The Department of Homeland Security has applied for Technology Modernization Fund money to support four of its modernization projects, CIO Eric Hysen said Tuesday.
Hysen intends to make the department an “active user” of the TMF, which recently got a $1 billion injection under the Biden administration’s American Rescue Plan Act, he said at the Professional Services Council’s Federal Acquisition Conference.
DHS‘s four projects run the gamut, from improving the processing of immigrants at the southern border and making “the experience of going through an airport easier, more seamless, and more secure,” Hysen said, to modernizing how DHS components work with data in conjunction with the department’s new Office of the Chief Data Officer and better sharing threat information with state and local law enforcement.
Hysen said DHS is approaching the TMF now differently than it has in the past by looking to apply modernization across the department, rather than focusing only on single components. Customs and Border Protection, a DHS component, won a $15 million TMF award last July to continue modernization of its Automated Commercial System, a mainframe platform that runs on 3.9 million lines of COBOL code to track, control, and process everything imported into the U.S.
“[W]hat we’re trying to do very deliberately is not just use the TMF as an opportunity to look at our big list of unfunded modernization programs that we just need one vendor, we already have a whole plan for, but really to look at common problems and challenges across the department and set up systems and structures that will allow us to move together because we think we can get a lot more done if we modernize in common, aligned ways across DHS components and systems,” he said.
To be clear, Hysen said, he’s not advocating for DHS to build single systems “to rule them all.” Rather, he said, “we want to address these issues holistically from the experience up from the perspective of the people that are depending on DHS, whether those be immigrants, travelers, state and local law enforcement officers, and using the TMF as a way to move to move forward together across different parts of the department.”
Since the $1 billion injection into the fund, the board that leads the TMF award process has introduced a more flexible model for agencies to repay those investments. The board is also prioritizing selecting and funding projects “that cut across agencies, address immediate security gaps, and improve the public’s ability to access government services.”
Zero trust and the cyber EO
Hysen described President Biden’s recent cybersecurity executive order as “one of if not the most ambitious attempts to lay out a new framework for federal cybersecurity ever.”
That order calls for federal agencies to modernize their cybersecurity, namely through the adoption of a zero-trust architecture. Hysen said while that’s the right direction to move in, it’s important to keep in mind that “zero trust is not something we’re going to buy and turn on one day.”
“[I]t’s easy to think about this as, ‘Oh, just buy your zero trust product, turn it on on your network, and then everything will be great,'” Hysen said. “And that is in no way what we’re talking about. When we think about zero trust, we think about, in many ways, a fundamental rethinking of our security architecture, away from this outdated model of perimeter defense — that we can build a wall around our network and everything inside is safe, everything outside is unsafe — and that we have to be securing every system, every server, every endpoint and our data as it moves within our network and outside of it. And that’s going to require a lot of time; this is not going to be something that we do overnight.”
DHS has a zero-trust working group led by its CTO “that’s working across our components to look at different approaches,” Hysen said, adding that the department is working in three-to-four-month sprints to deliver new pieces of the security architecture iteratively. First up, he said, is conditional access and rights management.
“I expect [zero trust] to be something that will only become more important over time, and will be important that we really do this as a marathon…because it is such a fundamental rethinking of our security architecture,” Hysen said.