US CIO: Federal Funding Process Played Key Role in OPM Hack
Piecemeal Approach to Appropriations Hinders Modernization of Agencies' IT

The way the U.S. federal government funds information technology served as a major contributor to last year's breach of computers at the Office of Personnel Management that exposed 21.5 million records, many of which included personally identifiable information of employees and contractors with security clearances, says Federal Chief Information Officer Tony Scott.
Congress, for the most part, funds federal civilian agencies to maintain their information systems, not to modernize them. "It's a culture of, what I call 'set it and forget it,'" Scott said at an Aug. 31 symposium on trustworthiness held at the National Institute of Standards and Technology in Gaithersburg, Md. "Go put something in, and then assume your work is done."
Scott says that approach was in play at OPM. "What you have is a recipe for high costs, cost overruns, projects that can't be completed or difficult to start and the whole litany of things that we all know historically have been true," the CIO says. "And, indeed, in OPM we found exactly that. We found there, and across the federal government, when we looked at it, projects that could have been done in one or two years were taking 10 years to do because they couldn't put together enough funding in one budget cycle or two budget cycles to do the needed work.
"And, you know what happens in 10 years: Management changes, priorities change, talent changes, all kinds of things change. So, any project that will take 10 years to do, probably is destined to failure."
In this report, you'll hear Scott:
- Describe a $3 billion Obama administration initiative to seed a fund that will allow agencies to borrow money to modernize their information technology;
- Discuss government guidance that requires agencies to be more diligent in assessing IT risk; and
- Defend OPM's leadership during and after the breach, pointing out that it was the implementation of an IT modernization program that enabled the agency to identify the breach.
Before President Obama tapped Scott to be chief information officer of the United States in February 2015, he led the global information technology group at VMware. Previously, he served as CIO at Microsoft and The Walt Disney Co. and chief technology officer of information systems and services at General Motors.