BTW, a little primer that got buried in a recent thread - but is applicable for the "Why didn't the US Government do better for #SolarWinds since we threw so much money and resources at it..." - the simple answer is, "we didn't, actually" and here's a little why. #thread
I officially became a Fed in 2010, but was a contractor in 2006/2007 and FFRDC staff 2009/2010, so I go back a ways... but the Federal budgeting process has changed a little in that time... thank you deficit spending.
Our housing bubble famously exploded in 2008, so THAT was fun. But it caused some scramble on how the Federal government went about funding stuff. Mainly, as tax dollars dried up a little and folks supposedly got serious about balanced budgets, agencies were forced to...
...think about programs that were previously multi-year behemoths, as well as statutory programs (like Medicare, etc.) that were going to have their operations affected by pullbacks. We called it "sequestration" in 2013, and it occurred after the Budget Control Act of 2011.
It affects agencies and their planning to this day (and I can't imagine when it won't, especially after the pandemic now) - but often the agencies create a budget plan given their missions, some new stuff they may want to do, like modernization, etc. - and formulate a budget request.
This goes to OMB for review and markup... basically always ask for a little more than you need, but don't pad it too bad, because, like Pawn Stars, you're gonna be negotiating... but usually it's less than what you wanted because of that Budget Act...
As I mentioned, Medicare, VA bennies and Social Security are exempt mandatory/statutory programs... but you still have to operate them, and the USG is big and intertwined... so it's hard just to cut out a chunk and tell an agency this is for this and that is for that.
Take the newer focus on cybersecurity: because agencies are often funded at the programmatic, initiative, or bureau/office/division level, doing anything enterprise-wide is "passing the hat" and hoping folks chip in... sad but true, unless you are lucky enough to get an appropriation... or
See a program like the Technology Modernization Fund, which was designed to help small "micro" agencies and commissions (like the FTC, EEOC, etc.) who don't often have the right funding to take on a major upgrade or modernization unless tied/riding on something else (backdoored)
Large agencies, and this REALLY irritated me, but I knew it was going to happen... have program offices that know how to work the system, and they were first to the trough to ask for "a little sump thin'" from the TMF to shore up programs already in progress...
For HHS, it was their beleaguered PeopleSoft implementation - which was (and probably, still is) a major CF of monumental proportions. Interior had that with FBMS, but the TechStat program from OMB kicked it in the ass, and they eventually went live in, IIRC, 2013.
So, again, like pigs muscling into the trough, given the very ambiguously defined way the money was to be used and allocated (and I have no idea what deals were made), near zero small agencies got initial TMF funds... so, guess what...
a budget designed to help the most in need never actually went that way (sounds familiar with other programs, doesn't it?)... internally, the same thing goes for cybersecurity. They centralized policy and some ops in DHS, but they weren't exceptionally funded.
Phase One of CDM was severely under-budgeted, because the initial estimates were WAY off, and it seemed very few mechanisms were left for DHS (and GSA) to go back to Congress and OMB and ask to expand... so scope was cut.
and that's how a lot of the programs are... because DHS, put in charge of this, has near zero knowledge of how agencies run things... because the lack of information sharing is a feature, not a bug. So when agencies finally surveyed their environment, DHS said "whoah"
and it's also endemic to how OMB does planning, since they often issue data calls to agencies with a relatively quick turnaround time, and by the time they get to folks who can provide the data, it's not reliable and is self-attestation at its best.
There may be a 30-45 day window, but as it gets passed down, sometimes 15-20 days have already been taken up in working it down to the components, and then it's a scramble to find out who has the data requested, because it's never a regular or uniform request framework.
Oddly, I saw this both as somebody who saw it at work from the OMB eGov office, but also as somebody who managed those same data calls at HHS OIG... I got both ends of the stick and it wasn't pretty.
(also, in most cases OMB is staffed by non-techies/practitioners, so they are often asked to "get X" and may not develop the best question or method to ask for the data from agencies... so the 15-20 days sometimes is also interpreting the request)
so you may get a week or so to collect stuff, format it, check it for completeness, or even when needed, ask for clarification... which in itself takes time and rarely gets a good answer.
So how does this affect Congressional appropriations... well, OMB puts out the request (President's Budget), Congress folks have their own (CBO), and they, as we've seen with the recent budget stuff, have differing views on what's needed.
So with sequestration, lack of domain knowledge, and abysmally bad, broad budget and legal language (presumably there for some flexibility), we get programs that are often underfunded and under-resourced, with no clear direction on what is supposed to come of them.
So asking/mandating CISA to do "pen tests" or "threat hunting" on agency networks seems like a way to shoulder agency burdens - their own lack of agency knowledge will require learning (often done by contractors at the behest of DHS/CISA) and negotiation... so slow, and mistakes.
plus the agencies will be like... "why don't you just fund our cybersecurity efforts properly"... but of course any read of Politico, The Hill, GovExec, FedScoop, will find plenty of mismanaged or failed programs that get press, regardless of good intentions...
so we are in a vicious cycle of declining budget funding, hard decisions about which fire to put out (aging systems are that lovely tech debt), and constantly advancing attackers, because agencies still have a mission to perform... the tissue paper keeps getting thinner.
so, that's my piece for now, but it's a nasty dance of budget, resourcing, and who has the con (as it were) to control their own security destiny... feel free to comment or correct, but this is the incoming admin's challenge to "get" IMHO... big-ass challenge
Oh, also, if you want to get into deep budgeting and appropriations, think about 1-year vs. no-year funding, as well as "the color of the money," which tightly restricts when and how Federal budget dollars can be spent. It's never just a technical issue at that point.
JFYI... I'm still available for back-rub, long walks on the beach, bar mitzvahs, Federal leadership roles, and hosting beer tastings, cookie baking, and the occasional Federal explainer... #cheers and #HappyHolidays
You can follow @webjedi.