Federal IT Policy Recommendations: 2021–2024

Bill Hunt
16 min read · Dec 17, 2020


This article is part one in a series on IT policy recommendations. A PDF of the full recommendations may be downloaded here.

Executive Summary

The work of improving technology in government through policy initiatives over the last twelve years has been very successful; however, there will always be more work that needs to be done. Today, there are several key steps that the Biden Administration could immediately address and work on over the next four years to continue to build trust and drive maturity in technology across government to “Build Back Better” — not just at the Federal level, but at the state and local levels as well. These steps include:

  1. Renew the Commitment to Open Data & Transparency
  2. Focus on Outcomes, not Box-Checking
  3. Drive Customer Experience & Human-Centered Design
  4. Solve Identity Once and for All
  5. Increase Attention to Small Agencies
  6. Manage Risk through Security

I’ve spent the last ten years working on civic tech from local to Federal levels, inside and outside of government, and have been excited to see incredible gains in the government’s ability to deliver services to constituents. After the Obama Presidency, the work to drive innovation in government didn’t suddenly stop — the Trump Administration pursued an aggressive agenda of IT Modernization. This included a major effort to update a very large amount of outdated government technology guidance, laying the critical foundation for many modern technology practices and ideas.

From 2017–2019, I served in the Office of Management and Budget (OMB) in the Office of the Federal Chief Information Officer (OFCIO), where I worked on the new Federal Cloud Computing Strategy, “Cloud Smart.” I designed this strategy to drive maturity across the Federal Government by updating a variety of older, interrelated policies on cybersecurity, procurement, and workforce training. At the time, we had no idea that many of these initiatives, such as the update to the Trusted Internet Connections policy (TIC), would be critical to enabling government-wide mission continuity during the COVID-19 response just a few months later.

From the past 4 years spent in government, I have been able to see many opportunities for improvements that did not get as much attention as they deserve. What follows are a few policy areas that I believe would build trust and improve service delivery to the American people. These aren’t all major innovations, but these efforts are needed to Move Carefully and Fix Things.

1. Renew the Commitment to Open Data & Transparency

Before joining the Federal Government, I spent years working for government transparency organizations including the Sunlight Foundation and the OpenGov Foundation. Although those and many other transparency organizations have shut their doors over the last four years, the need for transparency has never been greater.

However, I no longer hold the naive belief that sunlight is the best disinfectant. As it turns out, disinfectant is a better disinfectant, and regularly putting in the work to keep things clean in the first place is critically important. Transparency is an active process, not an end in and of itself — and care will have to be given to rebuilding some of the atrophied muscles within government.

Share Data on the Fight Against COVID-19

First and foremost, to heal the country a new Administration will need to deal with not only the COVID-19 virus, but also the disinformation virus. To do so effectively will require addressing public trust around information quality and availability. The Administration should focus on providing timely, accurate information, including infection rates from Health and Human Services (HHS), job numbers from the Department of Labor (DOL), housing data from Housing and Urban Development (HUD), and loan data from the Small Business Administration (SBA). By utilizing the new Chief Data Officers installed across government as part of the Open, Public, Electronic and Necessary (OPEN) Government Data Act signed into law in 2019, the Biden Administration would be able to gather and centralize the critical recovery data. Everyone loves shiny dashboards, but I would instead propose that sharing raw data to allow independent analysis would be vastly more valuable than Yet Another Dashboard.

Revise the National Action Plan

My work on the Fourth National Action Plan for Open Government (NAP4) — and the challenges the Trump Administration faced in delivering this plan — are matters of public record. As we look towards the Fifth National Action Plan, it will be critical to improve engagement with the public and open government groups. Since most of the country has quickly become accustomed to remote collaboration due to the pandemic, I would recommend hosting a variety of virtual forums beyond the DC area to maximize input and idea-generation outside of the beltway. In addition to bringing in more stakeholders from across the country, this would also aid in empowering grassroots-initiated anti-corruption activities.

I’d also recommend starting this process as early as possible to develop and gain traction around high-quality, ambitious commitments. There are also more than a few initiatives that civil society has proposed over the last decade that are worthy of reconsideration, including these from the NAP4.

Revise Agency Open Government Plans

As part of this work, OMB will need to update the long-neglected Agency Open Government Plans guidance, which has not been revised since 2016. Although most agencies have updated their Open Government plans since then, more ambitious efforts to publish data are needed. Notably, the Department of Veterans Affairs (VA) has not updated its plan since 2010, even though Congress has paid more scrutiny to the VA during this time. The VA Inspector General also previously identified that the VA had been actively working to undermine efforts to measure its progress on improving patient wait times, simply by not recording data on the topic. With the new, $5 billion Electronic Health Records (EHR) system being implemented today, it is even more urgent that the VA improve its transparency.

However, all Federal agencies should be directed to more aggressively and proactively publish data, instead of just as a response to Freedom of Information Act (FOIA) requests. Throughout the Trump Administration, key datasets have been removed from government websites. The new Administration can both better tell its story and also build confidence in the American people using government services by working to restore key data and increasing the volume of information that is actively shared.

Rebuild The Office of Science and Technology Policy

The Office of Science and Technology Policy (OSTP), headed by the Federal Chief Technology Officer, was previously the center of open government work under the Obama Administration, but this office and its authority were dramatically reduced over the last four years, with staff cut from 150 to less than 50. As a result, major reconstitution of OSTP and other offices will need to be done to drive these efforts.

2. Focus on Outcomes, Not Box-Checking

Narrow Oversight Focus to High-Impact Projects

Transparency goes hand-in-hand with oversight. The Office of Management and Budget is the primary oversight organization within the Executive Branch (other than Inspectors General), and is organized into smaller domain-specific offices. Staff in these program offices act as “desk officers,” focusing primarily on the 24 large CFO Act Agencies. For smaller offices, a single individual may be tasked with oversight of several agencies’ billion dollar budgets. OMB’s OFCIO is one such smaller office that has been stretched thin in this oversight duty while having to simultaneously fulfill a variety of policymaking roles. However, the primary role of this office is to oversee technology implementation across government to ensure the success of projects.

Given the few remaining staff, rather than being stretched thin on meaningless compliance, these resources could be better spent primarily focusing on only the top five or ten major technology projects in government and making sure that they do not fail in the way we saw happen with Healthcare.gov. Projects such as the State Department’s passport & visa modernization, the Department of Veterans Affairs’ new EHR system, and other similar initiatives could greatly benefit from closer scrutiny. By investing in hiring subject matter experts with skills in technology and in managing massive projects, the government could save taxpayers billions of dollars while simultaneously improving services. OFCIO should also collaborate closely with the Office of Performance and Personnel Management (OPPM), which oversees the Customer Experience initiative across government, to make sure that these projects also meet the needs of the American people.

Restore and Expand The Office of the Federal Chief Information Officer

Moreover, OFCIO shares its limited budget with the U.S. Digital Service’s (USDS) core operations via the Information Technology Oversight and Reform (ITOR) Fund, which was slashed dramatically under the Trump Administration. More than just paying for staff salaries, this fund is used to fund a variety of key technology oversight projects, such as the government’s software code sharing initiative, code.gov. Cuts to this fund have caused OFCIO to eliminate programs like pulse.cio.gov, which monitored and evaluated the maturity and security of agency websites. Moreover, this fund is flexible and can be used by OMB to fund interesting technology initiatives at other agencies. The new Administration should restore the ITOR budget. It would also be useful to further supplement this fund by taking the step of working with Congress to set appropriations to ensure the future of OFCIO and USDS.

Like OSTP, OFCIO has experienced large setbacks. The constant budget cuts and toxic culture have decimated the office, and most of the talented & passionate subject matter experts I served with have since left. Reversing the course on this office, and investing in hiring experts with practical experience in technology in government — not just Silicon Valley thought leadership solutionism — in these offices and beyond will be critical for the success of Federal IT for the next four years. This will improve both the quality of policy that is created as well as the outcomes of IT projects governmentwide.

3. Drive Customer Experience & Human-Centered Design

Historically the government spends hundreds of millions of dollars on major IT projects. However, very little work is typically done to make sure that the right thing is being built — or if the right problem is even being solved. And sadly, newer systems are not always better systems. However, initiatives on Human-Centered Design (HCD) — a process to engage service recipients as stakeholders in the design and implementation of those services and systems — that were started under the Obama administration were built upon over the last four years. For instance, common private sector practices like user research and testing were previously considered difficult in government because of review & approval requirements under the Paperwork Reduction Act, but using streamlined processes and blanket-permission requests these barriers have largely been eliminated for most agencies. These efforts need continued attention and support to maintain the momentum.

Drive Commitment to Human-Centered Design Across OMB

At OMB, the Office of Information and Regulatory Affairs and the Performance & Personnel Management office worked to institutionalize much of this work over the last four years, including new governmentwide Customer Experience (CX) metrics guidance and a related Cross-Agency Priority Goal as part of the President’s Management Agenda. These metrics should be considered table stakes for driving customer experience, and much more work must be done in this area. For instance, every major (and possibly even minor!) IT project should have CX metrics defined as part of its requirements, and these should be tracked throughout the life of the project. For existing projects, these should be created retroactively — starting with the highest-impact public-serving systems — with adequate baselines so that agencies don’t just receive an “easy A.” The recent General Services Administration (GSA) Playbook on CX may provide a great starting point for most agencies.

Fix the Definition of Agile

Of course, this customer experience work is not a new idea — in fact, this sort of Human-Centered Design is a core tenet of Agile software development. Unfortunately, the Federal Government has completely missed the forest for the trees on the principles of Agile, and almost all law and regulation focuses entirely on one area: incremental development, delivering software in small, working chunks over time, instead of delivering a full solution at the end of a lengthy development process. However, the real value of Agile is not in these small chunks, but rather in regular testing – both automated as well as having actual members of the public using the service directly involved in the development process to give feedback as the project progresses. In this way, teams can make sure their software works and is actually solving problems for people using the service, instead of assuming what the people served want. In the private sector we joke that you’ll have testing either way — would you rather do it before your product launches when you can get ahead of the issues, or after when it’s a public embarrassment?

Currently, agencies are required to report on their major IT investments and state if these projects are developed “incrementally,” defined in guidance at the depressingly-low rate of once every six months. OMB could refine their guidance to add additional Agile characteristics, including the requirement that software is tested throughout the development process with real customers. This alone would dramatically decrease the number of failed projects in government, saving potentially billions of dollars.

Fund Great Customer Experience

However, all of this work requires expertise to be done well, and expertise comes at a cost. Champions such as Matt Lira have called for the creation of Chief Customer Experience Officers (CXOs) within agencies, which would be an excellent next step. However, we must not repeat the mistake made in creating the Chief Data Officer (CDO) roles, where no additional funding was dedicated for these new roles or their staff – as a result this became yet another hat for the CIO to wear at most agencies. Agencies will need increased funding in the President’s Budget both to hire new CX experts and to fund contracts supporting CX efforts government-wide.

4. Solve Identity Once and for All

Accurately verifying a person’s identity to satisfy Federal requirements, as well as creating a secure environment to allow them to log in to Federal websites & tools, is a difficult and expensive task for all agencies. This also remains one of the biggest challenges for both agencies and the people accessing government services today. Most agencies have multiple login systems, each specifically tied to an individual service and not sharing information with the others. For instance, at the Department of Veterans Affairs until very recently there were nearly a dozen different login systems. Each of these systems would separately require you to prove that you are who you say you are.

Mandate Login.gov

Meanwhile, the GSA’s Login.gov is an easy solution to this problem, and has been an overwhelming success for many agency services, including USAJobs, the website for most Federal job postings and application processes. Login.gov provides a simple solution to the very expensive problem of checking the identity of a member of the public and allowing them to log in to a government website or application — to receive government benefits, register their small business, or any number of other services. This identity-proofing step is typically the most expensive part of the process, requiring the use of independent, private data sources like those used by our national credit bureaus. With Login.gov, once you’re verified on one site you’re verified at them all, so the cost for taxpayers is dramatically reduced.

Although some agencies are starting to move to this platform, a new administration should mandate that all agencies use Login.gov, and require them to provide a transition plan to this service within 5 years. In fact, usage of Login.gov is already required by law, but the law is simply not being followed (6 U.S.C. 1523(b)(1)(D)). Instead of just an unfunded mandate, the President’s Budget should include a request for Congress to provide appropriations directly to GSA to fund these efforts, to ensure this product is sustainable well into the future.

Use USPS for In-Person Identity Proofing

At the VA we also learned that many people have trouble with identity proofing over the internet for a number of reasons, including not having suitable cameras for capturing information from IDs, memory issues that preclude standard address verification methods, and other problems. However, we found that people were much more likely to succeed when their identity was validated by humans in person at VA hospitals. The US Postal Service (USPS) has successfully piloted a service to check people’s identity in person, both at USPS locations and at people’s homes, using the portable tablets its carriers already use for mail delivery. By working with Congress to help fund this service, identity verification could be a solved problem, while also providing a sustainable additional revenue stream for the desperately-underfunded USPS.

Share these Services with State & Local Governments

Moreover, these services should be offered to state and local governments, who are incredibly eager for these solutions, coupled with the expertise of the Federal government. For instance, the same login that you use for USAJobs could be used to log in to your local DMV, once again making government easier and friendlier for everyone. To date, GSA leadership has not actively allowed sales to these governments, even though it is explicitly allowed under law and other similar services, such as Cloud.gov, have been allowed. The White House should direct GSA to provide this service to any government agency that wants it — and even to the private sector where appropriate!

Recent bills in Congress have also prioritized security for state and local governments, so it would not be unreasonable to go even further and work with Congress to set appropriations to provide this identity service to them as well. Working closely with the Cybersecurity and Infrastructure Security Agency (CISA), GSA could turn this from a small project into a national program.

5. Increase Attention to Small Agencies

There are nearly a hundred smaller independent agencies that are not situated under the President’s Cabinet, and as a result they are largely ignored. However, they still have critically important missions, and these agencies also interface with the bigger agencies to exchange data, presenting a number of potential security concerns and operational risks. Although a focus on projects and outcomes — not just compliance — is critical, OMB needs to pay more attention to these smaller agencies.

For instance, the U.S. Securities and Exchange Commission is a small independent agency of only 4000 people, but is tasked with protecting investors and the national banking system, a role created as a result of the stock market crash in the 1920s. As such a small agency, it doesn’t have nearly the IT and cybersecurity budget of the large agencies. However, since it exchanges data with the Department of the Treasury, it acts as a backdoor into the larger agency. This sort of attack, exploiting a softer target to gain access to a more secure one, is extremely common on the smaller scale and will inevitably become a focus for hostile nation-states in the future.

Fund Small Agencies’ IT

These smaller agencies will need additional resources to be able to deal with these threats while also keeping their services up-to-date. OMB can take the much-needed step of requesting larger IT budgets for these agencies. Furthermore, to date no small agencies have been selected for the Technology Modernization Fund — a “loan program” for agencies to fund IT projects — to help them improve their IT. Meanwhile massive organizations such as U.S. Customs and Border Protection (CBP) — which has an annual budget of 17 billion dollars and is not in any way short of money — have received an additional 15 million dollars from this fund to update their legacy financial systems. Providing access to further funds for smaller agencies would give them an opportunity to improve their systems.

Drive Shared Service Use

Shared IT services are even more important for these agencies. In many cases the Chief Information Officer (CIO) will wear many hats — acting as Chief Information Security Officer (CISO), Chief Data Officer (CDO), and other roles. To be successful while being stretched so thin, staff must take advantage of the capabilities of the bigger agencies to help fill their gaps, such as the Department of Justice’s Security Operations Center-as-a-Service offering. The idea of a “CIO in a Box” for the smaller agencies has been brought up several times, providing information, services, and resources to these organizations. However, very little movement has been made on this initiative, and it is a large opportunity for further work and investment.

Other shared services, including the aforementioned Login.gov and Cloud.gov, would also provide major benefits to smaller agencies, especially if the President’s budget included additional dedicated funding to GSA for these projects for small agencies, so that they don’t have to scrape together the money out of their own limited budgets.

6. Manage Risk through Security

The common theme here is that cybersecurity remains one of the greatest challenges for technology in government today. The Federal Information Security Management Act (FISMA) sets many of the legal requirements for cybersecurity in government, and in practice this has transformed risk management into risk avoidance, reducing the overall risk tolerance for agencies and freezing any interest in trying new things. There is little hope of Congress fixing FISMA in the near future, and the attempts to date will only make things worse. In the meantime, the Biden Administration could supplement ongoing initiatives for security automation with additional resources, and implement the resulting best practices as official policy governmentwide.

Continuous Security Authorization of IT Systems

At the center of IT security in government is the Authorization to Operate (ATO) process. If you’ve ever worked for the government, I’m sure you groaned just having to read that phrase. FISMA requires that for all IT systems, agencies must implement a series of “security controls” — measures defined by the National Institute of Standards and Technology (NIST) to enhance security. Now, this is an extremely laborious process, and a new product may take months to meet the requirements of a security review. This process generates a lot of paperwork — enough to stop bullets, but not very effective for keeping out nefarious attackers. Many agencies only re-assess products against these security controls on a three-year cycle — basically only checking to see if the door is locked once every few years. Moreover, the interpretation and implementation of these controls differ wildly between agencies.

Several agencies have started separate pilots to improve the consistency and speed of this process. For instance, some agencies are working to implement a “lightweight authorization to operate” (LATO) or a “progressive authorization to operate” process, where only a subset of the security controls must be reviewed to begin developing on a platform, with further controls added along the way before launching the application for public use. Others are moving to “continuous authorization,” a concept similar to continuous integration for software testing, by using standard tools to automatically check the various security controls on an ongoing basis — providing real-time visibility into the security of the systems. Still other agencies are working to standardize security plan language, or to use natural language processing (NLP) as a means of reviewing paperwork-heavy controls faster. These efforts also relate to NIST’s work to standardize controls via a machine-readable structure called OSCAL, which is now being used by GSA’s FedRAMP program. Some of these efforts were previously being replicated via the CIO Council, but with the exodus of OFCIO staff, those efforts have stalled out. They should be spread across government via additional funding, staffing, and more pilots.

Conclusion

These are just a few of the policy areas that need attention in technology in government. There are still other agency-specific projects that need further attention that I haven’t covered here. However, these specific areas of focus will continue to build back better technology in government, and equip us with the necessary tools for the next decade or two.

Written by Bill Hunt

Civic Technologist & Policy Enthusiast. Views are my own, not my employer’s. Move carefully and fix things.
