IT Modernization Best Practices Repository

The IT Modernization Best Practices Repository wiki was created for the Cyber Resilience Summit series. Here you will find meeting notes, presentations, policy updates, press coverage and more.

The IT Modernization Best Practices Repository is managed by IT-AAC.

UPCOMING MEETING

Cyber Resilience Summit

MEETING NOTES

Download meeting notes from the March 20, 2018 Cyber Resilience Summit

Download meeting notes from the October 19, 2017 Cyber Resilience Summit

PRESENTATIONS

Trustworthy Systems Manifesto: Executive Policy Governing Cyber Risk to the Mission and Business
Dr. Bill Curtis, Executive Director, Consortium for Information & Software Quality (CISQ)
Cyber Resilience Summit, October 16, 2018

IT Modernization Center of Excellence: Measuring the Risks, Mission Value and Lifecycle Cost of IT Modernization Investments
John Weiler, Vice Chair, IT Acquisition Advisory Council (IT-AAC)
Cyber Resilience Summit, October 16, 2018

DHS/S&T Perspective on Cyber Resilience
Scott Tousley, Deputy Director, Cyber Security Division, U.S. Department of Homeland Security Science and Technology Directorate
Cyber Resilience Summit, October 16, 2018

Supply Chain Risk Management (SCRM) Gets Legislative Attention
– Joe Jarzombek, Director for Government, Defense and Aerospace Programs, Synopsys
– William Stephens, Director of Counterintelligence, Defense Security Service
– Don Davidson, Deputy Director, Cybersecurity Risk Management (+ Chief of SCRM Division), Office of the Deputy DoD-CIO for Cybersecurity
– Shon Lyublanovits, Senior Advisor for Cybersecurity, GSA
– Dr. Allan Friedman, Director, Cybersecurity Initiatives, National Telecommunications and Information Administration, U.S. Department of Commerce
Cyber Resilience Summit, October 16, 2018

Delivering Uncompromised (DU)
William Stephens, Director of Counterintelligence, Defense Security Service
Cyber Resilience Summit, October 16, 2018

Continuous Diagnostics and Mitigation (CDM) Moves to Phase 4
Betsy Kulick, CDM Program Deputy Director, U.S. Department of Homeland Security
Cyber Resilience Summit, October 16, 2018

Innovative Methods for Producing Cybersecure Software
– Girish Seshagiri, EVP and CTO, ISHPI Information Technologies
– Paul Seay, Northrop Grumman Fellow, Engineering Center of Excellence, NGMS Engineering, Sciences, and Technology, Northrop Grumman Corporation
– Bill Newhouse, Deputy Director, National Initiative for Cybersecurity Education (NICE); Security Engineer, National Cybersecurity Center of Excellence (NCCoE), NIST
– Robert Martin, Senior Principal Engineer, MITRE

Standards for Managing Cybersecurity, Risk and Technical Debt
Dr. Bill Curtis, Executive Director, Consortium for Information & Software Quality (CISQ)
Cyber Resilience Summit, March 20, 2018

Using Software Quality Standards with Outsourced IT Vendors – a Fortune 100 Case Study
Marc Cohen, Vendor Management practitioner at Fortune 100 institution
Cyber Resilience Summit, March 20, 2018

Security Risk Management
Adam Isles, Principal, Chertoff Group
Cyber Resilience Summit, March 20, 2018

Bugcrowd – The Pentagon Opened Up to Hackers and Fixed Thousands of Bugs
Michael Chung, Head of Government Solutions, Bugcrowd
Cyber Resilience Summit, March 20, 2018

Risk Management Standards in Practice
Robert Martin, Senior Principal Engineer, MITRE
Cyber Resilience Summit, March 20, 2018

Getting IT Quality Standards into Practice – Confessions of a Texas IT Champion
Herb Krasner, University of Texas at Austin (ret.), Texas IT Champion
Cyber Resilience Summit, March 20, 2018

UL 2900 Security Standards
Jeff Barksdale, Principal Security Advisor, Underwriters Laboratories (UL)
Cyber Resilience Summit, March 20, 2018

Roadmap for IT Modernization and Cyber Resilience
John Weiler, Vice Chair, IT Acquisition Advisory Council (IT-AAC)
Cyber Resilience Summit, October 19, 2017

Supply Chain Risk Management (SCRM) for Continuous Diagnostics and Mitigation (CDM) Products
Emile Monette, Senior Cybersecurity Strategist and Acquisition Advisor, DHS OCISO
Cyber Resilience Summit, October 19, 2017

PRESS COVERAGE

Resource-strapped agencies are leaving networks vulnerable to cyberattack
Jessie Bur, Federal Times, March 21, 2018

Tony Scott calls IT workforce drain a “creeping” crisis bigger than Y2K
Carten Cordel, fedscoop, October 20, 2017

Report: DHS Tests Cyber Tech Acquisition Management Model
Nichols Martin, ExecutiveGov, October 20, 2017

DHS piloting agile cyber acquisition, CDM for cloud, CISO says
Carten Cordel, fedscoop, October 19, 2017

DHS to Stand Up CDM Cloud Services for Small Agencies
Morgan Lynch, Meritalk, October 19, 2017

Learn to Deal With Cyber Risk
Morgan Lynch, Meritalk, October 19, 2017

POLICY

House IT Subcommittee Chair Will Hurd (TX-23) and Ranking Member Robin Kelly (IL-02) introduced the Federal CIO Authorization Act of 2018 in September 2018. The bill would reauthorize and rename the Office of Management and Budget’s Office of E-Government as the Office of the Federal Chief Information Officer. The bill would also make the federal CIO a presidential appointee who reports directly to the head of OMB, and codify the federal CISO position to report directly to the federal CIO. Read Bipartisan bill seeks to elevate the federal CIO position on techcrunch.

The Office of Management and Budget (OMB) published its Cloud Smart Strategy proposal on September 24, 2018. This is the first cloud policy update in seven years, and it offers a path forward for agencies to migrate to a safe and secure cloud network. The new strategy is intended to help agencies achieve additional savings and security and to deliver faster services. The 2018 Federal Cloud Computing Strategy is available online at https://cloud.cio.gov.

GSA is weighing “multiple initiatives” for the next wave of IT Modernization CoE (Centers of Excellence) projects in 2019, reports fedscoop. The CoE program, announced in December 2017, is built on five teams of IT talent specializing in cloud adoption, IT infrastructure optimization, customer experience, contact center services and service delivery analytics. Those teams are paired with contractors, as well as personnel at target agencies, to carry out IT modernization projects based on their skill sets. They kicked off work in April. The USDA was selected to be the “lighthouse” agency for the rollout of all five CoE teams.

The Technology Modernization Fund (TMF), which supports the transformation of agency IT to improve mission execution and delivery of services to the American public, has awarded funding for three projects (for more information see https://tmf.cio.gov/projects/). The TMF website has launched for updates: https://tmf.cio.gov/.

The White House Office of Management and Budget published the Federal Cybersecurity Risk Determination Report and Action Plan on May 20, 2018 in accordance with Presidential Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, (Executive Order 13800) and OMB Memorandum M-17-25, Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.

The President's Management Agenda was released on March 20, 2018 and focuses on three drivers: IT modernization, modern workforce, and data transparency and accountability. “A key part of the President’s Management Agenda is establishing cross-agency priority goals, or what we call CAP goals, to complement the broad vision and get into execution and on the ground tactics,” says Office of Management and Budget Deputy Director for Management Margaret Weichert. “Each CAP goal will be led by an interagency team of senior federal leaders.” Read more on Federal Times. Says the White House, “Because accountability is an important part of the PMA, CAP goal results will be tracked publicly each quarter online at www.performance.gov/PMA.”

OMB’s user guide to the MGT Act – February 6, 2018 on FCW

The Office of Management and Budget is working on a rules-of-the-road document to cover how agencies can seek funds under the Modernizing Government Technology Act. In a 19-page draft memorandum to agency heads obtained by FCW, OMB lays out what information agencies should include in their project proposals to receive money from the centralized modernization fund, housed by the General Services Administration, as well as how to navigate using their IT working capital funds.

Gen. Burke “Ed” Wilson was promoted to OSD Policy on Cyber. Read the announcement, published January 29, 2018, on www.defense.gov.

Suzette Kent, principal at Ernst & Young, was appointed the new Federal CIO by President Donald Trump. Read Trump picks federal CIO (FCW), January 26, 2018.

The final White House IT Modernization Plan was delivered to President Trump in December 2017, outlining plans to accelerate the modernization of legacy systems. See https://itmodernization.cio.gov/.

The IT-AAC Federal IT Modernization Report, signed September 20, 2017, was submitted to the White House American Technology Council (ATC) in response to Executive Order 13800.

The IT-AAC Recommendations for Embracing Commercial Cloud in DoD, signed November 17, 2017, were submitted to the DoD Cloud Executive Steering Group.

CYBER RESILIENCE STANDARDS

Consortium for Information & Software Quality (CISQ) www.it-cisq.org/standards

Also see related standards and guidelines including NIST, ISO, CMM, etc.

WEBINARS

New Automated Technical Debt Standard

The CISQ measure of Automated Technical Debt has just been approved by the OMG® as a standard for measuring the future cost of defects remaining in system source code at release. Technical debt hinders innovation and puts businesses at unacceptable levels of risk, including high IT maintenance costs, outages, breaches, and lost business opportunities. Dr. Bill Curtis, CISQ Executive Director, delivers an overview of the specification.

Using Software Quality Standards with Outsourced IT Vendor Engagements – a Fortune 100 Case Study

Marc Cohen led IT vendor management at American Express and discusses how to use software quality standards from CISQ in outsourcing engagements. He explains how to derive better software, better development resources, and better vendor relationships by leveraging software quality standards.

Using Software Quality Standards at Scale in Agile and DevOps Environments

Over the past two years Fannie Mae IT has transformed from a waterfall organization to a lean culture enabled by Agile and DevOps. Barry Snyder, DevOps Product Manager at Fannie Mae, discusses how to use software measurement standards from CISQ to demonstrate significant improvements in code quality and development productivity. Executive management monitors the organization’s Agile-DevOps transformation by reviewing quality, productivity, and delivery-to-speed.

IT ACQUISITION ADVISORY COUNCIL (IT-AAC) DOCUMENTS

DoD’s acquisition and sustainment chief, Ellen Lord, shares the path forward for the new office, envisioning an agile acquisition framework, reports Federal News Radio on May 25, 2018.

ADDITIONAL RESOURCES

A Useful Point of Reference for Critical Infrastructure Resilience
Don O’Neill, Independent Consultant

Presentations from OMG® Modernization Summit, March 21, 2018 in Reston, VA

PHOTOS

View more photos from the Cyber Resilience Summit here
