Discerning Data

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

White House Issues ATC Report and Seeks Comments on IT Implementation Plan

On August 30, the Trump administration unveiled an ambitious plan to upgrade the federal government’s cyberdefenses by shifting digital functions to the cloud and prioritizing security upgrades for the government’s most important systems. In this plan, which in many ways continues the cyberefforts of the Obama administration, the White House’s American Technology Council (ATC) justified the large-scale approach by pointing to what it characterized as the federal government’s longstanding less-than-adequate cyberefforts in the face of years of mounting digital threats.

The plan is grounded in the President’s May 2017 Executive Order (EO) 13,800, which tasked the Director of the ATC to coordinate the preparation of a report to the President from the Secretary of the Department of Homeland Security (DHS), the Director of the Office of Management and Budget (OMB), and the Administrator of the General Services Administration (GSA), in consultation with the Secretary of Commerce (Commerce), regarding the modernization of Federal Information Technology (IT). In accordance with EO 13,800, a draft IT Modernization report was submitted to the President last week.

The ATC and signatory agencies will seek to gather feedback from industry experts and any other relevant stakeholders on the goals and proposed implementation plan for Federal IT Modernization outlined in the draft report. The information received will be grouped into high-level themes under the key input areas listed below:

Appendix A: Data-Level Protections and Modernization of Federal IT

This subject area will focus on “foundational capabilities” such as multi-factor authentication, least privilege principles, and timely patching practices, plus “risk-based capabilities” such as data encryption (at rest and in transit), secure application development, security testing, threat modeling, application whitelisting, and mobile device management. In addition, this subject area will address “leveraging modern deployment solutions” such as automated deployments and immutable deployments.

Appendix B: Principles of Cloud-Oriented Security Protections

This subject area will focus on “data-centric” protection efforts for cloud-based information systems, but will still permit perimeter-based security efforts for those legacy data centers that cannot be moved to the cloud. With this overarching approach in mind, the plan for this subject area will focus on “government-wide visibility and classified indicators” as well as “proportionate security”, both concepts aimed at maximizing government system security, but on a prioritized basis.

One of the draft report’s major recommendations is a yearlong triaged upgrade of the government’s most important IT systems.

Implementation Plan

With these goals in mind, the plan outlines immediate next steps and long-term considerations related to the modernization of federal networks. The focus areas accelerate federal efforts on three core concepts: (1) prioritizing high-value assets; (2) adopting security frameworks that better protect systems at the data level; and (3) consolidating and standardizing network acquisitions and management wherever possible. Under this plan, high-risk high-value assets will be identified for rapid migration to modernized architecture using best security practices over the next 365 days (with 30-, 60-, 75-, 80-, 100-, 180- and 365-day time windows depending on specific risk assessment evaluations). Within this same timeframe, evaluations will be conducted on gateway and system access points, with the goal of improving protections, removing barriers and enabling the migration of federal systems to the commercial cloud.

Finally, the plan contemplates the consolidation of network acquisitions and management functions at the federal level. This will reverse the current “fractured IT landscape” and begin to maximize the buying power of the federal government, taking advantage of the resulting economies of scale, reductions in inefficiencies caused by disjointed acquisition practices, and improvements in technical developments and operations.

In short, the overall vision of the plan is to consolidate the federal government’s IT acquisition, management, cybersecurity and development practices and operations to eliminate the current situation of disjointed systems, weak cybersecurity practices, wasteful purchasing protocols, and disconnected development practices.

The ATC is seeking public comments on the report by September 20.

About the Author: Ken Dort

Ken Dort is a partner in the firm's Intellectual Property group. Read Ken's full bio on the Faegre Drinker website.

September 11, 2017
Written by: Ken Dort
Category: Cybersecurity, OMB
Tags: ATC, Executive Order
