IT Modernization Grants Will Prioritize Cybersecurity
Federal Agencies to Get $1 Billion in Funding
The Biden administration will prioritize cybersecurity in its $1 billion IT modernization grant program for federal agencies, which will be overseen by the General Services Administration and the Office of Management and Budget.
In March, Congress allocated $1 billion for federal IT modernization project grants as part of the American Rescue Plan - the $2 trillion economic relief package signed by President Joe Biden. That measure also includes $650 million in funding for the Cybersecurity and Infrastructure Security Agency to address security issues (see: Relief Package Includes Less for Cybersecurity).
Grants disbursed by GSA and OMB under the new Technology Modernization Fund will focus on projects that address cybersecurity improvement as well as other shortcomings in IT systems. The two agencies also will take into consideration projects that deal with improving public-facing federal services and cross-agency collaboration programs.
Since January, the Biden administration has made IT modernization and improved cybersecurity priorities in the wake of the SolarWinds supply chain attack - which led to follow-on attacks on nine federal agencies and 100 companies - as well as the series of attacks that exploited vulnerabilities in on-premises Microsoft Exchange email servers.
The Technology Modernization Fund "enables multiyear transformational projects by ensuring federal agencies have resources that exist throughout the lifecycle of modernization," Federal CIO Clare Martorana said Tuesday. "We plan to use these resources to enable the federal government to better respond to SolarWinds, the COVID-19 crisis and support the economic recovery."
The Biden administration's fiscal 2022 discretionary funding request, submitted to Congress on April 9, calls for providing an additional $500 million for the Technology Modernization Fund next year.
The White House is also pushing a separate $2 trillion infrastructure spending proposal that includes upgrading the aging and insecure electrical grid, addressing supply chain vulnerabilities and supporting research on artificial intelligence and quantum computing. Some experts believe that improvements to the nation's critical infrastructure will help address security issues (see: Biden's Infrastructure Plan: 3 Cybersecurity Provisions).
Changes and Improvements
Federal agencies have until June 2 to apply for grants from the Technology Modernization Fund.
As part of Tuesday's announcement, the GSA described changes in the grant program's repayment structure, especially when it comes to modernization projects that address immediate security needs.
To address some of these concerns, the GSA will not require agencies to repay grants for projects that address needs related to cybersecurity or COVID-19. Repayment of grants for other IT modernization projects, however, will be judged on a case-by-case basis.
"The updated Technology Modernization Fund model provides the clarity and flexibility necessary to encourage federal agencies to prioritize technology modernization while transforming the relationship between the federal government and the public we serve," says acting GSA Administrator Katy Kale. "It is more aggressive, to meet the urgent technology needs of the federal government today, as well as more ambitious, to anticipate the demands of tomorrow."
While many federal agencies have lacked funds to improve their IT and other mission-critical systems, some observers argue that the added money from the grant program will not make a significant difference.
Chad Hoffman, a former Defense Department intelligence analyst, believes that many IT systems run by federal agencies are too outdated to be patched or properly upgraded. He also says the federal government needs to address IT and security issues by adopting new, more modern approaches.
"As we've seen with the commentary around the SolarWinds activity, the [threat] detection capabilities of the federal government are vastly inferior to what is available today in the commercial market," says Hoffman, who is now COO of security firm Analyst1. "There needs to be ... full modernization of U.S. government networks to provide a complete understanding of how they are potentially affected and what to do about it."
In testimony before a U.S. Senate committee in March, Christopher DeRusha, the federal CISO, and Brandon Wales, the acting director of CISA, each noted that the attacks against SolarWinds and Exchange should prompt the federal government to adopt newer security practices, such as "zero trust," to counter modern threats to networks (see: The Case for 'Zero Trust' Approach After SolarWinds Attack).
The Biden administration is also expected to roll out a series of executive orders soon that will require new cybersecurity standards for federal agencies, which could include adopting a security scorecard and ratings system for U.S. software (see: Exchange Hacks: How Will the Biden Administration Respond?).