Cybersecurity is a top concern for federal CIOs as they work to incorporate mobility and cloud computing into their enterprises, and they feel hobbled by outdated policy and budget constraints in their efforts to modernize government IT, according to a new study from trade organization TechAmerica.
Among the challenges they cite: a "bitterly divided Congress" that has failed to update acquisition requirements and budgeting authority for IT and has instead produced sequestration and a government shutdown.
Despite the challenges, there is some increase in spending on new systems development, and technologies that promise improved economy and productivity are slowly being adopted. "CIOs are making headway moving to continuous monitoring for cyber, using agile techniques to simplify IT modernization and 'walking, not running' toward cloud and mobile," the report says.
The findings come from TechAmerica's 24th annual survey of federal CIOs, released June 5. This year's survey, which also included CISOs, is based on interviews with 59 participants from 32 federal organizations.
IT spending increased a modest 2% for civilian agencies in fiscal 2014, from $41.8 billion to $42.4 billion, and about 13% of that is spent on security. The largest shares of the budget are being spent on operations and maintenance of existing systems (37%) and on infrastructure, including telecommunications and data centers (23%). While the lion's share of a stagnant budget is going toward maintaining legacy systems, IT is undergoing a major evolution with the rapid expansion of mobile consumer devices in the workplace, a mandated move by agencies to cloud computing, and the emergence of big data analysis as a tool for productivity and security.
The current trend in cybersecurity is continuous monitoring, or continuous diagnostics and mitigation, in which automated tools produce near-real-time data on the security status of IT systems. CIOs are optimistic that continuous monitoring will improve security, but there is concern about the ability to analyze and use the amount of data being generated. Although automated tools can help, skilled analysts are needed to take full advantage of the data, and the money and flexibility to build this workforce have not been forthcoming.
Progress has been made in incorporating mobile devices into the enterprise. Digital credentials derived from the credentials embedded in Personal Identity Verification Cards will help enable identity and access control, and industry is cooperating with the management of devices. In April, major mobile carriers and manufacturers, including Apple, Google, Samsung, and Nokia, made a voluntary commitment to include a Kill Switch on all phones manufactured after July 2015 that would allow agencies to wipe the workplace partitions of lost or stolen devices.
Nearly 90% of agencies have made some move to the cloud, with email being the most common service. One agency expects to save more than $50 million over five years through email, but others complain they have not seen the promised savings. Even with adoption of cloud computing, the scarcity of a skilled workforce remains a problem.
The CIOs said they need more flexible acquisition rules that reflect rapidly changing technology, greater budget control, and more flexibility in hiring skilled workers.