
That loud noise you’re hearing (especially if you’re a frustrated federal network manager) is the sound of legacy IT systems consuming more than 60% of federal IT spending. By comparison, modern IT accounts for about 13% of total government IT spending.
The Legacy IT Reduction Act would be a boon to agencies facing the challenge of replacing or upgrading heavy legacy IT that is often outdated, unreliable and, yes, expensive to maintain. The bill would require (and fund) agencies to overhaul outdated legacy IT systems and to develop plans for updating and decommissioning them. These changes and improvements would strengthen security and save taxpayer dollars. But in the near term, the Legacy IT Reduction Act could also create security gaps.
A key component of the bill is a requirement that the Office of Management and Budget (OMB) assist agencies, in the form of guidance, in identifying and modernizing legacy IT. Agency modernization plans would be due two years after the bill becomes law. This is another step forward in the fight for better network security, and it complements the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model, a roadmap for agencies developing a zero trust strategy and implementation plan.
But how can the bill, despite its good intentions and potential for improvement, fail to acknowledge that insecurely written code remains in use and matters just as much (perhaps more) to software security as the age of the platform it runs on? Working with congressional leaders, we must all ensure that this opportunity to mandate and invest in modernization does not ignore essential application security measures, and that it enables federal technology leaders to secure their applications as they are written. Now, more than ever, is the chance to “shift left.”
In today’s tumultuous threat climate, the idea of “shifting left” is hard to ignore. It means building security into software from the beginning of the development life cycle rather than bolting it on at the end, which gives agencies a significant advantage in the fight against malicious hackers.
In addition to building in security from the start, agencies should take steps at the application layer to regularly scan software for flaws and proactively fix vulnerabilities. Without tooling that properly addresses application-level security, simply replacing legacy systems may not be enough to meaningfully improve cyber security: a freshly modernized application can ship with the same classes of flaws as the one it replaced.
It is important that the responsible parties implement application security standards that apply across the board. As Veracode’s recently released State of Software Security version 12 found, compared with other industry sectors, government agencies have the highest share of applications with flaws, at 82%. The public sector also lags in how quickly it fixes flaws once they are discovered, taking roughly twice as long as other sectors. This underscores the importance of strong government software security, and starting at the application layer is a proven way to address these weaknesses.
Initiatives such as OMB’s zero trust memo, federal software supply chain guidance, and CISA’s aforementioned Zero Trust Maturity Model all help define the path forward for zero trust architectures. The Legacy IT Reduction Act would benefit from incorporating, or at least referencing, this guidance.
Overall, the Legacy IT Reduction Act has the right idea about modernization, but it can be improved. The bill should require agencies to implement software security testing. With a fix rate of only 22%, public-sector officials face a real challenge in maintaining a secure software supply chain for applications that affect critical services in all areas of life. A comprehensive software security platform is needed to provide maximum protection against cyber attacks before they happen, arguably more so in government agencies than anywhere else. Now is the time for federal technology leaders to act on the future of secure systems. Shifting left can make it a reality.