Congress will be busy with future tech initiatives and members have high hopes for the potential of current programs, according to two congressmen who spoke June 7 at MeriTalk’s Cloud Computing Brainstorm.
Congressional IT leaders Reps. Will Hurd, R-Texas, and Gerry Connolly, D-Va., talked about the future of major IT initiatives such as FedRAMP, the Modernizing Government Technology (MGT) Act, FITARA, and executive leadership, offering insight into the shape of IT developments in the coming months.
Though Connolly has been a longtime critic of the slow nature of FedRAMP’s cloud authorization process, and even threatened legislative intervention, he told MeriTalk that recent data has diminished his desire to intervene.
“At the legislative side, we’re feeling pretty good, we’re pleased with the progress of FedRAMP. It wasn’t that long ago that we were feeling pretty dire about how FedRAMP was proceeding. Significant improvements have been made,” said Connolly. “I think the need for legislation has diminished, based on the data and the results that I’m looking at. And that’s good news, how it ought to work.”
Connolly added that he would like to explore how the FedRAMP process ended up in such a bad place, and how they were able to turn things around. Hurd said he plans to call a hearing on FedRAMP to explore how the process can be improved even further.
“We’re looking at FedRAMP reform, and we’re going to be holding some hearings on it,” said Hurd. “My working thesis is that there’s a lot of streamlining that can happen.”
Hurd reached out to audience members for their own input, explaining that his understanding of the pros and cons of the process comes only from third-party accounts.
“Part of my reason for wanting to spur conversation this morning is to get a better understanding of those that are using the process,” said Hurd. “I think I have some ideas, but I need to test those ideas.”
Ultimately, Hurd said that the process should not become more bureaucratic, and that government should stop trying to find perfect security solutions.
“We are letting the idea of perfect security get in the way of adopting new technology into our systems,” said Hurd. “We’re never going to find out that the Chinese have broken into somebody’s widget. And if you’re designing a system that does not begin with the presumption of breach, you’re doing something wrong.”
Both Hurd and Connolly expressed high hopes that the MGT Act would pass the Senate and get signed into law in the coming months, enabling agencies to begin using the bill’s provisions for modernization funds.
However, Hurd emphasized that agencies would need to be active in making the case for exactly why and how they will use the appropriations funds to improve their IT.
“Those of y’all that would like a piece of that need to articulate your case,” said Hurd. “That’s what I’m looking for from the administration and from the agencies, if I’m going to be supportive of an appropriation to this fund. In concept, of course, it’s a good idea. That’s why we did the thing. But the specifics matter.”
Connolly said that MGT would likely act as an addition to the work already done by his legislation, the Federal Information Technology Acquisition Reform Act.
“Added to FITARA, that’s a nice corpus of legislative reference and framework for governing IT procurement and acquisition and management,” said Connolly. “MGT builds on FITARA, but it’s only a couple of aspects, it’s not comprehensive. We’re hoping it will be another tool we can use.”
When asked if the use of MGT could be incorporated into FITARA scorecard evaluations, Connolly said that there was no reason it couldn’t be, as the members of Congress dealing with one were the same ones dealing with the other. Hurd was more definitive about the two bills’ potential.
“As long as I’m the head of the IT subcommittee, it for sure will be. It should be, because part of FITARA is about modernization,” said Hurd, adding that there will certainly be questions for the agencies that decide not to take advantage of MGT.
A recently signed cybersecurity executive order places responsibility for each agency’s cybersecurity posture with the agency head, driving IT responsibility up the chain of command. Hurd welcomed the order as a positive addition to leadership goals established in legislation like FITARA, which gives the CIO full responsibility for their agency’s IT.
“At the end of the day, it is the agency heads responsible for that agency,” said Hurd. “If the agency head is responsible for cybersecurity then they’re going to make sure that they’re leaning on their CIO, who’s ultimately responsible for that. I’ve never interpreted FITARA, what we’re doing, as the CIO being an independent authority from the agency head.”
“We welcome any attention coming from this administration about the portfolio of issues we’re talking about. The key is always going to be follow-up,” Connolly said, though he questioned the lack of technology leadership within the executive branch as a barrier to the order’s success. “If you don’t have a team in place, I don’t know how you do that.”
Connolly said that the IT-focused members of Congress and agency CIOs need a partner at the top, such as someone to fill the currently vacant Federal CIO position, to succeed.
According to Hurd, his next major hurdle is going to be establishing a Cyber National Guard to address Federal workforce shortages by offering scholarships to cybersecurity students in exchange for government service. However, he told MeriTalk that a lot more work has to be done before that legislation can be put on the table.
“Before we can really do this, we’ve got to make sure we know what the actual need in the Federal government is, so we can start placing people more accurately,” said Hurd. “My goal is, when we introduce something, all the discussions have been had. That’s what we did with MGT.”
Hurd said that he wants to establish plans for how to manage the scholarships, where to place the recipients within the government, how often those people would need to be on loan from their private sector jobs, and how to standardize Federal cybersecurity job listings.
“The most difficult part is that there are no commonly accepted position descriptions across the Federal government when it comes to IT. Now, I think OPM can do that,” said Hurd. “And we have to do this before we start something like the Cyber National Guard.”