As the President’s Homeland Security Advisor Thomas Bossert said, “Modernizing is imperative for our security.  But modernizing is going to require a lot of hard, good governance.” 

The American Technology Council will approach its cybersecurity mandate from multiple perspectives that range from critical infrastructure protection to a variety of shared IT services.  As it proceeds with its mandate to coordinate the development of a report on modernizing federal IT to be delivered to the president by mid-August, it should keep the modernization of applications front and center of its focus.