IT Modernization – For decades, the federal government has been hamstrung in its efforts to adopt new IT systems by the glacial pace of RMF accreditation and the manual processes required to secure any system connected to the outside world from security risks and inherent vulnerabilities.
Streamlining this process, however, could dramatically reshape government operations and allow for shorter-duration projects that advance the cause of government IT modernization much more quickly – including moves to the Cloud.
Read Full Article: SteelCloud-6-COTS Journal
With government IT modernization initiatives stimulating new legislation and increasing funding opportunities, it is even more critical to address a significant and continuous drag on the system: the painstaking process of securing the system to the specifications of the Defense Information Systems Agency (DISA), a support agency for the Department of Defense (DoD).
As part of this process, systems must be hardened to standard Security Technical Implementation Guide (STIG) benchmarks. The STIGs provide configuration specifications for operating systems, database management systems, web servers and weapon systems used by government agencies.
The problem is that STIGs are long and detailed. They often run to hundreds of pages, and bringing software or systems into compliance with a particular STIG has been a highly specialized manual process that can take many months to accomplish. In addition to the significant time involved, it requires well-trained engineers who are skilled in the technical system, operating system policies and security guidance.
This task adds to implementation costs and can add years before an Authorization to Operate (ATO) is issued. The task is so tedious and painstaking, and there is such a shortage of STIG experts, that it often prevents agencies from pursuing modernization projects.
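To make concrete what "hardening to a STIG benchmark" means in practice, here is an added example (not SteelCloud's product, not DISA content) of the kind of check that is otherwise done by hand: a small auditor that parses an sshd_config-style file and compares each directive against a rule set. The rules, their identifiers (EXAMPLE-001 and so on), severities and the sample configurations are all constructed for this illustration and are not quoted from any published STIG.

```python
"""Minimal STIG-style configuration audit (illustrative, constructed example).

The rule set below is invented for this example; the identifiers are
placeholders, not real STIG vulnerability or rule ids.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str   # placeholder id, not a real STIG id
    keyword: str   # sshd_config directive, matched case-insensitively
    expected: str  # required value
    severity: str  # CAT I / II / III, as STIGs classify findings


# Constructed rule set for an sshd_config-like file
RULES = [
    Rule("EXAMPLE-001", "PermitRootLogin", "no", "CAT II"),
    Rule("EXAMPLE-002", "PermitEmptyPasswords", "no", "CAT I"),
    Rule("EXAMPLE-003", "X11Forwarding", "no", "CAT III"),
    Rule("EXAMPLE-004", "Ciphers", "aes256-ctr,aes192-ctr,aes128-ctr", "CAT II"),
]


def parse_directives(text):
    """Return {lowercased keyword: value} for the active (non-comment) lines.

    sshd honors the first occurrence of a keyword, so a later duplicate does
    not override an earlier one; the parser mirrors that.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        # sshd accepts both "Keyword value" and "Keyword=value"
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        directives.setdefault(key, value)  # keep the first occurrence only
    return directives


def audit(text, rules=RULES):
    """Compare parsed directives against the rules; return a list of
    (rule_id, severity, detail) tuples, one per open finding."""
    directives = parse_directives(text)
    findings = []
    for rule in rules:
        actual = directives.get(rule.keyword.lower())
        if actual is None:
            # A commented-out or absent directive leaves the daemon default in
            # effect, which the rule cannot assume is the hardened value.
            findings.append((rule.rule_id, rule.severity, "not set (default in effect)"))
        elif actual.lower() != rule.expected.lower():
            findings.append((rule.rule_id, rule.severity,
                             f"is '{actual}', expected '{rule.expected}'"))
    return findings


def is_compliant(text, rules=RULES):
    """True when no rule in the set produces a finding."""
    return not audit(text, rules)


# Constructed sshd_config excerpt: one wrong value, one commented-out directive,
# and a duplicate that sshd would ignore.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin yes
#PermitEmptyPasswords no
X11Forwarding no
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
PermitRootLogin no   # ignored: sshd keeps the first occurrence
"""

# Constructed hardened counterpart that satisfies every rule above.
HARDENED_CONFIG = """\
PermitRootLogin no
PermitEmptyPasswords no
X11Forwarding no
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("OPEN", *finding)
    print("hardened config compliant:", is_compliant(HARDENED_CONFIG))
```

Two details matter for a checker like this: a directive that is present only in a comment counts as not set, so the check reports it rather than silently passing, and the first-occurrence rule means a "fix" appended at the bottom of the file does not actually take effect. Real STIG automation must encode many hundreds of such rules per platform, with the exact first-match and default semantics of each product, which is where the months of specialist effort described above go.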
“With modernization, the government is spending a lot of money upfront, but they don’t get any benefit until someone can actually use the new technology in production,” says Brian Hajost, president of SteelCloud and an expert in automated STIG compliance. “One of the things that must get done is the system must be ‘hardened’ and it has to be accredited through the RMF process before an ATO is possible.”
IT modernization projects for government agencies come in many forms. Information may be consolidated into a single, shared data center, or new applications may be moved to a different infrastructure. Increasingly, due to the government’s Cloud Smart program as well as the security guidelines outlined by FedRAMP, modernization projects involve moving to the commercial cloud. The advantage for the government is a more agile system that can be accessed from anywhere and does not require complex on-premise networks.
According to Hajost, however, the difference between deploying an application in the Cloud and a traditional data center is insignificant, at least as it relates to security hardening.
“Moving to the cloud is supposed to be relatively quick and easy, but addressing system security in the cloud is no faster or easier than it is for an on-premise environment,” explains Hajost. “In our world, it isn’t much different than if an application moved from one data center to another, or the application is moved from a data center to the Cloud.”
Hajost says that even those who know how slow the process is still underestimate the expertise and time required, particularly when moving to the Cloud. A shortage of trained personnel impacts the ability to modernize, a shortage that is even more acute in classified environments.
