Technology and tech policy have been at the heart of the Trump administration since the president took office, and major pushes over the last three years will have significant impacts on federal IT management for years to come.
Early on, the administration published the IT Modernization Plan and a tech-heavy President’s Management Agenda. While neither document is policy itself, they set the stage for a surge of IT policy updates from the Office of Management and Budget’s Office of the Federal Chief Information Officer.
The focus on technology as a driver of management decisions led to the creation of a few IT policies and significant updates to many more. While the Trump administration is coming to an end, the policies established during his term will live on—at least until updated, rescinded or superseded by new policies.
Extra Reading: Why It’s So Hard to Write Federal Technology Policy
Before leaving office, then-Federal CIO Suzette Kent said 2020 would be the year all the planning and policy turned into progress. But COVID-19 had other ideas.
Despite—and, in one case, because of—the pandemic, there were a few IT policy moves this year.
From an IT perspective, 2020 was marked by two major policies: the “Maximum Telework” memo and release of documents for Trusted Internet Connection 3.
In response to the COVID-19 pandemic, OMB issued a memo in March instructing agencies to offer “maximum telework flexibilities,” followed by additional guidance for federal IT managers and contractors.
While these policies have a relatively small window of relevance—they only apply to working through the pandemic—they set the stage for the rest of 2020 and demonstrated how technology would be a core part of government operations during the new normal.
The IT-focused memo directs agencies to “utilize technology to the greatest extent practicable to support mission continuity” and to “use the breadth of available technology capabilities to fulfill service gaps and deliver mission outcomes.” This would result in big spending to increase teleworking capacity, including more devices, more virtual private networks and more cloud.
This year also saw the release of key documents and guidance as part of the update to the Trusted Internet Connection, or TIC, policy, which establishes how federal agencies should set up network access to safeguard government data.
In the past, TIC policy has focused on creating barriers to entry, namely by requiring all network traffic to flow through agency headquarters as a means of control. But in the modern IT environment that includes a reliance on mobility and cloud services, those boundaries no longer make sense.
In 2019, OFCIO released a finalized TIC 3 policy that set the stage for the future but left it to the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency, or CISA, to work out the details.
CISA released draft guidance and use cases in December 2019 and prepared to spend most of the year finalizing those documents. But COVID-19 had other plans for that program, too.
By April, the TIC program office was focused on helping agencies secure their remote workforce—issuing interim guidance and starting to work aggressively on a remote user use case, which was called for in the OFCIO policy but was a secondary priority before the pandemic hit.
That interim guidance was set to expire by the end of 2020, prompting CISA to release the draft remote user use case before the end of the year. The draft use case was put out for public comment Dec. 22, with plans to finalize that and the other outstanding use cases in early 2021.
The main body of the new TIC 3 policy was finalized in July, including the TIC 3 Guidebook; the reference architecture explaining how the concepts should be applied to agency enterprises; and the Security Capabilities Catalog, formerly the Security Capability Handbook.
The Big Push
The bulk of the Trump administration’s IT policy work came over the course of two years: 2018 set the stage with a number of draft policies and announced plans to update others, most—if not all—of which came to a head in 2019.
By the end of 2019, OFCIO had updated and finalized six major IT policies, including the base TIC 3 policy mentioned above. But the year also saw a number of the administration’s tentpole IT policies come to fruition, including Cloud Smart, a more nuanced version of the Obama-era Cloud First policy.
Cloud Smart looked to bring the government’s cloud policy forward by offering harder definitions of what counts as cloud services. After the initial draft received public comments and went through internal debate, the finalized policy released in June was similar to the original draft but contained several important changes, including a focus on application rationalization—making keep, upgrade or kill decisions on legacy apps—and a new avenue for agency-owned and -operated cloud environments where deemed appropriate.
The cloud policy update was joined by two other infrastructure-centric policy updates: the new Data Center Optimization Initiative, which, like Cloud Smart, shifted emphasis from closing government-owned data centers to optimizing that infrastructure, either in-house or through a cloud vendor; and a new Identity, Credential and Access Management, or ICAM, policy, which jumpstarted the government’s move toward zero-trust frameworks and established who—or what—would need to be credentialed going forward.
Together, these three policies have the largest effect on federal IT operations.
But the focus wasn’t only on cloud and infrastructure. 2019 also saw the release of two novel policies: the Federal Data Strategy and the establishment of the Quality Service Management Offices, or QSMO, program to reignite the push for governmentwide shared services.
The Federal Data Strategy was developed in the wake of the Foundations for Evidence-Based Policymaking Act and other initiatives—like the PMA—that pushed agencies to make better use of the data they collect. The strategy outlined a litany of principles and practices to frame how agencies collect, store, share and use data, coupled with a one-year action plan with specific deliverables.
As with just about everything else, COVID-19 derailed some of those efforts, though data strategy leaders worked to shift some deadlines and focus areas in response to the pandemic.
OMB and OFCIO also released a memo entitled, “Centralized Mission Support Capabilities for the Federal Government,” which established the QSMO concept as the next step in shared services. While past shared services efforts created single service offerings at multiple agencies, the QSMO construct looks to establish one agency as the lead for each service but with multiple offerings from that agency.
For example, rather than offering slightly different versions of payroll and accounting services from four different agencies, the QSMO effort looks to consolidate all such services in one agency—the General Services Administration—which would then offer a range of options, including full-service payroll management, a marketplace of third-party vendors and a set of governmentwide standards to guide the more independent agencies and programs.
“We’re creating a centralized place versus having agencies doing things that maybe aren’t their mission to do,” outgoing shared services lead Beth Angerman told Nextgov in a December 2019 interview. “That helps to stabilize a marketplace and a set of solutions for customers and it brings them the right kind of partnership with the right agencies to really help them think through how they would optimize that particular function in their agency.”
Per Kent’s promise that 2020 would be the year of implementation, three QSMO offices were officially designated this year, with CISA tapped to lead on cybersecurity, the Treasury Department on financial management and GSA on human resources services.