When Congress went big on a stimulus spending known as the American Rescue Plan, it appropriated a billion dollars for the Technology Modernization Fund. The Fund is for use by federal agencies seeking to update their information technology. Gordon Bitko is the senior vice president of policy at the Information Technology Industry Council. He talked with Federal Drive with Tom Temin about where the money might best be used.
Tom Temin: Now a billion is way more than the fund has ever had in a given year, it’s less than the Biden administration had floated for $9 billion. But the reality is, it’s only about 1% of what the federal IT budget tends to be in a year, maybe a little bit more than $95 billion. So can this money really make a difference do you think?
Gordon Bitko: Yeah, that’s the right place to start, Tom. And the answer is yes, it can make a difference. We have to figure out smart ways to use the money that can be shared and scaled across agencies and across government for shared services to be built out and for the expectation that individual agencies will be able to take advantage and leverage those benefits. But you’re right, it is a drop in the bucket of the total annual federal IT investment. And so we really do need to think about how do we build on that? How do we use this to start the transformation that’s necessary, but to have commitments from appropriators and from agencies to continue down the path of modernization?
Tom Temin: Because there was also a lot of money appropriated separately from the TMF that is going to the Cybersecurity and Infrastructure Security Agency for cyber, that was like 600 and some million. And then there’s money going to US Digital Service, a couple of 100 million there, which is where agencies typically go to help with digital services deployment, which is a form of modernization. So there’s a lot of different ways that this money could be divided. And what’s your sense of the best way to maybe operate the TMF, on this traditional payback model? The reason I ask is agencies didn’t exactly flock to it when it was the smaller amount of money.
Gordon Bitko: Yeah, the operating model for TMF has been one of the questions and challenges, Tom, throughout. Part of it has been the dollar amount, it just was never appropriated with all that much money. And I think agencies looking at large scale IT modernization didn’t think that 10 or 15 or $20 million, was enough to really make a difference. A billion dollars is enough for an agency with a good modernization plan to make a difference. And of course, all the money shouldn’t go to one agency, but there’s enough there that I do think it’s gonna change the thinking within individual agencies about is this program and the constraints that come with it around repayment — is it worth the opportunity that it presents? And I think the answer is going to be yes. Especially if GSA, again, is able to figure out ways to fund programs that deliver shared services that can scale, that can benefit across multiple agencies, rather than being one project for a specific single agency. I think also, Tom, you hit on another really important point there, which is there is other money going to CISA, to US Digital Services. And I think also to GSA’s Citizen Services Fund, those things play a role here as well. The amount of money going to CISA really does highlight the importance of using this money smartly for cybersecurity, not just the money going to them, but as one of the expectations for good TMF investments as well. Cybersecurity has to be a significant component of that, and SolarWinds really highlighted agencies as part of their modernization need to be rethinking a lot of their cybersecurity programs.
Tom Temin: And how do you think contractors should best position themselves to be able to help government decide where to head and perhaps get some of that money in contracting?
Gordon Bitko: One of the things that the pandemic, Tom, really highlighted is agencies that were leveraging commercial shared services were able to scale elastically and effectively. They were able to move quickly to allow workers to telecommute because they could take advantage of those commercial capabilities. I think that that’s a really important message that contractors should be looking to build upon, how do we continue to supply those commercial services in ways that allow that elasticity to the government. Every time somebody builds a custom, unique one off solution, those things were really hard to scale. But the folks who were using those commercial products, they moved great. You look at all of the press releases from DoD about their installations of various products and services and about how they were the largest in the world because, of course, there’s millions of DoD customers using those services. DoD was able to do that by using largely commercial products. And so I think that’s a big part of the message for agencies and for industry is to figure out how to take advantage of those best in class capabilities.
Tom Temin: In some ways, that’s a return to traditional thinking because COTS, commercial off the shelf products, have at least in theory always been the preference for federal agencies and deploying technology
Gordon Bitko: That’s true. It is stated Tom as the preference. But of course inevitably what happens in each individual agency and I’ll fully admit to having been responsible for this myself, as have many other CIOs, was the thinking that, well I have some special requirement and I can use that COTS product, but I’ve got to add something onto it or use it in a non standard way, or in a non typical environment that makes that sort of elastic commercial capability very difficult when the rubber meets the road like it did during the pandemic. And every time you customize, you are limiting your ability to take advantage of those capabilities. And so the more we can actually truly get back to that preference for COTS and relying on COTS and challenging agency business models and business practices that say we’re different and special, and we need to do something unique. The more that we can get away from that mindset, the better we’re going to be at becoming more resilient and being able to use this money smartly across government.
Tom Temin: And many agencies still face the issue of their legacy code in some of the big applications they’ve been running for 20-30 years. And even though they can re-host it, it’s still the same old code and that limits their ability to change functionality or to redeploy as digital services and so on, to share the data from it. So do you feel perhaps this money might be able to help that effort if they make a concentrated approach to the legacy?
Gordon Bitko: Absolutely, Tom. And that’s a great question. One of the lessons that many folks who have tried to modernize have learned is when all you do is pick up your legacy application and move it to cloud providers with a lift and shift, you aren’t able to take advantage of any of the benefits. Really what people need to do is to think about what’s the new operating model, we have workers scattered around, we need to be able to provide services continuously at all times of the day, globally in some cases, and certainly around the country in many cases. How can we change our application? How should we change our application to be able to do that securely and reliably to deliver the services that users need? And like you said, not rely on a legacy development from sometimes older than 20 or 30 years, to be honest. How can we as we’re doing that transformation actually take advantage of these modern capabilities? And that does mean rethinking the way the application is built.
Tom Temin: And now that there is a federal CIO established, reestablished I guess, at the White House level, Clare Martorana — what should Ms. Martorana top priorities be at this point, given all this money that’s kind of sloshing around now?
Gordon Bitko: I think her top priority is absolutely going to have to be cybersecurity, given everything that’s been going on, the response to SolarWinds and all the other ongoing activities, and the failures of the government to detect and respond appropriately — that’s got to be job one. And so this money as it’s being spent, a priority is going to have to be putting it towards things that are going to help improve cybersecurity to get beyond the reactive. Here’s a signature of some known bad thing to how do we understand risk in our organizations? How do we appropriately design our cybersecurity models to protect against the highest risks in ways that minimize the impact when the next attack happens? So that absolutely has to be priority number one, not just for for her as a federal CIO, but there’s a new federal CISO, there’s still to be named a new National Cyber Director, there’s the head of CISA — all of those functions have to work together. And I think that’s one of the challenges that we see is what is the interplay between all those roles.